
Ransomware is still Africa’s biggest cyber threat

By , ITWeb
Africa, 18 Jan 2023

Ransomware operations remained the top cyber threat to companies and organisations across the world between H2 2021 and H1 2022, not least in the Middle East and Africa (MEA).

This is according to Group-IB’s Hi-Tech Crime Trends 2022/2023 report, in which the company’s threat intelligence analysts state that the number of companies that had their information uploaded onto dedicated leak sites (DLS) between H2 2021 and H1 2022 was up 22% year-on-year to 2,886, which corresponds to eight companies having their data leaked online every single day.

In the MEA region, 150 companies had their information leaked on DLS during the reporting period.

For the second consecutive year, Group-IB researchers observed the increasing impact of initial access brokers (IABs) on the ransomware market in MEA and beyond.

Group-IB researchers detected 2,348 instances of corporate access being sold on dark web forums or privately by IABs, twice as many as in the preceding period.

The number of brokers also grew from 262 to 380, leading to a drop in prices that made attacks more affordable for ransomware gangs and other threat actors. In the MEA region, the number of network access offers more than doubled to 179 in H2 2021 - H1 2022, resulting in a 23% drop in the price of total offers.

Global ransomware-related data leaks by region (H2 2021 – H1 2022) (Image: Group-IB).

A devil’s ransom

Group-IB adds that globally, 2,886 companies had their information, files, and data published on DLS in H2 2021 - H1 2022, a 22% increase compared to the 2,371 companies affected during the previous period (H2 2020 - H1 2021).

As with the preceding year, the number of ransomware-related data leaks peaked in the final quarter of 2021, when the data of 881 companies was shared on dedicated leak sites.

The cyber security firm says it is important to note that the actual number of ransomware attacks is believed to be significantly higher as many victims chose to pay the ransom and some ransomware gangs do not use DLS.

“It is worth noting that the number of victims whose data was published in the wake of ransomware attacks in H2 2020 – H1 2021 was 935% up from the preceding year. As a result, the 22% year-on-year growth seen in the observed period suggests that the Ransomware-as-a-Service market has passed the phase of rapid growth and is now beginning to stabilise,” says Dmitry Volkov, CEO at Group-IB.

Group-IB discovered that companies based in North America (50% of companies whose data was leaked by ransomware gangs) were the most affected by ransomware-related data leaks. Comparatively, the MEA region was the second-least affected by ransomware-related data leaks, as 150 companies from the region had their data published online. Only 5.3% of the leaks on DLS contained data from countries from this region.

The most affected countries were Israel (23 companies), South Africa (21), Turkey (14), United Arab Emirates (14), and Saudi Arabia (12).

Other affected countries in Africa were: Egypt (6 companies), Morocco (3 companies), Angola (2 companies), Botswana (2 companies), Nigeria (2 companies), Zambia (2 companies), Côte d’Ivoire (2 companies), and Burkina Faso, Congo, Ethiopia, Mali, Senegal, Tanzania and Tunisia (1 company each).

The most active ransomware gang in the MEA market was LockBit, responsible for 37% of publications of victims’ data from the region on dedicated leak sites. Second in this list was Conti, a Russian-speaking ransomware group that launched the devastating ARMattack campaign at the end of 2021; Conti was responsible for 12% of leaks. Third was Hive (4% of leaks).
