In brief: With ransomware becoming so lucrative and widespread, hackers have started deploying new malware strains in developing and emerging nations as a way of testing them before attacking businesses in richer countries. Organizations in Africa, Latin America, and Asia are hit first as they tend to have weaker security and draw less attention. The hackers then attack high-profile targets in North America and Europe.
Attacks have been observed on a bank in Senegal, a financial services company in Chile, a tax firm in Colombia, and a government economic agency in Argentina using strains of malware that were later used in Europe and North America, writes cybersecurity firm Performanta (via Ars Technica).
One of these ransomware strains is Medusa, a variant that gets its name from being able to turn files "into stone" by stealing and encrypting data. It was first used against businesses in South Africa, Senegal, and Tonga in 2023. It was later used in 99 breaches in the US, UK, Canada, Italy, and France.
Medusa victims would see a file with the subject line !!!READ_ME_MEDUSA!!!.txt. instructing users to start negotiations with the ransomware gang on the dark web. Failure to do so would result in the stolen data being published online.
Nadir Izrael, chief technology officer at cyber security group Armis, said that when attackers were discussing a new vulnerability, named CVE-2024-29201, earlier this year, they "specifically targeted a few [exposed servers] in third world countries to test out how reliable the exploit was." The gang's attacks were restricted to South East Asia before becoming more widespread.
Teresa Walsh, chief intelligence officer at global cyber threat intelligence body FS-ISAC, said some gangs perfect their ransomware techniques in poorer countries, such as Brazil, against less well-protected companies before exporting their attacks to richer nations that speak the same language, like Portugal.
Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, has a different take. She believes the increase in attacks on organizations in developing countries is due to ransomware gangs selling their product to less-sophisticated hackers in poorer nations. These attackers often do not understand how the malware works, so they only stage their attacks against less well-guarded targets.
In other ransomware news, a member of the notorious LockBit ransomware group was sentenced to four years in jail last month for infecting over 1,000 systems.