There’s no denying that 2023 was a challenging year in cybersecurity – well, and in pretty much every other area of life too. We had ransomware out the wazoo, more zero days and supply chain attacks than you can shake a stick at, hacktivists went wild, and approximately a bazillion people had their personal information compromised (okay, maybe not quite a bazillion, but there were certainly a lot with the MOVEit incident alone impacting more than 80 million people.)
The victims this year included the UBA TV network which was left “flirting with financial disaster” (no, wait, that was fictional), the Royal Mail, the British Library and the Toronto Public Library, MGM Resorts, Japan’s Space Agency, Caesar’s Entertainment, the UK Electoral Commission, Clorox, the City of Dallas, Boeing, ICBC, Okta, and multiple hospitals, schools and local governments.
As we near the end of the year, the big question is will 2024 be another annus horribilis? To find out what may be in store, we asked some of the best and brightest minds in cybersecurity for their predictions. We even asked a Russian ransomware operator who’s wanted by the FBI (if you have any information that may lead to his arrest, please let us know so that we can pass it along and collect the $10 million reward.) Here’s what they had to say.
Kevin Beaumont, Internet Porg
I think there’s an increasing chance each year that a ransomware operator – probably a teenager – blunders into some sort of critical international infrastructure, badly damages it, and everybody will pretend to be shocked it happened… when really, it is inevitable due to misaligned incentives within industry and government about tackling the problem.
Ryan Chapman, SANS Author and Certified Instructor
In 2024, I believe we will see a continued increase in cyber extortion, meaning we’ll see more ransomware groups move toward avoiding encryption post data exfiltration. After all, “cyber extortion” is mostly comprised of ransomware incidents that occur sans encryption. We’ve been seeing this move for some time now, and I think the trend will continue given the lower complexity involved. However, I do not believe that encryption will go away completely. Many groups still rely on the urgency brought on by downed services. We will hear the term “cyber extortion” more and more, thus we’ll need to learn as a community how to differentiate the two similar attacks.
I also believe that initial entry vectors will continue to trend away from RDP and phishing, moving more toward SIM swapping and SMS phishing (a.k.a. smishing) to facilitate MFA bypass. Groups such as Scattered Spider (a.k.a. Muddled Libra, UNC3944, and Scatter Swine) have already begun partnering with core ransomware operations crews. The more these types of groups work together, the more we’ll see initial access via means that are increasingly difficult to monitor, alert on, and/or deal with using current methodologies. I believe the ongoing partnerships between these teams will lead to a threat landscape that resembles the current-day one, yet with a heavier emphasis on gaining access to single sign-on resources, which provide an immense amount of access to the actors who abuse these methods. Sadly, non-MDM-based phones, such as those used with bring your own device (BYOD) plans, will continue to be susceptible to such threats.
Finally, I believe we’ll see a continued shift of inter-threat-actor communications from darknet forums to systems such as Telegram. Some of these systems are more tightly regulated, allowing the threat actor community to keep more of their communications private. For this reason, I believe we in the threat intel community need to continue fostering sock puppet/research accounts in order to gain additional credibility within the various threat actor communities. The more we lose sight of their communications, the more we’ll be blinded to developing attack methods. The more we learn, the more we can prevent and hunt.
Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft
I think we will see a lot more creative ways to leverage social engineering alongside extortion, not necessarily involving encryption, but data as leverage to get payment. I’m also betting on a radical change in the role of the CISO. Finally, I think the election in 2024 will be the biggest thing to watch – that’s going to be a bellwether in our ability to secure democracy.
Dissent Doe, Journalist and privacy advocate at DataBreaches.net
In 2024, we’ll see yet more new ransomware groups and leak sites because ransomware has become cheap enough and readily available, leading more kids with dreams of making a fortune to give it a try. Because many of these groups won’t have real skills, we may see more victims’ files become corrupted or destroyed, and leaked data may be like detritus all over the internet. Law enforcement agencies will continue to improve collaboration and takedowns of major groups, but with constant re-branding and shifting affiliations, it will be a bit like whack-a-mole. Experiments with reporting victims for violating laws will be abandoned after threat actors realize what privacy advocates have already figured out — that it’s usually a waste of time. Groups will continue to test more aggressive pressure tactics involving sensitive data. Attacks on healthcare, education, and critical infrastructure will increase, and groups will embrace self-described “researchers” who do not actually research anything but shout “Breaking News” as they repeat threat actors’ unverified claims that can harm victims’ reputations. By the end of 2024, at least one firm will sue one of these “researchers” for reputation harm. In 2023, and flying under the media radar, there were a handful of cyberattacks where experienced threat actors decided not to leak or sell the data of victims who did not pay. Instead, they made deals with law enforcement to return the data and delete their copies. I predict we’ll see more of that in 2024.
John Hultquist, Chief Analyst, Mandiant Intelligence at Google
Next year hundreds, if not thousands of organizations will be affected by major, broad incidents tied to three origins: 1) North Korean actors leveraging the supply chain to get to crypto; 2) Chinese state actors leveraging a zero-day in a popular security device to access networks globally; and 3) ransomware operators leveraging a vulnerability in a file transfer system to target the data of multiple victims simultaneously. These increasingly familiar problems will ultimately become reliable.
Azim Khodjibaev, senior intelligence analyst with Cisco Talos’ Threat Intelligence and Interdiction team
I think that there will be more disruption of infrastructure resulting from internationally coordinated efforts. I think these efforts all began a few years ago in many different ways and, since they involve bureaucracies, they took off at a typically slower pace than the private sector. We all know bureaucracies don’t go away and the work against ransomware will only grow bigger. As we saw in 2023, taking down server infrastructure and botnets and arresting affiliates in friendly countries will only increase as the organizations working on these continue to build trust and experience in doing so. Additionally, with the increased rate of entry of lower-skilled and multinational affiliates into the ransomware environment, the likelihood of these takedowns increases as well.
Allan Liska, threat intelligence analyst at Recorded Future
Ransomware tools and operations have become so automated that the barrier for entry is lower than ever. This McDonaldization of ransomware will lead to even more ransomware groups popping up all over the world, further increasing the number of ransomware attacks and the number of new instances of ransomware attacker “collisions.”
This continued growth will spur countries to introduce ransomware payment bans in the hope of slowing down ransomware attacks.
Jamie MacColl, Cyber security Research Fellow at the Royal United Services Institute
With the new SEC requirements and the recent charges against the SolarWinds CISO, we may finally see more corporate responsibility for cyber security at board level. On a related note, CISO (surely now the worst role to hold in the cyber security profession) vacancies at large companies may become rather more challenging to fill.
Valery Marchive, Editor-in-Chief at LeMagIT
More industrialisation/automation of the killchain. Cl0p has clearly done it this year to some extent; others will follow.
Mikhail Matveev, ransomware operator
The issue of ransomware programs is greatly hyped by marketers, the companies themselves, and the government. In reality, we see entire special services hunting for 14-year-old teenagers from Killnet, and on GitHub, there is a huge number of ready-to-fight exploits, tools, and instructions. Anyone interested in computers can become a ransomware operator with their own RaaS. The wide coverage in the media has attracted the attention of both the corporate sector and government structures. However, despite the apparent hyperbolization, the threat posed by ransomware remains relevant and serious.
The chaotic number of RaaS and people involved in it create chaos, including for those who do it for money… They very clearly play the role of the bad guys doing everything to promote themselves and their brand without making a profit, but I can say that this trend is declining and will soon begin to decrease. Let’s remember the carders… how many are there now? A minimal amount. Here are some reasons why I expect a decrease in the threat from them, not as a phenomenon but as a threat.
1. Market saturation: As the number of RaaS operators increases, competition grows, which can lead to lower profitability due to smaller ransoms and increased costs for maintaining infrastructure.
2. Ethical and moral considerations: Over time, the hacking community may come to understand that ransomware attacks often harm innocent users and businesses, which can lead to the rejection of such methods.
What I expect from 2024:
A shift in focus from Ransomware as a Service (RaaS) and similar mass attacks to more targeted cyber espionage. It may become more attractive to certain actors, as it offers the opportunity to obtain valuable information with a relatively low risk of detection compared to mass attacks such as RaaS. And perhaps cybersecurity specialists are already not hunting the right guys.
P.S.: Thank you to my Wife for always supporting and inspiring me, and to my friends Azim [at Cisco Talos Intelligence Group] and Brett [at Emsisoft] for keeping an eye on me.
Katie Moussouris, Founder and CEO at Luta Security
You better watch out,
For things like WannaCry
You better not doubt
Your MFA was compromised,
Ransomware will take us all down.
Make your asset list
Update it at least twice
Adversaries will find all
Unpatched hosts to compromise,
Ransomware is far from shut down
In all seriousness, attacks are on the rise as always and record layoffs in the tech and cyber sectors are leaving organizations less prepared to meet the challenges ahead. AI isn’t going to help defenders fast enough to close the workforce gaps left by staffing reductions, but it is already helping attackers. I predict we’ll see AI-driven reconnaissance followed by automated exploitation, as well as AI voice- and translation-enabled phishing. It will take more defensive innovation at scale to keep up than ever before.
Allison Nixon, Chief Research Officer at Unit 221b
We will witness the rise of cybercrime actors that use violence to support cyberattacks.
Chester Wisniewski, Director, Global Field CTO at Sophos
Ransomware criminals will continue to target the lowest hanging fruit, beginning with unpatched network gear and then using stolen credentials. As organizations continue to adopt weak MFA we will see increased use of MFA bypasses including evilginx, SIM swapping, social engineering, and cookie theft. As with earlier techniques, as they refine their processes they will become adept and MFA will simply be another speed bump.
Victor Zhora, former Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine
2024 is expected to become a year of high geopolitical turbulence accompanied by a huge number of determining election campaigns. No doubt, cyber operations will play a distinct role in influence operations aiming at interference in these elections. Global powers will continue increasing their offensive cyber capabilities, while those with irresponsible behavior in cyberspace will demonstrate closer coordination in opposing the West in the cyber domain.
We’d like to extend our sincere thanks to everybody who took their time to share their thoughts. We hope that most of the predictions are proven wrong – especially Allison’s! – but suspect that that will not be the case. So buckle up, folks, as 2024 is likely to be another wild ride.
Happy Holidays to one and all!