In the sixth article of our special series on cyber incident response, Virginia Romero Sanchez-Herrero and David Broome explore the year ahead and highlight four key trends to look out for in 2024.
Missed last week’s article? Read Secure Rapid Recovery: lessons from recovery cases in 2023 now.
1. Ransomware is here to stay
We anticipate ransomware will continue in 2024 in much the same form as it has in previous years. Despite the extreme threat ransomware poses to businesses across geographies, industries and sizes, the threat has continued to evolve more quickly than victims can improve their resilience and invest in their defences.
For some this is purely a budget issue. Our annual Cyber Security Insights Report highlights that cyber security budgets increased just 3% in 2023, which puts a strain on implementing the required security measures to match the threat. Whether directly related to budgetary pressure or other constraints such as a lack of security skills, S-RM's Incident Response team continues to engage with companies who have not implemented a resilient backup and disaster recovery system. As a result, we regularly see backups being successfully deleted or encrypted during ransomware attacks, forcing victims to pay ransoms to regain access to affected data. Until there is a widespread shift in how companies back up data to render these tactics ineffective, we expect ransomware and the encryption of corporate data to continue unabated.
While we are unlikely to see a major shift in the occurrence of ransomware, we have chosen three ransomware trends we expect to emerge in 2024:
- Exploitation of software vulnerabilities: Ransomware groups focused much of their attention on exploiting vulnerabilities in software in 2023, a theme we explore in depth next week in our 2023 data review, and we expect this trend will continue this year. While ransomware groups have long exploited vulnerabilities to gain initial access to networks, cyber criminals are becoming adept at quickly automating their exploitation before victims have time to patch vulnerable systems. In 2023, newly disclosed vulnerabilities in software such as Atlassian Confluence and Citrix NetScaler led to mass exploitation to deploy ransomware, and to some of the largest cyber-attacks of the year, with CL0P’s exploitation of the MOVEit file-sharing platform resulting in the theft of sensitive data belonging to thousands of global organisations.
- The long arm of the law: Often portrayed as fighting a losing battle in the fight against ransomware, 2023 has been a promising year for law enforcement. In October, Europol led a takedown of Ragnar Locker, which included the arrest of multiple group members in France, Spain, and Ukraine. In December, authorities seized the data leak sites operated by prolific group ALPHV, also known as BlackCat, in a coordinated law enforcement operation. Unfortunately, this takedown highlighted the persistence of the ransomware threat: within days, BlackCat were operational again with minor overall disruption to their operations.
We can expect continued law enforcement attention targeting the ransomware ecosystem, increasingly utilising sanctions against prolific groups to stymie the flow of funds and focusing on preventing criminals from successfully ‘cashing out’ from these incidents. However, until geopolitical tensions subside somewhat, and meaningful progress is made to curtail activities in nations where domestic law enforcement action against ransomware groups is non-existent, ransomware groups will continue to rebrand and re-emerge days, weeks or months after law enforcement takedowns.
- Evading defences: Ransomware groups will likely be increasingly successful at bypassing technology solutions considered security best practice. They are investing considerable time, resources and money into developing and exploring methods of circumventing existing security tools. For example, we are aware of prominent ransomware groups purchasing security tools to deploy in dummy environments, as a means to test bypasses and exploits that might enable them to evade these technologies during live incidents. In 2023, we witnessed these bypasses in action as we were called in to help organisations that had relied on their defensive technologies – especially multifactor authentication (‘MFA’) and market-leading endpoint detection and response (‘EDR’) – to mitigate the threat. Whether it is bypassing MFA or evading EDR to mask malicious activity on endpoints, ransomware groups are becoming increasingly capable of both.
2. Criminals will increasingly bypass traditional MFA setups
In 2023, S-RM's Incident Response team witnessed a resurgence in Business Email Compromise (‘BEC’) cases, primarily driven by the increased availability and adoption of MFA bypass tools by threat actors. MFA was once thought to be a silver bullet against such compromises, but threat actors can now purchase access to Adversary-in-the-Middle (AitM) platforms such as Evilginx, which bypass MFA by intercepting ‘session cookies’ and authenticating as the legitimate user even when MFA is in place. This trend is likely to persist, with access to phishing kits that bypass MFA selling for as little as a few hundred dollars a month.
Just a few years ago, the development of AitM platforms would have been considered a fringe threat, but it is at the root of some of the most significant BEC cases our team responded to in 2023. In particular, we observed threat actors using these techniques to breach law and real estate firms, diverting payments and stealing confidential information. This shows how rapidly the threat landscape shifts and why organisations must avoid relying on any single method of protection, and instead constantly try to stay ahead in the cyber arms race. We are already observing clients in our Cyber Advisory and Transformation practice roll out new methods of MFA implementation, such as FIDO2-certified authenticators like Windows Hello for Business and YubiKey hardware keys, to mitigate this threat.
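As an added illustration of why the FIDO2 authenticators mentioned above resist AitM phishing (example code written for this article, not S-RM's or any vendor's code): the browser writes the page's origin into the signed WebAuthn client data, so an assertion produced while the victim's browser sits on a look-alike proxy domain fails the relying party's origin check, whereas a relayed password plus one-time code would not. The domain names and challenge are constructed placeholders, and the authenticator data and the browser's own rpId check are omitted for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Subset of WebAuthn clientDataJSON. The browser, not the web page, fills in "origin".
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Simplified assertion: only SHA-256(clientDataJSON) is signed (real WebAuthn also signs authenticatorData).
type Assertion struct{ ClientDataJSON, Sig []byte }
// signAssertion models the authenticator answering a login challenge.
func signAssertion(key *ecdsa.PrivateKey, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return Assertion{ClientDataJSON: cd, Sig: sig}, err
}
// verifyAssertion is the relying party's check of the assertion it receives.
func verifyAssertion(pub *ecdsa.PublicKey, a Assertion, wantOrigin, challenge string) error {
	var cd ClientData
	h := sha256.Sum256(a.ClientDataJSON)
	switch {
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil:
		return errors.New("malformed clientDataJSON")
	case cd.Challenge != challenge:
		return errors.New("stale or replayed challenge")
	case cd.Origin != wantOrigin: // the binding that defeats an AitM relay
		return errors.New("origin mismatch: " + cd.Origin)
	case !ecdsa.VerifyASN1(pub, h[:], a.Sig):
		return errors.New("bad signature")
	}
	return nil
}

// runDemo compares a genuine login with one relayed through a look-alike proxy domain (constructed names).
func runDemo() (genuine, relayed error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const origin, chal = "https://login.example.com", "constructed-challenge-1"
	a, _ := signAssertion(key, origin, chal)
	genuine = verifyAssertion(&key.PublicKey, a, origin, chal)
	a, _ = signAssertion(key, "https://login-example.net", chal) // victim's browser sits on the proxy
	relayed = verifyAssertion(&key.PublicKey, a, origin, chal)
	return genuine, relayed
}
```

Even with a valid key and the correct one-time challenge, the second assertion is rejected because the signed origin names the proxy's domain rather than the real site.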
3. Crime migrates to the cloud too
Concurrent with the widespread adoption of cloud-based infrastructure has been an increased focus on the exploitation of these platforms. As organisations store more sensitive data in the cloud, many are failing to adequately protect it. This data is a key target for cyber criminals who seek to capitalise on lax security controls implemented on newly adopted cloud technologies or an overreliance on default configurations.
Once attackers have exfiltrated sensitive data, they often seek to delete it to extort victims into paying a ransom to regain access and prevent it being sold or published. To protect cloud-based environments it is essential to understand configuration settings, with misconfigurations and the use of default settings potentially creating gaps in security controls that can lead to compromise. Cloud-based security solutions can be used to discover misconfigurations, in addition to detecting anomalous user behaviour and preventing unauthorised transfers of data. To mitigate the risk of data deletion, it is important to back up your data to an immutable or offline backup solution that cannot be tampered with by cyber criminals or accidentally deleted by legitimate users.
4. Criminals use ChatGPT just like us
Cybercrime carried out with tools created by, or at least with the assistance of, artificial intelligence (‘AI’) is likely to develop significantly in 2024. The release of ChatGPT in November 2022 brought the world of generative AI into the limelight. AI became a tool with widespread application that could be used by the masses, but not all choose to wield these tools for good. As one would expect, the dark web is awash with discussion about how to most effectively use AI.
Cyber criminals have begun to develop and sell their own ‘Dark AI’ models on the dark web, with claims that models such as WormGPT, FraudGPT, and DarkGPT can be used for a variety of malicious purposes, including writing malicious code. The efficacy of such models remains to be seen, with numerous reports that these ‘Dark AI’ models are often unusable. That said, we have already observed the influence of AI in phishing campaigns, with an increase in sophisticated and targeted phishing emails which appear to have been generated using phishing kits powered by large language models (‘LLMs’) like the GPTs listed above. In fringe cases, cyber criminals will increasingly be able to use AI to generate fake images of people to impersonate them, fake audio clips to sound like them, and fake emails to communicate like them.
Ultimately, cyber criminals will continue to evolve and adapt their attacks on businesses in 2024, whether by continuing to adapt their ransom tactics, targeting the cloud, or increasingly leveraging AI. To protect your organisation, it is critical to keep up to date with the rapidly changing cyber threat landscape and to understand your attack surface and vulnerabilities. Our experts at S-RM are happy to discuss any of the trends mentioned in this article, and signing up to our weekly Cyber Intelligence Briefing is a great way to stay informed and ahead of cyber criminals.