Tuesday, 25th January 2022

Nigeria’s complicated ransomware problem and the ‘simple’ solution for it

By Guardian Nigeria
05 January 2022   |   3:00 am

Nigeria has a low internet penetration rate of only 3.6 percent, but it is faced with the same cyber threats of the same aggressiveness and sophistication observed in other countries.

According to Cybersafe Foundation, an African nongovernmental organization that advocates for inclusive and safe digital access, there is a need for greater awareness and collaboration in dealing with the growing menace of cybercrime in Nigeria.

Just like the rest of the world, Nigeria also has a ransomware problem. As reported in the second quarter of 2021, 22 percent of Nigerians had experienced ransomware attacks over the past twelve months. Some 39 percent said that they did not encounter a ransomware attack, but they expect it to happen in the future as they believe that ransomware is becoming more difficult to prevent because of its enhanced sophistication.

Lower incidence rate, higher impact
The numbers cited above actually show a significant decline in the number of people who fell prey to a ransomware attack. For the same survey period in 2020, the number was at 53 percent. Also, the same survey found that the number of organizations that became victims of cyber attacks in 2021 is at 37 percent, which is also a significant drop from 51 percent in 2020. It is also worth noting that fewer organizations (54 percent in 2021 vs 73 percent in 2020) said that their data were encrypted after a ransomware attack.

The report, which reveals that the average ransom paid in 2021 is around $170,404 (~70 million Nigerian Naira), also shows that only eight percent of organizations that pay the ransom manage to get back all of their data, while some 29 percent recover half or less than half of the data they lost.

This seeming improvement in numbers, however, does not exactly show that ransomware has become less of a threat in Nigeria. While the number of attacks may have gone down, there is actually an upward trend in the impact of the attacks. Ransomware perpetrators have apparently learned to specialize or conduct more targeted attacks instead of doing generic automated large-scale assaults. These targeted attacks employ more sophisticated tactics that tend to result in better outcomes for the attackers.

The report finds that the number of organizations that decided to pay the ransom rose to 32 percent in the current year from 26 percent in 2021. More victims are getting convinced that they should just pay to get back their data, but it does not change the fact that paying the ransom is still a bad decision given that only a few of those who pay are able to fully recover their data. Add to this the recent attack on Colonial Pipeline, which showed that even if the company already paid the ransom sought by the attackers, they still had to turn to their own backup because the decryption process was too slow.

Bolder than ever
A recent ransomware scheme proves the kind of temerity bad actors in Nigeria have. As reported recently, Nigerian ransomware perpetrators think it is possible to skip the usual social engineering step (phishing, baiting) in spreading their malware. They are convinced that they can just communicate directly with employees in an organization to convince them to install the malicious software.

Instead of trying to trick employees into downloading and executing an email attachment or some dubious file download, Nigerian cyber attackers bait disgruntled employees in companies into becoming a part of the scheme to compromise their organizations’ data. These ill-intentioned actors offer $1 million or a 40 percent share of the ransom to turn employees into accomplices in a ransomware attack. The amount promised is set to be paid in bitcoins or some other digital currency that supports anonymous transactions.

If it’s any consolation, though, this approach in deploying ransomware is said to be driven by the effectiveness of the automated anti-ransomware tools employed by many companies. Reportedly, the actors behind this bribe-an-employee strategy admitted that they find it difficult to get through the cyber defenses of many organizations, so they resort to this desperate tactic. Still, this desperation is not something to be downplayed, as it still managed to claw in victims.

Why ransomware attacks are so successful
The ransomware problem has been quite prevalent recently, as evidenced by the news coverage of numerous attacks over the past year. These include the recent high-profile ones such as the Colonial Pipeline, Kronos, Sinclair Broadcast Group, Accenture, National Basketball Association (NBA), and the National Rifle Association (NRA) attacks.

Attackers continue attacking because they know they have been succeeding so far. Two of the biggest reasons for this “success” are the lack of incident response plans and security testing among organizations. These points are supported by the statements of Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), in her speech at the Chatham House Cyber 2021 Conference.

“Many have no incident response plans, or ever test their cyber defences,” Cameron pointed out. This may sound contradictory to the point mentioned earlier about ransomware perpetrators offering bribes for employees to become accomplices in an attack against their own organizations, but it is not. Attackers get desperate when they fail to beat the cyber defenses of their target organizations because these organizations are taking cybersecurity seriously.

When companies put in place the right security controls and undertake meticulous security validation, the chances of becoming a ransomware victim decrease dramatically. Cybersecurity solutions generally work, so it is not a good idea to ditch them because of the belief that cybercriminals are too relentless and resourceful in coming up with more sophisticated ways to penetrate defenses, a sentiment shared by some 38 percent of organizations (as mentioned earlier). 

On the other hand, ransomware attacks continue to be successful because victims pay the ransom. The situation is no different from what is happening when authorities advise people not to pay any ransom to kidnappers and to work with the authorities instead. Ransomware attacks are profitable because there are those who pay. If nobody pays, this form of cybercrime will go away on its own.

Alas, a world where ransomware victims absolutely refuse to pay the ransom is not remotely realistic. As the numbers show, more organizations have succumbed to the ransomware demand in 2021 compared to the situation in the previous years.

Simple solution for a complex problem
Addressing the problem of ransomware boils down to two basic solutions: having the right security controls and security testing. These security controls include everything from the software tools to the security measures and employee education programs designed to combat social engineering efforts. Meanwhile, security testing or validation is about making sure that the controls and measures are working effectively, free from vulnerabilities that can be exploited to disable an organization’s cyber protection.

Doing all of these may not exactly be that simple, but these two are basically enough to address the ransomware problem. It’s just a matter of choosing the right security controls, designing effective security policies, and ensuring thorough security validation that is preferably threat-informed or driven by an adversarial perspective and supported by dependable and up-to-date threat intelligence networks and threat detection frameworks.