The State of Ransomware Attacks in the Middle East

Vast wealth from natural resources, dynamic regional politics and a significant investment in technology have resulted in the Middle East becoming a fertile ground for ransomware and other types of cyber attacks. This article looks at the state of ransomware in the Middle East by focusing on some recent attacks and highlighting important takeaway lessons.

Cybercrime in the Middle East: Statistics

Before exploring some specific ransomware attacks in different Middle Eastern countries over the last couple of years, it is worth approaching the topic armed with some interesting statistics about the current state of cybercrime in this region of over 400 million people.

  • In Saudi Arabia and the UAE, the average cost of a data breach is $6.53 Million per breach, almost $3 Million higher than the global average of $3.86 Million.
  • In the Middle East, there were 2.57 Million phishing attacks from April-June 2020. Phishing attacks are a key mode of delivery for ransomware.
  • A recent report found that Israel was the 4th most targeted country worldwide in terms of attack volumes.

Oman United Insurance, Oman: January 2020

The year 2020 began with bad news for Oman United Insurance when it was revealed that the company had become the victim of a ransomware attack. Oman United Insurance is one of the largest insurers in Oman. According to a company spokesman who spoke with local media, the attackers targeted the main server, leading to data loss and encryption.

Luckily for Oman United Insurance, it seems reasonable cybersecurity defenses were in place, which limited the scope and damage of the attack. Online operations resumed after a 24-hour disruption to services.

Thanos Ransomware, Undisclosed Location: July 2020

Thanos is a relatively new ransomware family that was first observed in February 2020. July of the same year saw a major report released by Palo Alto’s Unit 42 threat intelligence team indicating an attack on a state-run organization in the Middle East and one in North Africa. 

The report referred to a variant of Thanos ransomware that used a 2048-bit public key to encrypt files. A text file revealed a $20,000 ransom demand to decrypt them. It would take a classical computer 300 trillion years to crack this type of key.

The report didn’t reveal the identity of the target organizations or the countries they operate in. Most disconcerting about this attack was that it showed the Thanos ransomware family is still undergoing modifications that are adding more potent functionality.

Pay2Key Ransomware Campaign, Israel: November 2020

A ransomware campaign conducted by an Iranian threat group targeted several Israeli businesses and organizations in November 2020. The ransomware in question was a previously unknown variant named Pay2Key.

This particular ransomware variant targets Remote Desktop Protocol (RDP) connections. Businesses around the world started using RDP far more often in response to the global pandemic because it allows employees to remotely connect to their work computers.

Shirbit, Israel: December 2020

In early December 2020, the BlackShadow hacking group published sensitive information online belonging to employees of the Israeli insurance company, Shirbit. Credit card details, a vehicle registration number, and an image of the CEO’s passport photos were included in leaked documents published online. The company specializes in auto, retail, and travel insurance.

The little-known hacking group demanded a payment of 50 bitcoins from the insurance company, which amounted to almost $1 million at the time. Speculation began about whether Shirbit paid the ransom or the hackers sold some of the data online when bitcoin payments made their way into the group’s bitcoin wallet.

Takeaway Lessons

As the ransomware problem continues to escalate both regionally and globally, it is easy to get lured into a defeatist mindset. However, analyzing the kinds of breaches that occur provides ample opportunity to keep up with trends, learn lessons, and ensure your organization is ready to prevent and combat attempted infiltrations.

  • The Oman United Insurance attack serves as a compelling example of how backing up your data regularly negates any notion of caving in to hackers’ demands and paying their ransoms to return your data. Cloud failover servers deployable from any location are also useful tools in your arsenal against disruptions caused by ransomware.
  • The emergence of a more potent version of Thanos ransomware highlights how hacking groups continue to modify their malicious software and make it harder to detect by even the most advanced systems. The sensible approach for organizations is to stop ransomware at the source with an email security platform that can detect and block phishing emails before users click on any suspicious links inside.
  • The Pay2Key campaign acts as a warning to organizations about the importance of securing RDP connections that facilitate employees working from home. Even with global normality fully restored in a post-Covid world, it is likely that far more employees will remain working from home in some capacity than before the pandemic.
  • The Shirbit attack shows that finance remains a lucrative target for ransomware groups who believe the large sums of money on the line in the financial sector can result in higher payouts. All financial services companies need to take cybersecurity very seriously and make it part of their mission to have a security-aware culture.
