Cyberattacks climbing across Caribbean
FOG and Akira target entities in Jamaica
Ransomware gangs FOG and Akira continue to be the main culprits behind a number of recent cyberattacks plaguing businesses locally and across the Caribbean, a cyber-security expert has indicated.
According to Rory Ebanks, director of cybersecurity at Symptai Consulting Limited, the two ransomware gangs, which both emerged in the last three years, primarily exploit vulnerabilities in firewalls to gain access to networks.
Ransomware is a type of malware that locks users out of systems, preventing them from accessing stored files, particularly after data becomes encrypted.
Akira, the more established of the two, has been in operation since 2023 but the group revamped its malware last year, launching an even more potent version. FOG, on the other hand, as a newer player, focuses its attacks on the education sector.
“It’s two primary ransomware groups that we’re seeing target Jamaica over the last couple of weeks — FOG is one of them, and the other is Akira. There have been a few companies that have been hit by these groups, with FOG primarily targeting the education sector. In terms of how they typically execute attacks — they either try to do social engineering where they will send phishing e-mail or trick a user into clicking on a link to compromise access after which they’ll move in to gain access and afterward proceed to deploy their ransomware in the environment,” Ebanks said, during a recent interview with the Jamaica Observer.
FOG utilises third-party tools and cloud services for data exfiltration during attacks, often leading to double extortion. If victims refuse to pay the ransom, the group typically threatens to leak and eventually publish the stolen data on a data leak site they operate.
Akira, following a similar double-extortion model, exfiltrates data before encrypting it. According to its leak site, the group has already compromised hundreds of organisations worldwide and is notorious for demanding exorbitant ransom payments, sometimes in the hundreds of millions of dollars. Educational institutions as well as those in the financial, manufacturing, real estate, and medical industries are all known targets of these attacks.
Since its emergence last year, FOG has attempted multiple attacks across the Caribbean, many of them unsuccessful. Ebanks said the group had no success locally until last month, when a breach was reported by Northern Caribbean University. The cyberattack crippled key computer systems at the university, which is headquartered in Manchester, restricting access to academic records and student financial databases.
“Ransomware groups typically leave a ransom note with specific instructions on how to communicate with them to arrange payment for data restoration — which is never recommended. They have also engaged a new tactic in sending ransom notes via e-mail to multiple people within an organisation, urging them to push their IT personnel to pay the ransom. These payments are usually requested in Bitcoin,” Ebanks explained.
The cybersecurity director said his organisation, along with several others that monitor the dark web, has observed a significant increase in ransomware activity over time.
He said the groups tend to post new victims weekly, or sometimes daily.
“Akira, for example, compromised over 300 victims in 2024 and within the first two months of 2025 they have already targeted nearly 200 entities. FOG attacks, now at 90, have also already surpassed the 87 reported for all of 2024,” Ebanks revealed.
Globally, millions of cyberattacks are attempted daily, with many being thwarted through automated blocking. Hackers are most frequently detected operating from regions such as the Middle East, China, Korea, and Russia.
“While we see cyberattacks originating from various locations, we have not observed significant inter-Caribbean attacks,” he told the BusinessWeek.
Despite the Data Protection Act (DPA) now being in full effect, Ebanks stressed that many cyber incidents remain unreported or are not disclosed within the required time frame.
“For the cases we handle, we urge clients to report all incidents and we also leverage our APO service internally to give them that capability, so in instances where they don’t know the steps to report breaches to the Office of the Information Commissioner (OIC), we will use our own services to assist them with doing so,” he said.
Under the DPA, companies must report breaches to the OIC within 72 hours and disclose them to the public within seven days. However, concerns over reputational damage and potential legal repercussions, the director said, often deter timely reporting.
“There are, however, some cases in which an organisation may not even know that they’ve been hacked or what data has been leaked or even if there was an actual compromise. However, the presence of a ransomware on a network is a clear indication of a breach, whether due to external infiltration or internal system vulnerabilities. Regardless of the attack’s origin, it is crucial to report incidents to the OIC and the Jamaica Cyber Incident Response Team (JaCIRT),” he said.
JaCIRT, which has been made aware of these ransomware groups’ activities through its own operations, said it remains committed to bolstering its surveillance and monitoring efforts as one of the chief watchdogs of the local cyber-security space.
“The CIRT continues to raise awareness among stakeholders and assist with incident management and response. By sharing lessons learned, we seek to help potential victims with mitigating risks or avoiding compromise,” said Lieutenant Colonel Godphey Sterling, head of JaCIRT.
While there has been a downward trend in vulnerabilities and attempted attacks, Sterling further told BusinessWeek that the number of unmitigated vulnerabilities remains high. The under-reporting of breaches, he said, further obscures the true scale of cyber incidents, as indicated by the volume of breached data found on the dark web.
Threat levels remain high due to systemic weaknesses in multi-factor authentication and the strategic targeting of known vulnerabilities in Virtual Private Network software. Ebanks said these could be greatly improved if companies put proper patch management systems in place, along with better end-point protection and robust two-step verification processes, while continuing to train employees on how to deal with likely risks.
“Having a continuous programme in place to sensitise everyone about the cyber security risk is very critical and paramount, as even with the best technology in place, security can still be compromised if employees knowingly or unknowingly disclose passwords or even grant unauthorised access to outsiders,” Ebanks concluded.