Evolving threats and broadening responses to Ransomware in the UAE
After the COVID-19 outbreak, cyberattacks spread across the Middle East, leaving both public and private institutions exposed and turning the pandemic into a digital as well as a physical menace. Despite physical isolation on a global scale, more people were online than ever before, greatly enlarging the attack surface available to threat actors. More than two years later, it is clear how those actors exploited the new reality: amid the panic and social unrest that followed the outbreak, they raised social engineering to a new level. The Middle East has seen a rapid and widespread increase in ransomware attacks, particularly in the United Arab Emirates (UAE), whose advanced digital economy and high degree of connectivity make it an attractive target.
Ransomware is a constantly evolving class of malware that breaks into devices and encrypts the data on them, locking victims out of their own data and holding it hostage until a ransom is paid for the decryption key. A closer look at how ransomware attacks developed in the UAE during the pandemic, the tactics, techniques, and procedures (TTPs) used by threat actors (TAs), and the UAE’s response offers a useful case study of how cyberattacks affect a digital economy and underlines the need for stronger digital security across the Middle East.
The Scale of Threat
According to Kaspersky statistics, attacks involving social engineering, phishing, and other threats to data in the UAE rose by 230% in the second quarter of 2022 compared with the same period of the previous year. After a ransomware attack, businesses are under extreme pressure to resume operations and must choose between paying the ransom and the laborious, time-consuming work of rebuilding systems and restoring data from backups. Paying the ransom carries a significant risk because the victim is usually unaware of what else the TA left behind, such as backdoors or stolen credentials. Unless the network is properly cleaned up, including resetting credentials and removing any persistence the attacker installed, those remnants leave the business open to a repeat attack, and a paid ransom can itself invite new ones.
The Rise of RansomOps
Over time, relatively simple, reused malware variants delivered by mass phishing have given way to so-called RansomOps: increasingly sophisticated, multi-stage operations in which the ransomware payload is only the last link in the attack chain. RansomOps describes the ransomware operation as a whole: a highly targeted, human-operated campaign run in an organized, adaptable, and hard-to-predict manner. The predictable, automated ransomware of earlier years has largely been displaced, and RansomOps groups are now structured much like software-as-a-service businesses. Four components distinguish RansomOps from ransomware alone, all of which reflect the greater sophistication and specialization of these attacks:
- Ransomware-as-a-service providers
- Initial access brokers
- Cryptocurrency exchanges
- Ransomware affiliates
With the advent of the pandemic, the leading ransomware groups active in the Middle East found an opening in the UAE. These groups first capitalized on the unique vulnerabilities created by the pandemic, and they now continue their campaigns, driven by the rapid adoption of digital technology and by increasingly sophisticated tooling. The following ransomware groups have targeted and continue to target the UAE: Egregor, LockBit 2.0, Conti, Snatch, DarkSide, REvil, BlackByte, Xing, AvosLocker, Avaddon, Rook, and Pysa; LockBit, Conti, and Snatch are the main groups that have targeted the UAE specifically. These groups are generally assumed to operate from Iran, Russia, or China and target leading institutions in the public sector, the IT industry, and the financial sector.
Tactics, Techniques, and Procedures
These operators share a set of TTPs that illustrate how RansomOps work.
- RansomOps industrializes cybercrime through the software-as-a-service-style model known as ransomware-as-a-service (RaaS). The core group develops and maintains the ransomware and recruits business-minded affiliates who carry out the intrusions. The “Ransomware Threat Report 2022” from Palo Alto Networks puts it this way: “this is a business for criminals, with agreements that specify the rules for distributing genuine ransomware to affiliates, frequently in exchange for monthly fees or a portion of ransom paid.” RaaS streamlines attacks, makes them easier to carry out, widens the pool of potential targets, and lowers the barrier to entry. LockBit, Conti, and REvil are all RaaS operators among the groups listed above, but their strategies differ. LockBit’s RaaS model gives its affiliates wide latitude in the tools and tactics they use. Conti, by contrast, lowered the bar further and compensated its affiliates even when an intrusion did not succeed, which gave affiliates a stronger incentive to keep trying and could lead to more breaches and more payouts for the group.
- A second significant TTP is double (or multiple) extortion. Ransomware attacks have disrupted several organizations in the UAE, raising concerns about business continuity, lost revenue, and the diversion of key staff. Even where the frequency of ransomware attacks has dropped and businesses have put better safeguards in place, ransomware has become more complex and more menacing through multiple extortion. Such attacks begin by exfiltrating the victim’s data before encrypting it on the victim’s systems, and then demand a ransom for the decryption key. If the ransom is not paid, the TA threatens to publish the data. So even though businesses now have better backups to fall back on after an attack, sensitive data and intellectual property can still be leaked or sold if the ransom is not paid. Ultimately the TA goes beyond encryption, using leak sites and threatening further attacks (such as distributed denial of service, or DDoS) to coerce the victim into paying. Because exfiltration precedes encryption, the outbound transfer of large volumes of data is the earliest point at which such an attack can be caught; once the encryption stage is visible, the data has already left.
- A third TTP often attributed to these operators is the use of “zero days”. A zero-day vulnerability is a flaw in hardware or software that attackers know about before the vendor has released a fix; a zero-day attack exploits such a flaw before it can be patched. Ransomware groups will keep exploiting them, especially high-profile vulnerabilities, for as long as they remain unaddressed. In practice, most ransomware intrusions that start from a vulnerability rely on flaws that were already public and patchable but not yet patched by the victim, so patch latency matters as much as zero-day exposure. Ransomware groups also attack supply chain components or abuse third-party software, so that a single compromise can affect many firms at once. Conti, DarkSide, and REvil have all used zero-day attacks to hit organizations before they could defend themselves.
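The sequence in the second item above (bulk exfiltration first, mass encryption afterwards) is also the sequence a defender can detect. The following is an added example, not code from the original article or from any vendor: a small Python detector run over constructed log lines. The log layout, the host names, the destination addresses and the thresholds are all assumptions; a real deployment would read flow and file-audit telemetry from the SIEM and tune the thresholds to the environment’s baseline.

```python
"""Detect the double-extortion sequence: bulk outbound transfer to one external
host, followed by mass renames to one new extension (the encryption stage).
Added example over constructed logs; layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds (assumed; tune to the environment's baseline).
EXFIL_BYTES = 2_000_000_000            # >= 2 GB to one external IP within EXFIL_WINDOW
EXFIL_WINDOW = timedelta(minutes=15)
ENCRYPT_MIN_RENAMES = 5                # renames to the same new extension within ENCRYPT_WINDOW
ENCRYPT_WINDOW = timedelta(seconds=60)
MAX_GAP = timedelta(hours=24)          # how long after exfiltration encryption may follow

# Constructed sample telemetry (not real data).  Assumed record layouts:
#   NET  <iso-timestamp> <host> <dst_ip> <bytes_out>
#   FILE <iso-timestamp> <host> RENAME <old_path> -> <new_path>
SAMPLE_LOGS = [
    "NET  2022-06-01T00:30:00 srv-fin-01 10.0.0.5 5000000000",    # internal backup, private dst
    "NET  2022-06-01T01:02:00 srv-fin-01 185.0.0.10 900000000",   # 2.7 GB to one external IP
    "NET  2022-06-01T01:06:00 srv-fin-01 185.0.0.10 1100000000",  # within 15 minutes
    "NET  2022-06-01T01:09:00 srv-fin-01 185.0.0.10 700000000",
    "NET  2022-06-01T03:00:00 ws-hr-07 185.0.0.10 50000000",      # small, ordinary outbound
    "FILE 2022-06-01T04:00:00 ws-ops-02 RENAME /tmp/a.log -> /tmp/a.log.bak",  # single rename
]
# Encryption stage on srv-fin-01, about 90 minutes after the transfer.
SAMPLE_LOGS += [f"FILE 2022-06-01T02:30:{i:02d} srv-fin-01 RENAME /data/f{i}.xlsx -> /data/f{i}.xlsx.lockbit"
                for i in range(8)]
# Encryption burst on ws-hr-07 with no preceding exfiltration.
SAMPLE_LOGS += [f"FILE 2022-06-01T03:05:{i:02d} ws-hr-07 RENAME /home/u/n{i}.docx -> /home/u/n{i}.docx.crypt"
                for i in range(6)]


def is_private(ip):
    """RFC 1918 check; traffic to private ranges is not counted as exfiltration."""
    first, second = ip.split(".")[:2]
    return first == "10" or (first == "192" and second == "168") or (first == "172" and 16 <= int(second) <= 31)


def parse(lines):
    """Split records into per-host network flows and per-host rename events."""
    net, files = defaultdict(list), defaultdict(list)
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        kind, ts, host = parts[0], datetime.fromisoformat(parts[1]), parts[2]
        if kind == "NET":
            net[host].append((ts, parts[3], int(parts[4])))
        elif kind == "FILE" and parts[3] == "RENAME":
            new_path = parts[-1]
            files[host].append((ts, new_path.rsplit(".", 1)[-1] if "." in new_path else ""))
    return net, files


def exfil_hits(flows):
    """(window_start, dst, bytes) per external destination that received EXFIL_BYTES
    or more inside a sliding EXFIL_WINDOW."""
    by_dst = defaultdict(list)
    for ts, dst, nbytes in sorted(flows):
        if not is_private(dst):
            by_dst[dst].append((ts, nbytes))
    hits = []
    for dst, evs in by_dst.items():
        start, total = 0, 0
        for ts, nbytes in evs:
            total += nbytes
            while ts - evs[start][0] > EXFIL_WINDOW:   # drop flows that fell out of the window
                total -= evs[start][1]
                start += 1
            if total >= EXFIL_BYTES:
                hits.append((evs[start][0], dst, total))
                break                                   # one alert per destination
    return hits


def encryption_hits(renames):
    """(burst_start, extension, total_renames) per new extension applied to
    ENCRYPT_MIN_RENAMES or more files inside a sliding ENCRYPT_WINDOW."""
    by_ext = defaultdict(list)
    for ts, ext in sorted(renames):
        if ext:
            by_ext[ext].append(ts)
    hits = []
    for ext, stamps in by_ext.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > ENCRYPT_WINDOW:
                start += 1
            if end - start + 1 >= ENCRYPT_MIN_RENAMES:
                hits.append((stamps[start], ext, len(stamps)))
                break
    return hits


def detect(lines):
    """Classify each host as exfiltration_only, encryption_only, unlinked, or
    double_extortion (exfiltration followed by encryption within MAX_GAP)."""
    net, files = parse(lines)
    findings = {}
    for host in sorted(set(net) | set(files)):
        exfil, enc = exfil_hits(net.get(host, [])), encryption_hits(files.get(host, []))
        if not exfil and not enc:
            continue
        if exfil and enc and any(timedelta(0) <= e[0] - x[0] <= MAX_GAP for x in exfil for e in enc):
            stage = "double_extortion"
        elif exfil and enc:
            stage = "unlinked"          # both seen, but encryption did not follow the transfer
        else:
            stage = "exfiltration_only" if exfil else "encryption_only"
        findings[host] = {"stage": stage, "exfil": exfil, "encryption": enc}
    return findings


if __name__ == "__main__":
    for host, f in detect(SAMPLE_LOGS).items():
        print(f"{host}: {f['stage']}  exfil={f['exfil']}  encryption={f['encryption']}")
```

The point of linking the two stages is triage: a host with an outbound burst and no encryption yet is the case where intervention can still keep the data off a leak site, so an `exfiltration_only` finding deserves a faster response than `encryption_only`, not a slower one.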
What is the role of the UAE in raising awareness against cyber attacks?
The UAE has made the digital economy a national priority, with technologies such as Artificial Intelligence, Blockchain, Fintech, the Internet of Things, and 5G quickly gaining traction across the public and private sectors; this also means it now faces a higher risk of targeted cyber threats than ever before. The UAE’s recent attacks may be an indication of things to come, and the nation’s response may serve as a template for how the region should address this growing security concern in the short and long term.
The UAE has recently established the UAE Cyber Security Council, created to define national cyber security policy, provide a secure cyber infrastructure, and ensure rapid response to cybercrime. The UAE has also been moving toward a “service-centric approach”, signing preliminary agreements with numerous companies, including Huawei, Amazon Web Services (AWS), and Deloitte, in pursuit of ambitious goals for combating cybercrime. Under this approach, organizations treat cyber security as a service rather than as a set of technologies: they outsource security operations to a specialist provider under a contract governed by service-level agreements.
Additionally, this strategy reduces expenses, increases efficiency, and enables firms to concentrate on their core competencies.
Specific goals of these agreements, including one signed in March 2022 with the UAE-based Cyber Protection X, include strengthening local cyber security expertise, expanding cyber training capacity, exchanging best practices, and promoting research and innovation in the sector. These collaborations are expected to accelerate the UAE’s transition to a digital economy and strengthen its cyber security infrastructure.
Summing up
While earlier operations targeted third-party storage, in 2022 RansomOps went after consumer data more directly. This is already happening: 70% of UAE businesses report ransomware attacks that specifically targeted consumer data. Such attacks threaten many layers of security and civilian infrastructure, potentially everything from oil to food supply chains, which remain fragile and exposed given the pandemic’s continuing effects on the world, the conflict in Ukraine, and the resulting economic disruption. Nor is this dynamic likely to end with ransomware; innovation will bring new dangers and difficulties. In the coming years, as cyber security develops, cybercriminals will follow closely behind each new trend, using cutting-edge technology to evade defenses.
Cybercrime is expanding like nothing else. Be ready and protect your company against these risks, because all it takes is one weak spot. A Cyber Security Ninja can help you shield your company against these emerging dangers. Hire a cyber security expert within 48 hours.
Take Action Immediately!