The COVID-19 pandemic continues to have a huge impact on businesses across the globe. Strategies for 2020 went out of the window when the world was brought to a standstill, requiring organisations across all sectors to rethink operating models and shift direction just to stay afloat.
An unwelcome constant throughout the chaos has been the presence of cyber criminals, always ready and waiting to seize upon any perceived cybersecurity weakness. According to Interpol, adversaries have taken advantage of the widespread global communications on the coronavirus to mask their activities.
Malware, spyware and trojans have been found embedded in interactive coronavirus maps and websites. Spam emails are also tricking users into clicking on links which download malware to their computers or mobile devices.
Ransomware remains rampant
Healthcare organisations, already under massive COVID-19 strain, have not been spared. Interpol has seen an increase in ransomware targeting hospitals and medical centres – the same form of malicious program used in the WannaCry attack in 2017 is causing disruption once again. The ransomware can enter systems through emails containing infected links or attachments, through compromised employee credentials, or by exploiting a vulnerability in the system.
On March 24 2020, one Orange Cyberdefense CERT team tracked 23 unique COVID-19-based phishing mails over a 24-hour period. In addition, during the same week customers reported more than 600 potentially fraudulent emails, 10% of which have proven to be malicious – four times higher than in the previous week.
Of course, these types of attack are nothing new – malware has long been a favored tactic of those intent on causing cyber carnage. However, our own data suggests that we just might be starting to make progress in reducing the damage caused by malware. In the past year through our CyberSOCs, Orange Cyberdefense analysed over 50 billion security events daily.
According to our latest Security Navigator, 11.17% of the analysed events were identified as verified security incidents. This represents a 34.4% increase over the previous year’s rate of 8.31%. This is significant considering the total number of events grew by less than 3%. However, of the events analysed, only 22% of incidents could be classified as malware-related in 2019, compared to 45% in the previous year.
During the same period, application anomalies increased from 36% to 46% to claim the top spot as the most common incident cause in 2019. This in no way means that malware is no longer a threat, but it does show that endpoint prevention can significantly reduce risk.
In recent years, desktops and mobile devices have faced increasingly complex and numerous attacks by malware authors attempting to gain an entry point into the network to steal data or, through ransomware, for financial benefit.
Most businesses don’t have enough internal resources, time or skills to granularly configure and manage specialist security devices, maintain patching levels, perform ongoing policy reconfiguration or investigate and respond to numerous device-status alerts.
What we are seeing in the decreasing rate of malware is very likely the immediate result of next-generation endpoint protection. While AI-based solutions have been around for a while now, their widespread application has taken some time. Now, more and more customers have started investing in next-generation preventive endpoint protection. And we see the results quite clearly: the common cybercriminal is simply no match for up-to-date endpoint protection anymore.
While this progress is encouraging, malware continues to pose a serious threat – particularly to large organisations. The Security Navigator found that 24% of security incidents in companies with more than 10,000 employees resulted from malware, compared to just 10% in small organisations.
Those behind malware attacks are also becoming increasingly professional in their approach. The data shows a drop in attack activities during the beginning of April, mid-July and early December. These are likely due to a trend we already observed in previous years: with cybercriminals getting more professional, we see them adopting a nine-to-five mentality. As odd as this seems, hackers now take regular holidays. This may explain the drop in April, when attacks slowed due to an early Easter holiday, as well as summer vacation and Christmas at the end of the year.
It is also remarkable that Monero, Ethereum, Litecoin and Bitcoin prices reached a new peak in early summer, but there was next to no effect on the frequency of mining attacks, while we had previously seen mining directly following the trade value of cryptocurrencies. This indicates that cryptomining as a threat is gone for good and likely will not return in widespread campaigns.
Finally, it should be remembered that investment in endpoint protection should not be limited to technology: having access to experts with the right skills is essential, and many cybersecurity courses are available. And in a market where cyber expertise is scarce – 65% of organisations report a shortage of cybersecurity staff according to non-profit ISC2 – managed detection and response should be a consideration in any strategy to counter the malware threat.