The growth of ransomware has been the focus of headlines for several years. Typically, cybercriminals have prioritised targeting advanced economies such as the US, the UK, Canada and northern and central Europe with the hope of extorting a comparatively higher ransom from victims. However, in the past year there has been a step change in the targeting patterns of such criminal threat actors, and we have observed an increase in high-impact ransomware attacks targeting middle-income economies.

The persistent threat of ransomware in advanced economies has resulted in governments, law enforcement and cyber insurers increasing their scrutiny of ransom payments, making it harder for cybercriminals to successfully extort their victims. Meanwhile, middle-income countries are less hardened to this threat and have lower cyber security maturity, so cybercriminals have begun to perceive them as easier targets. Moreover, middle-income countries account for a third of global GDP and have thus far been a largely untapped market for cyber extortionists.

An increasing threat in Latin America, Eastern Europe

Latin America is the new ransomware frontier due to quickly growing economies, comparatively low investment in cyber security and strong cybercriminal knowledge and international links. In November 2022, Guatemala’s foreign ministry was named on a data leak site by a ransomware gang, after a previous attack in September. In August and September, cybercriminals took down Córdoba’s judicial system and Buenos Aires’ legislature in Argentina respectively. In April, Peru’s primary intelligence agency suffered ransomware and data leak extortion attacks, and in May the Costa Rican government declared a state of emergency after the now-defunct Conti ransomware group attacked multiple government agencies.

Last year, in late summer and moving into autumn, cybercriminals turned their attention to the Western Balkans: Bosnia and Herzegovina’s parliament was targeted in a ransomware attack just weeks before the September general elections, while Montenegro’s Department for Public Relations was disrupted in a ransomware and data leak extortion attack in August. This shift in targeting focus is likely driven in part by the broader geopolitical landscape – following the outbreak of the Ukraine conflict, Russia-based cybercriminal groups have increased their targeting of organisations in countries perceived to be adversaries of Russia. This reflects the blurring between ransomware threat actors’ political allegiances and financial motivations.

Public and private organisations in the crosshairs

Cybercriminals have repeatedly targeted government and public sector organisations in middle-income countries, with such attacks aiming to cause maximum impact by taking out critical public services and leveraging the widespread social and economic disruption to extort a ransom. However, although some of the most impactful and publicised attacks have severely crippled government organisations, the same trends are observed impacting private sector organisations in industries such as energy and manufacturing.

The threat to private sector organisations is two-fold. First, there is an increased likelihood that their operations, or those of their supply chain partners, will be targeted directly in new jurisdictions. Second, critical public services required for business operations are increasingly at risk of being taken out by disruptive ransomware attacks.

More broadly, the uptick in targeting middle-income countries is likely driven by the perception that organisations in these countries have less mature cyber security than those in advanced economies and are therefore more vulnerable to attacks. Also, the barriers to entry for cybercriminal capabilities continue to lower, particularly given the growth of initial access brokers on dark web marketplaces, while general cyber awareness improves in emerging economies, making it easier for low-capability threat actors to launch disruptive attacks for financial gain. The pace at which criminals’ capabilities are improving will far outstrip security improvements in such economies, generating a highly concerning threat landscape in the next 12 months and beyond.

Companies need to take measures to ensure they are protected against ransomware attacks both in bolstering proactive defences and in readying teams to effectively respond to ransomware incidents. Ransomware is unique in the cyber threat landscape as there are both technical and extortive tactics to understand, mitigate and prepare for. It is critical that you understand:

  • which groups are active in your region and targeting your sector
  • any jurisdictional regulations specific to cyber incidents and ransomware attacks and payments
  • threat actors’ technical and extortive tactics, techniques and procedures (TTPs)


By understanding these, you can proactively defend your network and understand how these groups will attempt to extort you, your clients and your suppliers. This will then enable your crisis management teams to navigate the various scenarios that can unfold on the new ransomware frontline.