Beyond Ransomware: Cybercrime Trends to Watch in 2023
The global cybercrime problem continues to grow and change, bringing with it additional challenges for those tech and cybersecurity pros entrusted with securing their organizations’ data and infrastructure.
The latest statistics from the FBI’s Internet Crime Report show agents recorded nearly 850,000 complaints related to cybercrime in 2021, a 7 percent increase from the previous year. All told, the FBI estimates cyber losses to American citizens totaled $7 billion in 2021. The biggest culprits include ransomware, business e-mail compromise schemes, and the criminal use of cryptocurrency.
Ransomware tends to make the most headlines, and with good reason. Cybercriminal gangs continue to wield a dangerous combination of crypto-locking malware and extortion threats to great effect. The 2022 Verizon Data Breach Investigations Report found 25 percent of all breaches now involve some type of ransomware component. Adding to these concerns, security firm FortiGuard Labs published a December report detailing how its researchers are tracking three new ransomware variants that are extremely effective at encrypting data on compromised Windows systems.
One reason cybercrime remains a consistent problem is a thriving underground economy that gives almost anyone with rudimentary skills ready access to an arsenal of malicious tools. A report by HP Wolf Security found that competition in the underground continues to push prices down: for example, researchers found more than 150 exploits for less than $10, as well as a slew of information stealers selling for $5 or less, and remote access Trojans (RATs) for $3.
Combined with economic uncertainty, layoffs across several sectors and the growing conflict between nation-states (i.e., the ongoing war between Ukraine and Russia, which has a significant cyber component), tech and cybersecurity pros need to keep up with how cybercrime will morph and change over the next 12 months.
“With potential global recession leading to higher unemployment and continued geopolitical unrest around the globe, most industry leaders are looking at 2023 as the year that will finally bottom out. When this happens, expect a scramble for talent as companies try to accelerate their recovery… As we continue to see a convergence across the IT operations, risk, and security, businesses need to see this as a transformation catalyst,” Erik Gaston, vice president for global executive engagement at security firm Tanium, recently told Dice.
With multiple factors to consider, here’s a look at five cybercrime trends likely to shape 2023, and how tech and security pros can best prepare for what is about to happen.
Ransomware Gangs Continue to Grow and Adapt
Ransomware has become the number one cybercrime concern over the past several years, as criminal gangs have refined their malware and deployed new techniques to extract cryptocurrency payments from victims.
These attacks received enough attention over the last three years that President Joe Biden made a point of confronting Russian President Vladimir Putin about the role his country plays in harboring some of the gangs. And while attacks have slowed somewhat, these threats have not abated. Security firm Proofpoint finds that criminal gangs are more likely now to deploy what is called triple extortion, which includes the initial breach along with “attackers seeking payments not only from the target organization but also any entities that the data leak may impact.”
With data and money on the line, not only do cybersecurity and tech professionals need to keep their skills up-to-date, but they must also work to ensure other employees are aware of the dangers, said Lucia Milică, Proofpoint’s global resident CISO.
“Security teams can best protect their organizations by strengthening cyber resiliency within their workforce before an attack strikes because most attacks start with employees,” Milică told Dice. “Ransomware is usually delivered through social engineering attacks, including phishing attacks, and human interaction is required for phishing attacks to be successful. This emphasizes the need for effective security awareness and training in the workplace, and organizations can achieve this by understanding their specific threat landscape. By leveraging threat intelligence, organizations can reduce cyber risk by communicating the latest insights company-wide, which can then help to deliver tailored security training that will reduce specific risks that the organization is facing.”
While private firms are the most lucrative targets for ransomware gangs and their affiliates, Darren Guccione, CEO and co-founder at Keeper Security, noted an increase in attacks that have affected government entities, including many state and local agencies. This trend is likely to continue and increase in the new year.
“The stakes are high for public sector organizations, as confidential, sensitive data is at risk if these organizations do not maintain good cyber hygiene,” Guccione told Dice. “In 2023, we will see greater attack frequency against public sector entities, including educational institutions, the federal government, and at the state, local and municipal levels. As the risk heightens, education and government leaders must prioritize adopting solutions and implementing processes to protect against these growing threats.”
Securing Identities Becomes Critical as Cloud Use Grows
In the almost three years since the start of the COVID-19 pandemic, the cloud has grown even more critical for organizations as workers remain remote or conduct their jobs via a hybrid schedule.
Securing the identity of those who need access to enterprise applications and data is critical, since so much of cybercrime involves stealing and compromising this information. With more and more organizations opting to use two or more cloud infrastructures or services, securing identities and preventing identity theft will be a significant concern in 2023, said RSA’s Chief Product Officer Jim Taylor.
“That’s going to prove to be a security nightmare: cloud providers’ identity and access management controls typically don’t map to the original business roles or enforce the same authentication policies needed to secure sensitive data,” Taylor told Dice. “That’s bad enough in one public cloud and grows with every additional cloud that an organization adds. Gartner recently predicted that ’99 percent of cloud security failures’ will result from organizations misconfiguring who should have access to what resources, and whether authentication is required to access them.”
To counter this trend, Taylor noted that tech and cybersecurity pros should invest in training, especially around how a zero trust approach can address identity and access management concerns.
“Don’t let perfect be the enemy of the good—use Data Loss Prevention to identify your highest-value assets and make sure you have the identity controls needed to secure them,” Taylor added. “Security professionals will also ensure that users can only access what they’re supposed to: clean up orphan accounts, audit entitlements, and embrace least privilege.”
CISOs Under the Microscope
While CISOs and other security executives work to prevent breaches and attacks, some industry observers see a trend where these leaders might be held much more accountable following a cybersecurity incident.
In October, former Uber CISO Joe Sullivan was found guilty of obstructing an active U.S. Federal Trade Commission (FTC) investigation into the ride-share company’s security practices, along with concealing a 2016 data breach that exposed the data of about 50 million customers and drivers.
“The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain,” according to the U.S. Department of Justice, which prosecuted the case.
Cases like the one involving Uber are likely to make organizations and their security teams rethink their approach and look for additional protections following a breach or an attack, said Andrew Barratt, vice president at Coalfire, a cybersecurity consulting firm.
“We will continue to see amped-up accountability on the C-Suite in the year to come. CISOs, in particular, can now be held personally liable for withholding specific information,” Barratt told Dice. “There isn’t currently another role that exists where accountability can be held in this same way. As current cyber insurance plans do not cover this new type of criminal liability, we will likely start seeing C-level insurance being implemented for these roles.”
Post-Pandemic Social-Engineering Attacks
With the world moving into a post-pandemic phase, cybercriminals are likely to shift with the times and deploy new social engineering techniques, including new waves of phishing and spear phishing attacks, to target victims.
As the 2022 Verizon DBIR report noted: “25 percent of total breaches in the 2022 report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82 percent of analyzed breaches over the past year.”
This will require tech and cybersecurity pros to not only keep up-to-date on the latest social engineering techniques but also raise awareness within their organizations, said Archie Agarwal, founder and CEO at security firm ThreatModeler.
“We are still just getting out of the pandemic, and social engineering attacks have seen an uptick. Attackers are continuously instilling the sense of fear through phishing attacks,” Agarwal told Dice. “Simple blacklisting of emails and messages may not help 100 percent, but it is definitely a good starting point. For the industry as a whole, an evolved system of identifying and blocking such attacks needs to be taken as a priority.”
Don’t Forget About OT Systems
Over the last two years, attacks that have threatened critical infrastructure have raised awareness of the threats to operational technology (OT) systems.
OT security has been a top priority of the U.S. Cybersecurity and Infrastructure Security Agency and threats to critical infrastructure have spurred lawmakers to pass legislation such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which is designed to encourage data sharing between the federal government and private industry.
Still, threats to critical infrastructure and OT systems remain a major concern, with experts worried about what attackers might try to exploit in 2023. This puts pressure on those who must secure the infrastructure and hire professionals who understand critical OT systems and technology.
“Threat actors are now targeting OT and IoT environments managed by non-IT teams, and those teams are hiring people with cybersecurity skills to secure and harden a range of devices including physical security, manufacturing, and smart buildings,” Bud Broomhead, CEO at Viakoo, told Dice. “With more solutions available to cybersecurity professionals, orchestrating them into being effective defenses will drive more career opportunities for security architects.”