Cybersecurity threats to protect against in 2023 — ransomware still king

The outlook gets bleak for SMBs, as attackers look for smaller, more regular targets.
5 December 2022

What should be on businesses’ protection to-do list for 2023?


2023 looks set to be as big a year as we’ve seen in recent decades as far as cybersecurity and ransomware are concerned. But what will the threat landscape actually look like? In December, every analyst with an email account is keen to give you their predictions of what you should be scared of, especially if they happen to sell a solution for one vulnerability or another. We sat down with Mike McLellan, Director of Intelligence at the SecureWorks Counter Threat Unit, for cybersecurity threat predictions based not on sensation or salesmanship, but on threats already being observed as they hit companies around the world in late 2022.

THQ:

Ransomware-as-a-service seems to be a successful, proven business model for hackers. That’s not about to disappear in 2023, right?

MMcL:

Correct. But what we probably will see is a continuation of the things we’ve seen this year, like a lot of smaller players in the field coalescing behind one or two very large hacker entities. Whereas before, there were maybe 10 or 12 very successful ransomware-as-a-service schemes, there are now really only one or two players who are dominating the market, and they’re attracting more and more affiliates and posting more and more victims.

The Sopranos of Cybercrime

THQ:

So just as in the legitimate business world, we’re looking at mergers and acquisitions, with bigger players able to wield more power?

MMcL:

That’s been happening in 2022, yes, so it will probably continue in 2023. The other thing that we expect to see is that ransomware-as-a-service will become more and more of a problem for small to medium-sized businesses (SMBs), because what we are seeing at the moment is more attacks against smaller organizations.

There are various reasons why that’s happening, but we think some of these criminals have decided that going after very large corporations can maybe get you too much publicity. So they’ve decided to go for more attacks, but on smaller organizations.

THQ:

Like an involuntary crowdfunding model, rather than one big bank job.

MMcL:

So we think SMBs definitely need to be aware of this as a threat. And it’s obviously challenging for them, because they have comparatively limited resources. It is going to be a real challenge for SMBs in 2023, I think.

No press please, we’re cybercriminals

THQ:

It’s interesting that cybercriminals would be worried about the amount of publicity they get, but then in Australia, two mega-hits in quick succession woke up the government to taking a hard line on ransomware, so it makes sense.

MMcL:

There’s also the Irish health service, which was hit last year, but the ransomware attack got a lot of publicity, and the Irish National Guard got involved in joint recovery. That’s probably bad for business if you’re trying to run a successful criminal enterprise where you don’t necessarily want too much scrutiny from law enforcement.

So if you can go after organizations who aren’t going to make so many headlines, but will still get you your payout, you’re probably going to try and do that. That’s why higher volume, but possibly smaller organizations is going to be something we’ll see more of in terms of ransomware in 2023.

We’re also going to see attacks happening faster. Previously, on average, the median dwell time for these attacks was five days. That’s down to about four and a half. And it’s probably going to continue to shrink, because, again, I think in the interest of getting a payout, these criminals are trying to act faster, maybe encrypt fewer systems on the network, but still have enough effect that they can get their ransom. So the time to detect these things is also going to become a challenge, particularly for SMBs, which lack significant resources.

Extortion-only – cyberattacks for dummies

THQ:

What about extortion-only attacks?

MMcL:

We’re probably going to see more actors getting involved in these kinds of attacks in 2023, but there is nothing in the data we’ve got at the moment to suggest that the return on investment is going to be better than a ransomware attack. Ransomware is a more lucrative way to get the payout, because you’ve got the data theft, but you’ve also got the encryption component. So you have two points of leverage on the victim. Whereas if you just steal their data, obviously, you’ve only got that single button leverage, you’ve only got the data you’ve stolen.

So we’ll see more of these attacks in 2023, and it’s definitely going to be a problem, especially since fairly unsophisticated threat actors can conduct these kinds of attacks, but the big money really is going to stay in ransomware.

THQ:

We were talking to someone recently who predicted that if and when ransomware stops being such a big thing, then you might see a big increase in extortion-only attacks, as attackers find a different way of monetizing their activities, but for now, ransomware is still king.

MMcL:

That’s absolutely right. I think we do expect there will be some evolution, because if you go back five years, this kind of ransomware activity was not a thing; it grew up between 2017 and 2019. So we expect an evolution at some point away from the encryption part of these attacks to just stealing data, or at least a growth in that kind of attack. But some people are predicting ransomware is dead. We don’t see any evidence of that.

Email me

THQ:

Let’s talk business email compromise. That’s been a growing threat in 2022. But it doesn’t seem to have had “The Big One” that wakes companies up to its seriousness.

MMcL:

That’s a weird one. We’ve dealt with many, many incidents of this. And some of them have resulted in multimillion dollar losses from a single event. When you compare business email compromise to ransomware, it’s actually arguably a bigger threat in terms of monetary loss.

But it doesn’t have quite the same disruptive impact, which is why it hasn’t really made the headlines as much. We expect to see it grow in 2023. Again, there are lots and lots of individuals and groups who are involved in these attacks, and they’re not very sophisticated, but they are quite effective.

We’re trying to raise the flag on this as a threat, because if you message something for long enough, organizations start to pay attention to it. That’s where we are with ransomware — but then something else comes up in the meantime, and you need to try and make sure companies are also alert to that risk. Business email compromise is a real threat, and it can have a massive impact on companies, so we are trying to make sure organizations are aware of what we’re seeing.

Cloud 9

As more organizations move to the cloud, which is where Microsoft 365 email accounts are stored, for instance, business email compromise is going to become a bigger thing. There will be no malware deployed, no tools used; it’s literally a case of gaining access to someone’s email inbox. Or even just spoofing some emails and being able to then hijack an email conversation and, ultimately, inject fraudulent payment details into a transaction. It doesn’t take much to be able to do that.

So organizations need to be really alert to this and thinking about it if 2023 is the year they’re going to migrate to the cloud. Make sure you know what controls are going to be in place and how you’re going to be able to detect things like business email compromise, where the only activity you might see is maybe mail forwarding rules being set up or something like that.

THQ:

Are organizations as aware as they need to be about business email compromise?

MMcL:

I don’t think so. I think ransomware is definitely grabbing the attention. And that’s not a bad thing, because the controls you need for that apply fairly well to lots of other threats as well. But business email compromise is still underappreciated as a threat. And because of the way it happens, it can be quite hard to detect, so quite often we’ll see that actually no compromise occurs at all. This is as much about business controls as it is about threat and technology. But there are definitely things you can do from a technology standpoint to make yourself more secure – once you’re aware of the significance of the threat.
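The detection point McLellan makes above (that the only trace of a business email compromise may be a mail forwarding rule being created) is worth making concrete. The following is an added example written for this page, not code from the interview, SecureWorks or Microsoft. It scans Exchange admin records in the shape they have when exported from the Microsoft 365 unified audit log (an `Operation` name, a `Workload`, a `UserId`, and a `Parameters` list of `Name`/`Value` pairs; treat those field names as an assumption to check against your own export) and flags inbox rules or mailbox settings that forward mail outside the tenant, hide messages, or use the one-character rule names attackers favour. The three log records and the `example.com` tenant domain are constructed for the demonstration.

```python
"""Flag Microsoft 365 inbox-rule and forwarding changes typical of BEC persistence.

Added example: the audit-record layout and the sample records are assumptions,
not an official schema. Adjust INTERNAL_DOMAINS and the parameter names to match
your own tenant's unified audit log export before relying on it.
"""
import json
from dataclasses import dataclass, field

# Assumption: the tenant's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Exchange cmdlets that change where mail goes or how it is filed.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters that send a copy of mail out of the mailbox.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
# Parameters that hide the victim's own mail from them (classic BEC tradecraft).
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}


@dataclass
class Finding:
    user: str
    operation: str
    reasons: list = field(default_factory=list)


def _params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(addr: str) -> bool:
    """True when a recipient value is outside INTERNAL_DOMAINS.

    Values may be a bare address or carry an 'smtp:' prefix (assumption
    based on how forwarding addresses are commonly recorded).
    """
    addr = addr.strip().lower()
    if "smtp:" in addr:
        addr = addr.split("smtp:", 1)[1].rstrip("]")
    domain = addr.rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def analyse(record: dict):
    """Return a Finding for a suspicious rule/forwarding change, else None."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in RULE_OPS:
        return None
    params = _params(record)
    reasons = []

    for name in sorted(EXFIL_PARAMS & params.keys()):
        targets = params[name]
        if isinstance(targets, str):
            targets = [t for t in targets.split(";") if t]
        external = [t for t in targets if _is_external(t)]
        if external:
            reasons.append(f"{name} sends mail to external {external}")

    for name in sorted(HIDE_PARAMS & params.keys()):
        if str(params[name]).lower() not in ("false", "none", ""):
            reasons.append(f"{name}={params[name]} hides matching mail")

    # Attackers often name rules '.', ',' or a single letter so they are easy to miss.
    rule_name = params.get("Name", "")
    if record["Operation"] != "Set-Mailbox" and len(rule_name.strip()) <= 2:
        reasons.append(f"suspicious rule name {rule_name!r}")

    if not reasons:
        return None
    return Finding(record.get("UserId", "?"), record["Operation"], reasons)


def scan(lines):
    """Run analyse() over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        finding = analyse(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real audit data).
_SAMPLE_RECORDS = [
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "ForwardTo", "Value": "attacker@evil-example.net"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "MarkAsRead", "Value": "False"}]},
    {"Workload": "Exchange", "Operation": "Set-Mailbox", "UserId": "ap-clerk@example.com",
     "ClientIP": "198.51.100.22", "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:finance.team@gmail.com"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "192.0.2.10", "Parameters": [
         {"Name": "Name", "Value": "Team alerts"},
         {"Name": "ForwardTo", "Value": "bob@example.com"}]},
]
SAMPLE_LOG = [json.dumps(r) for r in _SAMPLE_RECORDS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.user, f.operation, "->", "; ".join(f.reasons))
```

Run as-is it reports the first two records (an external forward plus delete on a rule named ".", and a mailbox-level forward to a consumer address) and stays silent on the third, an ordinary internal forward. In a real deployment feed it the exported log rather than the constructed list, and pair it with alerts on the sign-in that preceded the rule change (unfamiliar client IP, new device, legacy authentication), since the rule is usually the second thing the attacker does after getting the credentials.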


In Part 2 of this article, we’ll take a whistle-stop tour through some of the other main cybersecurity threats to look out for in 2023, from technological innovations to state actors with nefarious geopolitical agendas.