AI, Ransomware, and IoT Dominate Kaspersky’s Cybersecurity Outlook for META Region

At its annual Cyber Security Weekend for the Middle East, Turkiye and Africa (META) region, Kaspersky  Global Research and Analysis Team presented cybersecurity trends, including ransomware, advanced persistent threats (APTs), supply chain attacks, mobile threats, AI and IoT developments.

Kaspersky experts constantly track highly sophisticated attacks. Specifically, they are monitoring 25 APT groups currently active in the META region, including well-known ones such as SideWinder, Origami Elephant, and MuddyWater. The rise of creative exploits for mobile and further development of techniques aimed at evading detection are among the trends Kaspersky is seeing in these targeted attacks.

On a broader level, the first quarter of 2025 showed that Turkiye and Kenya had the highest number of users affected by web incidents (online threats) – 26.1% and 20.1% respectively. They were followed by Qatar (17.8%), Nigeria (17.5%) and South Africa (17.5%).

Ramsomware remains one of the most destructive cyberthreats. According to Kaspersky data, the share of users affected by ransomware attacks increased by 0.02 p.p to 0.44% from 2023 to 2024 globally. In the Middle East the growth is 0.07 p.p. to 0.72%, in Africa: 0.01 p.p. growth to 0.41%, in Turkiye 0,06 p.p. growth to 0.46%. Attackers often don’t distribute this type of malware on a mass scale, but prioritise high-value targets, which reduces the overall number of incidents. While ransomware is not increasing largely, that doesn’t mean that it becomes less dangerous.

In the Middle East ransomware affected a higher share of users due to rapid digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity. Ransomware is less prevalent in Africa due to lower levels of digitisation and economic constraints, which reduce the number of high-value targets. However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are on the rise, particularly in the manufacturing, financial and government sectors. Limited cybersecurity awareness and resources leave many organisations vulnerable, though the smaller attack surface means the region remains behind global hotspots.

Ransomware trends

• AI tools are increasingly being used in ransomware development, as demonstrated by FunkSec, a ransomware group that emerged in late 2024 and quickly gained notoriety by surpassing established groups like Cl0p and RansomHub with multiple victims claimed in December alone. Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec employs double extortion tactics — combining data encryption with exfiltration — targeting sectors such as government, technology, finance, and education in Europe and Asia. The group’s heavy reliance on AI-assisted tools sets it apart, with its ransomware featuring AI-generated code, complete with flawless comments, likely produced by Large Language Models (LLMs) to enhance development and evade detection. Unlike typical ransomware groups demanding millions, FunkSec adopts a high-volume, low-cost approach with unusually low ransom demands, further highlighting its innovative use of AI to streamline operations.
• In 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities, as demonstrated by the Akira gang’s use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalising on the expanding attack surface created by interconnected systems. As organisations strengthen traditional defenses, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time.
• The proliferation of LLMs tailored for cybercrime will further amplify ransomware’s reach and impact. LLMs marketed on the dark web lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less skilled actors to craft highly convincing lures or automate ransomware deployment. As more innovative concepts such as RPA (Robotic Process Automation) and LowCode, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are quickly adopted by software developers, we can expect ransomware developers to use these tools to automate their attacks as well as new code development, making the threat of ransomware even more prevalent.

Ransomware is one of the most pressing cybersecurity threats facing organisations today, with attackers targeting businesses of all sizes and across every region, including META. Ransomware groups continue to evolve by adopting techniques, such as developing cross-platform ransomware, embedding self-propagation capabilities and even using zero-day vulnerabilities that were previously affordable only for APT actors. There is also a shift toward exploiting overlooked entry points — including IoT devices, smart appliances, and misconfigured or outdated workplace hardware. These weak spots often go unmonitored, making them prime targets for cybercriminals. To stay secure, organisations need a layered defense: up-to-date systems, network segmentation, real-time monitoring, robust backups, and continuous user education.

– Sergey Lozhkin, Head of META and APAC regions in Global Research and Analysis Team, Kaspersky

Kaspersky encourages organisations to follow these best practices to safeguard their assets:

• Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
• Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
• Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. Use the latest Threat Intelligence information to stay aware of the actual Tactics, Techniques, and Procedures (TTPs) used by threat actors.
• Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.

To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organisations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements are changing.