Sharp Spike in Ransomware in U.S. as Pandemic Inspires Attackers

malware report pandemic ransomware

COVID-19 has changed the face of cybercrime, as the latest malware statistics show.

The COVID-19 pandemic continues to shape the face of cybercrime in 2020, with ransomware and attacks on internet of things (IoT) devices seeing sharp increases in the U.S. for the first half of the year.

According to SonicWall’s 2020 Cyber Threat Report ransomware attacks are up, particularly in the U.S., where they have more than doubled year-over-year (up 109 percent). Meanwhile, malware targeting IoT devices has risen to 20.2 million, up 50 percent from this time last year – as cybercriminals target the massive influx of employees working from home.

At the same time, encrypted malware and cryptomining have seen resurgences after dropping off late last year.

“While the historic disruption accompanying the COVID-19 pandemic has been challenging for businesses, it’s been a boon for cybercriminals,” said SonicWall president and CEO Bill Conner, in the report. “The pandemic’s effects can be seen in most every piece of threat data highlighted here — shifting, increasing, decreasing and upending long-standing patterns.”

Less Malware – Except Ransomware

Interestingly, the amount of malware overall picked up in SonicWall’s telemetry is down for the year. In fact, during the first half of 2020, malware fell from 4.8 billion to 3.2 billion cases globally, a drop of 33 percent over 2019’s mid-year total.

“Remarkably, every month in 2020 has seen less total malware volume than any month in 2019,” according to the report. “The latest malware data available, from June 2020, shows 440.3 million total malware hits — less than half of 2019’s high of 1.1 billion set in October.”

However, one segment is decidedly not ebbing, and that’s ransomware. It has instead seen a corresponding jump: By mid-year 2019, global ransomware was up 15 percent. This year, it’s up 20 percent.

Some countries are doing better than others on that front; for instance, ransomware in the U.K has fallen by 6 percent year-over-year, to 5.9 million, and in other places it’s dropped by nearly half. But in North America, ransomware is up 105 percent — including the aforementioned 109 percent increase in the United States, where it rose to 80 million attacks.

“While it’s impossible to determine causation, a strong correlation can be found in the ransomware graph and the patterns of COVID-19 infections,” according to the report. “Asia saw the first COVID-19 cases, and ransomware numbers there spiked in January and March. The pandemic hit Europe next, and we see corresponding spikes there in February and April. In North America, ransomware attacks started low in January, but by March they had nearly tripled, continuing to make more modest gains through April and May before slowing a slight decrease in June, when numbers fell to their lowest point since March.”

As COVID-19 rates rise in the U.S. again, the firm warns businesses to expect rampant ransomware to go along with the spreading virus.

“In most cases, these are not brand new exploits; [attackers] are not creating new malware,” Conner said in an interview with the San Jose Mercury News regarding a $1.14 million ransom demand recently paid by UC San Francisco. “There’s more easy access from home than there was in a building because you have multiple layers of security in your office.”

Some ransomware has however been newly developed during this time of pandemic, including Ada_Covid, which uses WhatsApp to communicate with victims. It was first spotted in April.

“An interesting shift with this malware is that the operators have chosen WhatsApp as a means of communication with infected users,” according to Trustwave researchers. “This could be in response to the social change triggered by the current global pandemic.  The operators perhaps, realize that instant messaging is a more effective negotiation medium when victims are stuck at home…This is opposed to messaging via email, the medium of choice for many ransomware operators in the past.”

IoT Targeting

Even as cybercriminals know that employees working from home might be less protected from ransomware than in-office workers, the same principle applies to the targeting of IoT devices.

Since January, SonicWall recorded 20.2 million IoT attacks; January, February and March each racked up more attacks than their 2018 and 2019 counterparts combined. If the rest of 2020 follows the pattern of previous years — which saw a greater number of IoT attacks in the latter half of the year than the first — this year’s attack total could wind up surpassing the totals for 2018 and 2019 put together, according to the firm.

“A remote workforce can introduce many risks — some of them obvious, some of them less so,” according to SonicWall. “While the increased dangers of things like phishing attacks have been widely reported on, few are talking about the dangers presented by refrigerators, doorbells or gaming consoles.”

The report noted that while most people’s home contain at least some IoT devices, including a basic home Wi-Fi router, many don’t have the time or expertise to adequately secure them.

“But when these devices connect to endpoints that connect to corporate networks, they can provide cybercriminals an open door into what may otherwise be a well-secured organization,” researchers noted.

Encrypted Malware and Cryptomining

As far as other data points in the report, the firm also found that encrypted threats and cryptojacking are both on the rise.

As for the former, aside from a large slide between January and February and a tiny dip in May, encrypted attacks have been on an upward trajectory, even as volumes are down year-over-year after a big ebb last fall.

“Cybercriminals are increasingly using [SSL] and [TLS] to hide malware, ransomware, zero-days and more,” according to the report. “Traditional security controls, such as legacy firewalls, lack the capability or processing power to detect, inspect and mitigate cyberattacks sent via HTTPS traffic, making this a highly successful avenue for hackers to deploy and execute malware within a target environment.”

In a work-from-home environment without corporate security controls, this becomes an even more attractive approach, the report pointed out – as seen in the numbers.

“The total amount of encrypted malware in June, 378,736, is not only the highest number of encrypted threats recorded in all of 2020, it’s also higher than at any point in the latter half of last year,” the report pointed out.

On a geographic basis, encrypted threats in Asia have increased 175 percent year-over-year, mostly due to a big spike in January, when the coronavirus began to fully emerge there.

As far as cryptomining, volumes dropped off substantially after Coinhive closed down in March 2019, with a 78 percent drop in attacks between July 1 and Dec. 31 of last year. However, this type of malware has come roaring back, with an increase in North America in the first half of 2020 of a whopping 252 percent. There were also modest increases in Europe. In Asia meanwhile, cryptojacking had ceased almost entirely by June, making for a decline of 97 percent year-over-year.

The XMRig malware accounted for nearly 30 million of the 32.3 million total cryptojacking hits SonicWall observed in 2020.

“These miners are becoming more sophisticated, with the addition of abilities such as being able to target and kill rival miners,” according to the report. “It’s also becoming more versatile: In April, an XMRig cryptominer infected Kubeflow, a machine-learning toolkit for Kubernetes, and in June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that XMRig was among the three detection signatures that make up over 90 percent of identified potential threats.”


Suggested articles