Kaspersky Identifies Evolving Ransomware and Cybersecurity Trends in META Region
Kaspersky’s Global Research and Analysis Team (GReAT) recently shared pressing insights at its annual Cyber Security Weekend for the Middle East, Turkiye, and Africa (META) region. The cybersecurity giant outlined the growing threat of ransomware, the evolving nature of advanced persistent threats (APTs), and the increasing use of artificial intelligence (AI) in cyberattacks.
Escalating APT Activities Across META
Kaspersky experts are closely monitoring 25 active APT groups within the META region. Notable groups include SideWinder, Origami Elephant, and MuddyWater. These threat actors continue to develop increasingly creative techniques to evade detection, particularly in mobile environments. Kaspersky highlights a clear trend: mobile devices are now a growing focus for sophisticated attackers who exploit new vulnerabilities and stealth tactics.
Web Incidents Surge in Turkiye and Kenya
Data from Q1 2025 indicates that Turkiye and Kenya experienced the highest web incident rates, affecting 26.1% and 20.1% of users respectively. They were closely followed by Qatar (17.8%), Nigeria (17.5%), and South Africa (17.5%). This upward trend underscores the need for nations in the region to improve their cybersecurity maturity in response to increasingly frequent and complex online threats.
Ransomware: Subtle, Sophisticated, and Expanding
Globally, ransomware remains one of the most dangerous cyberthreats, even though the overall increase in cases has been modest. Kaspersky reported that ransomware incidents grew by 0.02 percentage points globally from 2023 to 2024, reaching 0.44%. However, in specific regions, the rise is more pronounced: the Middle East saw a 0.07 percentage point increase to 0.72%, Turkiye recorded a 0.06 point rise to 0.46%, and Africa experienced a smaller increase of 0.01 point to 0.41%.
In the Middle East, rapid digitization and varying cybersecurity maturity have created a fertile environment for ransomware proliferation. In Africa, ransomware incidents remain comparatively lower due to reduced digital penetration and fewer high-value targets. Nevertheless, rising digitization in economies like South Africa and Nigeria is gradually increasing ransomware threats in sectors such as manufacturing, finance, and government.
AI-Driven Ransomware: The FunkSec Paradigm
A key highlight from Kaspersky’s briefing was the emergence of the AI-powered ransomware group FunkSec in late 2024. Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec has quickly overtaken prominent groups such as Cl0p and RansomHub by exploiting AI-generated code, complete with professional-quality comments likely created using large language models (LLMs). Their approach, based on low-cost, high-volume attacks, represents a new phase in ransomware economics.
Unlike traditional groups demanding millions in ransom, FunkSec opts for lower ransom values, leveraging automation to reduce operational costs and increase reach. Their tactics are especially dangerous because they exploit both AI tools and human psychology, using convincing phishing and social engineering lures.
Exploiting the Unconventional: IoT and Workplace Devices
Cybercriminals are moving beyond conventional vectors. The Akira gang demonstrated how a simple webcam could be used to bypass endpoint detection systems and infiltrate internal networks. Increasingly, attackers are targeting under-secured entry points like IoT devices, smart appliances, and misconfigured hardware, which are often ignored in standard security protocols.
These overlooked devices are prime targets due to their weak security configurations and lack of consistent monitoring. As more organisations integrate smart tech, the cyberattack surface broadens, offering new infiltration opportunities for ransomware actors.
LLMs, RPA, and Low-Code Tools Empower Cybercriminals
The dark web now features tailored LLMs for cybercrime, significantly lowering the bar for entry. Unskilled actors can deploy effective ransomware campaigns or phishing schemes using AI-assisted code and automated tools.
Emerging software development trends like Robotic Process Automation (RPA) and Low-Code platforms, which allow developers to build applications via drag-and-drop interfaces, are now being misused by cybercriminals. These tools simplify malware deployment, making it easier than ever to execute complex attacks with minimal technical expertise.
Evolving Techniques: Cross-Platform Malware and Zero-Days
Ransomware groups are innovating rapidly — building cross-platform ransomware, self-propagating malware, and even exploiting zero-day vulnerabilities once exclusive to state-sponsored APT actors. This advancement significantly amplifies their ability to bypass defenses and cause widespread damage.
Kaspersky’s Recommendations for Organisational Defense
To counter these evolving threats, Kaspersky recommends a multi-layered cybersecurity strategy:
- Update Software Regularly: Keeping all devices patched helps prevent attackers from exploiting known vulnerabilities.
- Focus on Lateral Movement Detection: Organisations should monitor internal and outbound traffic closely to detect data exfiltration attempts.
- Maintain Offline Backups: Ensure backups are stored securely and accessible during emergencies.
- Invest in Threat Intelligence and Training: Equip security operations center (SOC) teams with current threat intelligence and professional development.
- Enable Endpoint Ransomware Protection: Tools like Kaspersky Anti-Ransomware Tool for Business provide robust, free protection.
- Adopt Adaptive Security Solutions: The Kaspersky Next suite delivers real-time protection, visibility, and incident response tailored to the needs of organisations of all sizes.
Vigilance and Agility Are Key
As ransomware grows smarter, stealthier, and more AI-driven, businesses in the META region must stay ahead with proactive cybersecurity practices. The era of digital transformation is not only redefining industries but also exposing new vulnerabilities. With AI enabling both defenders and attackers, the cybersecurity battlefield is becoming increasingly dynamic and unforgiving.

