IT security pros are not the only ones with sandboxes and honeypots to test malware in, as hackers are doing the same – in developing parts of the world.
A report from Performanta says that many hackers would first try out new malware strains in developing countries, before targeting companies in the developed world.
The report claims this process is particularly effective as organizations in the developing world have less awareness of the issue of cybersecurity and as such are an easier target, so organizations in Africa, Latin America, and Asia are hit first, before the attackers pivot towards Europe and North America.
Cheaper malware
The researchers claim to have observed attacks in Senegal, Chile, Colombia, and Argentina, using strains which later ended up on systems in Europe and North America. One of the strains being tested this way is Medusa, a ransomware variant that was first seen in South Africa, Senegal, and Tonga, after which it hit organizations in the US, UK, Canada, Italy, and France.
In 2023, there were roughly a hundred reported cases of Medusa attacks.
In its writeup, Ars Technica discussed the problem with Nadir Izrael, chief technology officer at cyber security group Armis, who said attackers were observed discussing an exploit for a new vulnerability earlier this year. “They ‘specifically targeted a few [exposed servers] in third world countries to test out how reliable the exploit was,’” he said.
Armis confirmed the strategy a few weeks later, when its honeypots picked up the threat actor going after firms in Southeast Asia, first.
However, not everyone agrees with this assessment, with Microsoft’s director of threat intelligence strategy, Sherrod DeGrippo, telling the publication that in reality – malware and ransomware variants had gotten cheaper, allowing hackers in the developing world to mount their own, mini attacks.
Darktrace director of threat research, Hanah-Marie Darley, also believes Medusa lowered its prices, resulting in more attacks in poorer countries.