TK Keanini, CTO, Lancope wrote a 2015 Predictions editorial over at SC Magazine. He said he expects more malware like CryptoLocker and CryptoWall over the next 12 months, but also something new called "extortionware".
I wholeheartedly agree with what he said: "Ransomware remains profitable, and cybercriminals are always looking for areas to grow their business. To date, victims have mainly been individuals with data from their computers or smartphones being held for ransom. But the one industry at great risk here is health care. Three factors make it a highly attractive target for ransomware expansion in 2015 – the mandate to move to electronic records, the sensitive nature of health care data, and the immaturity of the information security practices that exist in the health care industry today. This is a scary notion because we rely so heavily on the availability and accuracy of patient records. The cost of a compromise could range from an inconvenience to loss of life."
But then he predicts something else for 2015 and that I do not agree with so much: "Extortionware is an expansion on ransomware whereby unless you pay a certain amount to the attacker, the data will be made public for all to see (or for more targeted disclosure). What if the data contains evidence of infidelity, for example? The list of possible incriminating data goes on and on, but you can see how this differs from ransomware. Much like spear phishing, this attack will be much more targeted, but attackers will yield a higher take per victim, and those victims are less likely to involve law enforcement due to the sensitive nature of the data."
Why do I think this is not very likely?
Cybercriminals are in it for the cash. Their time is money. The infrastructure they rely on is massive botnets. Their money-making machine is always designed to scale, which is why threat actors have largely moved their targets from individuals to businesses. They send out hundreds of thousands of phishing emails using social engineering tactics and a small fraction get clicked on, but those pay off handsomely with ransomware.
On the other hand, this "extortionware" does not "scale". It's too labor intensive to ever make it big as you cannot send it to millions of email addresses and be profitable. There may be some of this type of crime next year, but it will not expand exponentially like CryptoLocker did in 2014.
The easiest and cheapest way to prevent all your files being encrypted will all employees sitting on their hands for days, is to step them all through effective security awareness training. Find out how affordable this is for your organization:
