
Ransomware Attack on Papua New Guinea Government Freezes Much-Needed Foreign Aid

Ransomware gangs have trended toward targeted attacks on well-funded (or at least well-insured) targets in recent years, but some threat actors are still willing to take whatever opportunities they can find. A recent ransomware attack on the developing and mostly-rural Papua New Guinea illustrates this.

The embattled island nation of nine million people depends heavily on foreign aid, much of which was frozen as the country’s finance office was crippled. This comes amidst a major COVID-19 surge in the country as the fragile health care system struggles to keep up with new cases.

Ransomware attack disrupts systems that process foreign aid

Located just north of Australia, Papua New Guinea is rich in natural resources but has relatively little infrastructure and a population that mostly lives in rural areas. The country relies on hundreds of millions of dollars a year in foreign aid, primarily from Australia, to fund its health systems and other public services.

The ransomware attack hit in the worst possible place to disrupt this vital flow of funds, compromising the Department of Finance. It locked government workers out of the Integrated Financial Management System, which intakes and processes incoming aid. However, as of October 29 the national government gave the “all clear” and said that systems were fully restored and once again processing transactions.

The threat actors did not appear to show any mercy to the struggling nation, demanding a ransom in bitcoin (the government would not disclose the amount). The country was left unable to process incoming financial aid payments until the situation was resolved, though it remains unclear if the ransom was paid or if the impacted agencies were able to restore from backups.

The timing was especially bad: a series of recent COVID-19 surges has swamped what few hospital resources are available, leading to a wave of deaths as people have been unable to reach medical care in time.

The country is also struggling to vaccinate its population, with only 1.2% vaccinated to date. Vaccines are available in the country, but there is strong resistance to them, with health outreach workers even being threatened with violence while trying to deliver them. Misinformation and conspiracy theories have been blamed, though only about 15% of the population is estimated to have internet access. Facebook has been asked to run education campaigns targeting users in the country, and the social media giant estimates these have been viewed by about 800,000 people thus far.

The particular vulnerabilities of developing nations

In addition to its reliance on neighbors for financial aid, Papua New Guinea also leans on countries in the region for cyber expertise and defense. Sometimes that trust is misplaced. The country accepted a data center, the Cyber Security Centre, from China-based Huawei in 2020. It was then discovered by Australian intelligence that the new data center had the ability to extract confidential government files.

The small nation simply lacks the resources to build cyber infrastructure, install appropriate defenses and staff the necessary positions. It must either accept aid from foreign governments, which could mean backdoors or compromising conditions, or neglect the issue altogether as resources go to more vital issues such as the flagging health care system.

Papua New Guinea is not in a unique position among developing nations. Smaller countries are struggling to keep pace with the cyber threat landscape as they increasingly move government functions and services online. This creates a double problem: not only must they maintain proper security against threats such as ransomware attacks, but they are also unable to aid victims when attacks occur.

All of this accompanies a trend in developing nations of internet access outpacing other forms of infrastructure and even basic human needs. For example, 54% of the population of India now has a smartphone, and that number is projected to rise to 96% in the next 20 years. Nearly as large a share of the population does not have a toilet at home or access to safe tap water. The poorest members of developing economies are increasingly likely to be online, but without resources to protect them from ransomware attacks, and with more pressing matters to attend to with what funds are available.

Global investment by China also presents many countries with the same dilemma that Papua New Guinea faced, particularly in Africa (where China is now the largest foreign investor in telecommunications infrastructure). China has been accused of putting backdoors in other infrastructure it has built, such as the African Union Commission headquarters (which French intelligence sources allege regularly exfiltrates data to Shanghai). While it is extremely unlikely that Chinese nation-state threat actors will engage in relatively petty criminality like ransomware attacks, the growing threat from the world’s various ransomware gangs often presses small nations into accepting China’s technological assistance even with the knowledge that it will probably open them up to espionage.

Trevor Morgan, product manager at comforte AG, sees the only answer as a combination of backups and encryption (an approach that organizations of all sizes can also use as a model): “The recent ransomware incident affecting Papua New Guinea’s finance department underscores a harsh reality that every governmental agency must confront: a ransomware attack isn’t just a remote possibility but rather a likely imminent event … Putting organizations under a harsh public spotlight as these events unfold puts incredible pressure on them to pay a ransom as the most expedient mitigating tactic … A better course of action other than relying on paying a ransom is to prepare for this eventuality with robust recovery capabilities (tools and processes) combined with proactive data-centric protection. The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t exfiltrate sensitive data and use that compromised information as further leverage. Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data. And that’s what ransomware is all about: blackmail. Don’t let that happen to your organization. Accept the eventuality and prepare accordingly.”
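As an added illustration of the data-centric approach Morgan describes (example code written for this page, not from the article or from comforte AG): a toy vault-based tokenizer that keeps real values out of the application store and issues format-preserving surrogates, so an exfiltrated copy of the payment records carries nothing worth extorting over. The field names, record layout and sample values are constructed assumptions, and the token generator is a simple random vault rather than a standardized format-preserving cipher such as NIST FF1.

```python
import secrets
import string


class TokenVault:
    """Toy vault tokenizer: real values live only here, in a separately
    protected store; the application database keeps random surrogates
    that preserve length and character class (digits stay digits)."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def _random_surrogate(self, value: str) -> str:
        # Keep each position's character class so downstream validation
        # (length checks, numeric-only columns) still passes.
        return "".join(
            secrets.choice(string.digits) if ch.isdigit()
            else secrets.choice(string.ascii_uppercase) if ch.isupper()
            else secrets.choice(string.ascii_lowercase) if ch.islower()
            else ch
            for ch in value)

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so joins across records still work.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_surrogate(value)
            # Never hand out a token that equals any real value we hold.
            if token not in self._token_to_value and token not in self._value_to_token:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


# Hypothetical sensitive columns in an aid-payment ledger (assumption).
SENSITIVE_FIELDS = ("recipient_account", "tax_id")


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with sensitive fields replaced by tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def leaks_sensitive(stored: list, originals: list) -> bool:
    """True if an attacker copying the application store would obtain any
    real sensitive value from the original records."""
    real = {o[f] for o in originals for f in SENSITIVE_FIELDS if f in o}
    return any(r.get(f) in real for r in stored for f in SENSITIVE_FIELDS)


# Constructed sample records, not real data.
PAYMENTS = [
    {"payment_id": 1, "amount_usd": 250000,
     "recipient_account": "1234567890", "tax_id": "AB123456"},
    {"payment_id": 2, "amount_usd": 80000,
     "recipient_account": "1234567890", "tax_id": "CD654321"},
]
```

Only the vault, kept on separate infrastructure with its own backups, can map tokens back; the non-sensitive columns stay in the clear so reporting and reconciliation keep working.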