
MID-YEAR UPDATE | JULY 2020

2020 SONICWALL
CYBER THREAT REPORT
Cyber threat intelligence for navigating
the new business normal

www.sonicwall.com | @SonicWall

Table of Contents

A Note From Bill
2020 Global Cyberattack Trends
Profiting off the Pandemic
Phishing for Fear
What’s Hiding in Your Office Files?
Malware Falls in 2020
What’s Your Malware Risk?
Ransomware Still on the Rise
Non-Standard Port Attacks Gain Ground
IoT Attacks Spike 50%
Encrypted Threats Make Late Surge
Cryptojacking: 2020’s Comeback Kid
Connection in the Time of COVID
About the SonicWall Capture Labs Threat Network
About SonicWall

2 | Mid-Year Update: 2020 SonicWall Cyber Threat Report


A Note From Bill
We’re in the midst of one of the most turbulent times in cybersecurity history. Over the past six months, as the COVID-19 pandemic ravaged its way across the globe, we’ve seen shifts we thought would take decades happen virtually overnight.

Full-scale remote work went from being a long-term plan to an imminent necessity. With traditional work solutions no longer sufficient to protect and enable employees working from home, cybersecurity had to pivot — without precedent and, in many cases, without budget — to secure employees at significantly greater risk than ever before.

In April 2020, SonicWall introduced the new Boundless Cybersecurity model, designed to help organizations navigate a hyper-distributed IT reality where everyone is remote, everyone is mobile and everyone is less secure.

By knowing the unknown, providing real-time visibility and leveraging breakthrough economics, SonicWall enables businesses to close the cybersecurity business gap and guard against the growing ranks of opportunistic cyberattackers.

While the historic disruption accompanying the COVID-19 pandemic has been challenging for businesses, it’s been a boon for cybercriminals. SonicWall Capture Labs threat researchers have detailed at least 20 COVID-19-themed threats aimed at ensnaring worried and distracted victims.

The pandemic’s effects can be seen in most every piece of threat data highlighted here — shifting, increasing, decreasing and upending long-standing patterns.

Amid the disruption, a few key takeaways emerge: Malware is down, but changing and spreading. Ransomware is up, particularly in the U.S. (+109%). Office files continue to be leveraged for malicious agenda. SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection™ is catching more attacks than ever. Malware targeting Internet of Things (IoT) devices has risen to 20.2 million, up 50% from this time last year. Cybercriminals are increasingly targeting the massive influx of employees working from home. And intrusion attempts are up 19%, to 2.3 trillion.

By gaining a fuller understanding about where we find ourselves in 2020, we can move as safely and resolutely as possible toward the future, whatever it has in store.

BILL CONNER
PRESIDENT & CEO
SONICWALL

2020 Global Cyberattack Trends

Malware attacks: 3.2 billion (–33%)
Encrypted threats: 1.7 million (–32%)
Cryptojacking: 41.4 million (–12%)
Intrusion attempts: 2.3 trillion (+19%)
Ransomware attacks: 121.4 million (+20%)
IoT malware: 20.2 million (+50%)

As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data
cleansing, changes in data sources and consolidation of threat feeds. Figures published in previous reports may have been adjusted across different
time periods, regions or industries.

Profiting off the Pandemic
These are dark days for many businesses and individuals. But they’re salad days for cybercriminals. Opportunistic hackers, seeing a chance to take advantage of the confusion and fear surrounding the pandemic, have been out in force.

During a June 16 U.S. House meeting on cybercrime, representative Emanuel Cleaver stated, “We are seeing a 75% spike in daily cybercrimes reported by the FBI since the start of the pandemic.”

To make matters worse, some are targeting medical facilities, research labs, utilities and other institutions we’re relying on for our continued survival.

“It was only a matter of time before a nation state resorted to cybercrime to influence or control global healthcare during a time of great need,” Bill Conner told Newsweek International.

“As this pandemic expands and evolves, we stand to see similar attacks in the future. It’s incredibly valuable information for millions around the world — IP that would catapult a company’s economy if seized,” Conner said. “[Cyber] criminals tend to follow the money trail, thus putting a massive bounty on anything vaccine-related.”

While COVID-19 continues to drive cybersecurity trends as a whole, it has also inspired new attacks capitalizing on our desire for news, assistance or guidelines that could help keep us safe.

SonicWall Capture Labs threat researchers began seeing attacks, scams and exploits specifically based around COVID-19 on Feb. 4, and since then have detailed at least 20 different types of attacks across just about every category.

• MALWARE: Corona Anti-Locker Ultimate, a data-stealing malware
• RANSOMWARE: Ada_Covid, which uses WhatsApp to communicate with victims
• CRYPTOMINER: A cryptominer trojan that comes as a WinRAR self-extracting archive and is capable of killing and deleting running rival cryptominers
• ANDROID LOCKER: Various versions of Android Locker, repackaged to look like apps such as WhatsApp, Netflix and others
• TROJAN: Infostealer Trojan, delivered via an email purportedly coming from the U.S. Centers for Disease Control (CDC)
• RAT: Remote Access Trojan distributed via spam attachment disguised as COVID-19 response and preparedness document
• SPAM SCAM: Malicious executable file in email supposedly regarding COVID-19 relief package
• SCAREWARE: Lansom scareware demands ransom but in reality does not encrypt any files

“It was only a matter of time before a nation state resorted to cybercrime to influence or control global healthcare during a time of great need.”
BILL CONNER, PRESIDENT & CEO, SONICWALL
NEWSWEEK INTERNATIONAL, JULY 16, 2020


Phishing for Fear
In the first half of 2020 global phishing volume was down 15%, but roughly 7% of those attacks leveraged fears around COVID-19. SonicWall phishing intelligence derived this figure from a large sample of spam emails containing COVID-19-related search terms. The safe, or non-phishing, emails about COVID and related terms were filtered out and omitted.

As expected, COVID-19 phishing began rising in March, and saw its most significant peaks on March 24, April 3 and June 19. This contrasts with phishing as a whole, which started strong in January and was down by the time the pandemic phishing attempts began to pick up steam.

Top 5 COVID-19 Phishing Keywords

Virus        42.33%
Corona       32.92%
Quarantine    9.72%
COVID         8.77%
Mask          6.26%

[Figure: 2020 COVID-19 Phishing Trends. Weekly COVID-19 phishing volume (y-axis: Volume, 0 to 2,600; x-axis: weeks from 1/1 to 6/24).]

* Not representative of total phishing volume. Weekly data based on sample pool of SonicWall phishing intelligence. Safe emails related to COVID-19 filtered and omitted.


What’s Hiding in Your Office Files?
The number of new malware variants found by SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection™ continues to rise: During the first six months of 2020, the pair discovered 315,395 new malware variants.

Each year has brought significant advancements, and the first half of 2020 is no exception.

So far in 2020, every month has seen significant year-over-year increases in the number of malware variants found — combined, they represent a 62% increase over 2019’s first half totals.

[Figure: ‘Never-Before-Seen’ Malware Variants Found by RTDMI™. Quarterly counts (Q1 to Q4) for 2018, 2019 and 2020; y-axis 0 to 80K. Callout: 63% increase in never-before-seen malware variants identified by RTDMI in the first half of 2020.]

Of these, 120,910 were detected by SonicWall Real-Time Deep Memory Inspection. Included as part of Capture ATP, RTDMI™ leverages proprietary memory inspection, CPU instruction tracking and machine learning capabilities to become increasingly efficient at recognizing and mitigating cyberattacks never seen by anyone in the cybersecurity industry — including threats that do not exhibit any malicious behavior and hide their weaponry via encryption. These are attacks that traditional sandboxes likely missed.

Overall, 63% more never-before-seen malware variants were identified by RTDMI in the first half of 2020 than were identified in the first half of 2019.

Microsoft Office Files Overtake PDFs
In the first half of 2020, Office files and PDFs made up a third of all new malicious files identified by Capture ATP. For the first half of 2019, PDFs showed an edge over Office 365 files, outpacing them 36,488 to 25,461.

So far in 2020, we’ve seen a major reversal: While 8% fewer PDF files were uncovered, the number of Office files identified has exploded, climbing to 70,184 — a 176% increase.

While the overall number of new threats identified over the past six months is up significantly, there is some good news. As we’ve moved through the first half of 2020, both the number of malicious PDF files and the number of malicious Office files seem to have dipped slightly in the second quarter.

The bad news: just six days into the second half of 2020, SonicWall Capture Labs threat researchers have begun observing advances in the way malicious Excel files distribute malware — including new techniques to evade signature-based, anti-malware engines and hinder sandbox debugging and analysis.

This tells us: 1) The aforementioned respite will likely be brief, 2) Attackers are still focusing a significant amount of time and energy into these sorts of attacks, so we shouldn’t expect a sustained drop anytime soon, and 3) Threats are becoming more evasive and more nefarious, particularly those leveraging PDF and Office files — making advanced technology like RTDMI more critical than ever.

2020 New Malicious File Type Detections | Capture ATP

Scripts    23.98%
Office     22.42%
Archive    22.08%
Exe        15.78%
PDF        10.67%
Other       5.08%

176%: Increase in the number of malicious Office files
120,910: Number of never-before-seen malware variants identified by SonicWall RTDMI™ so far in 2020

‘ZERO-DAY’ VS. ‘NEVER BEFORE SEEN’ ATTACKS

The ‘zero-day attack’ is among the most well-known cybersecurity terms due to its connection to high-profile breaches. These attacks are completely new and unknown threats that target a zero-day vulnerability without any existing protections (e.g., patches, updates, etc.) from the target vendor or company.

Conversely, SonicWall tracks detection and mitigation of ‘never-before-seen’ attacks, which are the first time SonicWall Capture ATP identifies a signature/SHA256 as malicious. These discoveries often closely align with zero-day attack patterns due to the volume of attacks analyzed by SonicWall.

Malware Falls in 2020
Instituting widespread work-from-home policies in response to the COVID-19 pandemic was the right thing to do, both from a business continuity standpoint and from an employee safety standpoint.

The downside is that organizations are more distributed than ever before — and this is having an impact on how cybercriminals approach the targeting and deployment of malware.

During the first half of 2020, malware fell from 4.8 billion to 3.2 billion cases, a drop of 33% over 2019’s mid-year total. This drop is the continuation of a downward trend that began last November.

Remarkably, every month in 2020 has seen less total malware volume than any month in 2019. The latest malware data available, from June 2020, shows 440.3 million total malware hits — less than half of 2019’s high of 1.1 billion set in October.

A WORLD OF DIFFERENCE

There are many reasons one region may see more malware than another, including:
• Allocation of cybersecurity resources
• More targeted attacks run by specific advanced persistent threats (APT)
• Attacks related to regional events such as elections, civic actions, natural disasters, etc.
• The severity of penalties levied against cybercriminals in a specific region

[Figure: 2020 Global Malware Attacks. Monthly malware volume for 2019 (January to December) and 2020 (January to June); y-axis: Volume.]
Malware is clearly trending downward. Not shown: What’s picking up the slack.


It’s worth noting, however, that less malware doesn’t necessarily mean a safer world. As we’ll explore later in this report, ransomware has seen a corresponding jump over the same time period.

And across all categories of malware, SonicWall researchers have noted that attacks are both more tactical and more targeted than ever, giving them a greater chance of success.

2020 First-Half Malware Volume

COUNTRY    TOTAL HITS       YTD CHANGE
U.S.       1,899,310,121    -24%
U.K.       228,187,476      -27%
India      80,587,000       -64%
Brazil     69,583,407       -56%
Germany    26,606,635       -60%
Mexico     9,903,771        -3%
UAE        7,073,783        -74%
Japan      5,298,028        22%

The malware that we are seeing is evolving to be sneakier and more malicious. As detection tools are refined, hackers are increasingly turning to fileless malware attacks that operate in memory and take advantage of legitimate tools such as Microsoft Windows PowerShell.

As the table shows, there’s a large regional difference in both the amount of malware and the percentage change year over year.

But looking at SonicWall’s exclusive malware spread percentage data, which tells us how widespread malware is in a given region (see next section), reveals one very important thing these countries have in common. In every case, the highest malware spread percentage occurred in March.

What’s so special about March? In a typical year, nothing: This is one of the more extreme examples of the COVID-19 pandemic affecting cybercriminal behavior.


What’s Your Malware Risk?

Depends on where you are.

After a spike in March, malware took a dive in April. Over the last few months, however, it’s begun to rise again. This shows some connection with the rate at which COVID-19 cases are being diagnosed. As protective measures began to be lifted in May and June, cases began rising again, as did malware attacks.

There are also regional differences in both the amount of malware and the percentage change year over year, highlighting shifting cybercriminal focus.

For example, the United States (-24%), United Kingdom (-27%), Germany (-60%) and India (-64%) all experienced reduced malware volume. As cybercriminals continue shifting their focus to ransomware and more insidious and stealthy forms of malware, we may continue to see these numbers fall.

[Figure: 2020 Global Malware Attack Trends. Monthly malware spread (y-axis: Spread (% Hit), 15 to 50) from January to June for North America, South America, Europe, Asia, Africa and Oceania.]
The COVID-19 pandemic sparked malware across all continents, pushing the chance an organization would see a malware attack above 35%.


Malware Risk Across U.S. States
In the U.S., California had by far the largest number of malware hits, with 304.1 million total. But it isn’t the riskiest state — or even in the top half.

You’re most likely to encounter malware in Kansas, where nearly a third, or 31.3%, of sensors saw a hit. In contrast, just over a fifth of the sensors in North Dakota (21.9%) logged an attempted malware attack.

[Figure: 2020 Malware Volume | Top 10 U.S. States. Total hits per state (left axis: Total Volume, 0 to 350M) and spread % (right axis: Spread (% Hit), 0 to 35).]

[Figure: 2020 Malware Spread | Top 10 Riskiest U.S. States. Total hits per state (left axis: Total Volume, 0 to 80M) and spread % (right axis: Spread (% Hit), 0 to 40).]


Regional Malware Volume & Risk

[Figure: 2020 Malware Attacks | United States. Monthly total hits (left axis: Total Volume, 0 to 400M) and spread % (right axis: Spread (% Hit), 0 to 40).]
Total hits: Jan 381,131,637; Feb 345,505,572; Mar 327,920,093; Apr 276,211,437; May 300,833,750; Jun 267,707,632
Once again, the U.S. leads in total malware, with January showing the highest volume, but March showing the largest spread.

[Figure: 2020 Malware Attacks | United Kingdom. Monthly total hits (left axis: Total Volume, 0 to 70M) and spread % (right axis: Spread (% Hit), 0 to 70).]
Total hits: Jan 60,610,835; Feb 48,075,126; Mar 50,234,614; Apr 30,939,228; May 20,708,580; Jun 17,619,093
Malware spread in the U.K. has begun to rise again in Q2, but still remains well below Q1. Meanwhile, total malware continues to drop.


[Figure: 2020 Malware Attacks | Germany. Monthly total hits (left axis: Total Volume, 0 to 6M) and spread % (right axis: Spread (% Hit), 0 to 60).]
Total hits: Jan 6,647,629; Feb 3,097,015; Mar 6,937,798; Apr 3,630,038; May 3,675,687; Jun 2,618,468
In Germany, like many other countries, malware volume hit its highest point in March — but it showed an uncharacteristic drop between January and February.

[Figure: 2020 Malware Attacks | India. Monthly total hits (left axis: Total Volume, 0 to 20M) and spread % (right axis: Spread (% Hit), 0 to 40).]
Total hits: Jan 15,190,794; Feb 16,145,661; Mar 16,417,236; Apr 7,561,983; May 11,349,595; Jun 13,931,731
India’s malware rates plummeted in April, but by June had nearly reached Q1 levels.


[Figure: 2020 Malware Attacks | Brazil. Monthly total hits (left axis: Total Volume, 0 to 15M) and spread % (right axis: Spread (% Hit), 0 to 50).]
Total hits: Jan 6,889,661; Feb 12,725,278; Mar 14,735,597; Apr 8,793,391; May 10,430,832; Jun 16,008,648
Total malware volume in Brazil hit its highest point in June, a departure from trends in other countries.

[Figure: 2020 Malware Attacks | Mexico. Monthly total hits (left axis: Total Volume, 0 to 4M) and spread % (right axis: Spread (% Hit), 0 to 40).]
Total hits: Jan 768,614; Feb 1,367,004; Mar 3,944,488; Apr 589,195; May 1,528,869; Jun 1,705,601
In Mexico, malware spread is disproportionately higher than total malware numbers, with totals remaining low in every month but March.


[Figure: 2020 Malware Attacks | United Arab Emirates. Monthly total hits (left axis: Total Volume, 0 to 2M) and spread % (right axis: Spread (% Hit), 0 to 40).]
Total hits: Jan 1,190,654; Feb 1,727,572; Mar 1,667,696; Apr 780,235; May 824,135; Jun 883,491
There is plenty of malware in UAE, but fortunately spread remains comparatively low.

[Figure: 2020 Malware Attacks | Japan. Monthly total hits (left axis: Total Volume, 0 to 2M) and spread % (right axis: Spread (% Hit), 0 to 40).]
Total hits: Jan 667,024; Feb 580,982; Mar 1,991,392; Apr 515,255; May 717,826; Jun 825,549
Japan showed the biggest month-over-month percentage change in total malware volume.

WHAT IS MALWARE SPREAD?

SonicWall recorded 1.8 billion malware hits in the United States through June 2020 — more than four times the next-highest ranked (U.K., with 231.9 million). So why aren’t these countries the riskiest?

Malware totals are useful in calculating trends, but they’re of limited usefulness when determining relative risk: They ignore factors such as size, population, number of sensors and more.

By calculating the percentage of sensors that saw a malware attack, we get much more useful information about whether an organization is likely to see malware in an area. The greater this malware spread percentage, the more widespread malware is in a given region.

It can be helpful to compare malware spread with how we explain precipitation. Knowing the total amount of rainfall in an area can be useful for year-over-year comparisons, but it can’t tell you whether you’re likely to need an umbrella.

For that, you need the Probability of Precipitation, or the “chance of rain.” Like the malware spread percentage, this calculation takes into account a number of other factors to provide a more meaningful risk assessment.


Ransomware Still on the Rise
Due to its low barrier of entry, ease of use and anonymous payouts, ransomware continues to grow — and is growing at an increasing clip. By mid-year 2019, global ransomware was up 15%. This year, it’s up 20%.

Within this 20% lies a great deal of variation, however. Ransomware in the U.K. has fallen by 6% year over year, to 5.9 million, and in other places it’s dropped by nearly half.

In North America, ransomware is up 105% — including a 109% increase in the United States, where it rose to 80 million.

[Figure: 2020 Global Ransomware Attacks. Monthly ransomware volume for 2019 (January to December) and 2020 (January to June); y-axis 0 to 25M.]

When asked what type of cyberattacks influenced their decision to purchase a SonicWall TZ firewall, 79% of surveyed organizations said “ransomware.”


While it’s impossible to determine causation, a strong correlation can be found in the ransomware graph and the patterns of COVID-19 infections. Asia saw the first COVID-19 cases, and ransomware numbers there spiked in January and March. The pandemic hit Europe next, and we see corresponding spikes there in February and April.

In North America, ransomware attacks started low in January, but by March they had nearly tripled, continuing to make more modest gains through April and May before showing a slight decrease in June, when numbers fell to their lowest point since March.

Unfortunately, COVID-19 rates have been rising again, this time even higher than before — so if this pattern holds true, North America may soon be dealing with the one-two punch of COVID-19 and rampant ransomware.

Effects of the pandemic can also be seen in global trends. In the first half of last year, ransomware peaked in May. This year, it peaked in February.

Unfortunately, exploiting a global pandemic isn’t the only reprehensible thing ransomware operators did in 2020. They’ve also been increasing focus on so-called “soft targets” — local governments, public administration agencies, education, and even hospitals. Due to their small size and generally tight budgets, they often lack the security of larger companies.

But perhaps more importantly, the work many of these organizations do isn’t just vital to the company itself — it’s vital to the functioning of our society. These attacks have taken down websites, email, payroll, phone services and dispatch services, and have even attempted to toxify municipal water supplies.

“In most cases, these are not brand new exploits; [attackers] are not creating new malware,” SonicWall President & CEO Bill Conner said in an interview with the San Jose Mercury News regarding a $1.14 million ransom demand recently paid by UC San Francisco. “There’s more easy access from home than there was in a building because you have multiple layers of security in your office.”


Ransomware by Location
In some places ransomware is getting better. But in others, it’s getting much worse. In terms of total ransomware, the United States had far more than any other country, with nearly 80 million ransomware attacks.

This is more than 13 times the number of ransomware attacks in the next-highest country, U.K.

Like the country-level data, the state-level data shows one region far outpacing the rest when it comes to total ransomware attacks. Maryland had roughly twice as many ransomware attacks as the next-highest state, Michigan.

In response to a string of high-profile ransomware attacks, including one that held the city of Baltimore’s computer systems hostage for 36 days, Maryland has been working to pass laws strengthening penalties for ransomware operators in an attempt to reverse this trend.

2020 Ransomware Volume | Top 10 Countries

COUNTRY           VOLUME
United States     79,985,276
United Kingdom    4,295,721
Malaysia          2,535,693
Canada            2,491,377
Netherlands       1,840,836
Brazil            1,190,092
Italy             811,682
France            651,694
Belgium           567,503
Switzerland       545,136

[Figure: 2020 Ransomware Volume | Top 10 U.S. States. Total hits per state (y-axis: Total Volume, 0 to 20M). States shown: Maryland, Michigan, Florida, Tennessee, New York, Virginia, California, New Jersey, Pennsylvania, Alabama. Bar values, highest first: 18,652,172; 9,320,082; 8,230,278; 6,890,654; 6,377,727; 5,130,778; 4,116,971; 3,058,833; 2,744,520; 2,729,837.]


SMALL, BUT MIGHTY
While these ransomware numbers may seem small, it’s worthwhile to remember a few things. One, they’re growing — and two, the stakes are rising.

According to The New York Times, ransom demands are skyrocketing: the cities of Riviera Beach and Lake City, both in Florida, recently paid out $600,000 and $500,000 ransoms respectively, and in early July, cybercriminals demanded a staggering $14 million ransom from Brazilian power company, Light S.A.

To make matters worse, many ransomware operators have taken to selling or otherwise releasing company data if the organization refuses to or cannot pay.

Even for companies that cooperate with the criminals’ demands, the trouble often doesn’t stop when the ransom is paid. Many organizations pay the ransoms, only to find their files are irretrievably corrupted or have been wiped out altogether. Ransomware attacks are so devastating that they’ve forced a number of companies out of business.


Non-Standard Port Attacks Gain Ground
Cybercriminals are increasingly using non-standard ports to evade detection and deploy malware. SonicWall found that Q1 and Q2 each set new quarterly records for these attacks.

Two new monthly records were set during this time as well: In February, non-standard port attacks reached 26% before climbing to an unprecedented 30% in May.

During that month, there was a surge in many specific attacks, such as VBA Trojan Downloader, that may have contributed to the spike. Overall, an average of 23% of attacks took place over non-standard ports so far in 2020.

While there are more than 40,000 registered ports, only a handful are commonly used. They are the ‘standard’ ports. For example, HTTP uses port 80, HTTPS uses port 443 and SMTP uses port 25. A service using a port other than the one assigned to it by default, usually as defined by the IANA port numbers registry, is using a non-standard port.

There is nothing inherently wrong with using non-standard ports. But traditional proxy-based firewalls typically focus their protection on traffic going through the standard ports.

Because there are so many ports to monitor, these legacy firewalls can’t mitigate attacks over non-standard ports. Cybercriminals are well aware of this and target non-standard ports to increase the chances their payloads can be deployed undetected.

Newer firewalls that are capable of analyzing specific artifacts (as opposed to all traffic) can detect these attacks. But until the number of organizations deploying these more advanced solutions rises considerably, we’re likely to see a continued increase in these sorts of attacks.
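
One way to measure the share of detections arriving over non-standard ports, following the definition given above (an added example, not SonicWall's code or methodology). The log format, field names, signature names and sample rows are constructed, and the code assumes the inspection engine records the protocol it identified from the payload rather than guessing it from the port number.

```python
"""Share of flagged connections whose service is not on its IANA default port.

Added example: log format, field names and sample rows are constructed.
"""
import csv
import io
from collections import defaultdict

# Default ports from the IANA port numbers registry. HTTP, HTTPS and SMTP are
# the report's own examples; SSH and DNS are added here to widen the sample.
DEFAULT_PORTS = {
    "http": {80},
    "https": {443},
    "smtp": {25},
    "ssh": {22},
    "dns": {53},
}

# Constructed sample: one row per connection flagged as malicious. "service"
# is assumed to be the protocol identified from the payload, not from the port.
SAMPLE_LOG = """\
date,src_ip,dst_ip,dst_port,service,signature
2020-02-03,10.0.0.5,203.0.113.10,80,http,sample-sig-a
2020-02-04,10.0.0.7,203.0.113.11,8081,http,sample-sig-a
2020-02-10,10.0.0.5,198.51.100.4,443,https,sample-sig-b
2020-02-11,10.0.0.9,198.51.100.9,25,smtp,sample-sig-c
2020-05-02,10.0.0.7,203.0.113.20,4444,https,sample-sig-b
2020-05-05,10.0.0.5,203.0.113.21,443,https,sample-sig-b
2020-05-09,10.0.0.9,198.51.100.9,2525,smtp,sample-sig-c
2020-05-12,10.0.0.5,203.0.113.10,80,http,sample-sig-a
2020-05-13,10.0.0.8,198.51.100.30,6667,irc,sample-sig-d
2020-05-14,10.0.0.8,198.51.100.31,70000,http,sample-sig-a
2020-05-15,10.0.0.6,198.51.100.32,22,ssh,sample-sig-e
"""


def classify(service, port):
    """Return 'standard', 'non-standard', or 'unknown' (service not in the table)."""
    defaults = DEFAULT_PORTS.get(service.lower())
    if defaults is None:
        return "unknown"
    return "standard" if port in defaults else "non-standard"


def parse_log(text):
    """Parse the CSV log; return (records, rejected_row_count)."""
    records, rejected = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            port = int(row["dst_port"])
        except (TypeError, ValueError):
            rejected += 1          # missing or non-numeric port
            continue
        if not 1 <= port <= 65535 or not row.get("service"):
            rejected += 1          # out-of-range port or no identified service
            continue
        records.append({
            "date": row["date"],
            "service": row["service"].lower(),
            "dst_port": port,
            "port_class": classify(row["service"], port),
        })
    return records, rejected


def monthly_share(records):
    """Percent of classified detections per month that used a non-standard port."""
    counts = defaultdict(lambda: [0, 0])   # month -> [non_standard, classified]
    for rec in records:
        if rec["port_class"] == "unknown":
            continue                       # no default port to compare against
        month = rec["date"][:7]
        counts[month][1] += 1
        if rec["port_class"] == "non-standard":
            counts[month][0] += 1
    return {m: round(100.0 * ns / total, 1)
            for m, (ns, total) in sorted(counts.items())}


def non_standard_pairs(records):
    """Count each (service, port) combination seen off its default port."""
    pairs = defaultdict(int)
    for rec in records:
        if rec["port_class"] == "non-standard":
            pairs[(rec["service"], rec["dst_port"])] += 1
    return dict(pairs)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print("rejected rows:", bad)
    print("non-standard share by month (%):", monthly_share(recs))
    print("off-default service/port pairs:", non_standard_pairs(recs))
```

A filter that only inspects ports 80, 443 and 25 would never have examined the rows counted as non-standard here, which is why the classification has to start from the identified protocol.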

2019-20 Global Malware Attacks

QUARTER    NON-STANDARD PORTS    STANDARD PORTS
Q1 2019    11%                   89%
Q2 2019    19%                   81%
Q3 2019    17%                   83%
Q4 2019    11%                   89%
Q1 2020    22%                   78%
Q2 2020    25%                   75%

IoT Attacks Spike 50%
A remote workforce can introduce many risks — some of them obvious, some of them less so. While the increased dangers of things like phishing attacks have been widely reported on, few are talking about the dangers presented by refrigerators, doorbells or gaming consoles.

While most people have at least some IoT devices, many don’t have the time or expertise to adequately secure them. But when these devices connect to endpoints that connect to corporate networks, they can provide cybercriminals an open door into what may otherwise be a well-secured organization.

IoT attacks were rampant the first three months of 2020, as January, February and March each racked up more attacks than their 2018 and 2019 counterparts combined.

Since January, SonicWall recorded 20.2 million IoT attacks (+50%). If the current pattern holds, total IoT attacks will surpass both 2018 and 2019 levels.

If, on the other hand, 2020 follows the pattern of previous years — which saw a greater number of IoT attacks in the latter half of the year than the first — this year’s attack total could wind up surpassing the totals for 2018 and 2019 put together.

According to one source, 31 billion IoT devices will be connected to the web this year, and roughly 93% of enterprises and 80% of industrial manufacturing companies will adopt IoT technology.

This widespread adoption — combined with lax manufacturing standards and the difficulty IT has traditionally had in being able to see, let alone control and secure, some of these devices — makes them an attractive target for criminals.

Though there have been cases where IoT devices have been compromised for their own sake, the primary motivation is to use these devices as a back door into the network, allowing them to deploy serious forms of compromise with lower chances of detection.

[Figure: 2020 Global IoT Malware Volume. Monthly volume, Jan through Dec, 2019 vs. 2020.]



HOPE ON THE HORIZON?
At the end of June the European Telecommunications Standards Institute, the organization responsible for the standardization of information and communications technologies, released a new cybersecurity standard for IoT devices.

Developed in collaboration with governments, academic institutions and industries, ETSI EN 303 645 is intended to curb the epidemic of attacks resulting from criminals gaining control of these devices.

These standards will apply to connected children’s toys and baby monitors; door locks; smart cameras and TVs; health trackers; smart appliances and home assistants; and more. The label has already been awarded to a number of products that merit these standards.

While this may mark a sea change in how IoT devices are secured going forward, the large number of smart devices sold prior to these standards means IoT device attacks will continue being a problem for a long time.



Encrypted Threats Make Late Surge
During the first half of 2020, 1 in 12 SonicWall customers with DPI-SSL turned on (8.46% average) saw malware on encrypted traffic. While the total number of encrypted malware attacks is down 32% over this time last year, a closer look shows some disturbing trends.

Aside from a large slide between January and February and a tiny dip in May, these attacks have been on an upward trajectory — sometimes a steep one.

Moreover, the total amount of encrypted malware in June, 378,736, is not only the highest number of encrypted threats recorded in all of 2020, it’s also higher than at any point in the latter half of last year.

Most regions echo the overall drop in encrypted threats, but Asia was a huge exception. Encrypted threats in Asia didn’t just rise, they skyrocketed, resulting in an increase of 175%. Most of this was driven by the month of January, which racked up roughly 10 times the average number of encrypted threat hits as the rest of 2020.

WHAT ARE ENCRYPTED THREATS?
In simple terms, SSL (Secure Sockets Layer) can create an encrypted tunnel for securing data over an internet connection. TLS (Transport Layer Security) is a newer, more secure version of SSL.

While TLS and SSL provide legitimate security benefits for web sessions and internet communications, cybercriminals are increasingly using these encryption standards to hide malware, ransomware, zero-day and more.

Traditional security controls, such as legacy firewalls, lack the capability or processing power to detect, inspect and mitigate cyberattacks sent via HTTPS traffic, making this a highly successful avenue for hackers to deploy and execute malware within a target environment.

[Figure: 2020 Encrypted Malware Spread. Monthly spread %, Jan through Dec, 2019 vs. 2020.]



Cryptojacking: 2020’s Comeback Kid
When Coinhive, by far the largest legitimate cryptocurrency mining operation, closed down in March 2019, the death of cryptojacking seemed imminent — and the 78% drop in attacks between July 1 and Dec. 31 of last year seemed to drive the final nail into its crypto coffin.

But in what is perhaps 2020’s most dramatic reversal, cryptojacking rallied in the first half, showing modest increases in Europe and a number of other regions. More surprising still, North America recorded an increase of 252%, defying all expectations. By June, there was only one region where figures met last year’s predictions: In Asia, cryptojacking has ceased almost entirely, falling 97% year over year.

Based on SonicWall analysis, not only did the shuttering of Coinhive fail to kill cryptojacking — it didn’t even properly kill Coinhive.

During the first half of 2020, nine months after Coinhive ceased operation, two of the top 10 cryptojacking signatures SonicWall identified belonged to Coinhive, demonstrating that this malware is still alive — even if these are just leftover relics of past attacks.

An ongoing shift has been observed, however, from Coinhive to XMRig, another Monero cryptocurrency miner. XMRig is readily available open-source code, and iterations of XMRig malware accounted for nearly 30 million of the 32.3 million total cryptojacking hits SonicWall observed in 2020.

These miners are becoming more sophisticated, with the addition of abilities such as being able to target and kill rival miners. They are also becoming more versatile: In April, an XMRig cryptominer infected Kubeflow, a machine-learning toolkit for Kubernetes, and in June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that XMRig was among the three detection signatures that make up over 90% of identified potential threats.

[Figure: 2020 Global Cryptojacking Volume. Monthly volume, Jan through Dec, 2018 vs. 2019 vs. 2020.]



It remains difficult to fully align cryptojacking attempts (and criminal intentions) with cryptocurrency value, but correlation can frequently be observed. In most of the first half of 2020, prices of Monero and ZCash, two anonymous cryptocurrencies used in the overwhelming majority of cryptojacking cases, were up.

While it might be tempting to attribute March’s huge jump in cryptojacking to the pandemic, that doesn’t seem to be the case here. Comparing the first half of 2020 with the first half of 2019, you can see that the past six months basically follow the same pattern. While the pandemic may have contributed to the severity of the spike, the spike itself was right on time.

Cryptojacking, also known as malicious mining, occurs when cybercriminals install malicious programs on target computers without the user’s knowledge, allowing them to harness the victim’s processing power to mine cryptocurrency. This can be done through fileless malware, through a website with a mining script embedded in the browser, and more.

Cryptojacking delivers something of a one-two punch to victims — not only are they at risk of data compromise, they’re also stuck with the enormous energy bills that accompany mining cryptocurrency. According to Ars Technica, cryptomining is thought to consume almost half a percent of the world’s energy consumption.

Notable Cryptojacking Malware in the First Half of 2020
• JAN 24 – The SonicWall Capture Labs team encountered a cryptominer that pretends to be a media player, even loading a .wav file to hide its real intent.
• APRIL 18 – A malicious Zoom videoconferencing app installer bundled with a cryptocurrency miner was identified. It installs the genuine program, but also installs the cryptominer, which runs in the background.
• JULY 10 – A cryptominer that comes as a WinRAR self-extracting archive and can connect and download additional files, manipulate access controls and file attributes, change network configuration, and more was identified. Notably, the file is capable of killing and deleting running rival cryptominers.

Top 10 Cryptojacking Signatures in 2020
1. XMRig.XMR_11 27,887,268
2. CoinMiner.C_4 1,629,068
3. XMRig.XMR_4 1,420,685
4. Coinhive.JS_2 728,519
5. XMRig.XMR_8 314,789
6. XMRig.XMR_3 313,667
7. CoinMiner.BRL 27,447
8. CoinMiner.A_39 11,225
9. BitCoinMiner.IY 5,714
10. Coinhive.JS 2,445



Connection in the Time of COVID
As expected, the COVID-19 pandemic has massively influenced the adoption and use of video-conferencing software, but it has affected different solutions in different ways.

Based on SonicWall’s daily DNS and traffic data, Google Hangouts — one of the most popular globally before the onset of the pandemic — lost 73% of its traffic by mid-April. Clearly this wasn’t the result of fewer meetings, however. WebEx, while remaining remarkably consistent, still recorded a slight rise in overall usage. RingCentral also showed a modest increase.

The real success story here is Zoom. Now a household name, Zoom had eight times as much traffic by mid-June, a 632% increase.

[Figure: 2020 Global Video Conference Service Usage. Volume by date for RingCentral, WebEx, Google Hangouts and Zoom.]


* Volume comparisons based on daily DNS data.



It’s worth mentioning, however, that the app is not without its security risks. Its popularity has been a double-edged sword, as hackers, pranksters and other bad actors wrongfully exploited the solution to wreak havoc.

Despite Zoom lagging significantly behind Google Hangouts for most of the year, the SonicWall Capture Labs threat research team spotted at least five types of malware aimed at defrauding users attempting to use Zoom:

• APRIL 23 – SonicWall Capture Labs threat researchers observed several malicious Android apps that use the name, user interface (UI) elements and parts of code of the legitimate Zoom app to infect unsuspecting users.

• APRIL 18 – A malicious Zoom videoconferencing app installer bundled with a cryptocurrency miner installs the legit program to avoid suspicion, while the cryptominer runs in the background.

In response to a series of high-profile attacks, Zoom has instituted new password protection measures and added a new layer of encryption to help make its platform safer and more secure.

Video-conferencing software traffic also reveals a lot about our habits. Perhaps unsurprisingly, Sunday is the slowest day of the week for videoconferencing software — though Sundays still show significant traffic, giving credence to the idea that we’ve shifted to an “anywhere, anytime” work reality.

RingCentral illustrates the most extreme example of this: Despite having less of a consumer reputation as a social app than either Zoom or Google Hangouts, the percentage difference between its heaviest traffic days and lightest traffic days was the smallest of the four.

So when are people meeting? Across all four videoconferencing solutions, the most popular meeting day was Tuesday.



About the SonicWall Capture Labs Threat Network
Intelligence for the mid-year update to the 2020 SonicWall Cyber Threat Report was sourced from real-world data gathered by the SonicWall Capture Threat Network, which securely monitors and collects information from global devices including:

• More than 1.1 million security sensors in 215 countries and territories
• Cross-vector, threat-related information shared among SonicWall security systems, including firewalls, email security devices, endpoint security solutions, honeypots, content filtering systems and the SonicWall Capture Advanced Threat Protection (ATP) multi-engine sandbox
• SonicWall internal malware analysis automation framework
• Malware and IP reputation data from tens of thousands of firewalls and email security devices around the globe
• Shared threat intelligence from more than 50 industry collaboration groups and research organizations
• Analysis from freelance security researchers

1.1m+ Global Sensors
215+ Countries & Territories
24x7x365 Monitoring
<24hrs Threat Response
140k+ Malware Samples Collected Daily
28m+ Malware Attacks Blocked Daily



About SonicWall
SonicWall delivers Boundless Cybersecurity for the hyper-distributed
era in a work reality where everyone is remote, mobile and unsecure.
SonicWall safeguards organizations mobilizing for their new business
normal with seamless protection that stops the most evasive
cyberattacks across boundless exposure points and increasingly remote,
mobile and cloud-enabled workforces. By knowing the unknown, providing
real-time visibility and enabling breakthrough economics, SonicWall
closes the cybersecurity business gap for enterprises, governments and
SMBs worldwide. For more information, visit www.sonicwall.com or follow
us on Twitter, LinkedIn, Facebook and Instagram.

SonicWall, Inc.
1033 McCarthy Boulevard | Milpitas, CA 95035
Refer to our website for additional information.
www.sonicwall.com

© 2020 SonicWall Inc.


SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their
respective owners. The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any
intellectual property right is granted by this document or in connection with the sale of SonicWall products.

EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY
WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF
THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to
specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.

As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data cleansing, changes in data sources and
consolidation of threat feeds. Figures published in previous reports may have been adjusted across different time periods, regions or industries. The materials and information contained in
this document, including, but not limited to, the text, graphics, photographs, artwork, icons, images, logos, downloads, data and compilations, belong to SonicWall or the original creator and is
protected by applicable law, including, but not limited to, United States and international copyright law and regulations.

2020ThreatReport-MidyearUpdate-COG-2610
