Looking Ahead: A Hacker’s Perspective on the Next Wave of Ransomware

Ian Lee

Making predictions after the turbulence of 2020 may seem like a fool’s errand. In 2019, few would have predicted a global pandemic that changed the way we live and work. The rapid pace of the pandemic forced organizations to adopt distributed and dynamic solutions in days, rather than the months IT planners would traditionally expect, and, as is always the case, malicious adversaries were there to take advantage, often for ransom. While we cannot predict the precise sequence of events that will unfold in 2021, the ways in which attackers evolved in 2020, from new ransomware techniques to the targeting of new attack vectors, provide a glimpse into where they will go next and into the new set of risks, introduced in 2020, that organizations must now manage.

As businesses continue to adapt to remote operations, it is essential that security teams have a firm understanding of their attack surface. Being able to detect unknowns and manage change is more critical than ever. In that spirit, I sat down with Randori CTO and co-founder David “moose” Wolpoff to get a hacker’s perspective on how he sees malicious adversaries evolving their techniques in 2021.

Read on for moose’s top five predictions for 2021:

  1. Ransomware evolves into enterprise extortion

    Threat actors are evolving from a high-volume/low-value business model to a high-value/low-volume model targeting commercial businesses. Half of ransomware attacks already involve data exfiltration, and in 2021, cybercriminals will incorporate extortion by weaponizing the content they’ve stolen to increase ransoms and compel their victim to action. Ransomware attacks will shift from “I’ve stolen all your data, now pay me,” to “I’m going to extort your CEO with the information I’ve found in the data I’ve stolen from you, and if you don’t pay, we’ll devalue your stock on Wall Street and tarnish your brand.”

  2. Cloud infrastructure gets taken for ransom

    Threat actors are beginning to sift through exfiltrated data from ransomware attacks for high-value content, and their pot of gold? Cloud infrastructure credentials that could allow them to hold a company’s or an entire cloud provider’s infrastructure for ransom. It takes adversarial creativity, but the reward is high. The SolarWinds hack proves it can be done. Maybe they find keys in the data directly, or maybe the attacker can gain access to an app like Slack and find keys shared there. Maybe they go so far as to send spoofed messages to convince unwitting victims to share cloud login credentials (heads up, IT). With a little information and a bit of persistence, an attacker can turn their ransomware access into high-privilege AWS tokens, log into the cloud infrastructure and hold it for ransom. The threat of turning off the business with the click of a button is a highly effective extortion technique. Many CISOs don’t know when and where highly privileged passwords have been recorded (in an old Slack message from 2 years ago?); this is a big risk for companies mid-cloud migration.

  3. Deepfakes and voice fakes come to the enterprise

    In 2021, threat actors will move on from basic ransomware attacks and will weaponize stolen information about an executive or business to create fraudulent content for extortion. From deepfakes to voice fakes, this new type of attack will be believable to victims and, therefore, effective. For example, imagine an attacker on a video system, silently recording a board meeting, then manipulating that private information to contain false and damning information that, if leaked, would create business chaos, to compel a business to pay up.

  4. The cyber skills gap hits the US government

    Chris Krebs’ unceremonious post-election ousting may be the proverbial sour cherry on top of the Trump administration’s treatment of cybersecurity talent in the White House. Under the administration, turnover at the senior leadership level of the National Security Council was record-breaking, and we will witness the first downstream effects on our national global cybersecurity ability in 2021. US national cyber policy and our global cybersecurity posture will take a hit, and, tactically but crucially, government hiring of cyber talent will stall. These will have a lasting impact on our cyber leadership that will take 10-20 years to correct, just when the geopolitical landscape is shifting the focus to cyber.

  5. Social platforms face government reckoning in 2021

    Democratic institutions rely on common information and facts, which have been challenged in light of disinformation and misinformation proliferating across social platforms. With antitrust sentiment slowly taking over Washington, it’s becoming more apparent that technology and social platforms are unregulated domains that have been damaging to truth and the functioning of democratic processes. In 2021, I expect antitrust hearings to come about as a matter of national security, and the force of the government will be extended against social platforms and tech monopolies in the next year or so.
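Prediction 2 above turns on a defender not knowing when and where a privileged credential was pasted into a chat tool. The following is an added example, not code from the original interview or from Randori, of the kind of check a security team can run over a chat export before an attacker does: it scans each message for an AWS access key ID (the documented AKIA-prefixed format; the key value used here is the AWS documentation example, not a live credential) and for generic password assignments, reports each hit with a redacted value, and flags how long the secret has been sitting there against an assumed 90-day rotation policy. The export format, channel names and messages are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed chat export (not real data); one message per line:
# "<ISO-8601 UTC timestamp>\t<channel>\t<author>\t<text>".
SAMPLE_EXPORT = (
    "2019-03-04T10:15:00Z\t#infra\talice\tdeploy script uses AKIAIOSFODNN7EXAMPLE\n"
    "2020-11-20T08:02:00Z\t#general\tbob\tlunch at noon?\n"
    "2020-12-01T16:40:00Z\t#infra\tcarol\tdb password=Sup3rS3cret! until we rotate it\n"
    "2021-01-05T09:00:00Z\t#infra\tdave\trotated the deploy key, new one is in the vault\n"
)

# Detection patterns. The AWS access key ID format (AKIA plus 16 upper-case
# alphanumerics) is documented by AWS; the password pattern is a generic
# heuristic and will produce some false positives by design.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*(\S+)"),
}

STALE_AFTER_DAYS = 90  # assumed rotation policy; tune to your own

# Fixed "current time" so the age calculation is reproducible (assumption).
FIXED_NOW = datetime(2021, 1, 15, 12, 0, tzinfo=timezone.utc)


def redact(secret):
    """Keep only enough of the value to identify it in a report."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-2:]


def parse_line(line):
    """Split one export line into (timestamp, channel, author, text)."""
    ts, channel, author, text = line.split("\t", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, channel, author, text


def scan_export(export, now=None):
    """Return one finding per matched secret, oldest first."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for line in export.splitlines():
        if not line.strip():
            continue
        when, channel, author, text = parse_line(line)
        age = (now - when).days
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append({
                    "kind": kind,
                    "channel": channel,
                    "author": author,
                    "posted": when.isoformat(),
                    "age_days": age,
                    "stale": age > STALE_AFTER_DAYS,
                    "value": redact(match.group(1)),  # never log the full secret
                })
    findings.sort(key=lambda f: f["posted"])
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT, now=FIXED_NOW):
        print(finding)
```

Each finding answers the two questions the prediction says CISOs often cannot: where the credential was recorded and how old it is. The report deliberately carries only a redacted value, so the scan output itself does not become a second copy of the secret; the action on a stale hit is to rotate the key and then delete the message.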