Ransomware gangs with zero-days and more players overall will characterize financially motivated cyberattacks next year.

Financial cybercrime in 2021 is set to evolve, researchers say, with extortion practices becoming more widespread, ransomware gangs consolidating and advanced exploits being used more effectively to target victims.

That’s according to key predictions from Kaspersky. Researchers said the drastic COVID-19-related changes to the way people live and work has changed the way financial attackers operate. The implications of these shifts for 2021 are significant. Over the past year, companies became less secure due to hastily deployed remote work solutions, researchers said. That has translated into a lack of employee training, default laptop configurations left unchanged and vulnerable remote access connections. Together these trends have opened up a myriad of new attack vectors, including targeted ransomware campaigns.

According to Kasperky, ransomware – above all – will continue to be a main scourge in the year ahead.

“Due to their successful operations and extensive media coverage this year, the threat actors behind targeted ransomware systematically increased the amounts victims were expected to pay in exchange for not publishing stolen information,” researchers said in a Monday posting. “This point is important because it is not about data encryption anymore, but about disclosing confidential information exfiltrated from the victim’s network. Due to payment card industry security and other regulations, leaks like this may result in significant financial losses.”

Kaspersky researchers anticipate an even higher growth in extortion attempts for next year, with more cybercriminals targeting organizations with ransomware or distributed denial of service (DDoS) attacks or both. This could include advanced persistent threat (APT) groups going forward.

“The Lazarus group has tried its hand at the big game with the VHD ransomware family. This received attention, and other APT threat actors followed suit, MuddyWater among them,” researchers said. “Advanced threat actors from countries placed under economic sanctions may rely more on ransomware imitating cybercriminals’ work. They may reuse already-available code or create their own campaigns from scratch.”

Meanwhile, zero-day exploits could become more common among ransomware gangs according to the firm, as they purchase these to expand even further the scale of attacks and boost their success, resulting in more profit.

“Ransomware groups who managed to accumulate funds as a result of a number of successful attacks in 2020 will start using zero-day exploits – vulnerabilities that have not yet been found by developers – as well as N-day exploits to scale and increase the effectiveness of their attacks,” according to Kaspersky. “While purchasing exploits is an expensive endeavor, based on the money some of the ransomware operators were able to obtain from their victims, they now have sufficient funds to invest in them.”

Researchers also noted that financial cybercriminals will likely switch to “transit cryptocurrencies” when demanding payment from victims, for enhanced privacy.

“Special technical capabilities for monitoring, deanonymizing and seizing Bitcoin accounts will prompt a shift in the methods used by many cybercriminals to demand payment,” according to the report. “Other privacy-enhanced currencies such as Monero are likely to be used as a first transition currency, with the funds being later converted to other cryptocurrency, including Bitcoin, to cover criminals’ tracks.”

Aside from ransomware landscape changes, Kaspersky researchers predicted that Magecart payment-skimming attacks will move to the server side, as fewer threat actors rely on client-side attacks that use JavaScript.

And, Bitcoin theft will become more attractive, as many nations are hit hard financially as a result of the pandemic.

“The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime including cybercrime,” researchers said. “We might see certain economies crashing and local currencies plummeting, which would make Bitcoin theft a lot more attractive. We should expect more fraud, targeting mostly BTC, due to this cryptocurrency being the most popular one.”

Dmitry Bestuzhev, a security researcher at Kaspersky, noted that while this year was substantially different from any other, many trends that were anticipated to come to life last year came true regardless.

“These include new strategies in financial cybercrime – from reselling bank access to targeting investment applications — and the further development of already existing trends, for instance, even greater expansion of card-skimming and ransomware being used to target banks,” he said. “Forecasting upcoming threats is important, as it enables us to better prepare to defend ourselves against them, and we are confident our forecast will help many cybersecurity professionals to work on their threat models.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.