This year has been a real doozy, y’all: Ransomware capitalizing on extortion, operators compromising thousands of organizations, the COVID-19 pandemic forcing organizations to shift to work-from-home solutions at the drop of a hat, and a dumpster fire of misinformation observed from nation-state threat actors and cybercriminals. We’ve all been put through the wringer in 2020. As we approach the beginning of a new year, it’s about time to start imagining what the future ahead of us will look like. 

Spoiler alert: The threat landscape doesn’t offer much hope for next year’s developments – but not everything is bleak, we promise.

But on that note, we feel that it’s time to say (again):

There’s no need to ZOMG when threat actors attack; they’re predictable. In many respects, there is nothing new here.

The “Pyramid of Pain” by David Bianco

Let’s repeat that one more time for the folks in the back: There is nothing new here. 

To level with you, yes, it looks and sounds scary. However, as pictured in David Bianco’s Pyramid of Pain, it is wildly challenging for threat actors to change up their tactics, techniques, and procedures. It’s bittersweet: threat actors keep security researchers like us employed, yet, at the possible expense of our jobs, the mitigations for these threats remain the same: 

  • Patch your stuff. This is easier said than done, but if you see threat actors exploiting known vulnerabilities, we have to ask—why aren’t organizations actioning these patches? We’ll leave the answer to you. 
  • Don’t click on sketchy things. Most cyber attacks start with phishing emails. Therefore, if you don’t recognize an email, or you weren’t expecting a specific email, don’t interact with it until you confirm with the alleged sender that it’s legitimate. 
  • Your dog’s name is a terrible password. Yes, it’s wildly easy to remember – but that’s not the objective of a password. Is convenience worth the loss or theft of your data? We think not. Seriously, just bite the bullet and enlist the assistance of a credible password manager. 

Okay. We’ve covered some of the simplest, but most applicable, security measures. While keeping the above points in mind, let’s pull out our crystal ball and explore what we’ve seen in 2020 while trying to make some sense of what’s coming…


Photon Research Team


The global lockdown in the face of the coronavirus pandemic has forced companies worldwide to move away from their offices and adapt to thousands of employees working from home.

We all remember the hectic times back in March and April when teams worked around the clock to enable business continuity with the least amount of disruption possible. Meanwhile, operators of well-known trojans like Emotet, for example, switched to leveraging COVID-19 phishing lures at the beginning of the pandemic.

Reports of email phishing campaigns using COVID-19-related lures surfaced almost immediately after confirmed infections began increasing in January 2020. As people started to work from home, the remote worker attack surface expanded significantly and presented further challenges to adapting organizations. 

For years, companies have been moving towards more remote working and cloud adoption as part of their digital transformation programs. However, COVID-19 has been the most significant accelerant these initiatives have ever had. Beyond dealing with the immediate crisis, many companies will not return to their old ways once we are on the other side of this. Once productivity is established in the new world, many of the changes are here to stay: companies will have invested heavily in them, made them work effectively, and gained the ability to cut costs by doing away with some previous working practices, including legacy, on-site approaches to technology.

Many of the changes being made to corporate networks as we once knew them are positive and progressive, but they come with a new set of risks:

  • Lack of visibility: To protect a firm and its data, it’s paramount that the security team understands which of their assets are visible and accessible to their adversaries. With the scramble to get everyone online in Phase 1, many new internet-connected assets likely came online, and many of them will probably be insecure or open to attack.
  • Accidental data exposure: Having thousands of new remote workers access data outside the perimeter risks that data ending up in the open, primarily through the use of cloud file storage and other third-party services. That data could include customer records, credentials, code, intellectual property (IP), or additional sensitive information critical to the company.
  • Phishing attacks: Since lockdowns were initiated, we have seen a massive increase in phishing attacks on our clients. Just because a lockdown is in place does not mean the attackers will cease attempts to breach their targets, especially when new opportunities present themselves, including exploiting COVID-19 hysteria through malicious domains, social profiles, and campaigns.
  • Threats to VIPs: Suddenly, the C-suite of major organizations is outside the perimeter, more vulnerable than ever to targeted phishing and other attacks, and likely to expose themselves online like never before.
  • Increased third-party risk: All partners and suppliers are at increased risk in the new world, since most are also going through rapid digital transformation and enabling remote work, with all of the associated risks.

Coming into this crisis, all companies have had to adapt to the same new realities of the working world. However, some will adapt to their new cybersecurity reality better than others and will come out the other side secure, resilient, and prepared for the future. Many organizations have provided security awareness training to their employees to increase their business’s resilience and mitigate the impact of social engineering campaigns. Obviously, working from home won’t solve the endemic issues linked with phishing attacks and human biases. Still, if we were to look for some positive news for next year, it is that organizations are not in the same uncertain position they were in during March 2020 and are now better prepared to face the security challenges posed by remote working.



If you’ve been living under a rock for the last year (can’t blame you, can I join you?), from as early as December 2019, ransomware operators realized that there are alternative ways of monetizing the data they have encrypted, which can pressure companies more effectively into paying the ransom demands.

This trend has led to the emergence of many ransomware data dump sites. This “pay or get breached” trend, when combined with a surge in new variants, makes ransomware an understandably heavy-hitting topic right now. Variants like Maze, DoppelPaymer, Sodinokibi, NetWalker, and Egregor have popularized exfiltrating data with ransomware and threatening victims with public disclosure if the ransom goes unpaid.

New attacks were reported every day in 2020, and new malware variants emerged at an unprecedented rate. This year we also observed how different threat actors were keen to study which innovative tactics worked in the wild in order to replicate them in their own operations. 

While on the subject of double extortion techniques, it’s impossible not to mention Maze. The threat actors behind this operation conducted multi-million dollar campaigns across North America and Europe and were among the first using the double extortion technique. Given how successful their campaigns were, we were all surprised when Maze published a press release announcing an end to their operations in early November.

Maze exit press release
Figure 1: A snippet of Maze’s farewell press release

Whatever their reason for halting their successful operations, it will be interesting to discover who will take their place next year and how they will do that. Maze gained a prominent place in the ransomware landscape due to their use of the double extortion technique – and everyone else followed immediately. It would then be natural to expect another big name emerging from that crowded threat actors’ landscape with an innovative malware variant or strategy emulated by less sophisticated actors.

One thing is sure, though. Regardless of who will fill Maze’s spot (@Egregor, this you?), cybercriminals will keep testing innovative ways to conduct ransomware operations next year as the market for their activities looks as profitable and remunerative as ever. In 2020, we witnessed too many costly attacks that crippled companies belonging to every industry; we hope that 2021 will see private and public organizations mitigating this threat.


As if 2020 was not troubling enough, we also witnessed the largest DDoS attack ever recorded which peaked at 2.3 Terabytes per second. This event further proves how threat actors are refining their DDoS techniques to create a product more threatening than ever. DDoS attacks made their comeback within the threat landscape due to a lower barrier of entry and the widespread use of this attack in conjunction with other tactics, techniques, and procedures (TTPs). In our recent blog covering the evolution of DDoS activity in 2020, we extensively covered what we observed this year and why we should carefully prepare for future offensive waves.

The demand for new internet-of-things (IoT) technologies and solutions will likely increase next year thanks to the gradual deployment of 5G connectivity. IoT devices have many outstanding applications, but from a security standpoint they often lack the measures needed to protect users and processes from cybercriminals.

Insecure IoT devices represent a goldmine for malicious actors interested in conducting DDoS attacks; they enable attackers to build DDoS botnets: swarms of compromised machines to increase their offensives’ power. The rapid spread of IoT devices without appropriate built-in security measures will likely cause more of these botnets to be developed and rented to low-skilled cybercriminals.

DDoS Service listing
Figure 2: Anubis DDoS service listed on a criminal marketplace

This year we observed several threat actors impersonating known advanced persistent threats (APTs) like Fancy Bear to extort potential victims before launching DDoS attacks. Impersonating highly skilled actors lets the attackers elicit a fearful response from victims and increase the chances that the requested sum is paid even before an attack is launched. While this tactic requires little capability, it yields a high potential pay-off. We will probably observe more threat actors employing this attack vector for their malicious purposes.

The digitization of society has inherently increased cyber risks across all geographies and industries. Most notably, the Internet of Things has grown exponentially over the past few years, and cybercriminals are looking to leverage its increased attack surface and double down on users’ unfamiliarity with proper security hygiene. The cybercriminal landscape has also developed business opportunities for DDoS services and carved out offerings that bring in lower-level threat actors.

Finally, as we’ve seen success in threat actors furthering their extortion attempts, DDoS attackers may take a page out of the ransomware operators’ playbook by threatening their victims with persistent attacks until their needs are met – only time will tell.


The coronavirus pandemic did not revolutionize the threat landscape; however, it demonstrated that cybercriminals could quickly exploit any period of high uncertainty and public attention for their selfish interests.

In our blog covering the impact of COVID-19 on the threat landscape, we discussed how cybercriminals are always among the first to attempt to sow discord, spread disinformation, and seek financial gain in light of large-scale global events. Hopefully, next year won’t be as COVID-centered as this one; however, the pandemic forcefully postponed many international events to halt the spread of the virus. Consequently, 2021 will likely be a year rich in global sports competitions and artistic events.

Events like the Dubai Expo, the Tokyo Summer Olympics, and the UEFA Euro Cup are set to happen in 2021. It is highly likely that they will receive considerable attention from cybercriminals willing to capitalize on periods of heightened public awareness. People will likely turn to these events with a great deal of interest following a year that didn’t reserve much space for the entertainment industry. We’ve already discussed how cybercriminals target major sporting events, and criminals will likely try to exploit the public’s need for updates around these events to deploy offensive campaigns in the form of social engineering, identity theft, and spoof websites.

In line with what we observed throughout the COVID-19 pandemic, we’ll likely see the same pattern of scams and fraud throughout the upcoming vaccine deployment, set to begin in early 2021. Cybercriminals will most likely sell the promise to obtain COVID-19 vaccines well in advance of the scheduled worldwide deployment to increase their revenue and spread further misinformation around the official procedures.


If one could have predicted the future back in the late 1990s, when the first cybercriminal web forums emerged, few would have grasped that this model for communication and gathering would endure well into the new millennium. 

Marketplaces are one of the cornerstones of criminal dark web activities. These markets offer their users an efficient way to trade goods and services with common listings, including sales of drugs, malware strains, digital goods, stolen databases, and fraud items. Marketplaces have traditionally flourished in the underground belly of the Internet, but they have recently started to be significantly affected by two main problems.

In the past few months, law enforcement actions and exit scams have thwarted many heavy-hitting marketplaces, such as Apollon and Empire, leaving the dark web marketplaces landscape severely fragmented. This void leaves plenty of space for newer and smaller marketplaces looking to make a name for themselves and establish their prominence in an extremely competitive environment. Simultaneously, marketplace users have had to endure many setbacks lately and may turn their heads somewhere else looking for a safe and reliable place to conduct their activities.

Several factors support the idea that forums are here for the long run: New sites are continually appearing, membership numbers continue to climb, and users frequently express reluctance to deviate from the traditional forum model. The appearance of new forums is driven mainly by the need to replace failed ones.

At Digital Shadows (now ReliaQuest), we’ve argued on multiple occasions that cybercriminal forums – the OG cybercriminal technology – have never lost their popularity despite the appearance of alternative opportunities such as marketplaces, automated vending cart (AVC) sites, and private communication platforms. The latest events that have destabilized the marketplace landscape may push cybercriminals to turn to forums for secure and reliable transactions, as these sites do not require all funds for deals to be deposited into their system – thus preventing potential exit scams.

Private communication channels offer another growth opportunity. Although these applications have several security and privacy shortcomings that may discourage cybercriminals from using them, we’ve already seen that cybercriminals haven’t ruled this option out. For example, at the beginning of the Empire exit scam saga, vendors announced they would be using the messaging application Wickr for their activities until they were able to use Empire again.

Wickr Advertisement
Figure 3: Vendor advertising their activity on Wickr during Empire’s exit scam

Ultimately, marketplaces will likely remain their technology of choice in 2021. Marketplaces still guarantee their users unparalleled advantages regarding ease of use, reach, and security during transactions. Exit scams and law enforcement interventions are not a novelty for these marketplaces, and the persistent use of this technology by cybercriminals indicates that the advantages often overshadow the drawbacks. 

That said, the place previously held by Empire will need to be filled, and it will be interesting to analyze which new actors establish their name on the stage.


This year we observed an unprecedented number of alerts from governmental cybersecurity bodies such as the NCSC and CISA. Not only did they provide timely alerts on the latest critical vulnerabilities and available patches, but they have frequently attributed offensive campaigns to the countries behind them. 

Although it may be early to observe this new strategy’s implications on the global threat landscape and cyber diplomacy, we’re watching an essential change of posture in how countries deal with foreign-led cyber attacks on the international stage. This strong stance will likely be carried over to 2021, when we may see more concerted efforts to attribute cyber-attacks regularly. 

Matching an attacker to an offense may minimize uncertainty on a tactical, operational, and strategic level and thus strengthen defensive processes. This practice is fundamental when dealing with potential threats at a diplomatic, political, or military level and can be fundamental during decision-making. In addition, attributing attacks serves the deterrent purpose of hindering attackers from carrying out their operations under an apparent veil of anonymity and getting away with it. Maintaining this posture throughout the next year may have a positive impact on the whole industry and represent a step in the right direction for security in general.

Seizure notice on Hansa and AlphaBay
Figure 4: Site seizure notices on Hansa and AlphaBay cybercriminal marketplaces

Ideally, we would love to say that these law enforcement actions have spooked criminals into dropping off from the cybercriminal scene altogether; however, it’s not realistic. While we are still monitoring for chatter surrounding behavioral changes, criminals will likely continue to carry out their wicked schemes. There’s still so much more money to be made and intelligence to gather. 

Online users will likely comment that these events provide a reminder of the importance of OPSEC and not getting complacent. Cybercriminals will probably treat law enforcement action as a learning curve and improve their methodologies in the future. As the story goes, it’s always a story of the good guys trying to catch up to the bad, and that will continue.

The significance of law enforcement coalitions tackling cybercriminal vendors on marketplaces, and their ability to track down vendors, may encourage criminal marketplace administrative teams to take more security-aware approaches, such as implementing PGP encryption, two-factor authentication (2FA), and leveraging Monero (XMR) to avoid tracking. Ultimately, cybercriminal marketplaces still have a purpose; it just might be in a different guise from what it is now. While this may be the end of the golden era of marketplaces as we currently know them, vendors will still need to advertise via an open platform to acquire as many buyers as they can. 

While many law enforcement entities have adjusted their processes to enable nation-state threat actor arrests, there’s still plenty of red tape to consider, such as extradition laws. Law enforcement has progressed leaps and bounds throughout the last decade; however, many government-sponsored threat groups remain protected. As nation-state operations are investigated and pieced together, the US will likely continue to file indictments against associated actors to add pressure and bring awareness to current cybersecurity events.

APT 41 Group
(Source: FBI)

We still have a way to go when it comes to holding criminals accountable for their dirty deeds. We look forward to seeing policy changes, improvements, and progression in law enforcement activity and its impact on the cybercriminal threat landscape.


After this year, we couldn’t care less about dieting or making our bed every day or drinking fewer pints. On the flipside, let’s cover simple practices that your organization should be exercising to thwart attacks as we wrap up 2020 and embark on our entrance to 2021:

  1. Prioritize patching. Security patches should be applied based on the impact a vulnerability has on organization data, the types of systems that are impacted, the number of systems that are affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is. 
  2. Train staff on cybersecurity best practices. Organizations should create a robust security awareness program that trains employees to identify malicious emails and report them to an incident response authority.
  3. Know thy enemy. Build an extensive knowledge base of threat actor groups and their preferred tactics, techniques, and procedures. If you know how your attackers are going to behave, you can proactively deter respective threats. 
  4. Develop (and update) a threat model as it relates to your organization. By identifying assets, understanding the threat landscape and developing scenarios, organizations are able to know how their defenses stack up to the most likely threats to their assets. Most importantly, they can then focus on improving the areas most relevant to the risks they face.
  5. Enforce account security with MFA and SSO. In this day and age, a password or passphrase isn’t the end-all-be-all of account security. Implementing multi-factor authentication (MFA) in conjunction with Single Sign-On (SSO) is a great way to provide secure access to an account or a network and its resources.
  6. Be mindful of the language that you use. Zero Trust has become the soup du jour for many cybersecurity practitioners; however, the phrase “zero trust” doesn’t translate well to standard users. Digital Shadows (now ReliaQuest)’s very own Rick Holland said it best:
Rick Holland Tweet
Source: Twitter @rickhholland 
10/10, will follow again.
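As an added illustration of the patch prioritization criteria in point 1 above, here is a small scorer that ranks a backlog by the five factors the post names (impact on organization data, type of system, number of systems affected, access level required to exploit, and how widely known the vulnerability is). This is example code, not Digital Shadows tooling; the weights, buckets, tier thresholds, and the sample backlog are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Weights for the five factors the post lists. These values are assumptions
# chosen for illustration; adjust them to your own risk appetite.
DATA_IMPACT = {"none": 0, "low": 2, "high": 5}                        # impact on organization data
SYSTEM_TYPE = {"workstation": 1, "server": 3, "internet_facing": 5}    # type of system affected
ACCESS_REQUIRED = {"local": 1, "remote_authenticated": 3, "remote_unauthenticated": 5}
PUBLIC_KNOWLEDGE = {"private": 0, "published": 2, "exploit_public": 4, "exploited_in_wild": 6}
MAX_SCORE = 26  # 5 + 5 + 5 + 5 + 6


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # internal tracking id (placeholder, not a CVE)
    data_impact: str
    system_type: str
    affected_systems: int
    access_required: str
    public_knowledge: str


def affected_scale(count: int) -> int:
    """Bucket the number of affected systems onto a 0-5 scale (assumed buckets)."""
    if count <= 0:
        return 0
    if count < 10:
        return 1
    if count < 100:
        return 3
    return 5


def _lookup(table: dict, key: str, factor: str) -> int:
    # Fail loudly on typos in the inventory rather than silently under-scoring.
    if key not in table:
        raise ValueError(f"unknown {factor} value: {key!r}")
    return table[key]


def priority_score(v: Vulnerability) -> int:
    """Additive score over the five factors; higher means patch sooner."""
    return (_lookup(DATA_IMPACT, v.data_impact, "data_impact")
            + _lookup(SYSTEM_TYPE, v.system_type, "system_type")
            + affected_scale(v.affected_systems)
            + _lookup(ACCESS_REQUIRED, v.access_required, "access_required")
            + _lookup(PUBLIC_KNOWLEDGE, v.public_knowledge, "public_knowledge"))


def tier(score: int) -> str:
    """Translate a score into a patch window (thresholds are assumptions)."""
    if score >= 18:
        return "emergency"   # out-of-band patching
    if score >= 10:
        return "next_cycle"  # next scheduled maintenance window
    return "routine"


def prioritize(vulns: List[Vulnerability]) -> List[Tuple[str, int, str]]:
    """Return (id, score, tier) sorted by descending score, then id for a stable order."""
    scored = [(v.vuln_id, priority_score(v), tier(priority_score(v))) for v in vulns]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample backlog (not real findings).
SAMPLE_BACKLOG = [
    Vulnerability("edge-vpn-rce", "high", "internet_facing", 3, "remote_unauthenticated", "exploited_in_wild"),
    Vulnerability("fileserver-privesc", "high", "server", 40, "local", "published"),
    Vulnerability("laptop-agent-dos", "low", "workstation", 500, "remote_authenticated", "exploit_public"),
    Vulnerability("test-box-infoleak", "none", "workstation", 1, "local", "private"),
]

if __name__ == "__main__":
    for vuln_id, score, window in prioritize(SAMPLE_BACKLOG):
        print(f"{vuln_id:<20} score={score:>2}/{MAX_SCORE} -> {window}")
```

Note that a single internet-facing flaw on three boxes outranks a low-impact issue on five hundred laptops, which is the point of weighting exposure and exploit availability rather than raw counts.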


With threat actors increasing their sophistication of techniques and organizations’ attack surfaces growing due to digital transformation and the remote work model, it can be daunting to assess your exposure and prioritize security activities.

If you’d like a wealth of information on your threat landscape, including intelligence reports on threat actors and monitoring of your company’s assets and potential exposures across the open, deep, and dark web, try our industry-leading solution, Search Light (now ReliaQuest GreyMatter Digital Risk Protection), for free here.