In a secret global digital war, even a country’s own residents are just collateral damage. The trick is to minimize exposure!

Are global geo-political developments linked to cybercrime trends? Are governments hiding behind many illicit cybercriminal activities in the name of ‘national security’?

Are cyber defense professionals just unwitting pawns in a high level ongoing game of wits, not meant to disrupt premeditated cyber agendas?

To get a finger on the pulse of ransomware and digital extortion trends raging worldwide, CybersecAsia interviewed Charl van der Walt, Head of Security Research, Orange Cyberdefense for some insights.

CybersecAsia: How are global developments and tensions impacting the tactics of digital extortion by cybercriminals and APTs?

Charl van der Walt (CW): Cybercrime and geopolitics are increasingly inter-wound. We can observe several major ramifications of this:

    1. Many cyber extortion gangs are believed to reside and operate from former Commonwealth of Independent States countries, where they enjoy varying degrees of state support. This allows those gangs to operate against victims in other countries with little fear of disruption or prosecution.
    2. In other countries, there are instances where cybercriminals can operate under the direction of their government.
    3. International conflicts are increasingly adopting a ‘hybrid warfare’ approach in which hacking is used to support or replace traditional operations. There have been several instances of this in the Ukraine-Russian war, including wipers, denial of service attacks, destruction of communications systems, data leaks and more. Much of the hacking in this conflict has been conducted by independent ‘hactivists’ from both sides, who have only loose connections to the governments.
    4. As cybercrime, particularly cyber extortion, exerts an ever-increasing toll on victims, governments around the world are taking increasingly forceful action to counter it. Where indictments and arrests are not feasible, governments are deploying their own hackers to attack and disrupt the systems used by cybercriminals.
    5. Cyber power, whether in the hands of a terrorist/hacktivist group or a state, can be wielded as a political weapon to coerce a way of thinking through undermining social trust in an institution, which could be a person, organization or state. The attacks we are seeing are often in line with that modus operandi whereby the first effect is merely a means to an end for the second affect, which is that coercion.

CybersecAsia: Can you cite how some of the biggest ransomware groups have changed incident response strategies and policies?

CW: It is becoming increasingly clear that the role of a security team is to manage crisis, not just reduce risk. On top of implementing a wide range of preventative controls, firms are working from the assumption that a breach will eventually happen and planning accordingly, by putting contingency plans in place that can be deployed in the case of a compromise. This includes improved detection systems, Incident Response Teams on standby, and comprehensive crisis response plans that are sometimes even tested. 

We are also seeing closer working relationships with their (cyber) insurance providers, who will often direct activities in response to an incident. Insurance providers see paying the ransom as the last, and least favorable response, and often have the experience required to navigate the victim toward other possible responses.

Technically, there has also been a renewed appreciation for backup and response capabilities, which are often the best counter to traditional encryption-based extortion attacks.

Charl van der Walt, Head of Security Research, Orange Cyberdefense

CybersecAsia: Tell us more about the observed global cyber extortion patterns in your firm’s ecosystem, in North America, Europe and Asia. What do you read into these permanent/temporary shifts? 

CW: For several years, the business model of ransomware groups has been to attack organizations located in wealthier countries that are more likely to pay. However, in 2022 ransomware groups launched more attacks against organizations located in developing countries.

    • We had previously argued that English-speaking countries were mostly impacted due to their presumed wealth, on top of the language often mastered by the criminals and information readily available on the victims (revenue, clients, and so on). Nevertheless, by the end of 2021, we had noticed a shift towards non-English speaking countries, such as European or Latin American countries.
    • We have also observed that the number of victims headquartered in Europe have had a drop in cyber extortion attacks since the beginning of the Russian invasion of Ukraine. Since the end of 2022, cyber extortion groups have also increasingly impacted regions that were previously marginally affected, including Africa, Oceania (AU and NZ), and South-east Asia (SEA).
    • By numbers, Africa remains the least impacted region in the world, even if RansomHouse succeeded in breaching the continent’s largest supermarket chain, Shoprite, back in April 2022.
    • We saw the highest proportional increase in the South-east Asia region including Indonesia, Singapore, Thailand, the Philippines, and Malaysia. It could be the case that threat actor groups do not expect as big a reaction from these countries in comparison to that from the US or European countries.

CybersecAsia: Cyber tactics have often outpaced the defense capabilities of people who are well-versed with the cyber landscape. Can you share some insights on what they can do to minimize vulnerabilities and exposure?

CW: It can be a mistake to think that every threat requires a new, technical control. I would emphasize a few simple things:

    1. Make sure backup and recovery are in place, work well, and are regularly tested!
    2. Focus on limiting the blast radius of a compromise. This can be done with well-known technical controls like limiting user privilege, segmenting networks and controlling outbound traffic.
    3. Focus on breadth as well as depth. Very often compromises happen because controls are not deployed somewhere, and not because the victim does noot have access to them. This is especially true for endpoint protection and patching.
    4. Think about how you can build agility into your structures and processes. As threat actors evolve and adapt, we need to do the same. This is not so much about ‘escalating’, but rather about ‘responding’ to new intelligence about threats, vulnerabilities, campaigns and incidents. Seek to develop the ability to Observe, Orient, make Decisions, and Act in response to new changes in the landscape.