SonicWall’s Mid-Year Cyber Threat Report Finds Malicious Microsoft Office Files On Rise, Ransomware Up in US, Globally

July 24, 2020 - 11:25

  • 20% jump in ransomware globally, 109% spike in United States
  • 24% drop in malware attacks worldwide
  • 7% of phishing attacks capitalized on COVID-19 pandemic
  • 176% increase in malicious Microsoft Office file types
  • 23% of malware attacks leveraged non-standard ports
  • 50% rise of IoT malware attacks
  • Report analyzes threat intelligence data gathered from 1.1 million sensors in over 215 countries and territories

MILPITAS, CALIFORNIA - Media OutReach - 27 July 2020 - The SonicWall Capture Labs threat research team today published the mid-year update to the 2020 SonicWall Cyber Threat Report, highlighting increases in ransomware, opportunistic use of COVID-19 pandemic, systemic weaknesses and growing reliance on Microsoft Office files by cybercriminals.

"Cybercriminals can be resourceful, often setting traps to take advantage of people's kindness during a natural disaster, panic throughout a crisis and trust in systems used in everyday life," said SonicWall President and CEO Bill Conner. "This latest cyber threat data shows that cybercriminals continue to morph their tactics to sway the odds in their favor during uncertain times. With everyone more remote and mobile than ever before, businesses are highly exposed and the cybercriminal industry is very aware of that. It's imperative that organizations move away from makeshift or traditional security strategies and realize this new business normal is no longer new."

Changing Landscape Leads to Waning Malware Volume

During the first half of 2020, global malware attacks fell from 4.8 billion to 3.2 billion (-24%) over 2019's mid-year total. This drop is the continuation of a downward trend that began last November.

There are regional differences in both the amount of malware and the percentage change year over year, highlighting shifting cybercriminal focus. For example, the United States (-24%), United Kingdom (-27%), Germany (-60%) and India (-64%) all experienced reduced malware volume. Less malware doesn't necessarily mean a safer world; ransomware has seen a corresponding jump over the same time period.

Ransomware Attackers Raise Stakes Again

Despite the global decline of malware volume, ransomware continues to be the most concerning threat to corporations and the preferred tool for cybercriminals, increasing a staggering 20% (121.4 million) globally in the first half of 2020.

"Remote and mobile workforces are at a turning point on the subject of security," said Chad Sweet, Founder and CEO of The Chertoff Group. "It has never been more prevalent for enterprises and organizations to prioritize online security and make what used to be a luxury, a secured and protected necessity."

Comparatively, the U.S. and U.K. are facing different odds. SonicWall Capture Labs threat researchers logged 79.9 million ransomware attacks (+109%) in the U.S. and 5.9 million ransomware attacks (-6%) in the U.K. -- trends that continue to ebb and flow based on the behaviors of agile cybercriminal networks.

Malware-laden COVID-19 Emails

The combination of the global pandemic and social-engineered cyberattacks has proven to be an effective mix for cybercriminals utilizing phishing and other email scams. Dating as far back as Feb. 4, SonicWall researchers detected a flurry of increased attacks, scams and exploits specifically based around COVID-19 and noted a 7% increase in COVID-related phishing attempts during the first two quarters.

As expected, COVID-19 phishing began rising in March, and saw its most significant peaks on March 24, April 3 and June 19. This contrasts with phishing as a whole, which started strong in January and was down slightly globally (-15%) by the time the pandemic phishing attempts began to pick up steam.

Office Lures Remain a Staple

Microsoft Office is a necessity with millions of employees now more remote and dependent on the business productivity suite of applications. Cybercriminals were quick to leverage this shift, as SonicWall threat researchers found a 176% increase in new malware attacks disguised as trusted Microsoft Office file types.

Leveraging SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection™ (RTDMI) technology, SonicWall discovered that 22% of Microsoft Office files and 11% of PDF files made up 33% of all newly identified malware in 2020. The patent-pending RTDMI™ technology identified a record 120,910 'never-before-seen' malware variants during that time -- a 63% increase over the first six months of 2019.

"Cybercriminals are too sophisticated to use known malware variants, so they're re-imagining and re-writing malware to defeat security controls like traditional sandboxing techniques -- and it's working," said Conner.

What are the Riskiest U.S. States for Malware?

With over 1.1 million sensors worldwide collecting threat intelligence around the clock, SonicWall's new 'malware spread' data highlights the riskiest U.S. states for malware attacks.

In the U.S., California, home to Silicon Valley, ranked the highest for total malware volume in 2020. However, it was not the riskiest state -- or even in the top half of those ranked. Rounding out the top five riskiest U.S. states, based on malware spread, are Virginia (26.6%), Florida (26.6%), Michigan (26.3%), New Jersey (26.3%) and Ohio (25.3%).

Interestingly, organizations in Kansas are more likely to experience a malware encounter, as nearly a third (31.3%) of sensors in the state detected a hit. In contrast, just over a fifth of the sensors in North Dakota (21.9%) logged an attempted malware attack.

This method of tracking malware spread is conducted by calculating the percentage of sensors that detected a malware attack, resulting in more useful and precise information about whether an organization is likely to see malware in an area. The greater the malware spread percentage, the more widespread malware is in a given region.

Attacks Using Non-standard Ports Make Comeback

Overall, an average of 23% of attacks took place over non-standard ports so far in 2020 -- the highest mark since SonicWall began tracking the attack vector in 2018.

By sending malware across non-standard ports, assailants can bypass traditional firewall technologies, ensuring increased success for payloads. A 'non-standard' port is leveraged by services running on a port other than its default assignment (e.g., Ports 80 and 443 are standard ports for web traffic).

Two new monthly records were set during the first two quarters of 2020. In February, non-standard port attacks reached 26% before climbing to an unprecedented 30% in May. During that month, there was a surge in many specific attacks, such as VBA Trojan Downloader, that may have contributed to the spike.

IoT Continues to Serve Threats

Work-from-home (WFH) employees or remote workforces can introduce many new risks, including Internet of Things (IoT) devices like refrigerators, baby cameras, doorbells or gaming consoles. IT departments are besieged with countless devices swarming networks and endpoints as the footprint of their corporate expands beyond the traditional perimeter.

Researchers at SonicWall found a 50% increase in IoT malware attacks, a number that mirrors the number of additional devices that are connected online as individuals and enterprise alike function from home. Unchecked IoT devices can provide cybercriminals an open door into what may otherwise be a well-secured organization.

Commenting on the cyber threat landscape, Debasish Mukherjee, SonicWall Vice President of Regional Sales, APAC, said, "With more people working from home during the COVID-19 pandemic, the abrupt shift to remote working has sparked an unprecedented increase in cyber threats as opportunistic hackers take advantage of the boundary-less ecosystem. Exploiting the new raft of vulnerabilities in less secure situations and preying on fear, cyberspace has seen a jump in phishing during global shelter-in-place orders and ransomware in the first half of 2020, including a 50% spike in IoT attacks.

Cybercriminals are also increasingly using non-standard ports to evade detection and deploy malware, despite a continuation of a downward trend in malware volume since November 2019 and a 32% decline in encrypted threats."

"While instituting widespread work-from-home policies help to reduce the risk of contracting the coronavirus, the pandemic has proven lucrative for cyber attackers. Recognising the heightened cyber risks is thus important for companies working remotely, to ensure the security of their company data and systems when accessing crucial networks without the full protection of corporate firewalls and other security measures. In this hyper-distributed IT reality, businesses should adopt a fundamentally new approach to mitigate cyber threats and have a comprehensive cybersecurity model to do so."

To download the full mid-year update, please visit