Africa is falling victim to malware infection


Imagine this: You’re in the middle of a financial year-end when a blue-screen message pops up on your computer that reads: “Your operating system has been locked. Type in the encryption key. Visit website blah-blah to pay the ransom.” BOOM! Your company’s entire (and highly-sensitive) financial database has just been compromised and held hostage by cyber-extortionists. The timing is awful. The deadline is tomorrow.

What do you do? Do you stand firm and refuse to pay, threatening legal action in the hope they’ll crack first and unlock your computer? Or do you just suck it up and pay the $300 (R4 500) ransom in Bitcoin in the hope that these cyber-blackmailers restore your server’s functionality before tomorrow’s cut-off? Most people opt for the latter.

Ransomware is probably one of the most feared cybersecurity threats in today’s digital age. It’s a class of malware that encrypts all the files on your computer, in effect kidnapping them, and releases them only when a ransom is paid through an untraceable Bitcoin account to the hacker holding the encryption key.

In the past two years, there has been a significant increase in ransomware attempts on financial services companies throughout Africa. However, figures remain inconsistent as many corporates and companies are reluctant to reveal the extent of their compromise.

Whether you’re an individual or institution, everyone is at risk of ransomware attacks. But there is a higher degree of risk attached to businesses, more so those that handle confidential and sensitive information, to whom the effects of ransomware could be devastating from both a financial and reputational perspective.

David Jacoby, senior security researcher at Kaspersky Lab US’s global research and analysis team, has witnessed an increase in the number of professional cyber-gangs using ransomware in the last two years. “It’s a game of cat and mouse,” says Jacoby. He believes that the Internet makes malware available to virtually anyone with criminal intent.

“It’s increasingly becoming a problem in South Africa and companies are reluctant to report any instances for fear of reputational damage. It’s quite embarrassing to tell clients that the company lacks security,” says Jacoby, “but it also depends on the institution, especially those that handle sensitive data.”

Cyber-hackers even target government institutions like hospitals, compromising patients’ sensitive medical records. Doctors are unable to access your personal medical files because of the encryption, making it impossible to check things like your blood type or allergies. Compromising those files doesn’t just affect the hospital; it affects you as a patient.

Globally, ransomware has become a lucrative business. Experts at the security software company Norton by Symantec reported that nearly 3% of compromised users paid the ransom. Although the percentage seems small, it pays off for the hackers.


Norton by Symantec experts put it in figures. According to their study, they recorded:

• 68 000 infected computers in a single month (average 5 700 per day)

• Hackers demand between $60 and $200 (R850–R3 000) to unlock the computer

• If only 3% of victims pay the ransom, hackers earn up to $33 600 (R480 000) per day

• Some criminals earn up to $394 000 (R5.6-million) per month

But it’s not just Africa that’s a target. “Bad guys don’t care about regions,” says Jacoby. He says that these cyber-hackers develop malware that’s applicable for all regions. The only difference is that each region (whether it’s Africa or Europe) has different players in the game, localising emails and phishing attacks.

Jacoby says that these cyber-gangs have various players within each region. Some develop the actual code while others set up infrastructure and distribute the malware, making sure systems get infected. Those who distribute the malware will often localise the content of phishing emails. It might look like an authentic email from your local bank. “But ransomware itself is the same you get anywhere in the world. The only difference is in the way they distribute it.”

Phishing emails are a common lure for cyber-criminals. But why are so many people still clicking on dodgy email links? Jacoby says that it’s not all about clicking on the wrong email: cyber-criminals are also using known vulnerabilities in computer software to gain access.

“If not regularly updated, programmes like Java, Internet Explorer, Google Chrome, Firefox or even your media player are eventually vulnerable to something. If you don’t patch your computer, the bad guys only need to exploit one of these vulnerabilities to install the encryption code without you having to click on any links,” he says.

It’s a domino effect. Cyber-criminals can now hack normal websites, infect them with malicious code, and every visitor to that website running an outdated version of Internet Explorer or VLC Media Player can get infected too.

Jacoby says cyber-criminals are getting smarter too. Attaching malware to an email increases the chances of security software detecting the malicious file, so hackers now include links to websites that have already been compromised instead. Hackers won’t often register new domains; they rather compromise existing ones, making it harder for security companies to blacklist them.

Let’s say a vulnerability is found in a semi-popular South African website or forum. Security companies can’t really blacklist the website, as too many users depend on it. Hackers will even infect Dropbox, cloud and Amazon accounts.


“Ransomware is risky business,” says Ryan van de Coolwijk, product manager of cyber and HBM liability specialist at Hollard Broker Markets. The core risks include interruption to operations and financial losses resulting therefrom. This would include things like incident response costs, including the investigation and mitigation of the incident, lost productivity, cost to recover operations, staff overtime costs and legal fees.

“Apart from the risk of the full fallout from a data breach should data be compromised and subsequently publicised, reputational damage could lead to potential resulting loss of client and investor confidence and corresponding financial loss,” says Van de Coolwijk.

Another risk faced following the payment of ransom is that there’s no guarantee that your data will be returned or that you’ll receive the decryption key to unlock systems or devices. “There’s also no guarantee that you won’t be attacked again shortly after,” he says.

Van de Coolwijk refers to an instance where an online gambling service provider was hit with a ransom demand tied to a DDoS attack. A DDoS, or distributed denial-of-service attack, is one in which an attacker overwhelms an online service or website so that it goes offline.

The initial attack is typically for a relatively short period of time and payment is demanded to avoid sustained attacks. Locally, several instances have been reported, especially against online betting companies before the Durban July horse race. “The online gambling services company paid the ransom only to be hit by the same perpetrators a week later – demanding a higher ransom than the first attack.”


What we also need is training that helps people develop better ‘cyber hygiene’. This includes teaching people to update anti-virus software frequently, configure firewalls appropriately, and routinely back up their computers to discs that are then disconnected from the network. In addition, people should be taught how to deal with a ransomware attack and stop its spread by quickly removing connected drives and disconnecting from the Internet.

Jacoby advises companies to “back up, back up, back up.” Should you get infected, instead of having the headache of paying ransoms, you can simply reinstall your machine and put the backed-up files back on your computer. “Have an external drive backup that runs daily and make sure that you unplug the backup when it’s not running, otherwise, it may also get encrypted,” says Jacoby.

He also says that common sense should be applied. “People often think: ‘Well, I’m not a target. I have nothing to hide or information that hackers can use.’ These bad guys don’t care who you are as an individual. They target the masses and you are part of the masses.”


Malware can enter a company’s network through an email attachment. Some of the ransomware families include Trojan-Ransom.Win32.Onion, Trojan-Ransom.Win32.Locky and Trojan-Ransom.Win32.Scraper (TorLocker). Ransomware programmes typically encrypt user files on computers, including those with the pdf, doc, docx, xls, xlsx, ppt, pptx, jpg, jpeg, bmp, tiff, png, mpg, mpeg, avi, 3gp, mp4, m3m, mp3, wav, zip and java extensions.
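The backup advice from Jacoby and the file-extension list above fit together in a small script. The following is an added example, not code from the article, Kaspersky or Norton: it copies the document types the article names into a dated snapshot, records a SHA-256 hash of every copy, and can later verify the snapshot so that a backup drive that was left plugged in and got encrypted along with the workstation shows up as “changed” files rather than being trusted during a rebuild. The extension list is the article’s; the paths, function names and sample files are constructed for the demonstration.

```python
"""Offline-backup snapshot with an integrity manifest (added example)."""
from __future__ import annotations

import datetime as dt
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# File types the article names as typical ransomware targets.
TARGET_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "jpeg", "bmp",
    "tiff", "png", "mpg", "mpeg", "avi", "3gp", "mp4", "m3m", "mp3", "wav",
    "zip", "java",
}
MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large media files never sit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, backup_root: Path, day: dt.date | None = None) -> Path:
    """Copy every matching file under src into backup_root/<YYYY-MM-DD>/ and
    write a manifest of relative path -> SHA-256 of the copy. Returns the dir."""
    day = day or dt.date.today()
    dest = backup_root / day.isoformat()
    manifest: dict[str, str] = {}
    for path in sorted(src.rglob("*")):
        if not path.is_file() or path.suffix.lstrip(".").lower() not in TARGET_EXTENSIONS:
            continue
        rel = path.relative_to(src)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)                    # copy2 keeps timestamps
        manifest[rel.as_posix()] = sha256_of(target)  # hash the copy, not the source
    dest.mkdir(parents=True, exist_ok=True)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify(snapshot_dir: Path) -> dict[str, list[str]]:
    """Recompute hashes and report which copies are intact, altered (for
    example encrypted in place) or missing relative to the manifest."""
    manifest = json.loads((snapshot_dir / MANIFEST).read_text())
    report: dict[str, list[str]] = {"ok": [], "changed": [], "missing": []}
    for rel, expected in manifest.items():
        copy = snapshot_dir / rel
        if not copy.exists():
            report["missing"].append(rel)
        elif sha256_of(copy) != expected:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore(snapshot_dir: Path, dest: Path) -> int:
    """After reinstalling the machine, put back only copies that still verify.
    Returns the number of files restored."""
    good = verify(snapshot_dir)["ok"]
    for rel in good:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot_dir / rel, target)
    return len(good)


def demo() -> dict:
    """Constructed walk-through: back up a small document tree, confirm the
    snapshot verifies, then simulate the still-connected backup drive being
    encrypted and show that verify catches it before restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs, backups, rebuilt = root / "docs", root / "backup", root / "rebuilt"
        (docs / "finance").mkdir(parents=True)
        (docs / "finance" / "year-end.xlsx").write_bytes(b"constructed spreadsheet")
        (docs / "notes.docx").write_bytes(b"constructed document")
        (docs / "app.exe").write_bytes(b"not a user document, skipped")

        snap = snapshot(docs, backups, dt.date(2016, 6, 30))
        before = verify(snap)
        # Ransomware reaching a drive that was never unplugged overwrites the copy.
        (snap / "notes.docx").write_bytes(b"\x00ENCRYPTED\x00")
        after = verify(snap)
        restored = restore(snap, rebuilt)
        return {
            "before": before,
            "after": after,
            "restored": restored,
            "restored_files": sorted(p.relative_to(rebuilt).as_posix()
                                     for p in rebuilt.rglob("*") if p.is_file()),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it daily against the mounted backup drive and unmount the drive afterwards; the manifest is what lets you tell, on the next run or during a rebuild, whether the copies on that drive are still the ones you made.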