By Kathy Gibson – Africa is turning on to the Internet – but users could be in for a nasty shock if they fail to protect themselves from the onslaught of cyberattacks.

Kate Mollett, senior regional director for Africa at Commvault, points out that there are already 500-million Internet users on the continent. “That’s half-a-billion people, with more connections than either North America or South America.”

Part of the reason Africa has taken to the Internet so enthusiastically is its history of poor infrastructure. “We rely too heavily on digital because there is such a shortage of other media.

“A massive 38% of the continent is online, and we use the Internet for everything. Services are very digitised, and our online banking is among the most progressive in the world to serve this online community – the biggest in the world.”

But there’s a looming problem, Mollett says. “With all of this digitalisation, as much as 90% of these organisations and applications have zero security protocols.

“So, yes: we are remote, so we have built this amazing online world that is digitally advanced. But it comes at a huge cost because we are not prepared for cyberattacks.”

Mollett points to a 2021 Interpol report carried out in conjunction with the African Joint Operations for Cybercrime, which found that 61% of businesses on the continent have had a ransomware attack.

“We have seen the biggest increase in ransomware in Africa, increasing by 34% from 2020 – this is the highest increase for any continent.

“We had more than 1,5-million ransomware detections in 2020, with 35% of them in Egypt, 28% in South Africa and 23% in Tunisia.”

Cybercrime has a real economic impact, Mollett adds. “We are told that Africa’s GDP in 2021 was reduced by 10% as a result of cybercrime. This is a staggering impact from the 230-million attacks that the continent was subjected to in that year.”

With numbers of this magnitude, she says Interpol is taking a strong approach to urgent action. “With the size of the African online community combined with the scale of banking and government digitalisation, it becomes a dire situation.

“And, when you combine that with the fact that 90% of organisations don’t have security protocols in place, it becomes worse.”

From a South African perspective, we have seen some major attacks, Mollett points out.

“Within the last 18 months, the second largest private hospital operator was hit by a cyberattack which affected the admission systems and cost more than a month in downtime.

“Transnet has suffered a couple of unprecedented attacks against critical maritime infrastructure. In one of the world’s boldest attacks of all time, ransomware was used to delay and shut down a critical trade route in the middle of a pandemic.

“In 2021, two of our major banks were hit with distributed denial of service (DDoS) attacks, affecting their ability to run end-of-month payment cycles.”

For African companies, the average downtime following a cyberattack is 21 days – and this is after the 107 days dwell time, Mollett adds.

“Considering there is a ransomware attack on an African organisation every 11 seconds, with an average cost to the company of $300 000.00, we need to be better prepared.”

As with the rest of the world, Africa’s cybersecurity agenda was interrupted by Covid-19 – although the shift to online connectivity increased.

“It’s almost like we are constantly chasing our own tail,” Mollett says.

And often, companies that are doing something about security are focusing on point solutions, or patching legacy systems that are not secure by design, rather than looking at holistic protection of their data.

As a data management vendor, Commvault has been building security into its systems for some time. “Our ransomware capability in Commvault is not so much about a ransomware attack, but enabling the CISO (chief information security officer) to build a security posture on the backup estate that allows them to recover correctly according to the 3-2-1 rule (this is three copies of the data, on two media, with one offsite).

“This gives them an immutable, air-gapped copy of the data,” Mollett explains. “And we have been building these features for some time.”

But as defences get more sophisticated, so do attackers, and Commvault realised it needed to up its security game.

“And so we bought TrapX, which focuses specifically on cyber-detection technology; and we have launched this as ThreatWise.”

Bar Hori, the account executive for Commvault’s Metallic offering, explains that the way attackers launch and execute ransomware attacks has changed significantly over the last couple of years.

“They used to be pretty straightforward: get into the system, get access to the data, see the impact, and the victim could then recover. We are well able to protect data from this kind of attack, with the platform hardened enough that there is no impact to recover; and users can recover in a timely manner at a lower cost.”

Today, ransomware attackers don’t just encrypt data and send a ransom note, they leak or steal the data as well.

“There is a way to recover data from being encrypted, but once it has been taken out of the organisation there is not much you can do,” says Hori.

This is leading to the so-called double-extortion and triple-extortion that is now a feature of ransomware attacks, he adds.

Cyber deception is emerging as an effective way to stop a ransomware attack from taking place at all, which is the best way to reduce its impact.

“It’s a honeypot, although the official term is cyber deception,” Hori explains. “Organisations can quickly and easily implement cyber deception tools like ThreatWise, which mimics the business’s real assets as a decoy or trap for cyberattackers.

“The bottom line is to trick bad actors, to reduce the chance of them interacting with the organisation’s real assets at all.

“This serves to expose threats early, and contain attacks before they can impact the organisation.”

The chances of the attack ignoring the deception and progressing straight to the real assets are very slim, Hori adds. “ThreatWise is implemented in a way that attracts attackers. It is deployed to mimic real and high-value assets that are desirable to attackers.

“By doing that, it exposes threats early.”

Typical attacks have an average 107 days dwell time, he explains. This is the time between the attack being launched on a system and “finding the crown jewels”. Solutions like ThreatWise help to expose the threats a lot quicker.

“Our goal is to reduce that 107 days to zero by approaching the threat from a behavioural point of view.”

 

What is double- and triple-extortion?

“Classic” ransomware happens when a threat actor encrypts an organisation’s data and demands a ransom. Upon receipt of the ransom, usually in cryptocurrency, it may provide the keys needed to decrypt the data.

With double extortion, data is not only encrypted but also either removed, or a leak is threatened.

Threat actors then demand ransom to prevent the data being leaked; or start demanding ransom from new victims within the stolen data sets.

“Double- and triple-extortion is the re-exploitation of the originally-exposed data,” explains Mollett. “It means the threat actor can repurpose the initial breach over and over again.”

The bad news for organisations is that these attacks are no longer hit-and-run, but are constantly evolving in terms of the commercial benefits they offer.

“Cybercriminals are now able to monetise and milk your data for other income streams. This makes it more important than ever to prevent your organisation being affected by a ransomware attack in the first place.”