Ransomware Gangs Pummel Southeast Asia

A spate of major ransomware attacks in Southeast Asia in the first half of this year was just the beginning.

Companies and government agencies in Southeast Asia — especially Thailand, Japan, South Korea, Singapore, Taiwan, and Indonesia — have experienced a significant increase in attacks, outpacing the rate of ransomware growth in European nations, according to telemetry data from Trend Micro. Major incidents such as the June ransomware attack by a gang known as Brain Cipher that disrupted more than 160 Indonesian government agencies, are likely to multiply as the economies in the region grow.

Many companies and organizations in Asia are rushing to digitize their infrastructure, but often at the sacrifice of security, says Ryan Flores, senior manager of forward-looking threat research at Trend Micro.

"There is a lot of digitization initiatives happening in the region, with governments supporting and encouraging the adoption of online services and payments," he says. "Because of the rush to infrastructure and services, security is most often relegated to a lower-level priority, as priority number one is to get the service or platform to market as soon as possible."

Already, companies and organizations in the Asia-Pacific region have suffered serious cyberattacks, confirming signs that threat groups have focused on the region. In March, a major brokerage in Vietnam had to shut down securities trading for eight days, following a ransomware attack that encrypted critical data. The same month, Japanese officials called out North Korean hackers for polluting the Python Package Index (PyPI) with malicious code capable of dropping ransomware on victims' computers.

While more than three-quarters of ransomware attacks continue to target organizations in North America and Europe, the share of successful cyberattacks that impact other regions — especially Asia — has spiked. In 2023, the number of publicly reported ransomware attacks grew 85% in Asia, according to data from cybersecurity information services firm Comparitech.

Other threat trackers show similar trends: India and Singapore are both in the top six most-targeted countries tracked by cybersecurity firm Sophos, according to the firm's "State of Ransomware 2024" report.

APAC a Ripe Field for Ransomware

Ransomware groups are targeting the most critical and vulnerable industrial sectors in the Asia-Pacific region. The manufacturing sector saw a significant increase in attacks, with 21 confirmed ransomware events in 2023, followed by 16 for the government sector and 11 in healthcare, according to data compiled from public reports by Comparitech.

One major factor is that many countries do not have a breach notification law in place, leading to a significant underreporting of breaches and less focus on cybersecurity in Asia. The popularity of cryptocurrency in many Asian countries also has resulted in a greater likelihood of companies paying ransoms, says Rebecca Moody, head of data research at Comparitech.

"In a lot of cases, the only time you find out if [an attack has] been confirmed or not is because of system disruptions or websites going down ... whereas ... if they managed to get the systems back online and nobody's none the wiser ... then they can kind of skirt over it," she says.

Ransomware, along with cybercriminal fraud, is endemic in the Asia-Pacific region. North Korean groups use ransomware, cryptojacking attacks, and other schemes to siphon cash from the global economy, as well as conduct espionage. Large fraud centers in Cambodia, Laos, and Myanmar — essentially forced-labor camps — run by criminal syndicates from China and other Asia nations conduct massive industrial-scale romance scams and "pig butchering" to generate tens of billions of dollars a year in revenue.

Big Money, Minimal Effort

In the end, however, the increase in ransomware attacks is likely less about specific targeting and more about the increase in potential victims, as companies implement digital transformations but fail to update their security as quickly, Trend Micro's Flores says. The relative immaturity of the region's cybersecurity ecosystem, along with increasing regional tensions, are more likely behind the rise in attacks rather than specific targeting.

"Ransomware groups and cybercriminals in general are opportunistic, so I don't think they are really focused on one region over another," he says. "What they focus on instead are big payouts with minimal effort, so if there are infrastructure that are vulnerable, open, or misconfigured, those are easy targets for them and it does not matter if that is in Asia, Europe, or Africa."

National governments in the Asia-Pacific region have already started to update their regulations to improve security. In May, Singapore updated it Cybersecurity Act to account for its critical infrastructure sector's reliance on third parties who use cloud services, while Malaysia passed legislation in April that requires cybersecurity service providers to be licensed to do business in the country, although the details still need to be ironed out.

Companies in those regions should focus on covering their bases and implement foundational defenses, says Matt Hull, global head for strategic threat intelligence for the NCC Group, a cybersecurity consultancy.

"Organizations must prioritize regular patch management to close known vulnerabilities, enforce strong password policies to prevent easy exploitation, and implement multifactor authentication (MFA) to add an additional layer of security beyond passwords," he says. "Additionally, it’' essential to establish robust detection and monitoring systems that can swiftly identify and respond to potential threats."