Criminals Are Testing Their Ransomware Campaigns in Africa

The industry consensus about ransomware is that it's not going away anytime soon, evidenced by the consistent growth of ransomware attacks over the past decade. We've seen some of the biggest ransomware attacks in history — including the JBS, Colonial Pipeline, and Equifax breaches — over the past five years. What's more, between 2023 and 2024, there was an 81% year-on-year jump in the number of recorded ransomware attacks, according to cybersecurity research firm Black Kite.

And according to a report earlier this year by cybersecurity research firm Performanta, ransomware gangs have a new strategy: Ransomware-as-a-service (RaaS) organizations are focusing on African nations as initial targets for nation-state attacks before launching malicious campaigns in more developed climes.

But what makes Africa a choice destination for these so-called "RaaS gangs," and what does this mean for the burgeoning economies on the continent?

Why Africa?

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals. Performanta's report, which shows that Africa is increasingly becoming a testing ground for ransomware attacks, raises serious concerns for the continent's future and underscores the urgent need for collaboration among African states, corporations, and the West.

One draw for the cybergangs is the continent's overall low levels of cybersecurity strategy at the national level. In the 2024 edition of the International Telecommunication Union's Global Cybersecurity Index, only nine out of 44 countries in Africa qualified for the first or second tier of cybersecurity maturity. While this is an improvement over the previous report's rankings, that still leaves swathes of the continent less prepared.

Funsho Richard, a senior cybersecurity analyst and consultant, agrees with Performanta's findings.

"Africa's potential for profitable attacks amidst its digital growth is a magnet for cybercriminals," he says. Ransomware gangs and nation-state actors are exploiting the continent's weaker cybersecurity defenses to refine their methods in a "lower-risk environment" before launching attacks on better-secured developed nations.

This approach makes perfect sense from the attackers' perspective, as Gal Nakash, co-founder and CPO at identity-based SaaS security company Reco, explains.

"Building a sophisticated testing environment for a campaign is challenging," Nakash says. "Leveraging less interesting or poorly secured victims is more effective and increases the likelihood of remaining undetected by security tools."

In June, South Africa's National Health Laboratory Service (NHLS) confirmed it was dealing with a ransomware attack that significantly affected the dissemination of lab results as the country was responding to an outbreak of mpox (previously known as monkeypox). The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country's nine provinces. The spokesperson declined to say which ransomware group was behind the incident or whether a ransom was paid.

Signs and Guardrails

So how can African businesses identify these potential "ransomware testing" campaigns? Richard points out that, unlike traditional ransomware attacks that target specific industries like finance or energy, these campaigns might target a wider range of businesses.

Traditionally, ransomware gangs have a well-defined appetite: high-value sectors like finance, manufacturing, and energy. A recent surge in attacks targeting a wider range of businesses across various industries in Africa could be a red flag, indicating a testing campaign in progress.

Performanta's research also validates this concern. The report reveals a "large increase in financial/banking trojans with a 59% increase in Kenya and a 32% increase in Nigeria across a single quarter," suggesting gangs are casting a wider net.

Performanta's report suggests African organizations may not be fully prepared for this shift in attack tactics. While Nakash expresses confidence in the capabilities of modern cybersecurity solutions like extended detection and response/endpoint detection and response (XDR/EDR), he acknowledges a lack of widespread adoption. But he says that businesses that regularly update their cybersecurity controls and policies can stop attackers dead in their tracks.

"This includes maintaining visibility into their entire network environment, encompassing cloud, SaaS [software-as-a-service], on-premises infrastructure, and all the applications they use daily," Nakash says. "Critical applications should be mapped, and robust policies and alert notifications should be set up to identify and address any violations or misconfigurations that could create potential security vulnerabilities."

However, to spot the wider trend of test campaigns requires national coordination and strategy, as well as regional cooperation. The Africa Center for Strategic Studies cites several regional initiatives, such as Afripol, but warns that only 17 countries on the continent even have a national cybersecurity strategy.

Building a Strong Defense

What businesses on the continent need to stay cybersafe is a foundational approach — doing the basic things the right way. Ensuring that all configurations adhere to best security practices and setting up alert notifications for any suspicious activity are essential steps to prevent potential threats.

"Organizations need thorough visibility into their entire network environment, including cloud and on-premises infrastructure," Nakash says.

The fight against cybercrime requires a united front, says Guy Golan, executive chairman and CEO at Performanta.

"The West and Africa must implement long-term collaborative efforts to build a strong defense against this threat," he says. By sharing knowledge, resources, and best practices, both continents can work together to create a more secure digital landscape for all.

Building resilience against these attacks isn't just about protecting individual businesses; it's about safeguarding the future of Africa's booming digital economy.

"The solution lies in long-term collaborative efforts. Only then can we effectively combat this growing threat," says Richard.