Ultimately, turning the tide against ransomware means getting attackers to see the crime as more trouble than it’s worth. Recent years saw some states consider whether banning cyber extortion payments could help get us there. Federal officials said this year they’d been mulling whether to enact a widespread payments ban, though some cyber experts say such a move could involve painful short-term side effects and administrative challenges.
As victims adopt better backup processes, cyber criminals have increasingly forsaken single extortion in favor of the two-pronged, double-whammy approach of double extortion or the ease of encryption-free extortion. The latter extortion scheme came into the global spotlight following CLOP’s MOVEit file transfer software exploit, and the count of known victims keeps growing at the time of writing, nearly five months later. As of Oct. 2, 2023, Emsisoft estimated the list of known victims included more than 2,000 organizations and more than 62 million individuals, most from the U.S.
Those aren’t the only emerging ransomware attack trends. At least one cyber expert expects to see more secure-delete style extortion. In this approach, attackers exfiltrate files, then purge them from victims’ hard drives by erasing and writing over the files. Then they offer back their own stolen copies in exchange for payment. In September, the FBI also raised concern over a trend of “dual ransomware” attacks, which see attackers deploying multiple ransomware strains against a single victim within 48 hours.
The traditional image of a hoodie-clad hacker clicking away in the basement has fallen away to that of sophisticated criminal syndicates run like businesses. Young adults and teenagers are now joining the picture. Groups like Scattered Spider and Lapsus$ are known for youth members, a trend that’s been drawing concern from federal officials.
Human behavior may be the most vexing point for organizations to shore up, and is reportedly involved in 74 percent of breaches globally, per Verizon’s 2023 Data Breach Investigations Report. Similarly, a SolarWinds study found 58 percent of state and local governments saying careless or untrained insiders were among the top threat actors facing them. (In comparison, that beats out the 56 percent who named foreign governments, and 47 percent who listed the general hacking community.)
Expect such challenges to grow: Generative AI is making social engineering, pretexting and phishing more convincing, with voice spoofs and believably worded emails. Lapsus$ demonstrated how even teenagers can wield phishing to significant effect.
Good cyber hygiene practices can still go a long way toward defending organizations, including phishing awareness training for employees, multifactor authentication (MFA) and timely patching. Zero-trust security approaches, scanning for vulnerabilities and managing third-party risks help, too.
Collaboration is becoming a prevailing theme in today’s fight against cyber attacks. The greatest impact of the State and Local Cybersecurity Grant Program (SLCGP) may not be the money, but rather how it brings local and state representatives together to plan how to use those funds. The bulk of the grant award must go to local governments, and some states are considering whether shared services or statewide procurement vehicles can deliver the most impact.
All but two states participated in year one of the SLCGP, and 2024 will bring year-two funding. Tribes are getting their long-awaited companion grant program, too, with first-year applications closing in January 2024.
School cybersecurity is also a significant concern, with a State Educational Technology Directors Association survey finding 24 percent of state leaders saying cyber is their top priority, up from 17 percent the prior year. Federal officials are putting attention on the issue, and August 2023 saw the White House announce national efforts to bolster K-12 cyber, including via public information campaigns, grant opportunities and ed-tech partnerships.
Federal officials are also aware that end users like governments and residents can only do so much to stay safe and are continuing to urge tech companies to design their products with security in mind and safety measures set by default. The Cybersecurity and Infrastructure Security Agency has until late FY24 to provide more specific guidance here, while the Office of the National Cyber Director is expected to explore software liability frameworks that might spur more companies into action.
As the 2024 elections approach, officials are eyeing the risks of dis- and misinformation. Thanks to the improving abilities of generative AI, that includes the threat of political deepfakes — or the threat that people will falsely claim that genuine video and audio clips are fakes.
This story originally appeared in the December issue of Government Technology magazine.