Sunday, November 20, 2016

Nemucod downloader spreading via Facebook


Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook's file extension filter:

'Photo_9166.svg'




















What is an .svg file? From Wikipedia:

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.
This means, more specifically, that you can embed any content you want (such as JavaScript). Moreover, any modern browser will therefore be able to open this file.


Contents of our 'photo' are as follows:

Copy of file on Pastebin here












It's a heavily obfuscated script, which, after opening, redirects you to the following website:


Fake Youtube - "You must install the codec extension to watch this video."















A website purporting to be Youtube, including a video from Facebook - of course, you'll need to install an additional extension to view it :)

The extension has no icon and thus seems invisible and has the following permissions:





















Currently, I'm not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook (harvesting your credentials in the process), but likely it downloads other malware to your machine.

One of my security colleagues had in fact noticed similar behavior and got ransomware (Locky) as payload:



The extensions' description can be one of the following, and seem semi-random. Note that other variations are possible:

One ecavu futolaz corabination timefu episu voloda 
Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum

The Facebook security team as well as Google Chrome's store security team have been notified.

UPDATE 22/11/2016

  • The rogue Chrome extensions are removed from the store. 
  • Facebook is now filtering for SVG files as well:


Test.svg, containing just a window.alert() method







Removal


Remove the malicious extension from your browser immediately:








Additionally, run a scan with your antivirus and change your Facebook password afterwards.

Notify your friends you sent a malicious file, or in the other case, let your friend know he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.



Conclusion

As always, be wary when someone sends you just an 'image' - especially when it is not how he or she would usually behave.

Additionally, even though both Facebook and Google have excellent security controls/measures in place, something bad can always happen.

For those interested, all related files have been uploaded to VirusTotal, and their hashes and domains can be found, as always, on AlienVault's OTX:

Monday, November 14, 2016

Cybercrime Report Template



In this blog post I'll be contributing a template or form, made as simple as possible, to enable you to report cybercrime in a more efficient way. Scroll down if you're not interested in the background story.

The purpose or need of this form arose several years ago, when I wrote a blog post about the 'blame game'. In short, I wrote about how we are all guilty of pointing fingers when a cyberincident occurs.

In reality, the only person or entity to blame, is the one that infected you or your organisation. Since publishing that specific post, cooperation has definitely improved - whether that is due to my post or not, I'll leave aside - an example is the No More Ransom project.

The blog post concluded stating that post-infection information is scarce: there is prevention, incident handling, malware cleaning all around - but available information on what to do afterwards was rather poor.

In short: report it to your CERT or local police department!

You can fill in the template below and download and/or print it as a PDF, which you can submit or include to an organisation of your choosing.




The template is also available on the following link:
Cybercrime Report Template

Disclaimer: no information will be sent to me or Jotform at any point.

Additionally to the template included in this blog post, or in link above, it is also seperately available as a PDF.

Organisations that wish to use this template, are free to do so. I have added the source on Github, which you'll be able to find here.



Resources

Please refer to the following websites if you would also like to report this seperately:
Report Cybercrime Online (EU)
IC3 Complaint Referral Form (US)

In case you do not want to report this to a specific law enforcement agency seperately, just fill in the form above. If you are willing, it is possible to share any information through Criminal Intelligence teams - this can be completely anonymous, similar to this form.

Be sure to contact your CERT or local police department to ask if they have such a team or anonymous reporting possiblity (see also links above).

You can find a list of CERTs here:
CERTs by Country - Interactive Map
List of National CSIRTs

APCERT team members

Friday, July 22, 2016

EU cookie law and fake Chrome extensions


When a website is serving up malware to unsuspecting visitors, it's often not too hard to find the culprit. In some cases however, it takes a bit more digging. When visiting a (not named on request) specific website, you're presented with the following message:

Your browser contains MALWARE. You have to install Chrome Malware Removal tool











After some digging on the site, nothing was suspicious at first sight. However... It did have a EU cookie law pop-up/consent:










The script behind it is as follows:









... Which contains:








Both scripts contain the warning message and a redirect to the Google Chrome store:

lang = 'en';
var msg = 'Your browser contains MALWARE. You have to install Chrome Malware Removal tool.';
if (lang == 'es') msg = "Su navegador contiene malware. Usted tiene que instalar la herramienta de eliminación de malware Chrome.";
if (lang == 'it') msg = "Il tuo browser contiene malware. È necessario installare strumento di rimozione malware Chrome.";
if (lang == 'fr') msg = "Votre navigateur contient MALWARE. Vous devez installer l'outil de suppression de logiciels malveillants Chrome.";
if (lang == 'pt') msg = "Seu navegador contém malware. Você tem que instalar o Ferramenta de remoção Chrome Malware.";
if (lang == 'de') msg = "Ihr Browser enthält MALWARE. Sie müssen Chrome Malware Removal Tool zu installieren.";
if (lang == 'ru') msg = "Ваш браузер содержит вредоносный код. Вы должны установить расширение для блокировки вредоносного кода.";
if (lang == 'gr') msg = "Το πρόγραμμα περιήγησής σας περιέχει κακόβουλο λογισμικό. Θα πρέπει να εγκαταστήσετε το Chrome Malware εργαλείο αφαίρεσης.";

You can find both scripts on Pastebin here and here.


Chrome Malware Removal Tool





























At time of writing, it has over 22,000 users. You can find the malicious extension here.

UPDATE 27/07: the malicious extension has now been removed from the Chrome store.

To remove an extension from Chrome:








It is not clear whether the site offering the cookie consent script is hacked, or is in on the ploy.

You can find indicators (for what it's worth) as always on the AlienVault OTX.



Conclusion

Stay clear from scripts offered by 3rd party EU cookie consent websites and rather create your own pop-up. A trustworthy site to create this for example is cookie-script.

As always when managing a website, keep your CMS (if any) updated as well as any plugins that may be running.

You can find more tips on how to prevent, find (and remove) malicious scripts on your website here.

Tuesday, May 10, 2016

A collection of PHP backdoors


Just a quick post to announce I've set up a GitHub repository with a collection of PHP backdoors for educational and/or testing purposes only:






















Feel free to check it out and/or contribute here:
https://github.com/bartblaze/PHP-backdoors

The repository will be updated continuously and gradually.

If you're interested in analysing a PHP backdoor, check out my post on PHP/C99shell:
C99Shell not dead


Additionally, find tools to deobfuscate PHP backdoors here:
PHP tools

Wednesday, May 4, 2016

SteamStealer IP visualisations


Just for fun I decided to visualise all SteamStealer IPs I've encountered (till now). They are hosting multiple fake screenshot websites, fake voice communication software, fake streaming websites, fake Steam websites and others. They may also be a C&C for the malware, or fake gambling/lottery websites.

Any additional information can also be found on my blog:
Malware spreading via Steam chat

Additionally, be sure to read the paper I wrote with Santiago from Kaspersky about SteamStealers here: The evolution of malware targeting Steam accounts and inventory


Now for the fun part:




View SteamStealer IPs in a full screen map



Alternatively, check out the following map and stats:



a

CountryCount
Russian Federation163
United Kingdom19
Netherlands18
United States14
Germany9
Ukraine6
France6
Poland4
Romania1
Italy1
Czech Republic1
Canada1
Australia1
Belarus1
Belize1
Kazakhstan1
Virgin Islands, British1
Spain1
Moldova, Republic of1



As you can see, most of them are hosted in Russia; while the United Kingdom and The Netherlands rank second and third respectively.

Note: CloudFlare is gaining popularity in 'hiding' the real server IP address. CloudFlare IPs are not included.

That's about it, hope you enjoyed! Please find below tools used to create the mapping.


Resources

Geomapping:
Batchgeo
GIPC

Data:
SteamStealer IPs IOCs

Wednesday, April 20, 2016

Nemucod ransomware information



This is a quick post on the recent Nemucod ransomware. Nemucod is (normally) a downloader which uses JavaScript  JScript (thanks Katja) to enter an unsuspecting user's machine and download additional malware (depends on campaign usually).

There's a blog post by Fortinet which explains Nemucod ransomware, so I'm not going to repeat much here: Nemucod Adds Ransomware Routine

It came to our attention that a new, rather peculiar version of Nemucod has been recently landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs.

This particular campaign is using the lure of a court appeal to spread:










The mail reads:

Notice to Appear,
You have to appear in the Court on the April 22.Please, prepare all the documents relating to the case and bring them to Court on the specified date.Note: If you do not come, the case will be heard in your absence.
The Court Notice is attached to this email.
Yours faithfully,Brian Snider,District Clerk.


It seems Nemucod ransomware got another update, as it now uses 7-zip to actually encrypt the files.

Another change is the slight drop in price. Whereas before it was 0.60358 bitcoins ($267.14 or €236.43), it's now 0.49731 bitcoins ($220.11 or €194.80).

New message reads:

Nemucod ransomware message


























Nemucod encrypting a whole plethora of filetypes, appending the .crypted extension









Disinfection

If you have opened a .JS file (JScript file) from an unknown sender, open Task Manager immediately and stop all the following processes (at least in this version of Nemucod):

a0.exe (actually 7-zip disguised)
a1.exe
a2.exe
cmd.exe
wscript.exe


The faster you do this, the less files will be encrypted. Run a scan with your antivirus program and a scan with another antivirus program to verify the malware has been removed.

Note: It's always useful to keep a copy of the ransomware note handy, as it's easier to identify the ransomware and if it can be decrypted.


Decryption

I'm only briefly reporting on this for those in need, but currently, the known decryptors are suited for this version. However, Fabian from Emsisoft is already working hard to make a decryptor available, so please have patience!

If you have an older version of Nemucod, you can try one of either decryptors:
Emsisoft Decrypter for Nemucod 
nemucod_decrypter (you will need to install Python for this)

You can also try restoring files with Shadow Explorer. (alternate link)

For more information, please visit the following Bleeping Computer topic
.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic



Prevention

In particular for Nemucod, don't open any JScript/JavaScript files from unknown senders.

For more tips on ransomware prevention, be sure to check out this page I've set up:
Ransomware Prevention


Conclusion

Same as with all malware: don't open attachments from unknown senders!

Please find below IOCs and additional resources.



Resources

.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic
ID ransomware
JavaScript-toting spam emails: What should you know and how to avoid them?
JScript
Nemucod ransomware IOCs
Ransomware overview
Ransomware Prevention
TrojanDownloader: JS/Nemucod

Thursday, March 24, 2016

Ransomware prevention


Very short blog post to let you know I now also have an English version of my article 'preventie van ransomware', on how to prevent ransomware.

You can find it as a page (see top of my blog) or here:
Ransomware Prevention

Translations are available in Dutch (Nederlands) and French (français).

Thanks to @WawaSeb for the French translation. If you would like to translate this page in your own language, feel free to do so and send me the link so it can be added.

Tuesday, March 15, 2016

All your creds are belong to us


In the past, I've blogged about Steam Stealers (malware that specifically targets gamers and users of Valve's platform) before (see 1, 2), but this blog post will be a bit different.

Working together with Santiago Pontiroli, Security Researcher at Kaspersky Lab Global Research and Analysis Team, we've written a paper on these infamous Steam Stealers.

Check out our blog post here or directly download the PDF from here.

Enjoy!

Sunday, February 21, 2016

Preventie van ransomware


This blog post will be fully in Dutch. If you'd like to read English material, be sure to check out my Q&A on ransomware. A translation will also be available in one of the next days.


Ransomware heeft in principe geen introductie meer nodig, maar kortgezegd zal deze specifieke soort malware (bijna) al je bestanden encrypteren en een bepaald bedrag vragen (tegenwoordig vaak in Bitcoin) om terug toegang tot al je bestanden te verkrijgen.

Andere benamingen: CryptoLocker, cryptoware, encrypting ransomware.

Deze blog post is opgesplitst in twee luiken: 1 voor thuisgebruikers, 1 voor bedrijven. De meeste tips zijn echter ook uitwisselbaar en kunnen naar believen worden toegepast.

Tot slot worden ook enkele tools ter beschikking gesteld als aanvulling alsook extra resources.


Thuisgebruikers


  • Gebruik, afhankelijk van de mailclient, een degelijke anti-spam filter. In zo goed als alle online diensten (bv. Outlook.com, Gmail, ...) wordt deze reeds standaard aangeboden.
  • Open nooit een bijlage van een onbekende afzender. 
  • Blokkeer de executie van macro's in je Office-pakket
  • Schakel Windows Script Host uit. Gebruik hiervoor bijvoorbeeld optie D in mijn tool.
  • Schakel PowerShell uit. Dit kan via Configuratiescherm > Programma's >
    Windows Onderdelen in- of uitschakelen.
  • Gebruik een degelijke anti-virus/anti-malware en firewall oplossing en houdt deze up-to-date.
  • Verwijder alle oude Java versies, of verwijder Java volledig indien mogelijk.
  • Verwijder SilverLight indien mogelijk.
  • Installeer steeds alle relevante Windows updates.
  • Activeer click-to-play voor Flash in je browser. Dit hangt af van je browser zelf.
  • Installeer NoScript of vergelijkbaar in je browser.
  • Installeer een adblocker in je browser, bijvoorbeeld uBlock Origin.
  • Er is eveneens een freeware programma beschikbaar, dat heel wat zaken voor je automatisch gaat instellen (zoals bekende locaties waarvan ransomware zich start gaat monitoren) genaamd CryptoPrevent.


Last but not least, de twee belangrijkste punten:

  • Denk altijd twee keer na alvorens een link of bijlage aan te klikken/te openen.
  • Neem geregeld backups! Vergeet niet om na de backup je externe harde schijf los te koppelen. Wees ook voorzichtig met backups naar de cloud - eenmaal je merkt dat je geïnfecteerd bent, verbreek meteen de netwerkverbinding en/of sluit het toestel af om de schade te beperken.

    Test ook of de backup geslaagd is en herstel enkele (test)bestanden. Een backup is altijd de beste optie hier om bestanden terug te zetten, maar dan moet je ook weten dat deze gelukt is.




Bedrijven

Ook in bedrijven zijn vele van de bovenstaande tips van toepassing. Het overgrote deel hiervan is ook perfect toepasbaar via Group Policies (GPO).

Enkele aanvullingen:


  • Gebruik steeds sterke wachtwoorden voor je servers (ongeacht domain controller of fileserver, etc...).
  • Installeer steeds alle relevante Windows updates.
  • Schakel indien mogelijk toegang tot RDP uit. Indien dit niet mogelijk is, gebruik een goede firewall oplossing (hardwarematig) met VPN. Gebruik ook hier sterke wachtwoorden/authenticatie.
  • Schakel administrator-rechten uit voor gewone gebruikers. De meeste gebruikers met een bedrijfslaptop zouden in theorie geen programma's of dergelijke moeten installeren.
  • Schakel via GPO het gebruik van macro's in Office uit indien mogelijk (of sta enkel macro's toe die digitaal ondertekend zijn), schakel Windows Script Host uit en verplicht het gebruik van antivirus.
  • Installeer dus ook antivirus op alle toestellen in het netwerk en zeker voor gebruikers die hun toestel mee naar huis (mogen) nemen.
  • Indien aanwezig, activeer de optie om gearchiveerde bestanden te laten scannen door de antivirus.
  • Installeer een degelijke anti-spam oplossing en verbiedt het gebruik van bijlagen met gevaarlijke extensies (.exe, .scr, ....) maar blokkeer ook JavaScript bestanden (.js).
  • Verifieer de file sharing permissies van je gebruikers. Wees hier zo efficiënt mogelijk in. Een gebruiker tot groep X heeft niets te zoeken op de share van groep Y? Beperk de toegang. (maak bijvoorbeeld gebruik van ACLs)
  • Informeer gebruikers over de gevaren van het openen van bijlagen van een onbekende afzender of het zomaar losweg klikken op een link in een onbekende mail. Heb eveneens een actieplan klaar voor moest er zich toch een malware-infectie voordoen (ransomware of anders).
  • Gebruik policies om EXE bestanden vanuit bepaalde locaties niet toe te staan. Link.


Last but not least, de twee belangrijkste punten:
  • 'Failing to prepare is preparing for failure'. Preventie is belangijker dan desinfectie. 
  • Neem geregeld backups! Vergeet niet om na de backup je externe harde schijf los te koppelen. Wees ook voorzichtig met backups naar de cloud - eenmaal je merkt dat je geïnfecteerd bent, verbreek meteen de netwerkverbinding en/of sluit het toestel af om de schade te beperken.

    Test ook of de backup geslaagd is en herstel enkele (test)bestanden. Een backup is altijd de beste optie hier om bestanden terug te zetten, maar dan moet je ook weten dat deze gelukt is.



Tools

Browser:
Gebruik bij voorkeur Internet Explorer of Edge niet - andere browsers zijn namelijk meer 'customizable', wat wil zeggen dat je met een add-on of extensie wat extra bescherming kan instellen.
(vergeet echter niet om deze extensies ook up-to-date te houden)


Activeer click-to-play voor plugins (zoals Flash of Silverlight)
uBlock Origin (Chrome)
uBlock Origin (Firefox)
NoScript

Blokkeer de uitvoering van scripts:
Remediate VBS Worm
Script Defender

CryptoPrevent Malware Prevention:
https://www.foolishit.com/cryptoprevent-malware-prevention/

Java:
Waarom moet ik oudere Java-versies van mijn computer verwijderen?

PowerShell uitschakelen:










Resources

Backups:
Back-ups maken en terugzetten: veelgestelde vragen

Office:
ActiveX-besturingselementen in Office-documenten in- of uitschakelen
Externe inhoud in Office-documenten blokkeren of deblokkeren
Macro's in Office-bestanden in- of uitschakelen

Gebruik makend van GPO:



Identificeer ransomware:
ID Ransomware

Ransomware overzicht:
Ransomware Overview

No More Ransom project (decrypters etc.):
The No More Ransom Project

Ransomware extra informatie:
Ransomware: a Q&A

Windows File Sharing:
Understanding Windows Server 2008 File and Folder Ownership and Permissions

Windows Script Host (WSH):
Disabling Windows Script Host

Tuesday, February 2, 2016

Vipasana ransomware new ransom on the block


Yet another ransomware is going around (since at least the 20th of December), which I've dubbed Vipasana ransomware due to where you need to send your encrypted files to:

Message in Russian, you need to mail vipasana4@aol.com to get your files back



















The name may be derived from Vipassanā or 'insight meditation'.

The message in Russian reads:

твои файлы зашифрованы, если хочешь
все вернуть, отправь 1 зашифрованный файл на эту почту:

vipasana4@aol.com

ВНИМАНИЕ!!! у вас есть 1 неделя что-бы написать мне на почту, по прошествии
этого срока расшифровка станет не возможна!!!!

Translated:

Your files are encrypted, if you want them all returned,
send 1 encrypted file to this email:


vipasana4@aol.com

ATTENTION!!! you have 1 week to send the email, after
this deadline decryption will not be possible !!!!

It seems these ransomware authors first want you to send an email before requiring any other action, rather than immediately (or in a certain timeframe) paying Bitcoins to get your files back. In this sense, their technique is novel. Instead of the usual 24/48/72h to pay up, they give you a week.

Do not be fooled: this does not make them 'good guys' in any way, they encrypted your files and as such are criminals.

Search results for vipasana4@aol.com are non-existent, with the exception of one victim hit by this ransomware:



Email addresses used in this specific ransomware campaign:
johnmen.24@aol.com
vipasana4@aol.com


Files will be encrypted and renamed following below naming convention:
email-vipasana4@aol.com.ver-CL 1.2.0.0.id-[ID]-[DATE-TIME].randomname-[RANDOM].[XYZ].CBF

Where [XYZ] is also a random 'extension', the real extension is .cbf

ver-CL 1.2.0.0 may refer to the version number of the ransomware, indicating there are older versions as well.

Targeted file extensions:

.r3d, .rwl, .rx2, .p12, .sbs, .sldasm, .wps, .sldprt, .odc, .odb, .old, .nbd, .nx1, .nrw, .orf, .ppt, .mov, .mpeg, .csv, .mdb, .cer, .arj, .ods, .mkv, .avi, .odt, .pdf, .docx, .gzip, .m2v, .cpt, .raw, .cdr, .cdx, .1cd, .3gp, .7z, .rar, .db3, .zip, .xlsx, .xls, .rtf, .doc, .jpeg, .jpg, .psd, .zip, .ert, .bak, .xml, .cf, .mdf, .fil, .spr, .accdb, .abf, .a3d, .asm, .fbx, .fbw, .fbk, .fdb, .fbf, .max, .m3d, .dbf, .ldf, .keystore, .iv2i, .gbk, .gho, .sn1, .sna, .spf, .sr2, .srf, .srw, .tis, .tbl, .x3f, .ods, .pef, .pptm, .txt, .pst, .ptx, .pz3, .mp3, .odp, .qic, .wps



I have sent over all necessary files to the good people over at Bleeping Computer, as there may be a way to recover files. If so, I will update this post.

Update - 12/02: thanks to a tweet from Catalin this appears to be another version of so called "offline" ransomware, discovered by Check Point:
“Offline” Ransomware Encrypts Your Data without C&C Communication

Unfortunately, there doesn't appear to be a way to recover your files once encrypted. Your best best in trying to recover files is using a tool like Shadow Explorer, which will check if you can restore files using 'shadow copies' or 'shadow volume copies'.

If that doesn't work, you may try using a data recovery program such as PhotoRec or Recuva




Conclusion


Ransomware is, unfortunately, long from gone. Almost each week or month, new variants or totally new strains of ransomware are popping up. In this way, the first and foremost rule is:

Create (regular) backups!

For more prevention advise, see here

You may also find a list of Indicators of Compromise (IOCs; hashes, domains, ...) over at AlienVault:
Vipasana ransomware

Tuesday, January 19, 2016

Chrome extension empties your Steam inventory


I recently got notified about the following topic (and post) on TeamFortress.tv:
Known scammer alt opening a gambling site

In there, you can see a Steam user named Delta (Steam profile down below) has created several 'helpful' Chrome extensions for Counter-Strike: Global Offensive (CS:GO).

A few examples:


'Read and change all your data on the websites you visit'





























Other examples are:

CSGODouble Theme Changer
CS:GO Double Withdraw Helper
Csgodouble AutoGambling Bot
Improved CSGODouble

Instead of being able to change your CS:GO Double theme, your items from your inventory are getting stolen; instead of trading with X or Y person you trust, the items go to the scammer rather than whoever you're trading with:





All the addons he made can be found here. You can report them to Google as well by clicking 'Report Abuse' > 'Malware'. Note: some of them are still in the store despite several reports.

Update (20/01): all mentioned extensions are now removed from the Chrome Web Store.



76561198254328724 is the Steam ID of the scammer, who currently has a/is on trade probation; which means they recently had a trade ban removed.










Update (20/01): 'Delta' is now trade banned (again):










You can find his Steam profile here and his SteamRep profile here. (SteamRep is "a non-profit site that partners with community administrators to improve the safety of game-related trading.")





Disinfection

As opposed to actual SteamStealers, this one's pretty easy to disinfect or remove, as you can simply remove the extension(s) from Chrome:











In this example:








You may read more about installing, managing and removing extensions here. If you're having problems removing one of the extensions, you can also try resetting your Chrome browser.



Prevention


Does it look suspicious? Does it sound too good to be true? Don't install it!

For more prevention tips on securing your Steam account, see my earlier post about SteamStealers here.

Steam also has a FAQ set up in regards to: Spyware, Malware, Adware, or Virus Interfering with Steam



Conclusion

SteamStealers are (unfortunately) nothing new. Criminals are getting craftier and better in attempting to steal items or account credentials (along with other credentials) from unsuspecting users.

As opposed to actual malware or SteamStealers being loaded on your machine, this time it's a browser extension - thus be wary of anything that looks too good to be true and think twice
before you install anything (whether that be an extension, a 'screensaver' or images that look like you ;) ).

Follow the prevention tips above to stay safe. For any questions or feedback, don't hesitate to comment.


Sunday, January 10, 2016

Security Predictions 2016



Since everyone's doing it, here are some of my security predictions for 2016.


  • More ransomware
  • More misuse of the word 'CryptoLocker' (this ransomware died somewhere in 2014)
  • More malware
  • More misspellings of malware ('mallware', 'maleware', etc.)
  • More IoT devices (Internet of Things)
  • More ransomware or other malware for IoT devices
  • More database/company breaches
  • More spam, phishing, etc.
  • More (ATM) skimming
  • More nation-state malware
  • More governments spying on their citizens
  • More privacy concerns
  • ...

Essentially: more of the same. I also suspect 2016 the year of more nation-state malware to be discovered/uncovered. And of course more encrypting ransomware (aka 'cryptoware') as it's still a succesful recipe. As long as people pay the ransom, they will keep bringing out new & improved versions/variants.

More security predictions (and probably more explained in depth or simply better ones) can be found by performing a search with your favorite search engine.

May you have a safe, malware-free, privacy-friendly 2016!