Security pros think a lot about ransomware: how to avoid it, what data they manage that might be at risk and what’s the next slimy tactic they will need to contend with. In the year ahead ransomware experts predict a shift in tactics and targets by criminals as cyber-defenses get harder to bypass. They also warn that mobile endpoints will become more attractive targets and that old bugs, such as Log4j, will continue to be springboards into networks for ransomware attacks.
What follows is a roundup of experts chiming in on what to watch out for and how to build an effective ransomware prevention and mitigation playbook for 2024.
2024 ransomware makeover?
Ransom will get more personal, says Kevin O’Connor, head of threat research, Adlumin:
Be prepared to see more conniving ransom threats in the year ahead.
Ransomware crooks are using the data they steal in very calculated, and sometimes personal ways to increase pressure on people and organizations into paying ransom. We’ve seen sensitive and personal data about children stolen from school districts sent directly to their parents. We even saw the BlackCat group recently report its own attack to the SEC as a pressure tactic.
Kevin O’Connor
The days of ransomware groups simply encrypting data and demanding ransom are gone. Double extortion has become the norm. Groups are going far beyond just posting stolen data online.
One example of how attacks are evolving comes from our threat research team. It recently observed an instance where affiliates of the same ransomware-as-a-service RaaS gang were simultaneously targeting the same organization. They were stepping over each other as one affiliate was focused on low and slow exfiltration in hopes of a large data extortion payout, while the other affiliate came with a more “smash-and-grab” operation that helped to expose the first. But it shows just how prolific these threats can get.
Amid midlife crisis, ransomware is heading for a makeover, says John Dwyer, head of research, IBM X-Force:
Ransomware may be facing a recession in 2024, as more countries pledge not to pay the ransom, and increasingly fewer enterprises succumb to the pressure of encrypted systems — choosing to divert funds to rebuilding systems versus decrypting systems. Ransomware operators are starting to face a cash flow problem, making it challenging to keep up with their resource-intensive campaigns. While we anticipate a bigger pivot to high pressure data extortion attacks, ransomware isn’t going anywhere, as we expect it to shift focus to a consumer or small business target base where threat actors’ leverage remains strong. But considering that ransom demands against SMBs are likely to be smaller than enterprise victims, it’s clear that ransomware is heading for a makeover.
JT Keating
Rise of mobile ransomware, says JT Keating, SVP of Corporate Development, Zimperium:
Another threat to beware of in 2024 is mobile ransomware. Sometimes people are tricked into downloading mobile ransomware through social networking schemes, because they think they are downloading innocent content or critical software.
According to Zimperium’s Global Mobile Threat Report it spotted a 51% increase in the total number of unique mobile malware samples detected year-over-year. It is reasonable to expect that to continue.
Trend of not paying, says Michael DeBolt, chief intelligence officer, Intel 471:
Countries agreed in 2023 at the Counter Ransomware Initiative that governments should not pay ransoms. Australia has said that banning the payment of ransoms at some point is “inevitable.” Some U.S. states have taken this step and banned their governments from paying ransoms. We expect more countries to look at the ransom angle as one way to bring cybercrime to heel.
New and old threats in 2024
Unpatched Log4j instances will drive ransomware attacks, says Douglas McKee, executive director of threat research, SonicWall:
Security professionals prefer to forget about past vulnerabilities such as Log4j, as they are often tied to a traumatic time. However, this is exactly what threat actors prey on. While many patches are in place from big-name vendors and security vendors have issued a wide range of signatures to cover Log4j, it is still one of the biggest supply chain vulnerabilities discovered to date.
Due to its position in the supply chain, its continued discovery in new places and its unfortunate continued implementation in new code, it is well worth an attacker’s time. SonicWall’s threat data is trending to demonstrate a potential 10% year-over-year increase from 2022 to 2023 in Log4j-related attacks. By the end of 2024, we predict there will be an even larger increase.
Cybercriminals will increasingly target account recovery methods, says Jerome Becquart, COO, Axiad:
As the “front door” of the (computer network) house gets stronger, cybercriminals will shift from stealing credentials (e.g., passwords) to attacking the “back door,” or account recovery methods. For example, let’s say a cybercriminal enters incorrect information on an account five times. The account recovery process then kicks in. If that process involves calling a help desk to answer security questions or answering them online, there’s a good chance hackers will be able to ascertain the information they need to hack their way in by perusing social media. We’re already seeing this happen, but, in 2024, we’ll see an escalation of cybercriminals targeting account recovery methods to compromise credentials.
Ihab Shraim
More cyberattacks will leverage dormant, aging domains, says Ihab Shraim, CTO, CSC Digital Brand Services:
Most average organizations have many inactive, dormant brand domains that are not monitored on an ongoing basis, and many are owned by unaffiliated third parties who purchased the domains for malicious purposes. Threat actors keep these dormant domain names inactive for a few months or even years, connecting them to an MX domain record and leaving them alone until they are ready to activate for cyberattacks including targeted phishing and malware distribution campaigns. Considering how many organizations lack ownership of their full brand-affiliated domain portfolio, I predict there will be significantly more dormant domains weaponized in phishing and malware targeted attacks in 2024.
Digital fraud and abuse will skyrocket as bots become more sophisticated and easier to leverage, says Sam Crowther, founder and CEO, Kasada:
Nearly 80% of IT pros claim that bots are becoming more sophisticated and challenging for their security tools to detect. Advanced bots intended to scalp sneakers and electronics are being repurposed and are easily accessible for those wanting to commit fraud. The hacking community has achieved economies of scale, and it’s never been easier to launch sophisticated cyberattacks without needing the formerly prerequisite expertise. In 2024, advanced bots will drive an increase in digital fraud and abuse, including more high profile, successful account takeover attacks and money washing schemes.
Chandrodaya Prasad
The rise of supply chain attacks, says Chandrodaya Prasad, executive vice president of product marketing, SonicWall:
The complexity and interconnectedness of modern software and hardware supply chains make them attractive targets for cybercriminals and state-sponsored hackers. We've already seen notable examples, such as the SolarWinds and Kaseya incidents, where attackers compromised widely used software to infiltrate multiple organizations at once. In 2024 we expect to see the trend of attacking suppliers instead of direct targets escalate, making supply chain security a significant concern for organizations. Given the potential for such attacks to be highly impactful, affecting not just one company but potentially hundreds or thousands, expect to see increasing pressure from regulators and customers alike to secure supply chains. The result will be stricter regulations and compliance requirements related to supply chain security, forcing organizations to scrutinize their vendors more closely.