Illustration: Si Weon Kim
The country of Vanuatu is the latest victim in a string of crippling ransomware attacks on small countries this year. Experts say various motives underlie these incidents but disagree on whether this trend reflects a shift in threat actors away from well-resourced Western nations.
On Nov. 4, newly elected Prime Minister Ishmael Kalsakau assumed office in the tiny South Pacific island nation of Vanuatu. Two days later, Kalsakau’s government was caught off-guard by a ransomware crisis that halted the government’s ability to engage in financial transactions, shuttered all civic phone systems, including those of fire and rescue services, and forced hospitals and medical services to rely on pen-and-paper communications. Virtually all these systems remain non-functional over five weeks later.
Vanuatu is just the latest victim in a string of crippling ransomware attacks on small nations in 2022. Cybersecurity experts say there is no single motive behind these incidents, although most likely were driven by financially motivated actors. In addition, ransomware analysts disagree about whether threat actors have shifted their focus to smaller nations and away from Western nations, although they are unanimous in believing such attacks will continue. One thing, however, is clear: small countries can better position themselves to defend against — and recover from — ransomware attacks.
2022 is the year of ransomware attacks on small nations
Although ransomware threat actors have long targeted federal, state and local governments in the U.S. and various arms of governments throughout Europe and Latin America, 2022 witnessed an unusual number of devastating attacks that essentially shut down small nation-state governments. In April, the government of Costa Rica suffered the first of two ransomware attacks by the Conti threat group that damaged the country’s functioning so severely that it declared a national emergency.
In July, the government of Albania shut down its computer and internet systems following what seemed to be a financially motivated ransomware attack. However, both U.S. authorities and Albania subsequently called the attack a false flag operation by Iranian threat actors.
In late August, multiple government digital systems were taken down for weeks following a ransomware attack by the Cuba ransomware gang on the small European nation of Montenegro. Chile was hit by a ransomware attack that same month, although it wasn’t as disruptive as some of the other incidents.
Difficult to identify attackers and their motives
Except for Albania, the fog of recent ransomware attacks on small countries often obscures who the attackers are and their motives. “You have to look at each one of the cases individually because not all ransomware actors are the same,” Redacted director of threat intelligence Adam Flatley told README. “You can’t group ransomware actors as a single entity with a common philosophy. Each one of these things is an individual case with individual motivations.”
“In some cases, they could very well be accidental spillover. It’s really easy for these kinds of operations to go wrong,” Flatley said, “but some of these are absolutely intentional. And they may not even be done by a true cybercriminal gang. It could even be run by a government using the cover of cybercriminal activity to conduct destructive operations against one of its adversaries. So, it’s a grab bag of varieties of motivations.”
Kimberly Goody, the senior manager, cyber crime analysis at Mandiant, told README that attacks on small nations can generally be attributed to two kinds of threat actors.
“When we look at the case of Costa Rica, for example, that particular attack was conducted by a financially motivated actor whose goal was to obtain payment for a ransom,” Goody said. “When we look at the attack on Albania that was attributed to Iran, that particular attack didn’t necessarily have the goal of profit. That is an important distinction.”
Chris Painter, president of The Global Forum on Cyber Expertise Foundation and the former top cyber diplomat for the U.S. State Department, told README that he thinks attacks on small nations “are a combination of targets of opportunity, from ransomware actors who think they can make money and nation-states who are trying to disrupt, and to some extent, hacktivists.”
Are ransomware attacks on small nations a new development?
It’s unclear if ransomware attacks on small countries are a new development or if they’re simply becoming more public. Financially motivated threat actors are notorious for being indifferent to who their targets are so long as they can pay. As a result, some small countries may have experienced brutal attacks but paid the ransom to avoid public disclosure.
“I want to caution against people saying that is like a new trend because to me, it’s just more of the same; it’s not really a new trend,” Flatley said. “These are just nations and criminal groups operating as they always have.”
Experts say it’s likely that financially motivated threat actors don’t care who their targets are so long as they believe they can make some easy money. “I think the criminal actors will go for the lowest-hanging fruit,” Painter said. “They’ll go for where the path of least resistance is, where there are lower chances of consequences for them. And it’s easier to get in.”
Does this trend signal a shift away from Western nations?
Even as financially motivated threat groups become more active in smaller countries, it’s unclear if ransomware is on the decline in better-resourced Western nations. National Security Agency cybersecurity director Rob Joyce said in May that ransomware was going down in the U.S., which he attributed to the Ukraine conflict, only to backpedal later.
Emsisoft threat analyst Brett Callow told README that increased determination by attackers and tougher stands against ransomware by the U.S. and other countries could cause threat actors to cast their gaze elsewhere.
“These things are combining to shift the risk-reward ratio more in favor of risk than it has been in the past,” Callow said. “So I suspect the gangs are testing the waters in new markets such as Vanuatu to see what happens and whether they can monetize in those new markets with less risk than carrying out attacks in the U.S. and Australia.”
Glen Craig, chairperson of the Vanuatu Business Resilience Council and managing partner of Pacific Advisory, told README that he and his colleagues in Vanuatu speculate among themselves that big Western nations have gotten wise to the ways of financially motivated cybercriminals, forcing threat actors to look elsewhere.
Mandiant’s Goody partly agreed. “We’ve definitely seen a broadening in the targeting of threat actors,” she said. “One of the places where we can look at data are the data leak sites, which, granted, are skewed to victims that don’t pay. But, historically, North America was the most targeted of the world’s various regions. What we’ve seen is a 10% decrease [in North American] attacks year-over-year since 2020. So, in 2020, 64% of all the victims appearing on those sites were based in North America compared to only 46% in 2022.”
Redacted’s Flatley, however, said he doesn’t see any diminution of interest in Western nations by ransomware gangs. “I feel like the U.S. and Europe are still incredibly vulnerable to ransomware attacks,” he told README. “I don’t see this as a sea change where they’re starting to shift and attack these more vulnerable countries because the money is in the West and the big fish. These guys are making so much money operating in the West that to go for something easier where you don’t make even a fraction of the profit doesn’t seem to fit their mentality.”
Experts’ advice for small nations
In terms of what small nations can do to better protect themselves from ransomware attacks and shorten the recovery time following these incidents, cybersecurity experts agreed that the best advice is what they would tell any government or private-sector organization: implement better risk management practices and adopt better cyber hygiene habits.
Independent cybersecurity researcher and consultant Lukasz Olejnik told README that small nation-states “should devise a dedicated team and a plan, add resources and make people accountable. It’s about technical and organizational solutions.”
“The advice that CISA and other agencies have pushed out to U.S. organizations is the same advice that applies to smaller nations,” Callow said. “It’s things like segmenting networks, enabling multi-factor authentication, it’s patching systems, and in the case of poorer countries, that’s stopping using pirated software so very often.” (Pirated software is notorious for containing embedded malware.)
“For countries that are resource-constrained, it’s tough,” Goody said. “We also have seen an increase, compared to prior years, in vulnerability exploitation used as an initial infection vector, which underscores the importance of doing regular patching on these external facing systems, especially when it’s known that a ransomware threat actor has leveraged that as an initial access point.”
Painter pointed to the importance of more well-resourced nations helping smaller nations build cybersecurity capacity. “Almost all developing nations, really all countries, are very hot on the idea of digital transformation. But as you’re doing that, you need to think about cybersecurity as a base for your country’s growth,” he said. “It means you need to give it some political priority and do things like having national strategies.”
Vanuatu still trapped in murky circumstances
Whatever the underlying trends surrounding 2022’s spate of ransomware attacks on small nations, the attack on Vanuatu is still unresolved, with little clarity on what happened and when. As is often the case, victims initially report ransomware attacks as generic “incidents” with little other detail, mainly to give the targeted organizations breathing room to negotiate with threat actors.
But well over a month later, the Vanuatu government has remained extremely tight-lipped about the nature of the attack on its country, as has the Australian government, which is working with Vanuatu to help deal with the incident. When asked during a press conference if the attack in Vanuatu was ransomware, Australia’s Minister for the Defense Industry Pat Conroy said, “It’s probably not appropriate for me to go into the details of it. The really important thing is, in this age, governments and organizations, and businesses are under constant scrutiny from malicious actors, and it’s very important that the Pacific family works together to make sure that all our systems work properly and when a system does go down, members of the Pacific family are there to help.”
When contacted by README, an Australian Department of Foreign Affairs and Trade spokesperson likewise refused to confirm details surrounding the incident. However, in a written statement, the spokesperson said, “Cyber security threats and incidents are an increasing challenge for the Pacific family, just as they are for Australia. The Australian Government is supporting Vanuatu’s response to a cyber incident. Specific questions about the incident should be directed to the relevant authorities in Vanuatu.” Vanuatu did not respond to README’s request for comment.
Craig told README that the freshly installed government is sharing little information about what happened or when daily life will return to normal. Kalsakau’s administration has yet to clarify that the cybersecurity incident was ransomware, and no ransomware gang has taken credit for the attack. Craig said rumors on the island abound that the attackers are demanding a ransom of AUD 50 million to AUD 60 million, and the government was trying to pay, but “we couldn’t afford to pay that.”
“It’s only been one statement so far, which is by the honorable Prime Minister, who read a statement that said government services [have] been restored,” Craig said. “What he meant by that was that they’ve got them online and tested them. They’re not available to the public. So, we’ve been left in the dark and told pretty much the whole time it’ll be sometime this week, but we’ve been hearing that for several weeks now.”
According to Craig, following the ransomware attack, the government set up alternative nongovernment email addresses and publicized them on social media, but as of Dec. 12, the government email system for Vanuatu was still not functional. Sources on the island said they have confirmed that the backups for the government’s systems were encrypted in the attack and that no data after July can be accessed.
