Ransomware hitting South African economy hard
Ransomware attacks have been the most prominent form of cyber threat amongst South Africa’s private and public sectors, affecting all parts of the economy.
This is according to Minister of the Presidency Khumbudzo Ntshaveni, who answered a parliamentary question regarding threats against and breaches of South Africa’s cybersecurity.
“It is indeed accurate that South Africa, like many countries globally, is seeing an increasing occurrence of cybercrime incidents and cyber-attacks,” Ntshaveni said.
“These affect all sectors of our economy, such as telecommunications, financial, transportation, energy, education, health and so on, all of which are considered critical sectors.”
The minister highlighted that ransomware has been the most prevalent threat used by attackers.
Ransomware attacks typically involve encrypting the victim’s data and extorting them for a decryption key.
Attackers also often exfiltrate sensitive data and threaten to leak it online unless the victim pays.
Sophos’ State of Ransomware report for 2024, released earlier this year, showed that it is more expensive for companies to recover from ransomware attacks than to pay the extortion demand.
It found that the mean ransom payment made by firms was $958,110 (R17.1 million) compared to the average recovery cost of $1.04 million (R18.53 million). The recovery cost excludes all ransom payments.
The median ransom amount paid was $152,000 (R2.7 million), significantly less than the R17.1-million mean, indicating that the dataset contains a greater quantity of lower amounts.
The mean is all the ransoms added together and divided by the number of data points, whereas the median is the data point found in the middle of the dataset when ranked in ascending order.
Ntshaveni referred to two widely reported ransomware attacks on state entities, which involved the National Health Laboratory Service (NHLS) and the South African Department of Defense.
The NHLS was forced to shut down its IT systems in June this year after a hacking group called BlackSuit broke into its servers and stole 1.2 terabytes of data.
The shutdown affected its emails, website, and system for retrieving and storing patients’ lab test results.
In addition to stealing data, NHLS CEO Koleka Mlisana said the group had erased large portions of data, including backups.
However, she noted that there was no evidence that patient data had been erased.
The Department of Defense suffered a similar attack in August 2023 after hacking group Snatch claimed responsibility for exfiltrating 200 terabytes of data.
In addition to leaking data, Snatch also posted the contact information of several senior government officials online — including phone numbers it says belong to Cyril Ramaphosa.
According to Sophos, Snatch's attack model is to penetrate enterprise networks via automated brute-force attacks against exposed services.
They then leverage that foothold to spread internally within the target organisation’s network through human-directed action.
Ntshaveni points out that these attacks will continue to hinder South Africa’s economy. However, the State Security Agency is aware of this constant threat and is attempting to mitigate it accordingly.
“Threats to the country’s critical information infrastructure will continue to rise, and some of these threats will materialise,” Ntshaveni said.
“The State Security Agency continues to collaborate with entities both in the public and private sectors to monitor, detect and respond to these threats to our critical information infrastructure.”
According to Orange Cyberdefense South African MD Dominic White, progress is being made in bringing criminal syndicates that employ cyberattacks to justice.
White explained that several breakthroughs have been made behind the scenes through collaboration between law enforcement and cybersecurity professionals.
He recently hosted a discussion with international law enforcement, who provided some details on their recent successes thanks to their local partnerships.
This included helping to freeze funds being transferred out of South Africa after a multi-million rand business email compromise and substantial jail sentences being handed down on kingpins involved in everything from phishing to human trafficking.