The success of ransomware-as-a-service in 2015 means enterprises will be subject to more online extortion attempts in 2016, experts predict.
During 2015, ransomware-as-a-service operators employed the Tor network for hosting and used virtual currencies for payments said Intel Security's threat intelligence malware operation director Christiaan Beek.
“We expect to see more of this in 2016, as inexperienced cybercriminals will gain access to this service while staying relatively anonymous,” Beek said.
“Although a few families — including CryptoWall 3, CTB-Locker, and CryptoLocker — dominate the current ransomware landscape, we predict that new variants of these families and new families will surface with new stealth functionalities,” the McAfee Labs 2016 Threats Predictions report (PDF) stated.
For example, new variants may start to silently encrypt data. The encrypted files will be backed up and eventually the attacker will "pull the key", resulting in encrypted files both on the system and in the backup.
“Other new variants might use kernel components to hook the file system and encrypt files on the fly, as the user accesses them. The groups behind most current ransomware campaigns are going for fast cash, by using spam campaigns and exploit kits such as Angler, and targeting wealthy countries in which people can afford to pay the ransom.”
While Beek expects this to continue in 2016, he also foresees a new focus on industry sectors including financials and local government, which will quickly pay ransoms to restore their critical operations.
“Usually only Microsoft Office, Adobe PDF, and graphics files are targeted; in 2016 we predict that other file extensions typically found in business environments will also become targets. Attacks will continue on Microsoft Windows. We also expect ransomware to start targeting Mac OS X in 2016 due to its growing popularity.”
Trend Micro Asia Pacific managing director Dhanya Thakkar agreed that online extortion will evolve to rely more on mastering the psychology behind each scheme than the technical aspects of the operation.
“In the past decade, cyber extortionists made use of ransomware to trick online users to make them fall for their tactics. This was done by exploiting one’s fears to coerce victims into paying the ransom. The rogue/fake AV trap was set up to target those who feared computer infection,” he said.
Thakkar pointed out that earlier variants of ransomware locked screens of users, tricking them into paying to regain access.
“Police Trojans threatened users with arrests and charges for violations. And finally, with crypto-ransomware, cybercriminals aimed for the most valuable part of one’s system, the data. With this in mind, cyber extortionists will devise new ways to target victim’s psyche to make each attack personal—either for an end user or an enterprise.”
According to Thakkar, reputation is everything, and threats that can ruin an individual’s or a business’ reputation will prove to be effective and—more importantly—lucrative.
More advanced threats
According to Kaspersky Lab global research and analysis team senior security expert Juan Andres Guerrero-Saade, there will be a decreased emphasis on advanced persistent threats (APTs) and a greater focus on fileless malware which reduces the traces left on an infected system.“Rather than investing in bootkits, rootkits, and custom malware that gets burned by research teams, Kaspersky Lab expects to see an increase in the repurposing of off-the-shelf malware. As the urge to demonstrate superior cyber-skills wears off, return on investment will rule much of the nation-state attacker’s decision-making and nothing beats low initial investment for maximizing ROI,” he said.
2015 saw a rise in the number of public shaming and extortion attacks, as everyone from Anonymous to nation-states embraced the strategic dumping of private pictures, information, customer lists and code to shame their targets.
“2016 will see significant evolution in cyberespionage tradecraft, as sophisticated threat actors minimize investment by repurposing commercially available malware and become more adept at hiding their advanced tools, infrastructure, and identities by ditching persistence altogether,” he said.
Risk based security
IBM security services business unit executive Glen Gooding said that organisations that have taken a risk-based approach to ICT security or that use risk-based models will start to replicate this in their supply chain.
“Many companies are becoming more aware that while they may have robust security, an opportunistic or targeted attack at their supply chain could result in a major security compromise. Given recent real-life examples where prominent organisations have been put at risk, particularly in the retail sector, companies are taking steps to protect themselves and demand security assurance.”
Gooding added that influencing the decisions of C-suite executives to approve funding for security projects will be a huge task for CISO's in 2016.
“They will need to work towards a framework based approach to articulate the extent of the security risk to upper management. Those that approve funding will also expect to see a plan aligned to an industry framework in order to commit to new security projects,” he said.
“This alignment to industry best practices will form the basis of an ongoing strategy that can be built upon, that will allow CISO's to systematically improve on the varying maturity levels across multiple domains. The benefit of this is that it will allow ongoing security improvement and the ability to measure ROI to push for future investment.”