In the last blog I wrote for 2014, I looked at some of the common prediction trends that the various vendors and analysts had sent to me.
In that article, I identified 15 trends for information security, ranging from identity management changes to connected devices to better collaboration between the dark and light sides of the industry.
On Tuesday 6th January, analyst Richard Stiennon and researcher Tom Cross will join me in an online discussion at 4pm GMT on these and other 2015 predictions (https://www.brighttalk.com/webcast/11399/138375). But with such insight in my inbox, I am going to look at some of the more interesting predictions a bit closer.
For this first blog, it is the theme of ransomware. This vein of malware was not especially new; I recall conversations going back several years where there were reports of ransomware infecting and affecting users.
The trend really stepped up in 2014 though, with CryptoLocker, CryptoWall and TorrentLocker all hitting businesses and consumers hard and spreading the fear of infection beyond the IT department. Interesting research by ESET found that some people were prepared to pay the fine, but it is likely that fear enabled payment.
For the evolution of the ransomware trend, the predictions seemed to suggest that the next logical step for ransomware creators is to ask “how can I increase value from my victim?” Blue Coat Systems predicted that the next real targets will be small businesses or small Government organisations, effectively entities with hundreds of thousands of pounds in their bank accounts.
Lancope claimed that there is one industry at great risk here – healthcare. “Three factors make it a highly attractive target for ransomware expansion in 2015 – the mandate to move to electronic records, the sensitive nature of healthcare data, and the immaturity of the information security practices that exist in the healthcare industry today,” it said.
Frightfully, it claimed that the cost of a compromise could range from an inconvenience to loss of life. If a business is not sufficiently backing up its databases and systems or is not preparing staff to not click on suspicious items, then there is a significant danger that the fear, uncertainty and doubt around ransomware will remain a genuine threat.
One “growth area” for ransomware that both Lancope and Proofpoint suspected is “cyber extortion”. Proofpoint claimed that cyber extortion schemes will increase in scope, sophistication, and – following the example of the Destover malware – destructiveness.
“Attackers will become smarter and more targeted in their efforts to extract ransoms from the systems and organisations they have compromised by varying their ransoms based on the value of the system and data to the organisation,” it said.
“Not only will organisations have to adapt their backup and recovery programs to account for this threat, but they will need to become even more effective at detecting and rapidly responding to potential infections in their environment as soon as possible after they occur.”
Lancope claimed that this will develop into “targeted extortion-ware”, effectively an expansion on ransomware whereby unless you pay a certain amount to the attacker, the data will be made public for all to see. “Much like spear phishing, this attack will be much more targeted, but attackers will yield a higher take per victim, and those victims are less likely to involve law enforcement due to the sensitive nature of the data,” it said.
With stories such as the iCloud attack hitting notable people and revealing things that they would rather keep private, surely this comes down to personal security? If your settings and security software are good enough for your device, can you guarantee it is the same for third party services? If not, what are your options to protect yourself?
It is a tricky one to solve, and one that has the capability to become true. Other predictions saw a consistent move for ransomware to the cloud and mobile devices. McAfee claimed that ransomware will evolve its methods of propagation, encryption and the targets it seeks, and as a result, more mobile devices are likely to suffer attacks.
Also, WatchGuard said that the prediction that malware will jump to mobile devices is not new, but until now, it has not been particularly damaging. “In 2015, expect mobile malware to have more teeth, for example with customised ransomware designed to make your mobile unusable until you pay up,” it said.
FireEye claimed that mobile ransomware will enable attackers to steal cloud accounts and encrypt the data, as attackers turn their attentions to mobile in 2015. Likewise, McAfee predicted that ransomware variants which evade security software will specifically target endpoints that subscribe to cloud-based storage solutions.
“Once the endpoint has been infected, the ransomware will attempt to exploit the logged-on user’s stored credentials to also infect backed-up cloud storage data,” it said, saying that it expects the technique of ransomware targeting cloud-backed-up data to be repeated in the mobile space.
If the interest is in mobile devices, then the prediction from AdaptiveMobile is quite telling. It claimed that the rise of ransom-based monetisation strategies with Koler, where infected phones were blocked by a fake law enforcement notification, saw a new level of sophistication in the threat. “The combination of new propagating and monetisation techniques seen in 2014 is making mobile malware a growing threat in the year ahead,” it said.
As with most malware predictions, things will get worse and hit the mobile platform eventually. We’ve seen it with viruses and worms, and ransomware seems the logical next step. In 2014, Facebook passed the one billion user mark for its mobile apps, while Barclays Bank, rated as having the best mobile banking app, claimed to have over two million registered users, with almost half logging in daily.
So if 2015 will be the year the small shiny in your hand falls under the control of attackers, what are the solutions? FireEye recommended that businesses should consider the value they get from cloud-based data protection services and the privacy implications of letting a third party manage their data. Elsewhere, it seems that education of employees both in and out of the workplace, along with regular back-ups, is the best tactic.
For a more in-depth conversation, join me with analyst Richard Stiennon and researcher Tom Cross on 6th January at 4pm GMT for a discussion on this and other 2015 predictions here: https://www.brighttalk.com/webcast/11399/138375