The Middle East and Africa remained relatively unscathed in the recent ransomware attacks, with only a few isolated cases reported across the region. But that doesn’t mean the region is invulnerable to such attacks. The recent wave of ransomware is just another example of attackers upping the ante to target critical infrastructure. It is an unfortunate but crucial wake-up call for organisations and governments around the world to stay vigilant about data security.
Many feel that the main reason this region was shielded from the recent attacks was their timing. WannaCry started spreading during the weekend, when many user systems in the Middle East were offline. When work resumed on Sunday morning, everyone was already aware of the threat and took the necessary steps to ensure their networks were secure.
“In the case of WannaCry the region was fortunate that the global spread occurred during a non-working day (Friday) for this region. The exploit ‘Eternal Blue’ that was used by WannaCry was also used by Petya. Due to its similarity to WannaCry, much of the same security advice applied to Petya. When Petya was propagating globally most of the systems in the region were already secured. This is probably the reason why the outbreak had limited impact on the region,” stated Deepak Jacob, VP & Engagement Director at Paladion.
According to Scott Carlson, Technology Fellow at BeyondTrust, organisations with legacy security systems are the most vulnerable to these types of attacks. Commenting on why many companies around the globe were impacted, Carlson explains that these companies exposed a significant portion of their legacy security systems to external customers; because of a limited understanding of the risks, those systems were never updated or could not be updated.
In the MEA region, companies have adopted newer technologies, which has left them with very few connected legacy systems. “In addition, multiple branches of a corporate network have not been connected via inter-company networks simply because the infrastructure was not freely available in every case,” added Carlson.
Jaytirtha Diddigi, Vice President at Forcespot, feels that companies in the Middle East have good patch management policies that seem to be working.
“Timely and effective patch management is critically important in minimizing such attacks followed by continuous monitoring of end-point e-mail and web downloads,” added Diddigi.
Another contributing factor could be the fact that the Governments and companies in this region have taken cybersecurity seriously from the very beginning, focusing on developing a serious and cohesive regulatory framework around information security and data protection.
Haider Pasha, Chief Technology Officer – Emerging Markets at Symantec, stresses that government regulation with regard to cybersecurity is one of the key factors in why the Middle East remained largely unscathed by such attacks, with board-level executives taking considerable measures to ensure their organisations remain protected.
“Additionally, Petya was specially meant to target a non-regional country, hence its limited reach,” Pasha added.
“The presence, with very limited exceptions, of serious information security and data protection legislation helped Governments and organizations in the region to pay more attention to adequate policies and procedures around security. Therefore, these companies are less vulnerable than their counterparts in regions with less developed regulation,” said Ahmad Mubarak, Sr. Systems Engineer – Middle East at Infoblox.
Attacks such as ransomware often pass through many security checkpoints, such as email filters, endpoint protection and more. Traditionally, however, these products have worked independently, reflecting the fact that, in many organisations, each part of the network is managed and secured separately.
“Organisations also need to ensure their firewall has an active, up-to-date gateway security subscription to receive automatic protection from ransomware attacks. In this case, simply detecting the worm is not sufficient, as it automatically propagates internally once a system has been infected,” explained Florian Malecki, International Product Marketing Director at SonicWall.
Ransomware typically gains access to a network when an employee visits a compromised site or downloads a compromised file via email. It is therefore absolutely critical that CIOs communicate the importance of having up-to-date protection to their organisation and also take steps to educate personnel on best practices.
“Ransomware relies on a variety of tricks to infect users. If there’s any doubt about an email’s legitimacy, leave it be. Especially emails from unknown origin with a strong call to action. Having a robust backup strategy and proactive defenses will greatly enhance your chances of preventing or recovering from a ransomware attack,” stated Harish Chib, Vice President ME & Africa at Sophos.
Kalle Bjorn, Director of Systems Engineering at Fortinet Middle East, says that in a post-attack scenario it becomes very difficult to get help from legal entities.
“Tracking down the attackers is very difficult and even if the attacker is identified they might be based out of a country that does not have a legal system that would allow prosecuting the attackers. Or in some cases the attacker might even be a nation state,” Bjorn explained.
Symantec believes that enterprises should never cooperate with criminals if infected by ransomware, as there is no guarantee that they will receive their files back. Additionally, the chances of getting breached again are higher once the attackers have identified that their target has the means to make payments.
Creating a perfectly secure environment is very difficult. However, once impacted, under no circumstances should the affected parties strike a deal with the attackers, warns Warren Mercer, Security Researcher at Cisco Talos.
“Paying the attackers provides more financial incentive and more money in turn allows attackers to potentially buy better exploits, more developers and more infrastructure,” Mercer added.
Hence, speed of communication from the CIO is key to reassuring stakeholders that the required steps are being taken to contain any incidents. CISOs need to ensure that antivirus and malware signatures are updated to the latest versions and that a recent backup of data is secured offsite to limit any loss of data.
Jacob emphasises that it is equally important for CISOs to be alert to threat intelligence feeds from the research labs of global security partners such as Paladion regarding the developing situation. Information on the vulnerabilities used in the exploit needs to be communicated to the relevant technical asset owners so they can check their systems and prioritise the closure of any open vulnerabilities. The latest patch information needs to be used to close the affected vulnerabilities in the systems.
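The workflow described in the two paragraphs above (take a threat intelligence feed, cross-reference it against the asset inventory, route open vulnerabilities to their technical owners, and prioritise closure) can be automated. The following is an added illustration, not code from the article or from any vendor quoted in it. The intel feed, the inventory, the CVE identifiers and patch identifiers are all constructed placeholders, and the scoring weights are an assumption chosen to make self-propagating, actively exploited vulnerabilities on internet-facing hosts rise to the top.

```python
from collections import defaultdict

# Constructed threat-intel feed: which vulnerabilities are being exploited right now,
# whether the exploit self-propagates (as EternalBlue did for WannaCry and Petya), and
# which patch closes it. CVE and KB identifiers are placeholders, not real advisories.
INTEL_FEED = [
    {"cve": "CVE-0000-0001", "exploited_in_wild": True,  "wormable": True,  "patch": "KB-PLACEHOLDER-1"},
    {"cve": "CVE-0000-0002", "exploited_in_wild": True,  "wormable": False, "patch": "KB-PLACEHOLDER-2"},
    {"cve": "CVE-0000-0003", "exploited_in_wild": False, "wormable": False, "patch": "KB-PLACEHOLDER-3"},
]

# Constructed asset inventory: hostname, technical asset owner, exposure, patches applied.
INVENTORY = [
    {"host": "fileserver-01", "owner": "infra-team",    "internet_facing": False, "patches": {"KB-PLACEHOLDER-3"}},
    {"host": "web-portal-01", "owner": "web-team",      "internet_facing": True,  "patches": set()},
    {"host": "hr-laptop-07",  "owner": "endpoint-team", "internet_facing": False, "patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}},
]


def risk_score(advisory, asset):
    """Higher score means close it first. Weights are an assumption for illustration."""
    score = 10                                  # baseline: any unpatched item in the feed
    if advisory["exploited_in_wild"]:
        score += 40                             # active exploitation beats theoretical risk
    if advisory["wormable"]:
        score += 30                             # one infected host can seed the whole network
    if asset["internet_facing"]:
        score += 20                             # reachable by the initial wave, not just laterally
    return score


def open_findings(feed, inventory):
    """Cross-reference feed and inventory: every (host, cve) pair whose fixing patch is absent,
    ranked by risk score (ties broken deterministically by host then CVE)."""
    findings = []
    for adv in feed:
        for asset in inventory:
            if adv["patch"] not in asset["patches"]:
                findings.append({
                    "host": asset["host"],
                    "owner": asset["owner"],
                    "cve": adv["cve"],
                    "patch": adv["patch"],
                    "score": risk_score(adv, asset),
                })
    findings.sort(key=lambda f: (-f["score"], f["host"], f["cve"]))
    return findings


def work_orders(findings):
    """Group the ranked findings per technical asset owner, preserving priority order,
    so each owner receives only the items they are responsible for closing."""
    orders = defaultdict(list)
    for finding in findings:
        orders[finding["owner"]].append(finding)
    return dict(orders)


if __name__ == "__main__":
    for owner, items in work_orders(open_findings(INTEL_FEED, INVENTORY)).items():
        print(f"== {owner} ==")
        for item in items:
            print(f"  [{item['score']:3d}] {item['host']}: {item['cve']} -> apply {item['patch']}")
```

Running the block prints one work order per owner. The design point is that the ranking is driven by the feed (is it exploited, does it spread on its own) combined with the asset's exposure, rather than by patch age alone, which is what lets a team with limited maintenance windows close the vulnerabilities that matter during an outbreak first.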
The impact of attacks could be considerable, since the rise of digitalisation and electronic retail services, spurred by a surge in the usage of smartphones, affordable data packages and the Internet of Things (IoT), has exponentially increased cyber risks. Enterprises can use such ransomware attacks as a learning point, and consequently take measures to enhance their protection against similar attacks in the future. The aftermath of a major attack is an excellent time to reflect on what went well and what requires addressing in the near future. If gaps are found in defences and responses, then this is the opportunity to examine what can be done to secure systems against future attacks.