Ransomware focus heads south

Ransomware attacks, once concentrated on organisations based in developed economies in the northern hemisphere, have started to spread in frequency and size to more targets in the southern hemisphere, including the Middle East, Asia, Australia and South America. The cause is related to a complex set of factors, says Hiscox’s Eddie Lamb – Cyber Education and Advisory: “The shift in focus ranges from the displacement of criminal activity caused by the Russia/Ukraine conflict, to a perceived greater vulnerability of businesses in the southern hemisphere with less mature cyber defences. In addition, there is the evolution of ‘ransomware as a service’ subscription-based malware models serving Russian-speaking gangs only, to the introduction of more varied language options.”

Consequently, says Hiscox’s Tim Andrews – Senior Cyber Underwriter: “The focus must be on both multi-nationals with operations in the southern hemisphere region as well as companies domiciled in those regions to tighten up their approach to the ransomware threat.”

Ransomware attacks proliferate in southern hemisphere

In December 2022, the Swedish furniture retailer IKEA confirmed that some of its outlets in North Africa and the Middle East had been victims of the ransomware crew Vice Society. Was this a one-off for the region or part of a growing trend? A global record of reported ransomware attacks maintained by cyber security information provider Comparitech reveals that back in 2018, ransomware was mainly a northern hemisphere problem. But by 2022, the number of attacks in the southern hemisphere had begun to proliferate, particularly in South America, as well as Africa, across the Middle East, East and South East Asia, and the situation is likely to be worse than reported.

Further evidence that ransomware attacks – though by no means eradicated in the northern hemisphere – are increasingly a problem in the southern hemisphere is provided by analysing trends on the darknet, says Lamb: “Research on the darknet – conducted on the 28 February, 2023 – reveals that ransomware provider LockBit’s most recent victims were organisations targeted in Thailand, Hong Kong, Brazil and Argentina. In addition, the top ten ransomware darknet sites now show a huge shift from countries like Italy, Spain, UK, US, Netherlands to southern hemisphere locations including Vietnam, Singapore, Thailand, China, India, and Argentina. There is a clear trend of ransomware activity heading south.”

Geo-political instability drives change

The reasons why this growth of ransomware attacks is happening in the southern hemisphere alongside a corresponding drop in attacks in the northern hemisphere are multi-faceted, says Lamb. “There is a geo-political angle to this ransomware trend given the conflict in Ukraine with a repurposing and reallocation of criminal resources given a lot of dark net infrastructure was formerly hosted in Ukraine and that has moved.

“Last year we also saw some of the ransomware as a service (RaaS) malware models like LockBit open up to non-Russian speaking people. Previously only Russian speakers had access to their software but they have changed the rules which seems to be a response to their business challenges and probably less take-up from Russian speakers given the nature of the Ukraine conflict.” That means, Lamb adds, that hackers in South America, for example, can now use a platform hosted in Eastern Europe to target entities in their jurisdiction.

Other causes that make the southern hemisphere a target for ransom crews include the growing cyber maturity amongst organisations in the northern hemisphere and the corresponding cyber weaknesses of many businesses operating in developing economies. “In Europe and the US, for example, we have been dealing with the ransomware problem for much longer than many countries in the southern hemisphere. Organisations here have built advanced defences which makes targeting regions where ransomware hasn’t been a problem potentially easier and more profitable for the criminals,” says Lamb. There’s also typically more stringent regulation in the northern hemisphere for organisations to follow when it comes to data security, and demands like the EU’s Network and Information Systems Directive – shortly to be updated – all serve to make many businesses harder to hack, adds Lamb.

Insurers look for the weakest link

As a consequence of this geographical shift in ransomware attacks, cyber insurers are making sure they focus on the subsidiaries of multi-nationals when assessing overall cyber maturity, says Andrews. “Underwriters now typically spend more time looking at the weakest cyber security link in a business which often means taking a close examination of their subsidiaries in other parts of the world. Also in focus are newly acquired entities who may not have the maturity or controls that their new parent organisation benefits from, and have been the cause of an uptick in cyber insurance claims in recent years. If these acquired entities are in the southern hemisphere, they will now be the target of a greater number of ransomware attacks.

“For businesses operating in the southern hemisphere, it’s become just as important that they consider the risk of being targeted by ransomware crews in those regions and take appropriate steps to bolster their cyber security by both reinforcing their cyber defences, and ensuring they have a well-practised crisis management response should they fall victim.”

