Cybercrime is borderless and takes many forms. In discussions with industry experts, I’ve observed that cyber extortion is one of the few threats that, ironically, is “globalising” in our fragmented world.
In the realm of cyber extortionists, there must always be a victim pressured into paying a ransom. Cyber extortion (Cy-X) has become a truly global issue, with 75% of all countries recording one or more victims since 2020. Combating this borderless crime requires multiple parties to navigate the complex web of local and international laws in a coordinated effort.
The Cy-X pandemic spreads
We define Cy-X, commonly referred to as ransomware, as a form of cybercrime where the security of a digital asset (its confidentiality, integrity, or availability) is compromised and used as leverage to extort payment.
The Cy-X problem is, in fact, bigger than we think.
Based on our research conducted from April 2023 to May 2024, Cy-X has grown rapidly worldwide, with a 77% increase in incidents recorded between April 2023 and March 2024. Data emerging from recent law enforcement efforts suggests the actual number of victims may be 50%-60% higher than currently documented.
While analysts often use the term “big game hunting” to describe targeted, sophisticated attacks on large, high-value targets, we find the term “harvest” more apt for the indiscriminate patterns reflected in our data. With very few exceptions, these patterns follow simple global economic realities: most victims are concentrated in the predominantly English-speaking countries that dominate the global economy. This is not because these geographies are being specifically “targeted,” but rather because, in an indiscriminate “harvest,” most suitable victims are clustered within large, English-speaking economies and the industries they underpin.
We also observe a clear correlation between economic size and increased risk of cyber extortion. As one of the fastest-growing regions in the world, Southeast Asia is particularly vulnerable, reflected by a 36% increase in victims recorded over a 12-month period. Notably, 16% of the total victims were from Singapore.
In terms of industries, manufacturing was the hardest hit globally and in Southeast Asia, with finance and insurance following. We note that attacks on manufacturing primarily target IT systems, rather than the “less sophisticated” operational technology (OT) sector that is increasingly a concern for the security industry. Our continued research into this dynamic suggests that cyber extortion in the form of ransomware does not easily translate into OT environments in a way that makes economic sense for criminals.
Australia leads the Asia-Pacific region in terms of victims, with a year-on-year growth rate of 62%. Given this trend, we expect the Cy-X issue to intensify in Singapore, where English is the primary business language and the manufacturing sector has relatively lower levels of technical maturity.
Ideologically motivated hacktivism is also on the rise, influencing societal perception, discourse, and policy. Australia, Singapore, the Philippines, and Indonesia are likely to be impacted by broader geopolitical trends in the Asia-Pacific region.
Revictimisation
Revictimisation is a trend that has emerged in recent years and has been exacerbated by the sharp increase in victim numbers in 2023. Although it is a technically unsophisticated crime, its impact is profound.
Merely being posted on a dedicated leak site exposes an organisation to several forms of harm. The revictimisation cycle amplifies consequences such as reputational damage, increased risk of data loss, financial burden, and psychological impact. The reposting of victims on dedicated leak sites is particularly common following takedowns or when threat groups disband.
Technically, threat actors are sticking to what works. Gaining initial access through exploits, credential stuffing, brute forcing, phishing, and social engineering will remain effective unless organisations take concerted action to address these weaknesses.
What organisations need to do to address Cy-X
First, organisations must play their part in combating Cy-X by taking steps that raise the cost for attackers. This includes reducing the attack surface, especially for internet-facing systems; keeping all internet-facing systems properly patched; using endpoint detection and response (EDR) to prevent and detect malware and other malicious activities; implementing effective detection mechanisms; ensuring that every security event is examined and responded to; and maintaining robust, comprehensive backups that are regularly tested.
Second, addressing credential-based attacks can eliminate several attack vectors. The use of multi-factor authentication (MFA) on all systems that support it will reduce the risk of initial access and lateral movement. In addition, enforcing the principle of least privilege — allowing users access only to the resources necessary for their roles — can hinder or prevent attackers from accessing critical systems. The zero trust security model, which removes implicit trust from all computing infrastructure, is increasingly adopted by organisations to secure employees, assets, and applications, regardless of location.
Third, organisations should prioritise patching internet-exposed technologies, particularly secure remote access services (such as firewalls, content management systems, virtual private networks, or remote desktop protocols) and office automation services, which are often abused and exploited.
It is crucial that all operating systems and software applications be kept up to date with the latest patches and releases, especially for internet-facing systems. Implementing a thorough external attack surface management (EASM) and vulnerability management program is essential. However, this only works if there is a well-maintained, accurate asset register to identify what needs patching.
Finally, organisations must invest in enabling and encouraging staff to identify and report potential attacks. While employees are often considered the weakest link in cybersecurity, they can also be the strongest. Ongoing awareness training and hygiene should cover new phishing and business email compromise (BEC) techniques, as well as how to recognise suspicious emails, links, webpages, and even attempted deepfake attacks. Fostering a cybersecurity-aware culture by encouraging staff to report unusual activity without fear of blame will ensure that incidents are promptly investigated and addressed.
Conclusion
In 2023, Singapore recorded 132 reported ransomware cases, according to the national Cyber Security Agency. The question is no longer “if” a cyberattack will happen, but “when.” Paying or giving in to demands rarely resolves the issue, and aggressors can often see it as a sign of compliance. In today’s digital landscape, protection against cyber extortion, ransomware, and other malware is a critical necessity.
Comprehensive advice for strengthening organisational defences is readily available. There is no reason for businesses to delay. Decision-makers must approach Cy-X with the urgency and objectivity that this persistent threat requires.