Cybersecurity specialists have observed a disturbing trend in ransomware attacks: developing and emerging nations are being used as test beds for malicious software before it is unleashed upon organizations in more affluent countries. These regions often have weaker cybersecurity defenses and attract less attention, making them ideal targets for hackers.
Once the malware has been refined and tested in these initial target areas, it is deployed against high-profile organizations in North America and Europe. Recent attacks have targeted a bank in Senegal, a financial services company in Chile, a tax firm in Colombia, and a government economic agency in Argentina. The malware strains employed in these attacks were later found to have been used in attacks in Europe and North America.
One notable example is the Medusa ransomware strain, which encrypts and steals data, effectively turning files “into stone.” It was initially deployed against businesses in South Africa, Senegal, and Tonga in 2023 before being used in 99 breaches across the US, UK, Canada, Italy, and France. Medusa victims received a file named !!!READ_ME_MEDUSA!!!.txt, instructing them to initiate negotiations with the ransomware gang via the dark web. Failure to comply would result in the stolen data being leaked online.
Nadir Izrael, Chief Technology Officer at Armis, observed that attackers exploiting a recently discovered vulnerability (CVE-2024-29201) earlier this year specifically targeted exposed servers in third world countries to gauge the exploit’s reliability. The attacks were initially confined to Southeast Asia before spreading more widely.
Industry experts have proposed various reasons for this trend. Teresa Walsh, Chief Intelligence Officer at FS-ISAC, suggests that some gangs hone their ransomware techniques against vulnerable companies in developing countries like Brazil before pivoting their attacks to more affluent nations with similar languages, such as Portugal. However, Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, believes that the proliferation of attacks in developing countries can be attributed to ransomware gangs selling their malware to less-experienced hackers in those regions. These attackers may not fully understand the malware’s functionality, leading them to target less well-guarded organizations.
In related news, a member of the notorious LockBit ransomware group was recently sentenced to four years in prison for infecting over 1,000 systems.