Symantec 2021 Cyber Security Predictions – Looking Toward the Future

If you were asked to name the biggest cyber threat of 2020 you might say COVID.  It’s certainly been the dominant subject of social engineering, taking off in March, just as the virus (medical, not malicious) exploded into our consciousness.  But that’s the thing.  Unlike the real world, it’s not COVID that is a threat.  It’s just something that’s on all our minds and so makes for the perfect bait, the enticement to click on a link, download an attachment or send money to a scammer.  Social engineering is the means, not the threat.

But there is a single word that describes the threat landscape in 2020.  That word: Ransomware.  There has been no bigger threat to a business or organization, or anything quite as profitable for a cyber criminal in 2020.  There is a simple reason for this.  Extortion is profitable.  And cyber criminals are working to maximize those profits.

This blog is looking at the future and predictions for what’s ahead.  It’s no surprise that the past plays heavily into these predictions.  And while not all of our predictions are specifically about ransomware, they all are heavily influenced by the directions ransomware is driving the threat landscape.  

Predictions are just that, they don’t come with a guarantee of certainty.  But we can be certain of when ransomware will go away - as soon as people stop paying the ransom. This threat ends when it becomes unprofitable.  Until then, here are our predictions for the coming year.

Ransomware gangs will continue develop new tactics to pressurize victims

If 2019 was the year that targeted ransomware attacks began to proliferate, 2020 was the year that targeted ransomware groups began to develop their tactics and find new ways to pressurize their victims into paying.

The original template for a targeted ransomware attack already posed a significant threat to most organizations. Unlike older crypto-ransomware operations, which were designed to be spread indiscriminately, targeted ransomware groups focus on one organization at a time and try to encrypt as many computers as possible on the victim’s network, in addition to wiping backups where available. Encrypting most, if not all of the machines on the victim’s network allowed attackers to present a high value ransom demand, anything from several hundred thousand dollars to several million.

While targeted ransomware attacks can be difficult and time-consuming to perform, the potential returns are enormous and there has been a proliferation of groups carrying out these kinds of attacks.

During 2020, attackers began to find more ways of maximizing their revenues. In January, the Maze ransomware gang began stealing data from its victims’ networks prior to encryption and threatening to publish that data unless the ransom was paid. The tactic allowed the gang to put pressure on two kinds of victims who may not have ordinarily opted to have paid a ransom: organizations who may have been well prepared and able to restore their network without having to pay for a decryption key, and organizations who decide that the cost of losing their data is lower than the risk of paying a ransom. The success of the tactic was demonstrated by the fact that several other ransomware gangs immediately began to incorporate it into their attacks.

We predict that the coming year will see ransomware gangs become increasingly aggressive in finding more ways to tighten the screws on victims. We are already seeing some evidence of this with reports of at least one gang threatening DDoS attacks on victims, while we at Symantec, a division of Broadcom (NASDAQ: AVGO), observed the Sodinokibi ransomware gang looking for Point-of-Sale networks.

Attackers will begin to find ways to further exploit working from home

The COVID-19 pandemic has brought about a radical change in how many people work. Offices across the world have shut and, wherever it has been possible, employees have shifted to working from home. What initially seemed to be a temporary measure is looking more permanent and many companies are now adapting to a long term, if not permanent, work from home model for the majority of their employees.

This presents a considerable challenge to security professionals. Employees who were sitting in a single office, on a single network, are now at home, using home networks and internet connections and remotely accessing company systems. A decentralized workforce could, in theory, represent more potential avenues of attack. Combined with the fact that the shift to remote working was largely unplanned, it’s easy to see why cyber criminals may be wondering if there are opportunities to exploit.

An early indication of this is the level of interest that attackers displayed in a number of recently patched vulnerabilities in VPN and virtualization software. Multiple warnings have been issued by attackers attempting to exploit vulnerabilities in Pulse Secure VPN (CVE-2019-11508, CVE-2019-11510, CVE-2019-11538, and CVE-2019-11539), Palo Alto GlobalProtect (CVE-2019-1579), Fortigate (CVE 2018-13379), and Citrix ADC servers and Citrix network gateways (CVE-2019-19781).

By way of example of how attackers are quick to attempt to exploit these flaws, there was a spike in exploit attempts for the Citrix vulnerability immediately after its disclosure, peaking in February with over 492,000 attempts blocked by Symantec.

Close co-operation of cyber crime gangs

Co-operation between cyber criminals isn’t a new phenomenon. The cyber crime eco-system tends to be quite segmented and actors usually specialize in one malicious activity, rather than handle attacks from end-to-end. It’s a world where malware authors, malware distributors, exploit kit creators, money launderers, and many more actors frequently interact.

However, what is new and potentially worrying news, is some of the biggest actors in cyber crime coming closer and closer together, in particular some of the biggest botnet operators and ransomware authors. For the past number of years, Emotet (and until very recently Trickbot) have been among the most powerful botnets, stealing credentials from infected users and selling their services to malware authors looking for a distribution channel.

Meanwhile, targeted ransomware (ransomware attacks where most, if not all of the computers at the victim’s organization are encrypted) is among the most lucrative cyber crime niches, sometimes earning attackers millions of dollars from a single attack.

A recent Organized Crime Threat Assessment from Europol said that the relationship between Emotet, Trickbot, and the Ryuk targeted ransomware group was now so close that it was possible the three belong to the same overall structure or that they have become smarter at co-operating with each other. “The relationship between Emotet, Ryuk and Trickbot is considered one of the most notable in the cyber crime world,” it concluded.

That’s an assessment that we at Symantec would agree with. Emotet has the reach and is capable of infecting large number of organizations, while Ryuk has one of the most potent payloads currently circulating.

While the relationship itself is a concern, there is also the danger that other large cyber crime actors will copy their example and also team up.

While there is no crystal ball for what 2021 will hold, history is a strong indicator that attackers will continue to refine their methods to take advantage of global events and the adoption of new technologies. Learning from the past to protect our future can be key to an organization's cyber security endurance.