Orpheus 2020 Forecast

ORPHEUS 2020 FORECASTS

With the start of the new year Orpheus takes a look at the emerging threats, upcoming events, and developing technology that we believe will shape the threat landscape in 2020. Below are five forecasts for the year ahead.

In line with analytical best practice, Orpheus has attempted to ensure that these forecasts are quantifiable, time-bound and based on a probability yardstick,[1] allowing for the accuracy of these predictions to be assessed throughout the year. The nature of cyber operations, where reporting is frequently fragmentary and sometimes misleading, and where attribution is an inexact process, means that such well-defined forecasts can be difficult to generate; however there is still assessed to be value in highlighting likely trends in the coming year.

  1. Shift towards continuous development cycles for malware

Echoing their legitimate counterparts on the surface web, malware developers are increasingly adopting an iterative approach to releasing their code, with an emphasis on continuous delivery. In 2020, this trend will be driven by both push and pull factors – for example the continuing demand for malware-as-a-service which will accelerate competition between these offerings on one side; and improving mitigation measures for ransomware, which necessitate more frequent releases on the other. We therefore anticipate that to stay ahead of their peers and their targets, and in line with the broader effort to imitate successful surface web business models, malware developers will be increasingly agile and flexible in the way in which they release malware in an attempt to retain and grow their customer base.

For example, the Buran ransomware receives frequent updates to stay afloat in the increasingly competitive ransomware-as-a-service market. In the screenshot below, a member of its support team posts to announce that the fourth version of the service includes significantly faster data processing.

Figure 1 Buran ransomware’s support team highlights the faster data processing in the latest version of their product

Forecast: We assess it as probable that there will be ten malware-as-a-service offerings using this continual development model by the end of 2020.


  • . Geopolitical rivalries to provide drivers for state information operations

State actors have persistently sought to breach and release potentially sensitive information to support their own geopolitical objectives. Russia’s APT28 has led this charge, targeting bodies such as the World Anti-Doping Agency (WADA) and the US Anti-Doping Agency (USADA) in a bid to expose and undermine their alleged anti-Russian bias. WADA’s current ban on Russian participation in the 2020 Tokyo Olympics means these motives remain, while Russia’s Olympic Destroyer false flag attack on the 2018 Winter Olympics illustrates a potentially more disruptive intent. This targeting rationale may also extend to associated bodies, such as drug testing laboratories, national Olympic committees or even the personal accounts of individual athletes and coaches.

Meanwhile, the 2020 US presidential election is likely to encourage similar Russian activity to that in 2016. As before, the aim will likely be to steal and leak potentially sensitive information relating to Democratic candidates, mixed in with disinformation. Reports that Russia’s APT28 group targeted Burisma, the Ukrainian energy firm related to Trump’s impeachment, may indicate these efforts are underway – and possibly expanding the US-only scope from the 2016 election.

Russia will not be alone in the pursuit of these operations in 2020. Although Iran will continue to dedicate a significant portion of its cyber capabilities to controlling political dissent, we anticipate it will also use increasingly sophisticated information operations to undermine its geopolitical rivals in 2020. Iran’s desire to strike back at accessible US targets means that these may take a more active shape – for example by breaching and releasing information from rival governments and supranational bodies.

Forecast: We assess that it is almost certain that there will be public reporting concerning attempted targeting of WADA, or testing laboratories, or other Olympic infrastructure, by 31 December 2020, and probably before 24 July 2020. We assess that it is likely that Iran conducts its own information operations targeting international bodies. We assess that it is almost certain there will be public reporting in which efforts to target the US election and associated targets is attributed to Russia.

3. Ransomware to run rampant – with a twist

Despite predictions of its demise, ransomware has successfully innovated to remain relevant. We anticipate in 2020 new tactics will ensure its persistence.

Previously, ransomware operators have threatened to publish stolen data unless the ransom demand is met. More often than not, these data extortion threats remain just that – threats. However, many organisations are resisting ransom demands as they become more aware of the ransomware threat and better at implementing back-up policies. We recently observed a new tactic when threat actor TA2101 infected a security staff provider with the Maze ransomware strain, and after an unsuccessful extortion attempt, leaked part of the organisation’s data online.

Forecast: We predict that by 31 December 2020, 18% of all of our recorded ransomware incidents will consist of cases where data confidentiality was also impacted, representing twice the current 9% figure in our reporting.

We anticipate the volume of ransomware incidents affecting the confidentiality of data will double

4. Increasingly elaborate phishing techniques

Phishing: the most popular infection vector and a seasonal nuisance. Many endpoint security solutions filter emails deemed to be suspicious, and organisations are increasingly educating employees on how to combat the threat phishing poses. Yet both technological and human solutions, as they currently stand, may not be enough against emerging Deepfake technology – particularly instances that use Artificial Intelligence (AI) to mimic voices.[2]

Reports that cybercriminals were able to defraud $243,000 from a CEO of a UK based energy firm, who thought he was speaking to the chief executive of the firm’s parent company, highlight the potential risks associated with AI powered cyber attacks – particularly in support of CEO fraud. 2020 will likely witness more phishing via audio Deepfakes, as its potential profitability has been proven. This represents a natural evolution of “vishing” efforts, where the perpetrator uses a phone call or a voice mail to supplement their phishing email, making it appear more legitimate.

Forecast: We assess that at least one previously unreported evolution to phishing techniques will be publicly documented by 31 December 2020. We forecast that reporting of AI-facilitated phishing attempts will increase five-fold by 31 December 2020 (from a baseline of a single incident in 2019).

5. Companies will fail to secure exposed databases

Despite repeated instances throughout 2019, companies will continue to fail to properly secure databases in 2020. Amazon S3 buckets, MongoDB and Elasticsearch instances will all remain exposed to the internet without proper authentication. These instances will leave easy pickings for cybercriminals looking to steal sensitive or personal data – or, more mercifully – security researchers who are instead looking to notify the companies and raise publicity of the issue.

Forecast: Orpheus’ Cyber Risk Rating tool will show that 15% of companies will have ports associated with popular database services exposed to the internet.


[1] Tetlock, P.E. and Gardner, D., 2016. Superforecasting: The art and science of prediction. Random House.

[2] https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402

SHARE ON

Share on linkedin
Share on facebook
Share on twitter

Get our latest cyber intelligence insights straight into your inbox every week