Ransomware expected to dominate in 2017

Ransomware and IoT-enabled attacks are expected to continue, while 2017 will see the rise of data integrity attacks, targeting of cloud infrastructure and the use of AI by attackers, experts predict

Ransomware, or malware that locks up data and demands payment for its release, is set to evolve and make up the majority of cyber attacks in 2017, according to most predictions by security commentators.

Cyber attacks that exploit weaknesses in mobile devices and devices that make up the internet of things (IoT), including distributed denial of service (DDoS) attacks, are also expected to continue from 2016.

However, in 2017, experts predict an increase in professional, advanced attacks – including attacks on cloud infrastructure – and the rise of data manipulation attacks, further underlining the need for a fresh approach to data security.

Perhaps the most disturbing prediction is that as defenders look to artificial intelligence (AI) to bolster security, this will be mirrored in the cyber criminal world by AI-driven attacks.

Overall, the pace and variation of exploits driven by technically astute adversaries will only gain momentum if not managed effectively, said Mike East, vice-president of sales in Europe at CrowdStrike.

What will not change, he said, is that all businesses will be vulnerable as attack targets, whether they are a Fortune 500 company, a family-run business or a utility company.


Ransomware, typically in the form of encryption Trojans, grew rapidly in popularity with attackers in 2016, and these attacks are expected to cannibalise other more traditional attacks based on data theft in 2017.

The pursuit of profit is the primary motivation of cyber criminals, and ransomware is the simplest and most effective way to achieve this, said researchers at Panda Security.

But not only is the number of ransomware attacks expected to continue to increase, the malware involved is also expected to become more sophisticated, predict security experts at SecureWorks.

“Though most ransomware attacks are not targeted, it is likely there will be an uptick in targeted attacks in 2017,” said Alexander Hanel, a security researcher at SecureWorks.

“Compromising corporate environments through targeted attacks allows the attackers to request more money than they would receive from a typical user. That makes enterprise targets more attractive,” he said.

In 2016, a wave of ransomware attacks hit targets ranging from hospitals to a major metropolitan municipal railway system, said Hanel. “The proliferation of ransomware families and the success attackers have had in compromising systems makes it highly likely these types of attacks will continue in 2017,” he said.

The emergence of open source ransomware programs hosted on GitHub and hacking forums is expected to further spur the growth of these attacks in 2017.

“These programs are freely available for anyone who has the basic knowledge needed to compile existing code,” said Ondrej Vlcek, chief technology officer at security firm Avast.

“Even if the wannabe perpetrator doesn’t have the skills to create their own malware from free code, this can now also be readily outsourced. There is already a ransomware as a service [RaaS] model, which provides automatically generated ransomware executables for anyone who wants to get rich by infecting potential victims. The bottom line is that creating or buying your own ransomware has never been easier. So ransomware is here to stay and is expected to be a bigger problem yet in 2017,” he said.

While law enforcement action is expected to have some effect on general ransomware, security experts predict 2017 will see a rise in ransomware targeting mobile devices.

In the light of the fact that mobile users generally have their data backed up on the cloud, mobile ransomware will aim to steal users’ bank credentials and take money directly from their accounts, according to virtual private network (VPN) service provider NordVPN.

Security experts generally advise against paying ransoms because there is no guarantee the data will be restored.

The threat of ransomware encryption and file deletion can be minimised by solid malware protection, email hygiene and regular, offline backups.

However, Avast’s Ondrej Vlcek points out that cyber criminals could potentially also download a copy of sensitive data and threaten to publish and expose these files online if the company fails to pay ransom.

“This technique is called doxing. It has been used in hacking attacks where systems have been penetrated. While, to date, only proof-of-concept inclusions of doxing capabilities have been seen in ransomware, we’re predicting to see more of this type of extortion in the wild in 2017,” he said.

Another prediction is that 2017 will see the emergence of self-propagating ransomware that will have the same kind of characteristics traditionally found in network worms such as Conficker.

This will result in a breed of ransomware designed to produce endless duplicates of itself, spreading the infection across an entire network, according to WatchGuard Technologies.

Internet of things

The Mirai IoT botnet-enabled DDoS attacks towards the end of 2016 exploited weaknesses in IP cameras and routers, and this trend is expected to continue in 2017.

“We predict the number of botnets that can enslave IoT devices will continue to grow in 2017 as the number of devices vulnerable to exploitation increases,” said Ondrej Vlcek.

“The growth in wearables also presents a growing challenge. Not only do they offer the opportunity to simplify processes and everyday actions, such as providing security clearance to buildings or as a way of tracking activities so that time is used efficiently, but they also create new potential vulnerabilities. In essence, every extra connected device that enters the home or the workplace is an extra route in for hackers,” he said.

In 2017, IoT-enabled cyber attacks are also expected to become more intelligent and focused, successfully executing data theft and escalation of privilege of enterprise systems, according to Pete Kofod, founder and CEO of desktop as a service firm The Sixth Flag.

“IoT systems lack many of the protections commonly found in datacentre and commercial off-the-shelf (Cots) systems. The systems are often low powered, meaning advanced encryption and data integrity functions are not available,” he said.

Kofod predicts IoT will become another shadow IT headache as IoT-based devices increasingly pop up across enterprise departments.

“Facilities departments in particular will need to become more integrated with enterprise security as they deploy countless sensors and controllers,” he said. “This relationship will be especially important in organisations that maintain critical infrastructure as IoT and industrial control systems merge.”

Security firm RiskIQ also predicts that IoT will not only increase as a risk factor, but move beyond the DDoS attacks seen in 2016 to be used in more sophisticated ones such as ransomware and data theft.

“As the frequency and sophistication of ransomware and IoT attacks increase, we should expect to see the two threats merge, making IoT ransomware a devastating threat in 2017,” said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.

Corey Wilburn, security practice manager with cyber resilience firm DataEndure, believes further exploitation of IoT devices to disrupt critical infrastructure will lead to suppliers “finally understanding what security professionals have been warning about for years”.

Data manipulation

In September 2013, Scott Borg, chief of the US Cyber Consequences Unit, predicted that manipulation of international financial markets would be the next evolution of cyber crime.

There is a limit to the amount of money criminals can make through theft and credit card fraud, he told a joint session of the ASIS International and (ISC)2 annual congresses in Chicago.

“But there is no limit to the money that can be made by manipulating financial markets. By taking a position in the market and then conducting a cyber attack to discredit a company, criminals can make an almost infinite amount of money,” he said.

2017 will be the year that data integrity breaches will send shockwaves throughout the world, with at least one “almighty” breach disclosure of this type, predicts Jason Hart, chief technology officer of data protection at security firm Gemalto.

Data integrity is a promise or assurance that information can be accessed or modified only by authorised users. Data integrity attacks compromise that promise, with the aim of gaining unauthorised access to modify data for a number of ulterior motives, such as financial or reputational ones.

“Data integrity attacks are, of course, nothing new, yet they remain under the radar of businesses who have an ever increasing reliance on data and make huge business decisions based on its analysis. These types of attacks are what I like to call the ultimate weaponisation of data,” said Hart.

“The first generation of cyber attacks focused on stopping access to the data, which quickly moved on to stealing it. Today, we’re starting to see more evidence that the stolen data is being altered before transition, affecting all elements of operations,” he said.

According to Hart, data integrity attacks have the power to bring down an entire company and more. “Entire stock markets could be poisoned and collapsed by faulty data. The power grid and other IoT systems, from traffic lights to the water supply, could be severely disrupted if the data they run on were to be altered. And perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself,” he said.

The most recent examples of data integrity attacks include the breach at JP Morgan Chase and subsequent attempts at market manipulation in 2015, as well as breaches of the World Anti-Doping Agency and Democratic National Committee in 2016, with hackers manipulating their data to embarrass the organisations involved.

Risk management firm Stroz Friedberg also expects the rise of data integrity attacks in 2017. “Criminals will seek to sow confusion and doubt over the accuracy and reliability of information, impairing decision making across the private and public sector,” the company predicts.

CrowdStrike’s Mike East said organisations need to be continually and proactively assessing their networks to understand how they are compromised. “Too many are focusing on the ‘known’ bad, rather than trying to understand the threat of the ‘unknown’,” he said.

Attacks on cloud infrastructure

Cloud-based methods of persistence and compromise have been presented at many security conferences, including BlackHat and Defcon in the past year, said Aaron Shelmire, senior threat researcher at threat intelligence firm Anomali.

“In 2017, we expect to see the leading security organisations begin to catch malicious actors breaching their cloud management infrastructure,” he said.

In addition, Anomali expects to see malware purpose built to capture cloud services credentials, similar to the banking trojans that are able to intercept two-factor authentication input.

“After the malicious actors gain access to cloud infrastructure, we expect to see new methods of persistence established via the cloud management profiles. This will actively present a significant challenge for understanding intrusion timelines,” said Shelmire.

“Thus far, none of the large cloud storage or infrastructure companies have detailed a breach since the Aurora attacks that Google did in 2009. This is occurring in an environment where as many as 89% of healthcare organisations experienced a data breach in 2015, yet we are not hearing much about them from the companies that host these industries’ data and systems. In 2017, we expect a major cloud supplier will be in the news for a significant security breach,” he said.

According to Anomali, threat actors have been using cloud services for command and control channels for a few years already.

“There has been a continued evolution in this activity by many threat actor groups over the past two years. In 2017, we expect to see continued development of malicious software using cloud services. It is likely that security companies will not report on this activity for fear of losing potential clients,” said Shelmire.

Artificial intelligence

2017 will see AI and machine learning used by both sides of the cyber security battle, resulting in more sophisticated threats and even more advanced means to combat them, according to Andy Powell, head of cyber security at Capgemini UK.

“From a hacker’s point of view, AI will power malware, and use data from the target to send phishing emails that replicate human mannerisms and content. Seeming more lifelike, these AI-powered attacks will resonate with the target better than ever before, meaning they’ll be more likely to fall victim,” he said.

On the flipside, Powell said cyber security teams will implement AI and machine learning to bolster their encryption tactics.

“We’ll see a rise in AI systems that are able to frequently rewrite encryption keys to prevent them being unlocked. There will also be further implementation of AI that can spot unusual activity both on the inside and at the perimeter of an organisation’s walls, to help meet the need for advanced, agile and tailored cyber intelligence feeds that adapt to the battleground,” he said.

There is increasing usage of AI by attackers to enable highly customised attacks that can be detected only if the defenders are also using AI, Emily Orton, director of UK information security startup Darktrace, told the Eema ISSE 2016 security conference in Paris in November 2016.

In India, Darktrace discovered an AI-enabled attack that was designed to monitor user behaviour and emulate it to avoid detection.

“These are really clever attacks and defenders need to have a similar AI capability to detect them,” said Orton. However, she believes that defenders can do far more with AI than attackers.

A new approach

In the light of what is expected in terms of cyber security threats in 2017, businesses need actionable intelligence to overcome this hurdle and get ahead of the threats that could compromise their business, according to CrowdStrike’s Mike East.

“Ultimately, we cannot properly interpret today’s threat landscape without understanding the impact of global economic developments and geopolitical events,” he said. “Just because something happens miles away, it doesn’t mean it won’t wash up on your doorstep in the form of an attack. Intelligence needs to be added to the equation so we can anticipate and detect potential threats and defend against new tactics, techniques and procedures.”

“The inherent limitations in conventional security defences have been illustrated in the well-documented proliferation of cyber attacks across all industries,” said East, echoing a widely held view in the industry.

“As such, we’re beginning to see indicators of a tectonic shift away from legacy solutions as people start thinking differently about security. This has been a snowball rolling down the hill, and it’s picking up momentum heading through 2017, where it will likely reach a critical mass.

“Businesses are starting to work out how they can get more visibility across their entire network, augment and then entirely replace their legacy systems with next-generation solutions. The industry has been talking about replacing these for 15 years and now we are finally starting to see the trend accelerate.

“Whether part of criminal groups or nation-state operations, adversaries can move faster than ever before, mutate malware and actively change exploit tactics or IP addresses. Reactive cyber-security methods are now obsolete,” he said.

Chase Cunningham, networks director of cyber operations at A10 Networks, predicts the days of security teams working nine to five are over.

“Now is the dawn of the 24/7 security team,” he said. “As more security solutions become services-based, consumers and businesses will demand the security teams and their suppliers be available around the clock. While monitoring tools do some of the work, threats don’t stop just because it’s midnight, and security teams need to be ready to do battle all day, every day.”

However, WatchGuard Technologies predicts that small and medium-sized enterprises (SMEs) will increasingly turn to managed security service providers (MSSPs).

SMEs continue to be aggressively targeted by cyber criminals, but with small IT teams and rarely any dedicated security professionals on staff, and without the resources to configure, monitor or adjust their own security controls, SMEs will recognise that MSSPs may be the answer, according to WatchGuard.

In 2017, at least a quarter of small businesses will turn to more specialised MSSPs for their security needs, and this percentage will continue to increase each year, the company predicts.
