A Huge Shift in Cyber Threats

In this Future of Risk interview, Gallagher Bassett's Kirsten Mickelson lays out the major changes in cyber threats to expect this year. 

Future of Risk Conversation



Kirsten Mickelson leads the cyber practice group at Gallagher Bassett, which offers claims and risk management expertise for navigating the rapidly expanding cyber market. The group oversees cyber, technology, privacy, and data security matters, focusing specifically on cyber incident response, data breach response, privacy class actions, and data privacy compliance issues.

Prior to joining Gallagher Bassett, Kirsten was a senior team manager and counsel at Coalition Inc., where she counseled customers in preparing for, and responding to, data breaches in their network infrastructure. She also served as senior claims counsel at Hiscox, where she worked with affected cyber policyholders to respond to hundreds of cyber incidents and third-party claims involving data breaches, cyber extortion, ransomware, DDoS attacks, and business interruption losses.

Kirsten has been awarded the Fellow of Information Privacy (FIP) designation by the International Association of Privacy Professionals (IAPP) and is a Certified Information Privacy Manager (CIPM).


Insurance Thought Leadership

The cybersecurity landscape morphs so rapidly. What emerging cybersecurity threats should organizations be prepared for?

Kirsten Mickelson

We're going to see a huge shift in the coming year in terms of the magnitude of existing attack types. Our most typical attacks are business email compromises [BECs], wire fraud where someone misdirects funds to a fraudulent account, and ransomware attacks. These three types of attacks typically lead to data breaches requiring notification of affected individuals and sometimes evolve into class action privacy lawsuits. These attacks will be amplified significantly, leading to bigger paydays for threat actors and more negative press and scrutiny for victims.

The threats are evolving because threat actors have noticed that organizations are increasingly reluctant to pay ransoms during ransomware attacks. We never advise organizations to pay -- no one wants to pay a criminal -- and there's now even more government scrutiny around ransom payments. Organizations are also becoming savvier about properly securing and backing up their data for business continuity, allowing them to restore from backups rather than paying threat actors for decryption tools.

In response, we'll see threat actors shift their tactics. They'll not only encrypt data in ransomware attacks but also exfiltrate data and threaten to publish it if the ransom isn't paid -- creating a double extortion scenario. Some might skip the encryption process entirely and simply steal data, threatening to publish it if a ransom isn't paid. This is more efficient for them because they don't have to provide continuing support during the decryption process.

Another emerging tactic is that threat actors are showing more patience before striking. They're slowly exfiltrating data to avoid triggering EDR [endpoint detection & response] tools and alarm bells that would detect large data transfers. They're getting into systems and observing email traffic, reading communications, identifying key players who approve large wire transfers, and reviewing documents to understand if there are lucrative opportunities like M&A deals that they can exploit for higher ransom demands.

We're also going to see continued exploitation of zero-day vulnerabilities -- bugs in software or tech products that threat actors find before organizations can patch them. This is particularly effective for scaling attacks and extorting more money, especially with so many organizations relying on SaaS [software as a service] products and outsourced tech.

Finally, we'll see an increase in supply chain and vendor attacks. With organizations increasingly connected and reliant on outsourced tech solutions, vendors become lucrative targets. A single point of attack can affect hundreds or thousands of downstream customers. We saw this last year with Change Health and CDK Global, and now with PowerSchool, and threat actors are very aware of how these attacks can leverage higher payouts by having downstream customers pressure the victim to pay, because their businesses rely on that victim's services.

Insurance Thought Leadership

I'm seeing that artificial intelligence both helps with cybersecurity prevention and enables threat actors to conduct more sophisticated attacks.

Kirsten Mickelson

Yes, threat actors are using generative AI to create more convincing social engineering text. These are more believable phishing emails that have a tone and style like that of a trusted colleague. Threat actors are also using AI to translate these more credible phishing emails to scale -- in French, German, Chinese, and other languages to increase their attack surface. Before AI, these phishing emails were easy to spot. They had lots of red flags, with grammar errors, low sophistication, and mismatched fonts. Now, AI is removing those easy-to-spot flags, enabling more seamless social engineering.

Over the holidays, we saw a perfect example. A company that uses an HR management system for time tracking received a sophisticated phishing email. The email claimed that an employee's time-off request had been denied and asked them to review the reasoning by clicking a link. It wasn't unusual to get that type of email in their organization. When clicked, the link led to a fake landing page that looked exactly like the real one -- no mismatched fonts, no red flags. Once credentials were entered, the threat actor gained access to the system.

In the ransomware space, we're seeing threat actors using AI to review documents more efficiently. They're using it to quickly locate and identify financials, P&Ls, and cyber insurance policies so they can make credible demands. Before, threat actors had to manually review documents to figure out who the key players were, but AI accelerates this process.

We're also seeing threat actors using AI to automate the process of finding zero-day exploits and vulnerabilities before they can be patched. Some are using AI to write malicious code for ransomware attacks, which is making the ransomware industry more accessible to less technical actors.

Another interesting development is that threat actors are targeting legitimate AI agents themselves. As more organizations implement AI chatbots for customer service, we're seeing injection attacks on these agents. Threat actors are using these compromised agents to get victims to disclose sensitive information, reset passwords, and even transfer money. This poses a huge challenge for insurers, and not just cyber insurers.

Insurance Thought Leadership

When I spoke at a recent INSEAD seminar in San Francisco, a fellow panelist shared a scary story about sophisticated neighbors who were scammed by fraudsters who used a deepfaked voicemail of their son saying he desperately needed bail money. How frequently are you seeing deepfakes being used beyond email-based fraud?

Kirsten Mickelson

We're seeing deepfakes frequently, and I don't expect that trend to slow. For instance, in Zoom calls, threat actors are mimicking photos and images of credible people who appear to be your colleagues, even commandeering their voices. If someone who looks and sounds like my senior executive calls into a meeting and tells me to do something, I'm likely to comply.

We've seen this particularly with wire fraud. There was a significant case in Hong Kong where an organization's financial person received instructions from what appeared to be senior executives -- all deepfaked -- directing them to wire several million dollars to a Hong Kong bank. The employee complied. 

I was recently on a panel with a Secret Service agent who said he and his colleagues had experimented by taking his voice and creating a deepfake saying things like, "Hey Joe, do wire that money" -- and it sounded exactly like him.

We're also seeing threat actors playing panicked voices of customers to victims, often vendors. They'll say something like, "Your customer is telling you to pay this ransom, otherwise they'll make this demand or sue you."

Insurance Thought Leadership

Cyber insurance premiums appear to be declining despite increasing cyber threats. Is this because premiums were initially set too high, or are companies becoming more effective at preventing attacks with help from insurers?

Kirsten Mickelson

From the claims perspective, I can say I've seen a lot of new entrants into the market. Also, particularly on the standalone cyber insurance side, insurers are requiring organizations to implement specific security measures before they'll even underwrite them.

They have to have MFA [multi-factor authentication] not just implemented but enforced at all times, in addition to processes such as dual authentication before wiring funds, before insurers will even consider the risk.

Insurance Thought Leadership

The bad guys collaborate all the time, but insurance companies need to be careful about antitrust laws and, of course, don't want to give up a competitive advantage. How can the industry collaborate better?

Kirsten Mickelson

We're seeing that with CISA [the Cybersecurity and Infrastructure Security Agency], which strongly encourages reporting if you’re exploited in some way. The goal is to enable government to aggregate data to go after these bad actors. We are seeing partnerships developing.

Insurance Thought Leadership

Has there been a shift in the geographic origin of cybersecurity threats? I know Russia has historically been a prominent source of attacks.

Kirsten Mickelson

Definitely. For threat actors to receive payment under U.S. insurance policies (and U.S. law), we have to run it through OFAC [Office of Foreign Assets Control]. Payment cannot be sent to a sanctioned entity on the OFAC list.

Before the conflict in Ukraine, many threat actors were operating out of Russia and Eastern Europe. While Russia as a country wasn't on OFAC, there were organizations and individuals within Russia on the list. However, following the Russian invasion of Ukraine, the U.S. placed all Russian financial institutions on the OFAC list, which triggered a massive shift.

Many large ransomware gangs broke up and reformed in new locations. We're now seeing more attacks originating from the Asia-Pacific region, as well as increased activity from Southeastern Europe.

Insurance Thought Leadership

What else should we be thinking about for 2025 that we haven't discussed?

Kirsten Mickelson

I think there's another important trend regarding new tactics. With the ransomware-as-a-service model, the barrier to entry is going to be much lower. This means we're likely to see the threat actor ecosystem expand, unfortunately.

One way this will manifest is through the rise of initial access brokers. In the ransomware-as-a-service world, everything can be outsourced, even finding access to exploit. Access brokers go out and find entry points, then sell them to their customers -- the threat actors who deploy the actual ransomware attacks. These initial access brokers view themselves as less malicious threat actors, though they're still criminals. Because this role doesn't require as much technical knowledge, I expect we'll see a significant rise in initial access brokers.

Insurance Thought Leadership

This is super informative. Thanks, Kirsten.


Insurance Thought Leadership

Insurance Thought Leadership (ITL) delivers engaging, informative articles from our global network of thought leaders and decision makers. Their insights are transforming the insurance and risk management marketplace through knowledge sharing, big ideas on a wide variety of topics, and lessons learned through real-life applications of innovative technology.

We also connect our network of authors and readers in ways that help them uncover opportunities and that lead to innovation and strategic advantage.
