Protected by online anonymity, cybercriminals are extorting huge sums from companies. How should businesses prevent this, and how should they respond?
‘If you see the faces of a board of directors when they realise they are under attack, you’d swear they’d seen a ghost,’ says cybersecurity expert Graham Croock, describing the aftermath of the ‘dreaded call’.
The ‘dreaded call’ is a notification of a ransomware attack, an increasingly common phenomenon in South Africa. In 2021, for example, South Africa’s state-owned logistics company Transnet was thrown into disarray as a result of an attack. It was forced to declare force majeure, dealing a blow to an entire economy to which its services were essential.
Africa is undergoing a profound transformation. As the continent’s population goes online, information and communications technology systems are becoming an omnipresent part of life. Given the relative sophistication of its economy, this is especially true for South Africa. While this fosters opportunities for legitimate business, it has equally done so for criminals. ‘We’re a lot more connected than we were – but that has made us all more vulnerable,’ says Duncan McLeod, editor at TechCentral.
The ghost analogy is apposite. Cybercrime takes numerous forms. Ransomware is software that effectively captures a computer or network, encrypting data and locking users out, then demanding payment for the decryption key needed to unlock it. Sometimes, the ransom is coupled with a threat to leak or sell the information.
It is an impersonal, post-modern crime: the commodity stolen is information, and the thieves operate through encoded channels elsewhere in the world. Rather like a ghost of folklore, the criminals are elusive, but the impact is terrifying.
The earliest form of crude ransomware, AIDS Trojan, appeared in 1989, when floppy disks were posted to attendees of a conference that took place the year before. It locked access to users’ computers and delivered a demand for a ‘software lease’ payment to be made to an address in Panama. The disks originated from a biologist named Joseph Popp, whose motivations remain obscure.
Later iterations of digital ransoms began to appear in the 2000s, and with the COVID pandemic, criminal groups used the rapid shift to online work to their advantage; cybercrime spiked. McLeod describes ransomware as organised crime’s digital ‘weapon of choice.’
According to Sophos, a United Kingdom-based cybersecurity firm, some 69% of South African firms surveyed in early 2024 had been hit by a ransomware attack in the preceding year. Of these attacks, 76% resulted in data being encrypted.
Behind the extortion sits a cast of malign actors. Cybercriminals range from individual computer enthusiasts to established syndicates for which the online world is a complement to existing operations. ‘Cybercrime starts out with IT specialists,’ says Croock, ‘but it has become more organised. The traditional syndicates found that it wasn’t lucrative to do cash-in-transit heists any more. They had to take things online. It’s the same principle for a greater reward.’
Using the dark web, the ransomware field parodies everyday business activity. On online fora, services can be traded, collaborations negotiated, and technical solutions purchased. As security company BlackFog notes: ‘The most formidable ransomware syndicates function like modern businesses with defined corporate structures, marketing, customer service protocols, and common diversification into extortion affiliate models.’
A typical ransomware attack exploits vulnerabilities in organisations’ computer systems. Often, this relies on the human factor, such as delivering malware through a link in an email sent to an employee, or on breaching the systems of a client or supplier firm. The programmes may lie dormant for months – the proverbial ghost in the machine – before being activated. These invariably target backup systems as well as primary operating systems.
Craig Pedersen, cyber forensic expert at TCG Digital Forensics, explains that a frequent vulnerability lies in outdated software. While system designs are constantly upgraded, users might choose to remain with obsolete versions – perhaps because an industrial process cannot run on a newer version, for example.
But old systems are inherently penetrable. Indeed, when they are decommissioned in favour of newer versions, designers will publish reports on the flaws, giving invaluable intelligence to cybercriminals.
The target organisation’s data having been seized, contact will be made, perhaps via WhatsApp, or through a bespoke website. Payment is demanded, invariably in cryptocurrency, which makes tracing it difficult.
Where the affected company is governed by a board of directors, the board will need to decide how to respond – pay immediately or try to negotiate. Ultimately, payments are typically made, relying on insurance against losses from the attack to make up the costs. ‘Yes, they pay,’ says Pedersen, ‘even if they don’t acknowledge it. They don’t really have a choice, since losing the information can be an existential issue.’
This is a thorny issue in South Africa, which has been a trailblazer in corporate governance thinking – particularly regarding business’ responsibility to wider society. ‘How do you declare a R10 million ransom in your annual report? And how do you explain to your shareholders that someone got into their data?’ he asks. A reluctance to make such disclosures corrupts the corporate governance of the firms involved.
What is paid is shrouded in mystery, though some aggregate figures exist. The mean ransom demanded in South Africa, Sophos reports, is US$975 675 (R17 899 050); the mean paid is $958 110 (R17 576 815). Aside from the ransom itself, lost opportunity costs and spending on recovery add another US$1.04 million (R19.08 million) to the bill. (In 2023, the Council for Scientific and Industrial Research said the cost of cybercrime to South Africa was some R2.2 billion annually.)
Even if ransoms are paid, information is not always recovered. A 2023 multi-country survey by Veeam, a software company, found that some 28% of firms attacked with ransomware paid, but could not recover their data. And there is a risk that having successfully extorted an organisation once, a syndicate may be incentivised to do so again. The haunting will continue. The reality is that the ability to defeat ransomware attacks usually lags behind the abilities of those who perpetrate them.
Note that while ransomware demands may be made on South African firms, the syndicates may have no relationship to South Africa. The digital economy is global, and syndicates (or ‘gangs’) exist as identifiable online presences, but with the identities and locations of actual members unknown. This makes taking action to shut them down almost impossible.
Law enforcement responses have been limited. Pedersen says the capacity of South Africa’s government to fight cybercrime is marginal, as few detectives have the necessary skills to deal with it. ‘When you take a case to the authorities,’ he says, ‘you hope that you find someone who knows what you’re talking about. If you get to court, will the court understand what an IP is, or what cryptocurrency is? Cases typically run for years, and the justice system is just not at a point where it understands it.’
Going forward, artificial intelligence (AI) stands to drive cybercrime more aggressively. AI-based tools like WormGPT enable automated attacks, probing defences and lowering the barrier to entry for would-be cybercriminals. ‘AI is revolutionising the cybercrime environment,’ warns McLeod, ‘and also the ability to fight it. We are looking at an AI arms race in the coming years.’
What is to be done? Pedersen says the frontline response is technical: keep systems updated, educate staff about risks, and back up offline and offsite. Much of the immediate damage could be avoided if proper measures were in place.
The reality is that software firms attempt to keep pace with cyberthreats, but the vulnerability typically manifests in user behaviour. As Pedersen says: ‘Ninety percent of ransomware can be eliminated as a risk if people just maintain proper backup protocols and keep their operating systems updated.’
In policy terms, it is necessary to take a long-term, cross-national view. The scale of the problem must be acknowledged and the capacity of specialist law enforcement units built up accordingly. This means recruiting IT forensic specialists and ensuring their ongoing training.
This must be coupled with international law enforcement cooperation via institutions like Interpol. This is a critical minimal condition, given the transnational nature of the crime. But even with such cooperation, it’s difficult to physically locate and arrest cybercriminals.
McLeod suggests that it may be time for a debate on a global ban on ransomware payments. If it is possible to constrict the flow of rewards, it may disincentivise the crime, although this would only be possible if all countries enacted such a ban – and it may not be practically feasible, given the existential threat that data seizures pose to individual firms.
Finally, there is a need to educate the public about cybercrime, and people’s vulnerabilities to it. With life increasingly lived online, standard precautions for physical safety must be matched by precautions for online safety.
For now, the ghost is in the machine – or rather, the ghosts are in the machines governing modern life – with scant prospect of successful exorcism.
Terence Corrigan, ENACT research consultant and Project and Publications Manager, Institute of Race Relations