2020 Sonicwall Cyber Threat Report PDF
2020 SONICWALL
CYBER THREAT REPORT
Cyber threat intelligence for navigating
the new business normal
www.sonicwall.com | @SonicWall
Table of Contents
A Note From Bill 03
About SonicWall 30
As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data
cleansing, changes in data sources and consolidation of threat feeds. Figures published in previous reports may have been adjusted across different
time periods, regions or industries.
4 | Mid-Year Update: 2020 SonicWall Cyber Threat Report | 2020 GLOBAL CYBERATTACK TRENDS
Profiting off the Pandemic

These are dark days for many businesses and individuals. But they’re salad days for cybercriminals. Opportunistic hackers, seeing a chance to take advantage of the confusion and fear surrounding the pandemic, have been out in force.

During a June 16 U.S. House meeting on cybercrime, representative Emanuel Cleaver stated, “We are seeing a 75% spike in daily cybercrimes reported by the FBI since the start of the pandemic.”

To make matters worse, some are targeting medical facilities, research labs, utilities and other institutions we’re relying on for our continued survival.

"It was only a matter of time before a nation state resorted to cybercrime to influence or control global healthcare during a time of great need,” Bill Conner told Newsweek International.

"As this pandemic expands and evolves, we stand to see similar attacks in the future. It's incredibly valuable information for millions around the world — IP that would catapult a company's economy if seized," Conner said. "[Cyber] criminals tend to follow the money trail, thus putting a massive bounty on anything vaccine-related."

While COVID-19 continues to drive cybersecurity trends as a whole, it has also inspired new attacks capitalizing on our desire for news, assistance or guidelines that could help keep us safe.

SonicWall Capture Labs threat researchers began seeing attacks, scams and exploits specifically based around COVID-19 on Feb. 4, and since then have detailed at least 20 different types of attacks across just about every category.
[Chart: COVID-19 Phishing, weekly volume from 1/1 to 6/24, 2020; label "Corona 32.92%".]
* Not representative of total phishing volume. Weekly data based on sample pool of SonicWall phishing intelligence. Safe emails related to COVID-19 filtered and omitted.
[Chart: ‘Never-Before-Seen’ Malware Variants Found by RTDMI™, quarterly volume (Q1 to Q4), with callouts "63% increase in never-before-seen malware variants identified by RTDMI in the first half of 2020" and "+3,220%".]
Of these, 120,910 were detected by SonicWall Real-Time Deep Memory Inspection. Included as part of Capture ATP, RTDMI™ leverages proprietary memory inspection, CPU instruction tracking and machine learning capabilities to become increasingly efficient at recognizing and mitigating cyberattacks never seen by anyone in the cybersecurity industry — including threats that do not exhibit any malicious behavior and hide their weaponry via encryption. These are attacks that traditional sandboxes likely missed.

Overall, 63% more never-before-seen malware variants were identified by RTDMI in the first half of 2020 than were identified in the first half of 2019.
NEW ATTACK VARIANTS
Microsoft Office Files Overtake PDFs

In the first half of 2020, Office files and PDFs made up a third of all new malicious files identified by Capture ATP. For the first half of 2019, PDFs showed an edge over Office 365 files, outpacing them 36,488 to 25,461.

So far in 2020, we’ve seen a major reversal: While 8% fewer PDF files were uncovered, the number of Office files identified has exploded, climbing to 70,184 — a 176% increase.

While the overall number of new threats identified over the past six months is up significantly, there is some good news. As we’ve moved through the first half of 2020, both the number of malicious PDF files and the number of malicious Office files seem to have dipped slightly in the second quarter.

The bad news: just six days into the second half of 2020, SonicWall Capture Labs threat researchers have begun observing advances in the way malicious Excel files distribute malware — including new techniques to evade signature-based anti-malware engines and hinder sandbox debugging and analysis.

This tells us: 1) The aforementioned respite will likely be brief, 2) Attackers are still focusing a significant amount of time and energy into these sorts of attacks, so we shouldn’t expect a sustained drop anytime soon, and 3) Threats are becoming more evasive and more nefarious, particularly those leveraging PDF and Office files — making advanced technology like RTDMI more critical than ever.
[Chart: 2020 New Malicious File Type Detections | Capture ATP. Labels: Office 22.42%, Archive 22.08%, Exe 15.78%, PDF 10.67%, Other 5.08%. Callouts: "+176%" and "120,910 (+3,220%): number of never-before-seen malware variants identified by SonicWall RTDMI™ so far in 2020".]
Malware Falls in 2020

Instituting widespread work-from-home policies in response to the COVID-19 pandemic was the right thing to do, both from a business continuity standpoint and from an employee safety standpoint.

The downside is that organizations are more distributed than ever before — and this is having an impact on how cybercriminals approach the targeting and deployment of malware.

During the first half of 2020, malware fell from 4.8 billion to 3.2 billion cases, a drop of 33% over 2019’s mid-year total. This drop is the continuation of a downward trend that began last November.

Remarkably, every month in 2020 has seen less total malware volume than any month in 2019. The latest malware data available, from June 2020, shows 440.3 million total malware hits — less than half of 2019’s high of 1.1 billion set in October.

A WORLD OF DIFFERENCE

There are many reasons one region may see more malware than another, including:

• Allocation of cybersecurity resources
• More targeted attacks run by specific advanced persistent threats (APT)
• Attacks related to regional events such as elections, civic actions, natural disasters, etc.
• The severity of penalties levied against cybercriminals in a specific region
[Chart: Global malware volume by month, 2019 vs 2020 (Jan to Dec).]
Malware is clearly trending downward. Not shown: What’s picking up the slack.
Depends on where you are.

After a spike in March, malware took a dive in April. Over the last few months, however, it’s begun to rise again. This shows some connection with the rate at which COVID-19 cases are being diagnosed. As protective measures began to be lifted in May and June, cases began rising again, as did malware attacks.

There are also regional differences in both the amount of malware and the percentage change year over year, highlighting shifting cybercriminal focus.

For example, the United States (-24%), United Kingdom (-27%), Germany (-60%) and India (-64%) all experienced reduced malware volume. As cybercriminals continue shifting their focus to ransomware and more insidious and stealthy forms of malware, we may continue to see these numbers fall.

2020 First-Half Malware Volume

COUNTRY    TOTAL HITS       YTD CHANGE
U.S.       1,899,310,121    -24%
U.K.         228,187,476    -27%
India         80,587,000    -64%
Brazil        69,583,407    -56%
Germany       26,606,635    -60%
Mexico         9,903,771     -3%
UAE            7,073,783    -74%
Japan          5,298,028     22%

But looking at SonicWall’s exclusive malware spread percentage data, which tells us how widespread malware is in a given region (see next section), reveals one very important thing these countries have in common. In every case, the highest malware spread percentage occurred in March.

What’s so special about March? In a typical year, nothing: This is one of the more extreme examples of the COVID-19 pandemic affecting cybercriminal behavior.
[Chart: Global malware spread (% hit) by month, Jan to Jun 2020.]
The COVID-19 pandemic sparked malware across all continents, pushing the chance an organization would see a malware attack above 35%.
[Charts: 2020 malware attacks by U.S. state, total hits and spread (% hit); state labels not recoverable from the extraction.]
[Chart: 2020 Malware Attacks | United States, monthly total volume and spread (% hit), Jan to Jun.]
Once again, the U.S. leads in total malware, with January showing the highest volume, but March showing the largest spread.
[Chart: 2020 Malware Attacks | United Kingdom, monthly total volume and spread (% hit).]
Malware spread in the U.K. has begun to rise again in Q2, but still remains well below Q1.
[Chart: 2020 Malware Attacks | Germany, monthly total volume and spread (% hit).]
In Germany, like many other countries, malware volume hit its highest point in March —
[Chart: 2020 Malware Attacks | India, monthly total volume and spread (% hit).]
India’s malware rates plummeted in April, but by June had nearly reached Q1 levels.
[Chart: 2020 Malware Attacks | Brazil, monthly total volume and spread (% hit).]
Total malware volume in Brazil hit its highest point in June, a departure from trends in other countries.
[Chart: 2020 Malware Attacks | Mexico, monthly total volume and spread (% hit).]
In Mexico, malware spread is disproportionately higher than total malware numbers, with
[Chart: 2020 Malware Attacks | UAE, monthly total volume and spread (% hit).]
There is plenty of malware in UAE, but fortunately spread remains comparatively low.

[Chart: 2020 Malware Attacks | Japan, monthly total volume and spread (% hit), Jan to Jun.]

(U.K., with 231.9 million). So why aren’t these countries the riskiest?

By calculating the percentage of sensors that saw a malware attack, we get much more useful information about whether an organization is likely to see malware in an area. The greater this malware spread percentage, the more widespread malware is in a given region.

It can be helpful to compare malware spread with how we explain precipitation, the “chance of rain.” Like the
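The spread-percentage idea above, worked through on constructed sensor telemetry. This is an added example, not SonicWall's code or data: the regions, sensor IDs and hit counts are made up to show how a region can rank first on raw volume yet second on spread, which is the report's point about "riskiest" regions.

```python
"""Malware 'spread percentage' versus raw hit volume, per the report's definition.

Added example (not SonicWall's code). Each record is (region, sensor_id, hits)
for one month. Spread % is the share of a region's sensors that saw at least
one malware hit; total volume is the plain sum of hits.
"""
from collections import defaultdict

# Constructed telemetry, not real SonicWall data. RegionA has two very noisy
# sensors and three quiet ones; RegionB has low volume on almost every sensor.
SAMPLE_TELEMETRY = [
    ("RegionA", "a-01", 900_000), ("RegionA", "a-02", 0), ("RegionA", "a-03", 0),
    ("RegionA", "a-04", 0), ("RegionA", "a-05", 100_000),
    ("RegionB", "b-01", 1_200), ("RegionB", "b-02", 800), ("RegionB", "b-03", 950),
    ("RegionB", "b-04", 0), ("RegionB", "b-05", 1_050),
]


def region_stats(records):
    """Return {region: (total_hits, spread_pct)}.

    spread_pct = 100 * sensors_with_at_least_one_hit / sensors_reporting.
    A sensor reporting zero hits still counts in the denominator; that is what
    makes spread a 'chance of seeing malware' rather than a volume figure.
    """
    hits = defaultdict(int)
    sensors = defaultdict(set)
    hit_sensors = defaultdict(set)
    for region, sensor_id, n in records:
        if n < 0:
            raise ValueError(f"negative hit count for sensor {sensor_id}")
        hits[region] += n
        sensors[region].add(sensor_id)
        if n > 0:
            hit_sensors[region].add(sensor_id)
    out = {}
    for region, ids in sensors.items():
        spread = 100.0 * len(hit_sensors[region]) / len(ids)
        out[region] = (hits[region], round(spread, 2))
    return out


def rank(stats, by):
    """Regions ordered high to low by 'volume' (total hits) or 'spread'."""
    idx = {"volume": 0, "spread": 1}[by]
    return [r for r, _ in sorted(stats.items(), key=lambda kv: kv[1][idx], reverse=True)]


if __name__ == "__main__":
    stats = region_stats(SAMPLE_TELEMETRY)
    for region, (total, spread) in stats.items():
        print(f"{region}: total hits {total:>9,}  spread {spread:5.1f}%")
    print("by volume:", rank(stats, "volume"))
    print("by spread:", rank(stats, "spread"))
```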
[Chart: monthly volume, 2019 vs 2020 (Jan to Dec); chart title not recovered from the extraction.]
In North America, ransomware attacks started low in January, but by March they had nearly tripled, continuing to make more modest gains through April and May before showing a slight decrease in June, when numbers fell to their lowest point since March.

Unfortunately, COVID-19 rates have been rising again, this time even higher than before — so if this pattern holds true, North America may soon be dealing with the one-two punch of COVID-19 and rampant ransomware.

Effects of the pandemic can also be seen in global trends. In the first half of last year, ransomware peaked in May. This year, it peaked in February.

This is more than 13 times the number of ransomware attacks in the next-highest country, U.K.

But perhaps more importantly, the work many of these organizations do isn’t just vital to the company itself — it’s vital to the functioning of our society. These attacks have taken down websites, email, payroll, phone services and dispatch services, and have even attempted to toxify municipal water supplies.

“In most cases, these are not brand new exploits; [attackers] are not creating new malware,” SonicWall President & CEO Bill Conner said in an interview with the San Jose Mercury News regarding a $1.14 million ransom demand recently paid by UC San Francisco. “There’s more easy access from home than there was in a building because you have multiple layers of security in your office.”

In response to a string of high-profile ransomware attacks, including one that held the city of Baltimore’s computer systems hostage for 36 days, Maryland has been working to pass laws strengthening penalties for ransomware operators in an attempt to reverse this trend.
2020 Ransomware Volume | Top 10 Countries

COUNTRY          VOLUME
United States    79,985,276
Malaysia          2,535,693
Canada            2,491,377
Netherlands       1,840,836
Brazil            1,190,092
Italy               811,682
France              651,694
Belgium             567,503
Switzerland         545,136
[Chart: 2020 ransomware volume by U.S. state, top 10 (Maryland, Michigan, Florida, New York, Tennessee, Virginia, California, New Jersey, Pennsylvania, Alabama); bar values run from 18,652,172 down to 2,729,837.]
According to The New York Times, ransom demands are skyrocketing: the cities of Riviera Beach and Lake City, both in Florida, recently paid out $600,000 and $500,000 ransoms respectively, and in early July, cybercriminals demanded a staggering $14 million ransom from Brazilian power company Light S.A.

Even for companies that cooperate with the criminals’ demands, the trouble often doesn’t stop when the ransom is paid. Many organizations pay the ransoms, only to find their files are irretrievably corrupted or have been wiped out altogether. Ransomware attacks are so devastating that they’ve forced a number of companies out of business.
NON-STANDARD PORT ATTACKS

While there are more than 40,000 registered ports, only a handful are commonly used. They are the ‘standard’ ports. For example, HTTP uses port 80, HTTPS uses port 443 and SMTP uses port 25. A service using a port other than the one

Newer firewalls that are capable of analyzing specific artifacts (as opposed to all traffic) can detect these attacks. But until the number of organizations deploying these more advanced solutions rises considerably, we’re likely to see a continued increase in these sorts of attacks.

[Chart: non-standard port attacks; data labels 75%, 78%, 81%, 83% on a 20% to 90% axis.]
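The detection idea in the passage above, classifying a flow by its payload artifacts rather than by its port, as an added example that is not SonicWall's code. The standard-port table is the one the report gives (HTTP 80, HTTPS 443, SMTP 25); the flows are constructed samples, and the artifact checks are deliberately minimal (HTTP request line, TLS ClientHello record header, SMTP 220 greeting).

```python
"""Flag services on non-standard ports by inspecting the first bytes of a flow.

Added example, not SonicWall's code. The port number alone says nothing about
the protocol; a small artifact check tells HTTP, TLS and SMTP apart wherever
they run, which is what the report means by analyzing specific artifacts.
"""
import re

# Standard port per protocol, as listed in the report (HTTP 80, HTTPS 443, SMTP 25).
STANDARD_PORTS = {"http": {80}, "tls": {443}, "smtp": {25}}

_HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
_SMTP_GREETING = re.compile(rb"^220 [^\r\n]*\r\n")  # server banner, e.g. "220 host ESMTP"

# Constructed TLS record header: type 0x16 (handshake), version 3.1, length 0xc4,
# then handshake type 0x01 (ClientHello) and the start of its own header.
TLS_CLIENT_HELLO = bytes.fromhex("160301 00c4 01 0000c0 0303")


def identify_protocol(first_bytes: bytes, from_server: bool = False):
    """Return 'http', 'tls', 'smtp' or None from the leading bytes of a flow."""
    if _HTTP_REQUEST.match(first_bytes):
        return "http"
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] in (0x01, 0x02, 0x03, 0x04) and first_bytes[5] == 0x01):
        return "tls"
    # SMTP is recognised by the server's greeting, so only server-originated bytes count.
    if from_server and _SMTP_GREETING.match(first_bytes):
        return "smtp"
    return None


def classify_flow(dst_port: int, first_bytes: bytes, from_server: bool = False):
    """Return (protocol, verdict); verdict is 'standard', 'non-standard' or 'unknown'."""
    proto = identify_protocol(first_bytes, from_server)
    if proto is None:
        return None, "unknown"
    return proto, ("standard" if dst_port in STANDARD_PORTS[proto] else "non-standard")


# Constructed sample flows: (dst_port, first_bytes, from_server).
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n", False),
    (8443, b"GET /update.bin HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n", False),
    (443, TLS_CLIENT_HELLO, False),
    (4444, TLS_CLIENT_HELLO, False),
    (25, b"220 mail.example.test ESMTP\r\n", True),
    (2525, b"220 relay.example.test ESMTP\r\n", True),
    (9999, b"\x00\x01\x02\x03", False),
]


def find_non_standard(flows):
    """Return [(dst_port, protocol)] for every flow whose protocol is off its standard port."""
    findings = []
    for dst_port, first_bytes, from_server in flows:
        proto, verdict = classify_flow(dst_port, first_bytes, from_server)
        if verdict == "non-standard":
            findings.append((dst_port, proto))
    return findings


if __name__ == "__main__":
    for port, proto in find_non_standard(SAMPLE_FLOWS):
        print(f"port {port}: {proto} on a non-standard port")
```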
IoT Attacks Spike 50%

A remote workforce can introduce many risks — some of them obvious, some of them less so. While the increased dangers of things like phishing attacks have been widely reported on, few are talking about the dangers presented by refrigerators, doorbells or gaming consoles.

While most people have at least some IoT devices, many don’t have the time or expertise to adequately secure them. But when these devices connect to endpoints that connect to corporate networks, they can provide cybercriminals an open door into what may otherwise be a well-secured organization.

IoT attacks were rampant the first three months of 2020, as January, February and March each racked up more attacks than their 2018 and 2019 counterparts combined.

Since January, SonicWall recorded 20.2 million IoT attacks (+50%). If the current pattern holds, total IoT attacks will surpass both 2018 and 2019 levels.

If, on the other hand, 2020 follows the pattern of previous years — which saw a greater number of IoT attacks in the latter half of the year than the first — this year’s attack total could wind up surpassing the totals for 2018 and 2019 put together.

According to one source, 31 billion IoT devices will be connected to the web this year, and roughly 93% of enterprises and 80% of industrial manufacturing companies will adopt IoT technology.

This widespread adoption — combined with lax manufacturing standards and the difficulty IT has traditionally had in being able to see, let alone control and secure, some of these devices — makes them an attractive target for criminals.

Though there have been cases where IoT devices have been compromised for their own sake, the primary motivation is to use these devices as a back door into the network, allowing them to deploy serious forms of compromise with lower chances of detection.
[Chart: IoT malware attacks by month, 2019 vs 2020 (Jan to Dec).]
Developed in collaboration with governments, academic institutions and industries, ETSI EN 303 645 is intended to curb the epidemic of attacks resulting from criminals gaining control of these devices.

While this may mark a sea change in how IoT devices are secured going forward, the large number of smart devices sold prior to these standards means IoT device attacks will continue being a problem for a long time.
Most regions echo the overall drop in encrypted threats, but Asia was a huge exception. Encrypted threats in Asia didn’t just rise, they skyrocketed, resulting in an increase of 175%. Most of this was driven by the month of January, which racked up roughly 10 times the average number of encrypted threat hits as the rest of 2020.

Traditional security controls, such as legacy firewalls, lack the capability or processing power to detect, inspect and mitigate cyberattacks sent via HTTPS traffic, making this a highly successful avenue for hackers to deploy and execute malware within a target environment.
[Chart: monthly spread (%), 2019 vs 2020 (Jan to Dec), in the encrypted-threats section; values range from 7.04% to 9.63%.]
But in what is perhaps 2020’s most dramatic reversal, cryptojacking rallied in the first half, showing modest increases in Europe and a number of other regions. More surprising still, North America recorded an increase of 252%, defying all expectations. By June, there was only one region where figures met last year’s predictions: In Asia, cryptojacking has ceased almost entirely, falling 97% year over year.

Based on SonicWall analysis, not only did the shuttering of Coinhive fail to kill cryptojacking — it didn’t even properly kill Coinhive.

An ongoing shift has been observed, however, from Coinhive to XMRig, another Monero cryptocurrency miner. Open-source code that is readily available, iterations of XMRig malware accounted for nearly 30 million of the 32.3 million total cryptojacking hits SonicWall observed in 2020.

These miners are becoming more sophisticated, with the addition of abilities such as being able to target and kill rival miners. They’re also becoming more versatile: In April, an XMRig cryptominer infected Kubeflow, a machine-learning toolkit for Kubernetes, and in June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that XMRig was among the three detection signatures that make up over 90% of identified potential threats.
[Chart: cryptojacking volume by month, 2019 vs 2020 (Jan to Dec).]
While it might be tempting to attribute March’s huge jump in cryptojacking to the pandemic, that doesn’t seem to be the case here. Comparing the first half of 2020 with the first half of 2019, you can see that the past six months basically follow the same pattern. While the pandemic may have contributed to the severity of the spike, the spike itself was right on time.

Cryptojacking delivers something of a one-two punch to victims — not only are they at risk of data compromise, they’re also stuck with the enormous energy bills that accompany mining cryptocurrency. According to Ars Technica, cryptomining is thought to consume almost half a percent of the world’s energy consumption.
[Chart: daily volume, 1/1 through 6/30 2020; series labels not recovered from the extraction.]
Despite Zoom lagging significantly behind Google Hangouts for most of the year, the SonicWall Capture Labs threat research team spotted at least five types of malware aimed at defrauding users attempting to use Zoom:

• APRIL 23 – SonicWall Capture Labs threat researchers observed several malicious Android apps that use the name, user interface (UI) elements and parts of code of the legitimate Zoom app to infect unsuspecting users.

• APRIL 18 – A malicious Zoom videoconferencing app installer bundled with a cryptocurrency miner installs the legit program to avoid suspicion, while the cryptominer runs in the background.

Video-conferencing software traffic also reveals a lot about our habits. Perhaps unsurprisingly, Sunday is the slowest day of the week for videoconferencing software — though Sundays still show significant traffic, giving credence to the idea that we’ve shifted to an “anywhere, anytime” work reality.

RingCentral illustrates the most extreme example of this: Despite having less of a consumer reputation as a social app than either Zoom or Google Hangouts, the percentage difference between its heaviest traffic days and lightest traffic days was the smallest of the four.

So when are people meeting? Across all four videoconferencing solutions, the most popular meeting day was Tuesday.
• 215+ countries and territories
• 24x7x365 Capture Advanced Threat Protection (ATP) multi-engine sandbox
• <24hrs
• devices around the globe
• 140k+ Malware Samples Collected Daily
• 28m+ Malware Attacks Blocked Daily
SonicWall, Inc.
1033 McCarthy Boulevard | Milpitas, CA 95035
Refer to our website for additional information.
www.sonicwall.com
EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY
WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/ OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF
THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to
specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.
As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data cleansing, changes in data sources and
consolidation of threat feeds. Figures published in previous reports may have been adjusted across different time periods, regions or industries. The materials and information contained in
this document, including, but not limited to, the text, graphics, photographs, artwork, icons, images, logos, downloads, data and compilations, belong to SonicWall or the original creator and is
protected by applicable law, including, but not limited to, United States and international copyright law and regulations.
2020ThreatReport-MidyearUpdate-COG-2610