Here's how ransomware hits SA

Typical ransomware demand. (Duncan Alfreds, Fin24)

Cape Town – Ransomware is increasingly becoming a problem in SA and local companies are not reporting incidents for fear of reputational damage, says a security company.

“Statistics in South Africa remain vague as organisations are reluctant to reveal the extent to which they have been targeted by ransomware,” security firm Panda Security said in a statement to Fin24.

“However, anecdotal evidence points to this being a widespread issue - Panda is increasingly being approached by organisations looking for a real solution after being afflicted with ransomware,” Panda Security said.

Unlike other malware, ransomware is direct financial targeting. Once cyber criminals have encrypted data on a device, they demand payment, usually in the form of bitcoins. However, electronic funds transfers have also been employed.

“The impact of ransomware is difficult to calculate, since many organisations opt to simply pay to have their files unlocked - an approach that doesn’t always work. But a report on the Cryptowall v3 ransomware campaign, issued in October of 2015 by the Cyber Threat Alliance, estimated that the cost of that single attack was $325m,” said Paul Williams, major account manager for security firm Fortinet.

Number of attacks

According to data from Kaspersky Lab, 41% of South African companies recognise the threat posed by ransomware, also known as cryptomalware.

The malware enters company networks through email attachments and some of the malicious software programs include Trojan-Ransom.Win32.Onion, Trojan-Ransom.Win32.Locky (known as Locky) and Trojan-Ransom.Win32.Scraper (TorLocker) which cyber criminals have used to demand ransom of at least $300.

Locky, the most recent ransomware, has already been detected in 114 countries and SA has experienced the sixth highest number of attacks at 220, the highest number in Africa.

“Among other Trojans, Locky caught our attention because it was so active and spread so pervasively and quickly. We also noticed that the attacks weren’t partial to any particular region, where we have received notifications about attacks in over 114 countries across all continents – no other ransomware Trojan to date has targeted so many countries at once,” said Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.

Data from Kaspersky Lab shows that 2.3% of South African computers may have had a cyber infection in the last 24 hours.

Experts do not recommend that victims pay ransoms.

"Paying for ransom is a dangerous option. For starters, there is no guarantee your files will be returned or that the malware will be removed. Will the hacker exploit you again in six months’ time?" said Eset South Africa of ransomware scams.

Ransomware programs typically encrypt user files on computers with a 128-bit key, including those with pdf, doc, docx, xls, xlsx, ppt, pptx, jpg, jpeg, bmp, tiff, png, mpg, mpeg, avi, 3gp, mp4, m3u, mp3, wav, zip and java extensions, among others.

Demands for payment, usually in bitcoins, begin at about $300, but in many cases the amount is increased the longer you take to pay.

According to Symantec, users’ sentiment toward the encrypted data “can lead to irrational behaviour”, and payment to the cyber criminals.
