
Top 5 Symantec Cybersecurity Predictions for 2025

Increased nation state cyber aggression and a shift in ransomware operations are just a few of the expected threat landscape changes in the new year

Over the last 12 months, the Symantec Threat Hunter Team has shared revealing first-hand investigations into the latest cyberattacks and the bad actors behind them, from nation states to ransomware groups. Drawing on this work, here are its top five cybersecurity predictions for next year: 

Be prepared for more Russian aggression in cyberspace

With the war in Ukraine reaching a critical phase, a change of government in the U.S., and elections taking place in several European countries, there is a real risk that Russia-sponsored disruptive activity will resume. Russian espionage actors have a long track record of targeting critical infrastructure in Ukraine (Sandworm) and the U.S. (Dragonfly). Recent acts of sabotage against undersea communications cables in Europe may be a prelude to what lies in store.

A shift in the balance of power is underway in the criminal underworld

Historically, the operators of the large ransomware families stood at the top of the cybercrime food chain. They franchised their businesses using the Ransomware-as-a-Service (RaaS) model, in which "affiliate" attackers leased their tools and infrastructure in exchange for a cut of ransom payments. However, the unintended consequence of this business model has been to make the ransomware ecosystem more robust by placing more power in the hands of affiliates, who can quickly migrate to rival operations if one is shut down. Ransomware operations are now competing with one another for affiliates, offering ever better terms for their business.

The honeymoon for cloud security is over 

For a long time, cloud services seemed to avoid major intrusions, leading to the assumption that robust security was deterring attacks. However, this trend may be starting to change. The Microsoft breach by Russian intelligence actors illustrated the scale of breach that can be achieved by a skilled attacker with in-depth knowledge of the systems they are targeting. Other attackers will have taken notice and will almost certainly attempt similar attacks.

Living off the land tool usage to expand

The heyday of living off the land tool usage by motivated adversaries is going to continue for at least a few more years. Attackers of all stripes, from espionage actors to ransomware groups, continue to leverage native tools to great effect, most notably PowerShell, PsExec, WMI, and Vssadmin. What is notable is that the range of living off the land tool usage is expanding, as attackers broaden their knowledge of the tools at their disposal on victim networks and find alternatives for widely known tools and techniques. For example, in recent months Symantec has seen an upsurge in the malicious use of Esentutl, a Windows command-line tool that provides database utilities for the Extensible Storage Engine (ESE). It can also be used by attackers to dump credentials. In addition, we have seen a growing number of attackers using the Deployment Image Servicing and Management (DISM) utility, a Microsoft tool for managing and repairing Windows images. One feature of the tool is that it can enable or disable Windows features, and attackers are using DISM to attempt to disable Windows Defender.
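Because every tool named above is a legitimate Windows binary, the practical defensive response is behavioural detection on process-creation telemetry rather than blocking the binaries. The scanner below is an added example written for this page, not Symantec's own detection content or any product rule set. It runs over a handful of constructed process-creation events (the `image` / `command_line` field names are an assumption modelled on Sysmon Event ID 1 and Windows Security event 4688) and flags the four behaviours the paragraph describes: Esentutl copying a locked file through a volume shadow copy (`/y` with `/vss`), DISM disabling a Defender feature, Vssadmin deleting shadow copies, and PowerShell launched with an encoded command. The benign events show why the rules key on argument combinations rather than on the tool name alone.

```python
"""Behavioural detection for living-off-the-land tool abuse (added example).

Assumed input: process-creation events as dicts with "image" (full path of
the executable) and "command_line". The sample events are constructed for
this example; they are not real telemetry from the original post.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


# Each rule: (name, regex on the image path, regexes that must ALL match the
# command line). Matching is case-insensitive because Windows command lines
# are, and attackers vary casing to evade naive string matches.
RULES = [
    # esentutl /y copies a file; /vss reads it from a shadow copy, which is how
    # a database that is locked by a running service gets copied out.
    ("esentutl-copy-via-vss", r"esentutl\.exe$",
     [r"(^|\s)/y(\s|$)", r"(^|\s)/vss(\s|$)"]),
    # DISM removing a feature whose name mentions Defender.
    ("dism-disable-defender-feature", r"dism\.exe$",
     [r"/disable-feature", r"defender"]),
    # Shadow-copy deletion: a classic pre-encryption step by ransomware.
    ("vssadmin-delete-shadows", r"vssadmin\.exe$",
     [r"\bdelete\b", r"\bshadows\b"]),
    # -e / -ec / -enc / -encodedcommand hide the script body in base64.
    ("powershell-encoded-command", r"powershell\.exe$",
     [r"(^|\s)-e(c|nc|ncodedcommand)?(\s|$)"]),
]


def scan(events):
    """Return a Finding for every (event, rule) pair whose conditions all hold."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        cmd = ev.get("command_line", "")
        for name, image_re, needles in RULES:
            if not re.search(image_re, image, re.IGNORECASE):
                continue
            if all(re.search(n, cmd, re.IGNORECASE) for n in needles):
                findings.append(Finding(name, image, cmd))
    return findings


# Constructed suspicious events (paths and the base64 blob are placeholders;
# the blob is UTF-16LE "ABC", not a real payload).
SUSPICIOUS_EVENTS = [
    {"image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r"esentutl.exe /y C:\locked\store.edb /vss /d C:\Users\Public\out.edb"},
    {"image": r"C:\Windows\System32\Dism.exe",
     "command_line": r"Dism.exe /Online /Disable-Feature /FeatureName:Windows-Defender /Remove"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": r"vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop -w hidden -enc QQBCAEMA"},
]

# Constructed benign uses of the same binaries: none should fire.
BENIGN_EVENTS = [
    {"image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r"esentutl.exe /p C:\db\mail.edb"},
    {"image": r"C:\Windows\System32\Dism.exe",
     "command_line": r"Dism.exe /Online /Get-Features"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": r"vssadmin.exe list shadows"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


if __name__ == "__main__":
    for f in scan(SUSPICIOUS_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.command_line}")
    print("benign findings:", len(scan(BENIGN_EVENTS)))
```

In production the same rules belong in the SIEM or EDR query language, with the parent process and user added as further conditions: Esentutl or DISM spawned from an Office document or a web-shell worker process is a much stronger signal than the command line alone, and the benign list above shows that the binaries themselves are too common to alert on.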

Ransomware gangs expand into South America, Asia, and beyond 

There was a period when North America, particularly the U.S., was seen as the low-hanging fruit for ransomware gangs. Today, ransomware is a global phenomenon, with an increasing number of attacks in South America, Asia and other regions of the world. Why? The number of ransomware gangs is growing and the gangs themselves are becoming much bigger operations, with many small groups of attackers working for them.

As we look towards 2025, one thing is certain. The threat landscape will continue to evolve. As ransomware gangs expand their reach, living off the land techniques diversify and geopolitical tensions drive cyber aggression, businesses must prioritize robust security measures, invest in threat intelligence and foster resilience against emerging risks. 

For fresh findings and insight, explore the Threat Intelligence blog on Security.com.


About the Author

Dick O'Brien

Principal Editor, Threat Hunter Team

Dick O’Brien works for the Symantec Threat Hunter Team, where he helps develop, edit, and write research into new and emerging threats. Prior to joining Symantec, he worked for 13 years as a newspaper reporter, where he specialized in business and technology.
