If there is one predictable constant in cybersecurity, it's the omnipresence of ransomware. As Mandiant put it best, "There's no end in sight for ransomware."
But don't expect ransomware to continue as we know it today. Mandiant predicts threat actors will develop new ways to gain a profit from ransomware, starting with a shift to globalized attacks.
"Indictments, arrests, seizures of funds, and cyber offensive operations against threat actors and their infrastructure by U.S. law enforcement will cause threat actors to reevaluate which countries they target," said Charles Carmakal, SVP and CTO with Mandiant.
The common thread around these trends is cybercriminals finding a way to manipulate corporate data, and for that problem, there really is no end in sight. As 2022 unfolds, here are four cyberthreat trends to watch:
Paying ransom won't stop data publication
Paying a ransom probably won't stop threat actors from placing stolen data on the dark web or using it for extortion purposes, Mandiant warned. That's because of infighting in cybercriminal rings.
"Often, conflict arises within these groups as a specific actor may feel like they're not getting paid their fair share," said Carmakal.
To retaliate, the disgruntled threat actor in the group could decide to publish some or all of the data after the ransom is paid. As greed around ransom grows, expect it to impact post paid-ransom behavior. Individuals could break away from the group and hold the data ransom multiple times.
"The more this happens, the more it's going to affect the way organizations think about making ransom payments," said Carmakal.
Ransomware as espionage
There has been at least one international cyberattack conducted as an act of espionage in 2022. As tensions between countries escalate, Carmakal also anticipates governments will leverage ransomware in extortion operations.
Threat actors will use masquerading ransom or extortion operations to disguise the objectives of some intrusions, especially when there is conflict between nations.
Attacks on the software supply chain
This year, cybersecurity experts are sounding the alarm on attacks to the software supply chain, especially after 2021 ended with the Log4j flaw.
"Log4j is not the first or last software supply chain vulnerability, but it is by far the most widespread and easy to exploit weakness that we've seen in many years — including SolarWinds," said Kumar Saurabh, CEO and co-founder of LogicHub.
The Log4j vulnerability impacted the logging feature of Java, which runs on billions of devices, especially internet of things (IoT) devices, many of which have some form of logging enabled. Seeing how vulnerable these ubiquitous and often ignored codes are in open source software, threat actors will up the ante and go after other forgotten code to exploit.
"What's critical now is careful monitoring of logs from all possible security tools. Unfortunately, many security teams are already flooded with security alerts, and often don't monitor all logs because of excessive storage costs with many SIEM tools," Saurabh.
It is another type of attack that could be attractive to nation-states looking to infiltrate governments or wreak havoc on the systems that control the critical infrastructure. A powerful zero-day exploit can fetch top dollar on the black market, but it might be worth even more if it remains closely guarded in the toolbox of a sophisticated APT team, including those sponsored by a nation-state, ready to be deployed surgically without attracting too much attention.
SMBs lack the manpower for in-house monitoring or keeping track of the open source software supply chain. Nor can they analyze or reverse-engineer every software update a vendor sends them. Zero trust models may be the ultimate solution for this style of attack.
"Adopting the ‘assumption of breach' philosophy combined with an asset-based risk management and risk transfer program may be the only way to keep up with the bad guys," said Daniel Schwalbe, CISO at DomainTools.
While many cybercriminals tend to pursue high-profile attacks designed for financial gain, threat actors are increasingly trying to infiltrate companies and go unnoticed for a long period of time. These quiet attacks allow cybercriminals to exfiltrate data from servers and endpoints at a slow and steady pace.
In today's hybrid/remote work reality, the information on remote computers is typically less protected, putting it at higher risk for a stealth attack.
"Quiet threats are on the rise because cybercriminals are well aware of the value of data to business and other organizations," said Nigel Thorpe, technical director at SecureAge.
In 2022, expect email and other messaging systems to be the most popular point of entry for these quiet attacks, with the goal of compromising corporate communication systems. Cybercriminals can then infiltrate the corporate network and do damage from the inside without discovery.