Ransomware in the UAE: Evolving threats and expanding responses

Immediately following the outbreak of COVID-19, cyber attacks swept across the Middle East, leaving public and private entities highly vulnerable and transforming the pandemic into both a physical and a digital threat. Despite worldwide physical isolation, many people were more digitally connected than ever before, which vastly expanded the attack surface for eager cyber threat actors (TAs). More than two years on, we have seen how such actors were able to take social engineering attacks to the next level in the wake of the mass panic and social instability that followed the onset of the pandemic, effectively taking advantage of the new reality. Ransomware attacks, in particular, hit the Middle East rapidly and in great numbers, especially the United Arab Emirates (UAE), whose advanced digital economy and connectivity made it a promising target. Ransomware is a continuously evolving type of malware that hacks and infects devices, has the ability to lock and encrypt data restricting victim access, and holds the data until a ransom is paid to decrypt it or allow the victim to regain access. A closer look at how ransomware attacks unfolded across the UAE during the pandemic; the tactics, techniques, and procedures (TTP) used by TAs; and the UAE’s response provides an ideal case study for understanding how cyberattacks can affect a digital economy and highlights the need for greater digital security across the Middle East.

The impact of the pandemic

The UAE was in some ways an ideal target for the newly digitized attack surface in early 2020. With its advanced digital economy and widespread adoption of technology in the workplace, the country’s existing cyber vulnerabilities proved irresistible to attackers. When the pandemic forced a rapid transition to a work-from-home model, the lack of security awareness training among employees and of an understanding of how to run a safe virtual working environment among employers only exacerbated these security issues.

The UAE was required to roll out new technology at a rapid pace while creating and adopting more complexity in infrastructure without being fully prepared and protected. TAs identified the chance to capitalize on both existing weaknesses and the emergence of new ones resulting from the rapid adoption of new digital technologies, and they infiltrated organizations through unpatched vulnerabilities, which is the main attack vector that ransomware exploits. Existing unremedied weaknesses, sensitive remote environments, employee naiveté, and a rapid escalation in the implementation of new technology all contributed to an increase of malicious code executions and ultimately ransomware. The UAE’s evolving smart cities also proved to be an ideal target for malicious actors during the pandemic, and they continue to be at risk going forward.

The scale of the threat

Recent data and trends underscore just how severe the threat is: Compared to 2020 levels, cyber attacks increased by 50% globally and by a whopping 71% in the UAE in 2021. During the fourth quarter of 2021, there were 925 cyber attacks per week per organization globally on average, while in the UAE the average was 408 attacks. In 2020 throughout the pandemic, the UAE experienced a 250% increase in cyber attacks, which included 1.1 million phishing attacks, the most popular technique for carrying out ransomware attacks. Ransomware increased considerably as a result, with more than 33% new ransomware threat groups affecting 78% of UAE organizations in 2020 (up from 66% in 2019). Last year 59% of UAE organizations were hit by ransomware; although this was a lower overall percentage than the year before, reporting by Sophos indicates the impact and damage of these attacks was greater.

After a ransomware attack, companies are under immense pressure to get their business up and running again and have to make a difficult choice between paying the ransom or going through the complex and lengthy process of trying to recover and restore the application that runs that data. Paying the ransom creates a big risk because organizations are usually unaware of any additional meddling by the TA, such as backdoors or copying of passwords. Without a proper clean up, companies are vulnerable to a potential repeat attack because of the leftover toxic material on their network and could simply encourage more attacks.

According to a survey by Cybereason, 84% of UAE companies paid the ransom in these attacks, which is more than 20% higher than the global average. Of the companies that paid, 90% experienced a second ransomware attack and 59% found their data corrupted.

The rise of RansomOps

Over time, fairly simple repurposed malware strains utilizing old-school methods like phishing have been replaced by so-called RansomOps. This transformation has resulted in more sophisticated and complex campaigns in which the payload is just the final link in an attack chain.

RansomOps refers to the ransomware operation as a whole, which is now a highly targeted and human-driven operation functioning in a sophisticated, methodical, and unpredictable manner. Traditional malware, which is much more predictable and automated, is no longer in use, and RansomOps are now much more organized and closely resemble software-as-a-service companies. There are four main components that differentiate RansomOps from ransomware, all of which underscore the greater sophistication and specialization involved in these attacks:

• Initial access brokers
• Ransomware-as-a-service providers
• Ransomware affiliates
• Cryptocurrency exchanges

With the onset of the pandemic, leading ransomware groups worldwide saw an opportunity in the UAE. While these groups initially capitalized on the unique vulnerabilities created by the pandemic, they are now continuing their efforts due to both the rapid pace of digital adoption and the increasing sophistication of attacks. Ransomware groups that have targeted and continue to target the UAE include: Egregor, LockBit 2.0, Conti, Snatch, DarkSide, REvi, BlackByte, Xing, AvosLocker, Avaddon, Rook, and Pysa; of these, LockBit, Conti, and Snatch are the top groups that have targeted the UAE specifically. These groups are generally thought to be from Russia, China, or Iran and target leading organizations in the government, IT, and finance sectors.

Tactics, techniques, and procedures

These operators use similar TTP that shed light on the methodology of RansomOps.

1. RansomOps make use of a software-as-a-service method called “ransomware-as-a-service” (RaaS) that enables them to industrialize cybercrime. Entrepreneurial hackers are hired by these ransomware groups and capitalize on different RansomOps. According to Palo Alto Networks’ “Ransomware Threat Report 2022," “This is a business for criminals, by criminals, with agreements that set the terms for providing actual ransomware to affiliates, often in exchange for monthly fees or a percentage of ransom paid.” RaaS simplifies attacks, making them easier to carry out and enlarging the target audience while lowering the barriers to entry.

Of the above-mentioned ransomware groups, LockBit, Conti, and REvil are all RaaS operators, but their methods differ. The LockBit ransomware RaaS model allowed its affiliates to develop several different varieties of tactics and tools. For example, LockBit 1.0 had four different campaigns with different methodologies to access systems. For LockBit 2.0, affiliates used StealBit for automated data exfiltration. This ransomware pays affiliates only when a breach is successful and will earn a 10-30% commission from the payment. By contrast, Conti adopted a different approach, lowering the bar and paying its affiliates even when there was not a successful breach. This creates a greater incentive and encourages more attempts, which potentially results in more breaches and payments for the group.

2. Another major TTP is double/multi-extortion tactics. Ransomware attacks in the UAE have disrupted various businesses, creating concerns about continuity of operations and loss of income or valuable human resources. Although the rate of ransomware attacks has decreased and companies have adopted better protocols, ransomware has become more threatening and more sophisticated through the use of multi-extortion attacks. These types of attacks first involve exfiltrating the victim’s data while encrypting it on their systems, before subsequently demanding a ransom in exchange for the decryption key. If the ransom cannot be paid, the TA will threaten to release the data. Even though organizations have built better protocols to back up their data in the event of an attack, that does not prevent the release or sale of exfiltrated sensitive data and intellectual property if the ransom is not paid. Ultimately, the TA goes beyond just encryption by also leveraging leak sites and threatening additional attacks (distributed denial-of-service or DDoS) to strong-arm the victim into paying the ransom.

Egregor, the successor of Maze, which first used this technique, and DarkSide, the ransomware group involved in the Colonial Pipeline attack in the U.S, both use multi-extortion attacks, as do the other groups listed above.

3. A third TTP popular among these operators is “zero days.” Zero-day vulnerabilities are flaws that expose a weakness in software or hardware before developers are able to patch it. Zero-day attacks occur when attackers are able to exploit that flaw before it can be fixed. Ransomware groups will continue to take advantage of these opportunities, especially high-profile vulnerabilities, as long as they remain unpatched. Ransomware groups can also exploit third-party software or attack supply chain elements that can affect multiple organizations in the long run. Conti, DarkSide, and REvil have all taken advantage of zero-day attacks to exploit organizations before they have time to react.

Lessons from the UAE experience

The UAE has made the transition to the digital economy a national priority, with technologies like Artificial Intelligence, Blockchain, Fintech, the Internet of Things, and 5G rapidly gaining traction across the public and private sectors, but this also means it faces a heightened and increasing risk of targeted cyber threats. In short, the attacks faced by the UAE are potentially a sign of things to come and the country’s response could provide a model for how the region can deal with this growing security threat, both in the short and long term.

In November 2020, the country established the UAE Cybersecurity Council led by Mohamed Hamad al-Kuwaiti, head of cyber security for the UAE government. The Council was created to develop a cyber security strategy and build a secure cyber infrastructure by creating laws and regulations while also ensuring timely response capabilities to fight cyber crime. Recently, the UAE has been moving toward a “service-centric model,” signing preliminary agreements with multiple organizations, including Huawei, Amazon Web Services (AWS), and Deloitte, in hopes of achieving aggressive goals for countering cyber crime. This type of model shifts businesses toward a service-based cyber security approach rather than a technology-focused one, meaning they will outsource security operations to an expert and contract on a service-level, agreement-based offer. This approach also cuts costs, maximizes efficiency, and allows organizations to focus on their core business.

In terms of specifics, these agreements, along with a March 2022 deal with UAE-based Cyber Protection X, are aimed at building up local cyber security expertise and enhancing cyber training capabilities, sharing best practices, and encouraging research and innovation in the field. These partnerships are expected to boost the UAE’s cyber security infrastructure as it accelerates its transition into a digital economy. In 2021, the country ranked 5th place on the International Telecommunications Union’s Global Cybersecurity Index 2020, jumping 33 places, and it continues to prioritize cyber security and cyber awareness.

Outlook

Although these ransomware groups and trends are not UAE-specific, the country is in some ways a useful test case for understanding how the broader Middle East, with its fast evolving economies, might begin to better prepare for the security threats posed by the adoption of new technologies. Staying up to date with the evolving threat landscape is essential as ransomware is constantly changing and growing ever more prevalent. TAs will continue to leverage new techniques and organizations should be aware of what to expect. Dr. al-Kuwaiti has made it clear in recent statements that RansomOps will likely start moving toward the exfiltration and encryption of cloud data. Use of the cloud has grown, especially since the pandemic, and as a result, RansomOps are searching for vulnerabilities to target on platforms like AWS and Azure.

While past campaigns have targeted third-party storage, in 2022 RansomOps will likely also target customers more directly. Indeed, this is already happening, with 70% of UAE companies saying that ransomware attacks have targeted customer data. It is clear that such attacks will threaten multiple layers of security and civilian infrastructure, including potentially everything from oil to food supply chains, which remain fragile and vulnerable given the ongoing global impact of the pandemic, the war in Ukraine, and the associated economic disruptions. Moreover, this dynamic is unlikely to end with ransomware and innovation will inevitably result in new threats and challenges. As cyber security advances in the coming years, cyber criminals will be right behind the new trends, leveraging new technologies and attempting to stay ahead of the defenses.

Maria Harika is a MS in Cyber Security: Cyber Crime Investigation Candidate at the University of Alabama at Birmingham (UAB) and a Cyber Intelligence Analyst and Supervisor at the UAB Computer Forensics Research Lab. She previously served as a research assistant with MEI’s Cyber & Emerging Technology Program.

Eliza Campbell was previously the director of MEI’s Cyber & Emerging Technology Program. The views expressed in this piece are their own.

Photo by Lino Mirgeler/picture alliance via Getty Images