The Caribbean is increasingly a choice target for ransomware. During late October 2020 one of Trinidad and Tobago's largest conglomerates notified the public that a cybersecurity incident that began at its Barbados operations had migrated to Trinidad, affecting operations in some of its subsidiaries. The hackers behind the attack, REvil, claimed to have control over 17,000 critical files. The attackers threatened to make the files public unless a ransom was paid. Duly, when the company refused to pay the ransom, the cybercriminals reportedly released the information to the dark web.

Ransomware is one of the most feared types of cyber-attack. The malware encrypts files and documents, and often facilitates exfiltration, preventing work, locking up vital information, and providing a route to exposure. A ransom, often running into many tens of thousands of dollars or more, is required to obtain a decryption key. Ransomware is one of the most prevalent and successful types of cyber-attack. In 2020, according to a report from Sophos, over half of those surveyed had been victims of a ransomware attack.

The Caribbean is often missed out on reports into ransomware attacks. However, the region is as much at risk as anywhere else in the world.

Early warning signs The Caribbean is a ransomware target

Ransomware is a world-wide problem. The 2017 WannaCry ransomware attack was proof that these types of cyber-attacks are of world-wide relevance. At its peak, WannaCry infected organizations in over 150 countries, including The Caribbean. The warning signs that cybercriminals were focusing on The Caribbean has been seen in a number of reports. In 2016, a publication from the Center for Strategic Studies and McAfee focused on Latin America and the Caribbean stating that the region has “become a new frontier for cyber-attacks and crime at an estimated cost of around US$90 billion per year”. In 2017, PricewaterhouseCoopers (PwC) Caribbean Region put out a warning that Caribbean firms were “not paying enough attention to cybersecurity risks”. These reports were published during increasing ransomware attacks on organizations in the region.

Ransomware attacks are financially motivated. But the fraudsters behind the crime also look for ‘low-hanging fruit’, that is, companies that are least placed to prevent or manage such an attack. The cybercriminals behind ransomware also look for firms who are simply not taken precautions. Many recent targets of ransomware have included local government with some high-profile U.S. victims. A report from Barracuda found that 60% of all ransomware attacks in the US targeted local or state government. One of those hit by ransomware, Florida City, ended up paying over $600,000 in ransom money. Similar threats to organizations in The Caribbean are being seen as evidenced by the high-profile attack against ANSA McAl.

The Caribbean and ransomware-threats today

In October 2020, Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) published an advisory notice that a significant increase in ransomware attacks targeting Caribbean organizations has been identified.

The notice asked local firms to be diligent and aware of the threat level. The notice also described a number of key preventative measures against the main vectors used to target Caribbean firms, namely:

• Exploiting system vulnerabilities (particularly outdated firewall devices and exposed remote desktop protocol)
• Phishing emails with infected attachments or links
• Compromising user credentials

All three of these vectors are well known methods used to infect corporate networks with ransomware. Phishing, for example, is still the main way that malware ends up on a device. Phishing causes 90% of data breaches and 1 in 3 employees have been found to click the malicious link in a phishing email. Phishing is behind credential theft and malware infection with credential loss due to phishing increasing by over 280% since 2016. The intelligence gathered by (TT-CSIRT) is vital in helping Caribbean firms to mitigate these types of attacks.

Ways for Caribbean firms to mitigate a ransomware attack

Caribbean firms must be vigilant against the impact of ransomware. To do so, an organization should ensure certain measures are employed:

Protection against vulnerability exploits

• Make sure that all devices, including those used by remote workers, have security patches installed and software is up to date. System vulnerabilities offer a perfect exploit for ransomware, allowing infection to take hold and propagate throughout the corporate network and into cloud repositories.
• If possible, disable Remote Desktop. This can be more difficult as remote working is increasingly used. If your organization must use a remote desktop, consider access via a VPN, or implement a Remote Desktop Gateway.

Phishing prevention

• Use email scanning to help prevent phishing emails from being delivered and/or stop any malicious attachments from reaching end users.
• However, email scanning should be shored-up by using security awareness training for all staff. As part of this training, phishing simulation exercises that teach employees how to spot phishing emails should be used.
• Another useful measure is to authenticate inbound emails using specific policies and protocols such as DMARC.

Further ransomware mitigation measures

• If your organization is unfortunate enough to become a victim of a ransomware infection, having a back-up can ensure your business continues to operate. Backups must be performed regularly and be ransomware-proof, i.e., isolated from the main network to protect against ransomware infection.
• Web content filtering is a measure that helps prevent users from navigating to a malicious website even if they do click a link in a phishing email.
• Implement second factor authentication. This helps prevent attacks that rely on using stolen credentials.

A ransomware free future for the Caribbean?

The Caribbean may be small in scale in comparison with some of the territories around the world, but this does not place the region outside of the cybercriminal target list. While the TT-CSIRT has stated that Caribbean businesses are increasingly ransomware targets, these attacks do not need to result in an incident. By putting some key measures in place, the likelihood of a successful ransomware attack is much reduced.