2

0 SONICWALL
CYBER THREAT
2
1

REPORT
Cyber threat intelligence for navigating
the new business reality
sonicwall.com | @sonicwall
Table of Contents
A Note From Bill 3 Ransomware by Region 37

Introduction 4 Ransomware by Signature 38

2020 Global Cyberattack Trends 5 Ransomware by Industry 42

Top Data Exposures of 2020 6 Intrusion Attempts 44

Power Shifts Changing Future of Cybersecurity 7 Top Intrusion Attacks 46

Published CVEs Nearly Triple Since 2015 10 Intrusion Attempts by Region 47

Top 8 CVEs Exploited in 2020 10 Capture ATP and RTDMI 48

2020 Zero-Day Vulnerabilities 12 ‘Never‑Before-Seen’ Malware 50

COVID Threats: Exploiting a Pandemic 13 Malicious Office and PDF Files 51

COVID-19-Related Attacks by Industry 14 Cryptojacking 52

2020’s Biggest Cybersecurity Events 16 Cryptojacking Attempts by Industry 56

Key Findings from 2020 19 IoT Malware Attacks 58

Malware Attempts 21 A Year in IoT Malware Attacks 62

Malware Spread 22 IoT Malware Attacks by Industry 64

Malware Risk by Country 24 Non-Standard Ports 66

Malware Spread by Country 30 Conclusion 67

Malware Attempts by Industry 31 About the SonicWall Capture Labs Threat Network 68

Encrypted Attacks 33 Featured Threat Researchers 69

Ransomware 35 About SonicWall 70

2 | 2021 SonicWall Cyber Threat Report

A Note From Bill
The World Economic Forum asked respondents in a recent Cyber-resiliency means expanding your focus beyond
study which dangers will pose the largest threat to the world simply securing your network and your data, to ensuring
over the next two years. business continuity in the event of an attack or some other
unforeseen event.
Unsurprisingly for a pandemic year, “infectious diseases”
and “livelihood crises” topped the list. But rounding Almost all organizations in high-stakes environments —
out the top four were “extreme weather events” and whether it be power plants, government agencies, law
“cybersecurity failure.” enforcement or another group depended on to fulfill a vital
need — have a philosophy of resiliency. It may be known as a
And the latter concerns have more in common than you may
contingency plan, a fallback, or even by a code name, but the
think, particularly now. In fact, the cybersecurity challenges
idea is the same: This is how we maintain operations when
of 2020 have played out a bit like an extreme weather
things don’t go as expected.
event: They’ve come on suddenly, most found themselves
unprepared, there was significant damage and, in some And 2020 — a year in which very little went as expected —
cases, businesses are still sorting through the rubble. highlighted the danger of approaching cyber-resiliency as
merely a best practice. It is vital that we expand our thinking
While history will note the still-untold number of social,
from just “How are we going to prevent an attack?” to also
economic and political changes brought by the pandemic,
include “What will we do when (not if ) we get attacked?”
it also brought about a sea change in cybersecurity. As
COVID-19 spread across the globe, an unprecedented wave We encourage you to review the threat intelligence found
of cybercrime followed in its wake, driving the rates of almost only in the 2021 SonicWall Cyber Threat Report. This latest
every sort of cyberattack up (sometimes way up.) cyber threat data offers a look at how cybercriminals shifted
and refined their tactics in a world greatly changed … and
This culminated in the discovery of a successful breach of
an idea of what they might do amid the uncertain world
software company SolarWinds in December — which has
that lies ahead.
become widely regarded as one of the largest and most
extensive cyberattacks of all time. (Read more about the
SolarWinds incident on page 7.)
BILL CONNER
The event also brought lessons, the foremost being the PRESIDENT & CEO
importance of cyber resiliency. SONICWALL

3 | 2021 SonicWall Cyber Threat Report | A Note From Bill

 INTRODUCTION

Cybercriminals’
Perfect Storm
Cybercriminals have always been opportunists, and cryptocurrency payment has allowed threat actors of all
the 2020 COVID-19 pandemic offered more proof sizes to inflict the sort of heavy damage typically associated
of this than perhaps any other event before it. with the most sophisticated nation-state campaigns. And
Threat actors are becoming more powerful, more aggressive many of them rode this perfect storm to untold riches as
and more numerous, increasingly abandoning the tendency their targets faced devastation on many fronts.
to look for the biggest quarry in favor of attacking the
In 2020, SonicWall Capture Labs threat researchers
least defended.
recorded 5.6 billion malware attacks — a sharp decrease
And 2020 was rife with vulnerable targets. from the previous year. But this isn’t cause for celebration.
From a new class of remote workers, millions strong and in With many employees working from home, cybersecurity
many cases completely unaware of the security implications vendors are losing visibility into traffic, and potential attacks
and best practices tied to such a power shift … along with it. So this number may in fact be much higher.

… to a panicked and confused populace, some of whom were Worse, almost across the board, we’ve seen cybercrime
willing to trust anything claiming to offer more information numbers pushed up, in several cases to new records.
about COVID-19 … While it’s unclear whether cybercrime’s perfect storm will
… to hospitals, overworked and over capacity … continue to rage into 2021, it’s already apparent that the
confluence of factors at work over the past year has pushed
… cybercriminals found themselves in the midst of a perfect
cybercrime to a new level, requiring increased security,
storm of opportunity. The combination of cloud-scale
vigilance and cunning as we move into the new year.
infrastructure; widespread availability of attacker tools such
as PowerShell, Mimikatz and Cobalt Strike; and anonymous

4 | 2021 SonicWall Cyber Threat Report | Introduction

2020 Global
Cyberattack Trends

5.6 Billion 3.8 Million 4.8 Trillion 81.9 Million 304.6 Million 56.9 Million
MALWARE ENCRYPTED INTRUSION CRYPTOJACKING RANSOMWARE IoT
ATTACKS THREATS ATTEMPTS ATTACKS ATTACKS ATTACKS

-43%
+4% +20% +28% +62% +66%

Year-Over-Year Change, 2019-2020

As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data
cleansing, changes in data sources and consolidation of threat feeds. Figures published in previous reports may have been adjusted across different time
periods, regions or industries.

5 | 2021 SonicWall Cyber Threat Report | 2020 Global Cyberattack Trends

Top Data Exposures
of 2020
We’ve alluded to the fact that there aren’t many bright spots Unfortunately, we can’t say this list represents a triumph.
in this year’s Cyber Threat Report — but this is one of them. While the last two entries on this list may be small in terms of
In 2020, the largest breach affected 440 million — less than number of records exposed, the ripples of these breaches
a quarter as many as 2019’s largest breach, which affected are shaking large multinational corporations and federal
more than 2 billion. governments to their core, and may be felt for years, if not
decades, to come.

Top Data Breaches

NAME INDUSTRY REPORT DATE NUMBER OF RECORDS
Estée Lauder Skin Care 1/30/20 440 million

Microsoft Software 1/22/20 280 million

Facebook Social Networking 4/1/20 267 million

MGM Grand Hotels Hospitality 7/14/20 142 million

Pakistani mobile users Telecommunication 5/6/20 44 million

Wishbone Social Networking 5/20/20 40 million

Vetrafore Software 11/13/20 27.7 million

Unacademy Education 5/7/20 22 million

Bigbasket Online Grocery Store 10/30/20 20 million

Couchsurfing Social Networking 7/23/20 17 million

Home Chef Food Delivery 5/22/20 8 million

Marriott International Hospitality 3/31/20 5.2 million

Dunzo Delivery Services 7/29/20 3.4 million

Edureka Education 9/30/20 2 million

Denmark's government tax portal Government Services 2/10/20 1.26 million

Zoom Software 4/14/20 500,000

Magellan Health Healthcare 5/13/20 365,000

WhiteHat Jr Education 11/25/20 280,000

Defense Information Systems Agency

Combat Support 2/24/20 200,000
(DISA)

Nintendo Consumer Electronics 4/24/20 160,000

U.S. Department of Veterans Affairs Government Services 9/15/20 46,000

NHS, Wales Healthcare 9/15/20 18,105

SolarWinds IT Management Software 12/13/20 18,000

FireEye Cybersecurity 12/8/20 Red Team Tools

6 | 2021 SonicWall Cyber Threat Report | Top Data Exposures of 2020

Power Shifts Changing
Future of Cybersecurity
During the height of the COVID-19 global pandemic, the The trojan family, dubbed SUNBURST, was disguised as a
threat landscape reached a critical tipping point that will legitimate component of Orion and went to great lengths
change cybersecurity forever. The new work-from-home to evade detection. The trojan was subsequently used to
reality brought about exponentially greater attack surfaces conduct a massive spying and data exfiltration operation on
to introduce an untold number of new vectors and infinite mostly American enterprises and government networks.
opportunities for disruption. The attack was targeted, sophisticated and is considered
Cloud-scale infrastructure and widely available attacker to be wildly successful. In mid-December 2020, the
tools (PowerShell, Mimikatz and Cobalt Strike, all developed U.S. Department of Homeland Security (DHS) and the
for legitimate use), combined with anonymous payment Cybersecurity Infrastructure Security Agency (CISA)
via Bitcoin, are tilting the playing field and arming threat determined that the exploitation of SolarWinds products
actors of all sizes. This is empowering criminal groups new “poses an unacceptable risk,” and CISA issued an emergency
and old with the ability to launch both global and targeted directive instructing all U.S. federal agencies to disconnect
cyberattacks — from anywhere in the world — with the devices immediately.
same force, volume and damaging impact as nation- According to General Paul M. Nakasone, commander of U.S.
state campaigns. Cyber Command, the hack actually took place nine months
The results of this dramatic shift are resulting in some of the before it was identified by cybersecurity company FireEye
most damaging attacks the industry has ever seen. — and so far it’s believed to have impacted 250 businesses
and federal agencies. As of the time of this report, the list of
Highly Sophisticated Threat Actors organizations affected by the SolarWinds attack continues
Target SolarWinds Supply Chain to grow, and it comprises targets from hospitals to federal
In November, FireEye reported an attack on its own government agencies to software giants.
network and quickly concluded the attack originated from a
As the investigation into the attack continues and the true
compromised version of the Orion product from American
extent of the damage continues to be assessed, there are
software company SolarWinds. Shortly after, in December,
a few certain takeaways from this attack: the importance
SolarWinds confirmed that its product Orion had been
of supply chain integrity and the reality that organizations
targeted in an extensive supply chain attack.
should operate under a threat model that assumes at some
While supply chain attacks have been around for some time point they will be breached.
in the field of cybersecurity, they took on a minor role in the
The former is especially critical in today’s highly
headlines due to their very targeted and esoteric nature.
interconnected world, and the latter highlights the
That, of course, has changed with the massive SolarWinds
necessity and real-world applicability of zero-trust
hack. The Orion software is used to manage IT networks and,
networking principles.
therefore, makes a perfect target, since a successful attack
places the attacker in a very privileged position on a network, In this case, the threat actor doubled down on their success,
allowing them to burrow and embed themselves further. targeting tech companies in order to turn the victims into
further attack vectors on other organizations. For example,
According to FireEye, the threat actor was able to hide
even software giant Microsoft wasn’t immune — the
malicious code in software updates provided to Orion
company has acknowledged that attackers gained access.
customers, and through these trojanized updates
gain a foothold in the network through which to gain
elevated credentials.

7 | 2021 SonicWall Cyber Threat Report | Power Shifts Changing Future of Cybersecurity
 What is a Supply-Chain Attack?
Supply-chain attacks are cyberattacks intended to damage organizations by targeting
the supply chain, or the process of distributing, handling, manufacturing or processing
products. These attacks usually involve sneaking malware into software or electronics
in order to gain access or otherwise cause harm to a company somewhere further
along in the manufacturing or usage process.

Now other companies, some of which had no relationship But until organizations stop blindly trusting vendors, cloud
with SolarWinds, have said they were attacked via software services and other third parties, we will continue to see
obtained through Microsoft resellers. According to a recent these sorts of attacks proliferate.
report from the Wall Street Journal, roughly 30% of the In the future, we expect third-party certification of software
networks found to be infected with back doors did not have distribution as another mechanism to develop deeper
SolarWinds software installed. trust levels in downloadable install packages and software
The attack is likely the work of threat actor APT29 (aka Cozy updates. Software packages could soon be digitally signed
Bear), believed to be associated with one or more Russian (or published via hashes) to not only securely confirm it
intelligence agencies. Researchers now suspect that Russia is authentic and from a specific vendor, but also that it
exploited several layers of the supply chain. has been deemed safe (i.e., uncompromised) by a trusted
third-party vendor.
We should expect a surge in similar attacks in the upcoming
few years, as the proverbial flashlight has been pointed
Hafnium Launches Next Salvo
on this soft underbelly of global IT systems. For example,
In March 2021, just before publication of
while hardware supply-chain integrity was questioned and
this report, researchers discovered that
subsequently tightened in light of the Snowden NSA leaks,
a China-based hacking group, known
the SolarWinds attack exposes the weakness in the IT
as Hafnium, spent the past several
software space.
months breaching Microsoft Exchange
So, what will be next? What about third-party software email software.
that end-users can install on their machines? What about
“Microsoft has detected multiple 0-day exploits being used
developers, IT staff and other tech-savvy employees who, in
to attack on-premises versions of Microsoft Exchange
their day-to-day job, may rely on a plethora of highly useful
Server in limited and targeted attacks,” Microsoft stated in a
tools available on the internet?
real-time blog used to communicate mitigation steps. “In the
There’s no preventing such attacks, but there is the ability attacks observed, the threat actor used these vulnerabilities
to detect, react, contain and remediate. Companies to access on-premises Exchange servers, which enabled
have succeeded in thwarting untold numbers of attacks access to email accounts, and allowed installation of
through things like employee security awareness additional malware to facilitate long-term access to
training, comprehensive cybersecurity solutions and victim environments.”
multifactor authentication.

8 | 2021 SonicWall Cyber Threat Report | Power Shifts Changing Future of Cybersecurity
The vulnerability was so concerning, government officials way to automate the attack process, allowing them to target
were warning of the ramifications. a massive number of victims in a very short period of time.

“This is a significant vulnerability that could have far-reaching These changes in criminal access, scale, process and
impacts,” said U.S. White House Press Secretary Jen Psaki economics are already changing the future of cybersecurity.
during a March 5 briefing. “First and foremost, this is an
active threat. And as the National Security Advisor tweeted
last night, everyone running these servers — government,
private sector, academia — needs to act now to patch
them … We are concerned that there are a large number of
victims and are working with our partners to understand the
scope of this.”

SonicWall Capture Labs threat researchers tracked the

Hafnium exploits of the following Microsoft Exchange
vulnerabilities, including CVE-2021-26855, CVE-2021-26857,
CVE-2021-26858 and CVE-2021-27065, affecting Microsoft
Exchange Server 2013, 2016 and 2019. SonicWall released
four IPS signatures to protect against such attacks.

While the breach has impacted an estimated 60,000 victims

worldwide so far, threat actors also appear to have found a

9 | 2021 SonicWall Cyber Threat Report | Power Shifts Changing Future of Cybersecurity
Published CVEs Nearly
Triple Since 2015
According to NIST, 18,353 Common Vulnerabilities and The CVE program is effective because an entire network of
Exposures (CVEs) were published in 2020. This marks the certified organizations works together, with the backing of
fourth year in a row that a record number of vulnerabilities numerous researchers and support personnel, to identify
has been discovered, and amounts to nearly three times the and stay ahead of emerging cyber threats.
number that were identified just five years ago.

This trend signifies that the industry is working more

quickly and more efficiently together to identify critical
vulnerabilities and ensure the greater public has guidance to 18,353 Common Vulnerabilities
correct any issues. and Exposures (CVEs)
As one of just 150 trusted CVE Numbering Authorities (CNA),
SonicWall closely collaborates with the global cybersecurity
were published in 2020.
industry to help identify vulnerabilities and quickly ensure
greater security awareness.

Top 8 CVEs
Exploited in 2020
In a perfect world, zero-day vulnerabilities would be patched, These impacted a range of applications, including Microsoft
fixed or otherwise mitigated before they could result in Windows, Oracle WebLogic Server, WordPress and more.
serious damage. SonicWall implemented automatic Intrusion Prevention
Service (IPS) or Gateway Antivirus (GAV) signatures
Unfortunately, this isn’t a perfect world. In 2020, SonicWall
for each exploit.
recorded and analyzed the top eight CVEs that were
exploited “in the wild.”

10 | 2021 SonicWall Cyber Threat Report | Common Vulnerabilities and Exposures (CVEs)
Top 8 CVEs Exploited in 2020
NAME REFERENCE DESCRIPTION PRODUCTS AFFECTED
Zerologon CVE-2020-1472 A vulnerability in the cryptography of • Microsoft Windows Server 2008
Microsoft’s Netlogon process that allows an • Microsoft Windows Server 2012
attack against Microsoft Active Directory
domain controllers. This makes it possible for a • Microsoft Windows Server 2016
hacker to impersonate any computer, including • Microsoft Windows Server 2019
the root domain controller. • Microsoft Windows Server Version 1903
• Microsoft Windows Server Version 1909
• Microsoft Windows Server Version 2004

SMBGhost CVE-2020-0796 A remote code execution vulnerability in the • Microsoft Windows 10

way that the Microsoft Server Message Block • Microsoft Windows Server Version 1903
3.1.1 (SMBv3) protocol handles certain requests,
also known as ‘Windows SMBv3 Client/Server • Microsoft Windows Server Version 1909
Remote Code Execution Vulnerability.’

SIGRed CVE-2020-1350 A remote code execution vulnerability in • Microsoft Windows Server 2008
Windows Domain Name System servers in • Microsoft Windows Server 2012
which they fail to properly handle requests, also
known as ‘Windows DNS Server Remote Code • Microsoft Windows Server 2016
Execution Vulnerability.’ • Microsoft Windows Server 2019
• Microsoft Windows Server Version 1803
• Microsoft Windows Server Version 1903
• Microsoft Windows Server Version 1909
• Microsoft Windows Server Version 2004

Curveball CVE-2020-0601 A vulnerability affecting the certificate • Microsoft Windows 10

verification function in the Crypt32.dll module • Microsoft Windows Server 2016
provided by Microsoft.
• Microsoft Windows Server 2019
• Applications that rely on Windows for
trust functionality

F5 TMUI RCE CVE-2020-5902 A critical vulnerability in the F5 BIG-IP Traffic • F5 BIG-IP versions 11.6.1 – 11.6.5
Vulnerability Management User Interface (TMUI), also known • F5 BIG-IP versions 12.1.0 – 12.1.5
as the Configuration Utility.
• F5 BIG-IP versions 13.1.0 – 13.1.3
• F5 BIG-IP versions 14.1.0 – 14.1.2
• F5 BIG-IP versions 15.0.0 – 15.0.1 and 15.1.0

Oracle WebLogic CVE-2020-14882 A critical and easily exploitable remote • Oracle WebLogic Server
RCE Vulnerability code execution vulnerability in Oracle
WebLogic Server.

Microsoft CVE-2020-0688 A remote code execution vulnerability in • Microsoft Exchange Server

Exchange Memory Microsoft Exchange software in which the
Corruption software fails to properly handle objects
Vulnerability in memory.

WordPress CVE-2020–25213 The File Manager (wp-file-manager) plugin • WordPress

‘WP-FILE-MANAGER’ before 6.9 for WordPress allows remote
Plugin Exploit attackers to upload and execute arbitrary
PHP code.

11 | 2021 SonicWall Cyber Threat Report | Common Vulnerabilities and Exposures (CVEs)
2020 Zero-Day
Vulnerabilities
Of the more than 18,000 new CVEs published in 2020,
24 were published to immediately identify and correct
zero-day vulnerabilities.

MONTH CVE RECORD VULNERABILITY

January CVE-2019-17026 Type confusion vulnerability in IonMonkey JIT compiler of Firefox

February CVE-2020-0674 Microsoft IE scripting engine memory corruption vulnerability

February CVE-2020-6418 Type confusion vulnerability in v8 of Google Chrome

March CVE-2020-8467 Remote code execution in Trend Micro Apex One

March CVE-2020-8468 Content validation escape vulnerability in Trend Micro Apex One

April CVE-2020-0938, CVE-2020-1020 Windows Adobe Font Manager Library remote code execution vulnerability

April CVE-2020-6819, CVE-2020-6820 Firefox use-after-free vulnerability

April CVE-2020-1027 Windows Kernel elevation of privilege vulnerability

April CVE-2020-12271 SQL injection vulnerability in Sophos XG Firewall

July CVE-2020-16009 Google Chrome heap corruption via a crafted HTML page

July CVE-2020-16010 Heap buffer overflow in UI in Google Chrome on Android

August CVE-2020-1464 Windows spoofing vulnerability

August CVE-2020-1380 Microsoft IE scripting engine memory corruption vulnerability

August CVE-2020-17087 Windows Kernel local elevation of privilege vulnerability

August CVE-2020-1472 Windows Netlogon elevation of privilege vulnerability

September CVE-2020-3566, CVE-2020-3569 Denial-of-Service (DoS) vulnerability in Cisco IOS XR software

October CVE-2020-25213 Unauthenticated arbitrary file upload vulnerability in WordPress File Manager plugin

October CVE-2020-27930 Memory corruption in Apple macOS

November CVE-2020-15999 Heap buffer overflow in Google Chrome

November CVE-2020-14871 Buffer overflow vulnerability in Oracle Solaris

November CVE-2020-27932 Local privilege escalation vulnerability in Apple macOS

November CVE-2020-27950 Out-of-bounds read in Apple macOS

November CVE-2020-16013 Memory corruption vulnerability in Google Chrome

November CVE-2020-16017 Use-after-free in Google Chrome

12 | 2021 SonicWall Cyber Threat Report | 2020 Zero-Day Vulnerabilities

 COVID Threats:
Exploiting a Pandemic
Of all the threat types that really took off in March, COVID- And likely because the vast majority of malware targets
19-related threats are perhaps the least surprising. As the the United States, the COVID-19 data it happens to most
mysterious new pandemic spread to country after country, closely resemble is that for the United States. Everywhere
cybercriminals saw an opportunity to take advantage of the we see jumps in the number of cases — namely, in April,
fear and confusion in its wake to achieve their own nefarious July and October — we see jumps in the number of
ends. And in very short order, a deluge of phony COVID-19 COVID‑19‑related malware.
tracking apps, malicious “COVID-19 information” docs and Interestingly, while cases continue to rise in November and
PDFs supposedly full of “cures” sprang up. December, COVID-19-related malware falls off. There are a
(It’s worth mentioning, though, that COVID-19-related few reasons this could be occurring: It’s possible that, with a
malware doesn’t always have anything to do with the vaccine on the horizon and a much larger body of legitimate
pandemic. With phishing trends, for example, we can be fairly sources from which to gather information, people are
certain that emails containing words like “coronavirus” are, spending less time researching and thus encountering fewer
by definition, pandemic-related. But threat actors can name threats. Perhaps by the end of 2020, some people developed
any piece of malware something like “pandemic,” “COVID” “COVID fatigue” and began to actively avoid anything to do
or “coronavirus,” and it’ll get flagged — even if there isn’t with the virus.
anything related to the virus whatsoever on the front end.) Of course, it’s also possible that people began hearing
Perhaps unsurprisingly, trends in COVID-19 malware and about COVID-19-related threats and became too savvy to
phishing attempts bear some resemblance with those for fall for many of the methods that had worked before, leading
COVID-19 case data. criminals to shift their efforts elsewhere.

2020 Global COVID-Themed Malware Attacks

4M

3M

2M

1M
071,341,4

759,568,1

519,196,1

069,369,3

408,876,2

127,614,1
106,608

032,455

873,568

995,535

0
5

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

www.sonicwall.com

13 | 2021 SonicWall Cyber Threat Report | COVID Threats: Exploiting a Pandemic

COVID-19-Related Attacks
By Industry
While there was no shortage of attempted COVID-19-related
attacks in 2020, that doesn’t mean that everyone necessarily
saw a lot of attempts. While the healthcare industry
That the number of COVID-19 malware attempts per saw 15% more COVID-19-related
customer overall began to spike in March isn’t surprising. Nor
is the fact that those in the education industry saw a spike in
malware attempts per customer
attempts right around the time school started back in the fall. than average, customers in the
But the fact that healthcare saw very little COVID-19- rest of the verticals examined
related malware until it skyrocketed in September and
October, only to crash just as spectacularly to finish out the
fell below this baseline, with
year, is a bit more puzzling — particularly since COVID-19 education 8% lower, government
case levels continued to rise through the end of the year,
straining hospitals already struggling amidst the pandemic
44% lower and retail 92% lower.
and creating exactly the sort of situation cybercriminals
love to exploit.

2020 COVID-Themed Malware Attempts Per Customer

65

60

55

50

45

40
stpmettA

35

30

25

20

15

10

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

14 | 2021 SonicWall Cyber Threat Report | COVID-19-Related Attacks By Industry

While the data for number of attempts per customer was While the highest number of attempted COVID-themed
fairly lopsided in terms of industries targeted, the trends for malware attacks per customer in the first half occurred in
percentage of customers targeted by COVID-19-themed April, we don’t see a peak in the percentage of customers
malware are much more egalitarian. targeted until May — suggesting that cybercriminals
ramped up attacks on their existing targets before
This doesn’t mean there weren’t still winners and losers,
widening their nets.
however. Those in government were roughly 1.83 times more
likely to be targeted by COVID-19-related malware than
those in retail, who were the least likely to see an attempt.

% of Customers Targeted by COVID-Themed Malware

1

0.9

0.8

0.7

0.6
detegraT %

0.5

0.4

0.3

0.2

0.1

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

15 | 2021 SonicWall Cyber Threat Report | COVID-19-Related Attacks By Industry

2020’s Biggest
Cybersecurity Events
While the biggest news in 2020 was, of course, the spread
of COVID-19, the pandemic set into motion a wave of
2020
cybersecurity incidents, the ripples of which are still being
felt nearly a year into the so-called “new normal.”

JANUARY FEBRUARY
• The U.S. Army banned TikTok from government • Security researchers identified a JavaScript
devices over concerns about the platform’s vulnerability in WhatsApp that could allow malware,
relationship with China. ransomware or phishing to be spread through
notification messages that appear completely
• Authentication bypass bugs in two WordPress
normal to users.
plugins allow anyone with the admin username to
access a site’s backend. • Researchers find that over 55% of medical
imaging devices, such as X-rays, MRIs and
ultrasound machines, are powered by outdated
Windows versions still vulnerable to the
Bluekeep vulnerability.

BLUEKEEP

MARCH APRIL
• As COVID-19 spreads and countries around the • A vulnerability is discovered in Apple iPhones
world enter lockdown, cyberattacks rapidly double, and other iOS/macOS devices that causes them
including a sophisticated hacking attempt against to crash when loading messages or posts in the
the World Health Organization (WHO). Sindhi language.

16 | 2021 SonicWall Cyber Threat Report | 2020’s Biggest Cybersecurity Events

2020’s Biggest
Cybersecurity Events
2020
MAY JUNE
• German Chancellor Angela Merkel implicates Russia • With many employees working remotely
in a series of hacking attempts on her emails and full time during the pandemic, mobile
those of other German lawmakers. phishing increases 37%.

• Cell towers in several states are burned or otherwise • A large German multinational corporation charged
damaged by conspiracy theorists who believe 5G is with procuring PPE for front-line healthcare
responsible for the spread of the novel coronavirus. workers is targeted in a massive phishing attack.

• 15-year-old hacker Ellis Pinsky and a group of friends • Researchers discover an unpatched, zero-day
steal $24 million in cryptocurrency from blockchain vulnerability in Netgear router firmware, leaving 79
advisory firm Transform Group. device models at risk for full takeover.

• An unidentified European bank is the target of

an 809 million packet-per-second DDoS attack,
believed to be the largest to hit any network.

• The U.S. Federal Communications Commission

(FCC) formally designates China’s Huawei
Technologies Co. and ZTE Corp. as threats to
national security.
JULY
• Millions of Microsoft Office 365 users, including
business leaders across a variety of industries
and 62 countries, are targeted in a massive
phishing campaign.

• In a bid to steal invaluable vaccine research

data, Chinese government-linked hackers target
U.S.-based biotech company Moderna. AUGUST
• The Twitter accounts of U.S. politicians Joe • Researchers discover social media app TikTok
Biden and Barack Obama, musician Kanye West, used encryption to conceal its tracking and
businessmen Bill Gates and Elon Musk, and other collecting of unique identifiers from millions of
high-profile individuals are hacked and used in an Android users without their consent.
attempt to scam Bitcoin from followers.
• FritzFrog, a unique and advanced worming P2P
botnet that drops backdoors and cryptominers,
attacks millions of SSH servers.

17 | 2021 SonicWall Cyber Threat Report | 2020’s Biggest Cybersecurity Events

2020’s Biggest
Cybersecurity Events
2020
SEPTEMBER OCTOBER
• A woman dies after a ransomware attack on • A politically motivated spear-phishing attack
Germany’s Dusseldorf University Clinic leads to her targets hundreds of U.S. organizations with
being diverted to a distant facility, resulting in care emails that claimed to be from the Democratic
being delayed for over an hour. National Committee, but were in reality vehicles for
Emotet malware.
• Cybercriminals threaten thousands of organizations,
from various industries around the world, with DDoS • Iranian state-sponsored hackers exploit the
attacks within six days unless they pay a ransom. Zerologon vulnerability, which allows attackers to
take over domain controllers and gain full control
over their targets.

• The Maze cybercrime gang, among the most

prominent ransomware groups, announces it is
shutting down operations.

NOVEMBER
• In a unique and highly targeted cyberattack,
suspected state-sponsored attackers steal
cybersecurity firm FireEye’s Red Team
assessment tools.

• A cyberattack on UVM Health Networks halted

DECEMBER
chemotherapy, mammogram and screening • A compromised update to tech company SolarWinds’
appointments, and led to 300 staff being Orion software enables state-sponsored attackers
to access government and other systems. According
furloughed or reassigned.
to Dmitri Alperovitch, head of the Silverado Policy
• Manchester United, one of the wealthiest and most Accelerator think tank, the SolarWinds intrusion
popular soccer clubs in the world, is targeted in a had the greatest impact of any cyberattack in
American history.
suspected ransomware attack.

18 | 2021 SonicWall Cyber Threat Report | 2020’s Biggest Cybersecurity Events

 KEY FINDINGS FROM 2020

^
43%
MALWARE HITS LOW POINT
In 2020, malware fell dramatically, reaching 5.6 billion
attacks— a 43% decrease from 2019’s totals.
READ MORE ON PAGE 21

RANSOMWARE HITS RECORD HIGH

^ 62
% The effects of a global pandemic, combined with record
highs in the price of cryptocurrency, drove ransomware to a
staggering 62% increase over 2019.
READ MORE ON PAGE 35

INTRUSION ATTEMPTS RISE, ATTACK PATTERNS CHANGE

^20
% The number of intrusion attempts in 2020 was 20% higher
than in 2019, but year-over-year attacks in Europe nearly
quadrupled. Meanwhile, changes in attack types and patterns
evolved over the year.
READ MORE ON PAGE 44

74
DEEP MEMORY INSPECTION: BETTER THAN EVER
%
^
SonicWall’s patented Real-Time Deep Memory Inspection™
(RTDMI) found 268,362 ‘never-before-seen’ threats in
2020— an increase of 74% from 2019.
READ MORE ON PAGE 48

19 | 2021 SonicWall Cyber Threat Report | Key Findings from 2020

 KEY FINDINGS FROM 2020

FASTER IDENTIFICATION OF ‘NEVER-BEFORE-SEEN’ MALWARE

The sooner new threats can be identified, the sooner they
+ D1 can be neutralized. Based on VirusTotal data, on average
SonicWall is identifying never-before-seen malware
variants a full day before VirusTotal receives samples —
sometimes much earlier.
READ MORE ON PAGE 50

MALICIOUS OFFICE FILES OVERTAKE MALICIOUS PDFs

^ 25
% In 2019, cybercriminals preferred malicious PDFs and
malicious Office files in roughly equal numbers. But in 2020,
malicious Office files were the clear choice: They now make
up more than a quarter of all malicious files.
READ MORE ON PAGE 51

REPORTS OF CRYPTOJACKING’S DEATH

^3
HAVE BEEN GREATLY EXAGGERATED
YH Despite all predictions to the contrary, the death of
Coinhive wasn’t enough to kill illegal mining. Instead, record
cryptocurrency prices drove cryptojacking up from its low
point in 2019 to a three-year high.
READ MORE ON PAGE 52

IoT MALWARE SKYROCKETS

66
When the pandemic sent workers home, their unsecured
%
^
personal devices were there waiting for them — and
so were cybercriminals. Recognizing the potential
to use compromised devices for personal gain,
attackers pushed IoT malware to a 66% increase.
READ MORE ON PAGE 58

20 | 2021 SonicWall Cyber Threat Report | Key Findings from 2020

 Malware Hits
Low Point
In 2019, malware began to slip downward. In 2020, it fell like a Unlike most other forms of cybercrime in 2020, SonicWall
rock, reaching 5.6 billion total attacks — a mind-blowing 43% observed malware starting high in January and then
decrease from last year’s total. dropping — and this decrease was so pronounced
that even a rebound through September and all of Q4
Where Did The Malware Go? couldn’t reverse it.
SonicWall is exercising caution when using the 2020 global
But even though malware is ending 2020 at near-historic
malware data. During the pandemic, fewer employees were
lows, criminals continue to refine their tactics to be even
accessing corporate networks through traditional means,
more targeted and effective than ever, requiring fewer total
thereby relying solely on whatever security is included in
attacks to be successful.
their ISP’s consumer-grade hardware. This reduced visibility
for corporate networks worldwide, and by extension reduced Worse, as we’ll see later on, the decreases in malware
visibility for cybersecurity vendors, including SonicWall. coincide with record or near-record highs in other forms of
attack — meaning cybercriminals aren’t calling it a day, but
But as contrarian as malware was in its overall trends, it was
simply switching their strategies yet again.
equally so from month to month.

2020 Global Malware Attacks

800M

600M
emuloV

400M

200M
180,481,350,1
843,505,456
465,303,436

487,262,457
491,811,395

383,514,129
346,421,485

573,431,938
364,478,074

077,777,818
753,381,484

679,486,497
779,443,044

768,244,708
177,387,193

406,768,518
332,774,663

557,358,708
284,525,524

217,385,814

004,869,769
610,151,824

555,137,086
386,552,683

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

2019 2020

www.sonicwall.com

21 | 2021 SonicWall Cyber Threat Report | Malware Attempts

 2020 Global Malware Spread Trend
50

45

40
)tiH %( daerpS

35

30

25

20

15
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

North America South America Europe Asia Africa Oceania

The COVID-19 pandemic caused a worldwide spike in malware, pushing the chance any given organization would see a malware
attack above 35%. By December, the odds had fallen considerably, to about 21%. www.sonicwall.com

22 | 2021 SonicWall Cyber Threat Report | Malware Spread

Want to get a sense for how much malware dropped in 2020?
Consider this: In 2019, every region had more than 1 billion
malware hits total. In 2020, only one did.

In both 2019 and 2020, SonicWall observed by far the most

malware in North America, but it fell 42% in 2020, from
5.86 billion to 3.40 billion. Unfortunately for North America,
however, its percentage share of total malware actually
increased: in 2019, malware in North America made up 59% ^
42
of all malware, but in 2020 that rose to 61%. With 984 million
malware hits in 2020, Europe saw a 44% drop in overall
malware. Asia, meanwhile, experienced a 53% decrease in
malware attempts.
%
SonicWall saw total malware volume in 
North America fall in 2020, from 5.86 billion
to 3.40 billion.

What is Malware Spread?

SonicWall recorded 2.8 billion malware hits in the United States in 2020 — nearly
nine times the next-highest ranked (U.K., with 322 million.) So why aren’t these
countries the riskiest?
Malware totals are useful in calculating trends, but they’re of limited usefulness when
determining relative risk: They ignore factors such as size, population, number of
sensors and more.
To find out the odds that an organization will see malware in a particular area, we use
the malware spread percentage — a calculation of what percentage of sensors saw a
malware attack.
If we think of malware volume as being similar to the total amount of rainfall in a
given region, then malware spread percentage could be compared to the probability of
precipitation, or “chance of rain.”
Think of it this way: Annual precipitation numbers can be useful in determining whether
your area has seen more rain than it did last year, but they don’t tell you whether
your umbrella will see heavier use than your tube of SPF. Like the “chance of rain,”
malware spread percentage considers a variety of additional factors to provide a more
meaningful risk assessment.

23 | 2021 SonicWall Cyber Threat Report | Malware Spread

Malware Risk by Country
In a relatively small sample size of eight countries, there’s This is one of several places you can see the direct effects of
still a huge variation in outcomes. But one thing remains COVID-19 on the threat data.
remarkably consistent regardless of where the country Interestingly enough, in all but one country, malware
is located, what its total malware volume is, or how its spread was lowest in December. We’ll see in 2021 whether
trend lines fall. this proves to be a seasonal blip or a further sign of
When looking at SonicWall’s exclusive malware spread malware losing ground.
percentage data — which tells us how widespread malware
is in a given region (see next section) — the highest malware
spread percentage occurred in March, at the peak of the
initial pandemic lockdown.

2020 Malware Attacks | United States

400M 40

300M 30

)tiH %( daerpS
emuloV latoT

200M 20

100M 10

0 354,497,281 302,923,116 309,273,999 268,047,569 213,795,621 194,066,919 173,889,533 181,672,763 195,543,135 177,691,621 202,416,559 215,170,958 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Total Hits Spread %

9x
www.sonicwall.com

Once again, SonicWall observed the highest volume

of malware in the United States, with nearly nine
times the volume seen in No. 2 U.K.

24 | 2021 SonicWall Cyber Threat Report | Malware Risk by Country

 2020 Malware Attacks | United Kingdm

70M 70

60M 60

50M 50

)tiH %( daerpS
emuloV latoT

40M 40

30M 30

20M 20

10M 10

0 59,610,714 55,637,260 48,785,414 27,700,979 14,668,019 13,036,808 17,344,863 17,560,505 24,965,868 19,948,792 13,568,161 8,943,844 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Total Hits Spread %

In the U.K., over half of all malware hits occurred within the first three months of the year, another indication of the impact of COVID-19.
www.sonicwall.com

2020 Malware Attacks | Germany

6M 60

)tiH %( daerpS
emuloV latoT

4M 40

2M 20

0 6,105,974 3,012,483 6,644,032 3,478,091 3,405,249 2,235,879 2,111,284 2,854,375 2,863,409 3,765,953 5,234,685 4,159,349 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Total Hits Spread %

Malware dropped more in Germany than in any other countr y, falling by a remarkable 67%. Its roughly U-shaped graph is a complete
departure from 2019, when volume was highest in spring and summer. www.sonicwall.com

25 | 2021 SonicWall Cyber Threat Report | Malware Risk by Country

 2020 Malware Attacks | India
30M 45

20M 30

)tiH %( daerpS
emuloV latoT

10M 15

0 14,147,196 15,370,952 16,099,153 7,410,346 7,973,053 9,974,914 12,633,208 9,772,889 7,991,159 25,463,665 20,241,920 25,540,695 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Total Hits Spread %

India was the only countr y to see its lowest spread percentage in a month other than December. Instead, malware spread was
lowest in April, meaning it saw both its highest malware spread percentage and its lowest within a 60-day period. India also www.sonicwall.com
experienced the largest spike, with monthly volume more than tripling between September and October.

2020 Malware Attacks | Brazil

15M 45

10M 30

)tiH %( daerpS
emuloV latoT

5M 15

0 6,930,695 12,387,350 14,487,712 8,529,684 9,783,309 12,059,356 12,224,271 11,183,227 12,329,696 10,794,841 9,541,701 10,507,174 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Total Hits Spread %

Brazil, which experienced a 46% overall drop in malware, saw both its lowest malware volume and highest malware spread in Q1.
www.sonicwall.com

26 | 2021 SonicWall Cyber Threat Report | Malware Risk by Country

 2020 Malware Attacks | Mexico

6M 60

)tiH %( daerpS
emuloV latoT

4M 40

2M 20

0 752,977 1,378,311 1,869,596 593,446 696,255 1,623,922 6,616,707 2,956,976 3,127,820 2,918,687 4,251,551 4,013,334 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Total Hits Spread %

In Mexico, malware actually rose, spiking 73% over 2019’s volume.

www.sonicwall.com

2020 Malware Attacks | United Arab Emirates

3M 30

2M 20

)tiH %( daerpS
emuloV latoT

1M 10

0 1,449,409 1,980,531 1,954,597 778,822 833,509 846,449 1,828,904 1,161,744 1,752,117 1,983,772 2,021,923 2,435,045 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Total Hits Spread %

Malware volume in the UAE was largely suppressed by a ver y favorable Q2, when numbers fell to their lowest point and stayed there
the entire quarter. www.sonicwall.com

27 | 2021 SonicWall Cyber Threat Report | Malware Risk by Country

 2020 Malware Attacks | Japan
2M 40

1.5M 30

)tiH %( daerpS
emuloV latoT

1M 20

0.5M 10

0 663,072 575,332 1,976,371 509,605 710,331 822,871 604,595 384,976 517,458 582,882 524,649 688,453 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Total Hits Spread %

Japan was the only countr y that had roughly the same amount of malware in Januar y as in December. Aside from a large spike in
March (the second largest in any countr y), malware in Japan remained the most consistent throughout the year. www.sonicwall.com

Malware Risk Across U.S. States

2020 Malware Volume | Top 10 U.S. States

450M 45

400M 40

350M 35

300M 30

)tiH %( daerpS
emuloV latoT

250M 25

200M 20

150M 15

100M 10

50M 5

0 408,368,370 243,719,884 206,879,635 183,836,048 166,177,752 136,433,020 112,708,882 94,876,248 90,081,363 76,834,700 0
California New York Florida New Jersey Texas Michigan Georgia Illinois Virginia Alabama

Total Hits Spread %

www.sonicwall.com

28 | 2021 SonicWall Cyber Threat Report | Malware Risk by Country

 2020 Malware Spread | Top 10 Riskiest U.S. States

400M 40

300M 30

)tiH %( daerpS
emuloV latoT

200M 20

100M 10

9,704,438 6,132,882
0 93,446,907 62,539,643 92,000,490 56,860,176 420,679,448 187,329,631 76,185,155 17,679,239 0
Kansas Rhode Island Montana Vermont Iowa Hawaii Michigan Louisiana Oregon Idaho

Total Hits Spread %

www.sonicwall.com

If California’s malware volume — at 408.3 million, nearly 70% So what state is the riskiest? Kansas, where 26.7% of
more than the next-highest state — has you wondering how SonicWall sensors saw a malware hit. Fortunately for those in
Californians have time to do anything besides battle malware, the Sunflower State, though, this stat appears to be trending
it might be a good time to also take a look at California’s in the right direction: In our 2020 Mid-Year Update, 31.3% of
malware spread percentage. sensors saw a hit.

Keep in mind that there are a lot of Californians: 39.5 million At the other end of the spectrum, in North Dakota only 18.5%
at last count, making it the most populous state by far. of sensors logged an attempted malware attack.
Moreover, its $3.2 trillion economy (if it were a country, it’d On a per-person basis, the riskiest state in 2020 was Rhode
be the fifth-largest GDP on Earth) needs a massive number Island, where there were 37 malware attempts for each
of devices to power it. resident. In contrast, Mississippi and Delaware each saw just
Taking these factors into consideration, California isn’t a single attempt per person on average.
anywhere close to being the riskiest state — it’s actually near
the bottom of the list, at No. 43.

37/
Malware attempts for each resident in Rhode Island.

26.7%
of SonicWall sensors saw a malware hit in Kansas.

29 | 2021 SonicWall Cyber Threat Report | Malware Risk by State

Malware Spread by Country
Based on the malware spread data, an organization is
not most likely to see malware in the U.S. or the U.K. An
organization in South Korea, however, is actually more likely
to see malware than not, as the spread percentage there is
51.4%. (Conversely, in the Bahamas, you’ve only got about a
16% chance of seeing malware.)

2020 Malware Spread | Top 10 Countries

South Korea 51.42%

Jordan 46.83%

Croatia 44.50%

Egypt 43.44%

Sri Lanka 40.29%

yrtnuoC

Guam 38.97%

Ghana 38.94%

Slovenia 38.79%

China 38.34%

Portugal 38.32%

5 10 15 20 25 30 35 40 45 50 55
% Hit

www.sonicwall.com

30 | 2021 SonicWall Cyber Threat Report | Malware Spread by Country

Which Industries Saw the Most Malware? On a longer timeline, however, these spikes are of much
In the first half of 2020, the number of attempted malware less concern. Across every industry, year-over-year
attacks per government customer started at more than attempted malware attacks per customer were way
double other industries, and only rose from there. In down. This decrease ranged from 22% for retail, to 78%
March, government customers saw an unbelievable 12,725 for government.
attempted malware attacks each on average — that’s
17 every hour.

Fortunately, this spike was short-lived, but the rates In March, government
for government stayed (un)comfortably above all other
industries for the entire first half of the year. customers saw an unbelievable
But in late summer — just in time for schools to 12,725 attempted malware
reopen — a surge in the number of attempted attacks
targeting the education sector coincided with a drop
attacks each on average —
in attacks on government. By September, there were that’s 17 every hour.
nearly triple the number of attempts on education as on
government. Education would remain far ahead of the
pack for the rest of the year.

2020 Malware Attempts Per Customer

14K

12K

10K

8K
stpmettA

6K

4K

2K

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

31 | 2021 SonicWall Cyber Threat Report | Malware Attempts by Industry

But even though the government customers being Those working in healthcare and retail were least likely to
targeted saw the most malware attempts overall, not all be targeted, as both fell below the overall average for the
government customers were targeted — or even close. In majority of the year.
fact, the highest percentage of customers targeted in a
given industry was in education, and this held true for every
single month in 2020.

% of Customers Targeted by Malware

45

40

35
detegraT %

30

25

20

15
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

32 | 2021 SonicWall Cyber Threat Report | Malware Attempts by Industry

 Encrypted Attacks
Rise Slightly
In an ordinary year, a rise in any given threat category An Uneven Upswing
is cause for concern. But this is 2020 — and with While there was an overall increase of 4% in encrypted
cybercriminals ramping up activity across the board, attacks in 2020, due to large variations in regional totals, this
any report that doesn’t require a new synonym for number doesn’t really represent the experiences of anyone
“skyrocketing” can be considered a bright spot, even if it outside North America (where attacks increased 3%).
isn’t technically good news.
For example, Europe saw an average of 21% more encrypted
Over the past year, SonicWall Capture Labs threat attacks — while in Asia, year-over-year totals increased
researchers recorded a 4% increase in encrypted threats 151%. However, most other places in the world actually saw
(i.e., malware sent across HTTPs traffic). During each month fewer encrypted attacks in 2020, with an average 16% drop
from January through June, the number of encrypted over 2019’s totals.
attacks fell short of 2019’s corresponding monthly total.

% of Customers Targeted by Malware over HTTPs

30

25

20
detegraT %

15

10

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

33 | 2021 SonicWall Cyber Threat Report | Encrypted Attacks

This 4% increase in encrypted attacks can be attributed in no This makes the data for encrypted attacks an outlier:
small part to two industries: education and healthcare, which For other threat types, those working in government and
rose 292% and 351% year over year, respectively. education tended to be targeted at a higher rate. Encrypted
attacks are the only threat type that saw a higher percentage
Of the industries we focused on in the scope of this report,
targeted in healthcare.
one seems to be driving overall trends in encrypted threats
more than any other: Healthcare. Not only did it post a Another thing makes this data unique: It’s the only threat
huge increase, it was also the only industry to show a huge type for which those in government have the least chance
spike in August. being targeted.

What Are Encrypted Threats?

In simple terms, TLS (Transport Layer Security) and its predecessor SSL (Secure
Sockets Layer) are used to create an encrypted tunnel for securing data over an
internet connection. TLS is the replacement of SSL. When one encounters the technical
term “SSL” in products or solutions, one must assume the TLS protocol is being used
unless specified.
While TLS provides legitimate security benefits for web sessions and internet
communications, cybercriminals are increasingly using this encryption protocol to hide
malware, ransomware, zero-day attacks and more.
Traditional security controls, such as legacy firewalls, lack the capability or processing
power to detect, inspect and mitigate cyberattacks sent via HTTPs traffic, making
this a highly successful avenue for hackers to deploy and execute malware within a
target environment.

34 | 2021 SonicWall Cyber Threat Report | Encrypted Attacks

 Ransomware Runs
Rampant

2020 Global Ransomware Attacks

40M

30M

20M

10M
621,889,21

301,773,51

315,960,42

965,240,41

999,665,22

447,705,91

042,926,12

297,910,52

348,714,32

727,281,81

437,117,61

047,030,31

398,887,81

849,417,11

213,064,52

880,702,61

189,211,43

528,283,02

279,769,33

880,028,51

912,648,73

551,970,33
469,513,9

564,703,9
0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

2019 2020

It didn’t look too bad at first: In the Mid-Year Update to last But all the usual balance and predictability that can usually
www.sonicwall.com
year’s SonicWall Cyber Threat Report, we noted a 20% be found in ransomware data went out the window in 2020.
year-over-year jump in ransomware. With numbers for July For example, in 2019, there was a general upward trend until
trending downward and people settling into the “new normal” May, when numbers peaked, dropping until August. At that
brought by the pandemic, we hoped for the best. point they reversed and peaked again in October, before
By the time we released our Q3 threat data, however, that falling off for the rest of the year.
20% increase had turned into a 40% increase. But with past In 2020, the peak happened three months earlier, in February.
years showing a dropoff toward the end of the year, there While it remained on a downward trajectory until June, it
was still room for some (very cautious) optimism that things would never again return to its low pre-COVID level of 13
might yet turn around. million. And while ransomware levels showed a late-summer
Unfortunately, they never did, and 2020 ended with increase in both 2019 and 2020, in 2020 they soared to
ransomware up a staggering 62% worldwide. unprecedented heights — and then stayed there.

How unusual was 2020 in terms of ransomware? When December is a good case in point. In 2020, December was
graphed and visualized, ransomware hit data from previous the fourth-highest month (and it was close, at that). But in
years shows mostly gentle rises and falls, with the two halves every single other year since we began tracking, December
of the year fairly balanced in terms of quantity. 2019’s graph, was in the bottom half for monthly ransomware totals — and
with its sine-wave consistency, is a prime example of this. in all but one year, it was in the bottom quarter.

35 | 2021 SonicWall Cyber Threat Report | Ransomware

But if the pandemic can explain some of the increase, why Meanwhile, other investors — wary of 2020’s unprecedented
did numbers rise to a new high in July, at the same time that stock market volatility stemming from a swirling mass
COVID-19 cases began a two-month drop? of political unrest, skyrocketing unemployment and the
uncharted territory of a post-COVID world — wanted
To understand the behavior of ransomware in 2020, we have
someplace a little more stable to invest their money.
to look at another factor.
And Bitcoin fit the bill. While no one knows whether we will be
For ransomware to be lucrative, you need a pool of likely
going to the movies, buying jeans, or favoring drive-through
victims — which the pandemic provided in spades, in the
restaurants in 2021, Bitcoin will always be a rare and limited
form of employees working from home for the first time,
resource. And unlike the literal standard of rare and limited
many oblivious to security best practices and distracted by a
resources (gold), Bitcoin is easier to store and transfer, and is
rapidly changing world.
more divisible.
But you also need a profit motive. And as it turned out, there
was enough happening on the profit side to cancel out any
pandemic-related trough altogether.

Just as COVID-19 numbers were hitting their lowest point To put Bitcoin’s rise into
since late spring, something else was hitting its highest point
all year: Bitcoin. Bitcoin rose roughly 300% in 2020, and as
perspective, if you owned one
Bitcoin went and stayed up during the second part of the Bitcoin on March 14, it was
year, ransomware followed.
worth $5,304 — enough to
And while ransomware operators usually wrap their year up
early, leading to lower numbers in November and December, finance a nice vacation (not that
staying in the game in 2020 was simply too lucrative.
anyone was going anywhere).
Bitcoin’s Big Score
A number of things happened in 2020 to
influence the price of Bitcoin. The media, If you resisted the urge to sell and rang in the New Year
no doubt hungry for stories about anything with that same Bitcoin, its value would have grown to
not related to pandemic or politics, covered $29,112 — almost six times its original value, and enough
the uptick in Bitcoin prices extensively, to buy a brand-new Toyota RAV4 (with enough left over
attracting others looking to cash in. to finance your Netflix, Hulu, Disney+ and Amazon Prime
At the same time, Bitcoin began to shake a lot of its shady streaming habits for an entire year afterward.)
associations. While none other than Warren Buffet referred By the end of the first week in January, Bitcoin had jumped
to Bitcoin as “probably rat poison squared” as recently as even higher, breaking the $40,000 mark for the first time in
May 2018, in mid-2020 institutional finance firms began history and continuing to rise in fits and starts thereafter,
investing in Bitcoin, bringing the currency an increased ultimately reaching $50,000 in February. If the Bitcoin-
sense of legitimacy. ransomware connection continues to hold, historic highs in
ransomware are unfortunately likely to follow.

36 | 2021 SonicWall Cyber Threat Report | Ransomware

Ransomware by Region ransomware attacks. With 53.5 million ransomware hits,
Ransomware trends by region ran the gamut in 2020. In Florida had almost twice as many ransomware attacks as the
Europe, there was no increase, but other areas weren’t next-highest state, New Jersey.
as fortunate: ransomware volume spiked 158% in North Florida saw an unusually large number of attacks in the
America, and a mind-boggling 455% in Asia, according to second half, on diverse targets such as state and local
SonicWall’s sensor network. governments, one of the largest healthcare provider chains
In terms of total ransomware volume, the United States once in the U.S., nonprofit organizations, Miami-based Carnival
again had more than any other country, with over 203 million Cruise Lines and more.
ransomware hits. This is more than 13 times the volume of
ransomware in South Africa, the next-highest country. A New Safe Haven?
In 2020, SonicWall Cyber Labs threat researchers noticed an
Like the country-level data, the state-level data shows
unusual characteristic in some of the ransomware identified.
one region far outpacing the rest when it comes to total
In at least two cases, Exorcist ransomware and Erica
ransomware, the software is designed to spare those living
in certain Eastern European countries.

With 53.5 million ransomware In the case of Exorcist, the malware performs a check to
avoid encrypting systems in Commonwealth of Independent
hits, Florida had almost twice States countries. In the case of Erica, files are encrypted
as many ransomware attacks regardless of the victim’s location, but according to the
ransomware note left in each directory, the ransomware
as the next-highest state. operators promise to help with decryption if a victim lives in
Russia, Kazakhstan or Ukraine, with no time limit on these
requests for assistance.

2020 Ransomware Volume | Top 10 Countries

United States 203,474,707

South Africa 15,091,363

Italy 10,829,304

United Kingdom 8,580,230

Belgium 4,941,401
yrtnuoC

Mexico 4,421,996

Netherlands 4,326,642

Canada 4,073,226

Brazil 3,862,362

Malaysia 2,894,218

20M 40M 60M 80M 100M 120M 140M 160M 180M 200M 220M
Volume

www.sonicwall.com

37 | 2021 SonicWall Cyber Threat Report | Ransomware by Region

 2020 Ransomware Volume | Top 10 U.S. States

50M

40M
emuloV latoT

30M

20M

10M

0 53,536,364 27,728,554 18,733,255 17,188,407 12,483,328 12,453,692 8,509,682 7,235,516 7,020,945 5,388,125
Florida New Jersey Maryland Kentucky Michigan Georgia New York California District of Virginia
Columbia

Total Hits

Top Ransomware by Signature Two Ryuk signatures made it into the top 10, including
Cybercriminals continued to rely on readily available Ryuk.RSM_27, which was No. 1. The fact that we recorded so
www.sonicwall.com

ransomware kits in 2020, but there has been some many hits for this signature is especially remarkable when
movement in the rankings since last year’s Cyber Threat considering that there were no hits at all recoded in January,
Report. Cerber, last year’s No. 1 ransomware family, slipped and (comparatively) very few in February, when researchers
to second place as a new ransomware family shot up the recorded 667,000 hits, compared with an average of about
rankings: Ryuk. 9.5 million for every month thereafter.

While Ryuk signatures got their start in 2020, no signatures

Top Ransomware Signatures of 2020 died out, or even came close — in fact, only one signature
family, Nemucod, ended the year at a lower point than where
1 Ryuk.RSM_27
it started in January.
2 CryptoJoker.RSM A note on GandCrab: In mid-2019, the creators of the
GandCrab Ransomware-as-a-Service (RaaS) announced that
3 Samsam.RSM_9
they were shutting down their operation, giving those using
4 Cerber.RSM the software a month to cease operations and cash out.

5 JScript.Nemucod.AW_10 Indeed, as SonicWall threat researchers noted in last year’s

Cyber Threat Report, few attacks were recorded after
6 Cerber.RSM_20
summer 2019. So why are we seeing GandCrab now at all —
7 Ryuk.RSM_28 let alone in the list of top 10 signatures?

It turns out the GandCrab authors are still active, and

8 MalAgent.RSM_99
researchers are reasonably sure they’re the same group
9 JScript.Nemucod.D_2 responsible for the REvil/Sodinokibi ransomware, a more
sophisticated form of ransomware created just before
10 GandCrab.RSM_5
GandCrab shut down.

38 | 2021 SonicWall Cyber Threat Report | Ransomware by Signature

So while the operation GandCrab as we knew it is truly detection from our signatures. This would also explain
defunct, it’s likely that the GandCrab software has been how new signatures are still being created for “GandCrab”
rebranded to some other RaaS, which could trigger (the most recent in October 2020).

Notable Ransomware Identified in 2020

JANUARY JULY

Jan. 7 MZP Ransomware Actively Spreading in the Wild BadBoy Ransomware, Variant of Spartacus,
Jul. 1 Charges $1,000 for Decryption
New Version of Cryakl Ransomware Demands $10k
Jan. 17 for File Decryption Reha Ransomware Targeting Arabic-
Jul. 23 Speaking Countries
Jan. 28 Maze Ransomware That Contains A Maze of Code
Exorcist Ransomware Casts Triple Punishment for
Jul. 31 Non-Payment
FEBRUARY

Feb. 7 ENC Ransomware Actively Spreading in the Wild AUGUST

Ako Ransomware Demands $3,000; Operators VoidCrypt Ransomware Actively Spreading in

Feb. 14 Aug. 14 the Wild
Hide Behind Tor

Darkside Ransomware Targets Large Corporations,

MARCH Aug. 28 Charges Up to $2M

Marracrypt Ransomware Actively Spreading in

Mar. 5 the Wild SEPTEMBER

Legion Ransomware Variant, King Ouroboros, Jackpot Ransomware Actively Spreading in

Mar. 13 Sep. 4 the Wild
Charges $3,000 for File Recovery

Sep. 25 Zhen Ransomware Actively Spreading in the Wild

APRIL

Project23 Ransomware Actively Spreading in OCTOBER

Apr. 2 the Wild
Operator of New Phobos Variant Gives Blunt
Oct. 2 Response During Negotiation
MAY
Oct. 22 Nibiru Ransomware Actively Spreading in the Wild
Project Zorgo Ransomware Actively Spreading in
May 4 the Wild
Oct. 26 A New Variant of Clop Ransomware Surfaces
Instabot Ransomware Demands $490 in Bitcoin
May 8 After 50% Discount NOVEMBER

DragonCyber Ransomware Actively Spreading in Nov. 6 Ragnar Locker Ransomware

May 28 the Wild
Exerwa Ransomware Leaked from CTF
Nov. 25 Hacker Event
JUNE

Fake Image File Containing JavaScript Leads to DECEMBER

Jun. 5 Avaddon Ransomware
Dec. 7 Egregor Ransomware
Fake Ransomware Decryptor Spreads Zorab
Jun. 18 Ransomware Dec. 18 Mobef Ransomware Actively Spreading in the Wild

CobraLocker Ransomware Actively Spreading in

Jun. 25 the Wild

39 | 2021 SonicWall Cyber Threat Report | Ransomware by Signature

Ryuk on a Rampage But while Ryuk was quicker than ransomware in general to
First identified in August 2018, Ryuk got off to a slow start. In rise, it was also quicker to fall. While ransomware levels in
2019, SonicWall Capture Labs threat researchers recorded general tenaciously remained near the top of the graph as
5,000 cases of Ryuk worldwide all year long. In February 2020 drew to a close, Ryuk did what ransomware usually
and September, researchers recorded zero cases of Ryuk does and fell through the end of Q4.
anywhere. And no matter where you were in the world, you Despite ending on a down note, Ryuk still had 11 million more
spent at least a quarter of the year Ryuk-free. hits in December than it had in January, suggesting we’re
Even as late as January 2020, Ryuk didn’t appear outside likely to continue seeing plenty of it in 2021.
of North America, Europe or Asia. At the time researchers
noted a mere 41 cases total — or a little more than one case
of Ryuk a day in the entire world.

The very next month, there were more than 16,272 times
Ryuk’s Astronomical Growth
as many.

February’s total of 667,163 continued to climb. It crossed

January 2020: Just over one
the 1 million threshold on its way to March, and would stay case of Ryuk a day
there the rest of the year, overtaking Cerber as the top September 2020: Nearly eight
ransomware family.
cases of Ryuk every second
While Ryuk and ransomware as a whole both slumped in
the summer, Ryuk rebounded more quickly: In September,
researchers noted a record 19.9 million cases of Ryuk —
equivalent to nearly eight cases of Ryuk each second.

Global Ryuk Ransomware Volume

20M 19,883,962

16,730,474

15M
14,350,692

11,422,046
emuloV

10,778,862 10,639,189
10M
8,465,070
8,039,714

6,235,705
5M

2,561,855

667,163
0 8 20 3 173 5 1,006 3,879 0 3 109 71

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

2019 2020

www.sonicwall.com

40 | 2021 SonicWall Cyber Threat Report | Ransomware by Signature

 Ryuk on the Rebound?
Ryuk finished the year down somewhat from the meteoric heights it reached in autumn.
However, in January, the U.S. Cybersecurity and Infrastructure Security Agency warned
that it had been seeing a fresh surge in Emotet attacks.
What does this have to do with Ryuk? Well, Ryuk is often leveraged via a multi-stage
attack (Emotet > Trickbot > Ryuk.) So a surge in Emotet may mean that a surge in Ryuk
may not be far behind.

Cerber Slips to No. 2 In contrast to Ryuk, the current No. 1 signature (and family),
When looking at signatures, Cerber is Nos. 4 and 6 Cerber has been around for quite a while — it was originally
(Cerber.RSM and Cerber.RSM_20 respectively). But when discovered in March 2016. It follows the RaaS model: As one
looking at the top 10 families, Cerber’s two entries of the first examples of this business model, the operators of
on the list combine to catapult it above SamSam and Cerber originally offered their ransomware for a 40% cut of
CryptoJoker to No. 2. any ransoms paid.

In 2019, Cerber was the No. 1 ransomware family identified Cerber has been known to spread via exploit kits, malicious
by SonicWall Capture Labs threat researchers. It boasted JavaScript attached to spam, infected websites, fake
four of the top 10 ransomware signatures of the year, making software downloads and malvertising (infected ads placed
up 33% of all ransomware attacks. on legitimate websites.)

Global Cerber Ransomware Volume

15M
14,329,226

10M 9,930,251
9,448,585 9,598,667
8,929,538
emuloV

8,173,213

6,677,005
6,048,478
5,740,516
5,282,685 5,312,774
5M
4,577,671
4,146,171
3,874,053 3,882,344
3,063,125 2,933,076 2,746,689
2,336,786
1,904,068 1,877,733
1,457,264 1,567,936

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

2019 2020

www.sonicwall.com

41 | 2021 SonicWall Cyber Threat Report | Ransomware by Signature

Ransomware by Industry
In the industry-specific data for ransomware, we see the What about the healthcare-related ransomware attacks
effects of the pandemic, just as we do in the overall 2020 widely reported on in the media? Those attacks tend to grab
ransomware data. But a closer look shows this expected the headlines — and, in most cases, rightfully so — since
outcome playing out in an unexpected way. they were both successful and are critical in nature.

In other threat types, such as malware, IoT malware attacks But unlike government, retail and education, there were no
and encrypted threats, spikes in the overall data usually huge spikes in healthcare ransomware attempts — just a
coincide with spikes in each industry, as they rise and fall widespread, overall increase.
more or less in concert.

The number of attempted ransomware attacks per customer,

however, shows something very different. Instead of across-
the-board increases, we see three distinct instances in The number of ransomware
which one industry peaks, while the others remain nearly or
attempts per customer for
completely inert. No other data set collected in 2020 shows
a pattern quite like this. healthcare jumped 123%
In the case of government and retail, these spikes translated year-over-year.
to overall year-over-year ransomware increases of 21%
and 365%, respectively. But even with a sizable jump in the
number of ransomware attempts per customer in Q4, the
total volume of ransomware targeting education was still
down 14% over 2019’s levels.

2020 Ransomware Attempts Per Customer

900

800

700

600

500
stpmettA

400

300

200

100

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

42 | 2021 SonicWall Cyber Threat Report | Ransomware by Industry

It’s one thing to say that attempted ransomware attacks As ransomware as a whole shows a great deal of increase
are getting more targeted, but industry data gives us an toward the end of the year, we actually see the percentage
opportunity to see this in action — as a relatively high of customers targeted fall throughout the year, with every
number of attempts per customer combined with a relatively industry showing a lower percentage of customers targeted
low percentage of customers targeted tends to indicate in Q4 as in Q1 — the opposite of what we would expect
precisely that. based on the graph of global ransomware volume.

% of Customers Targeted by Ransomware

1.6

1.4

1.2

1
detegraT %

0.8

0.6

0.4

0.2

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

43 | 2021 SonicWall Cyber Threat Report | Ransomware by Industry

 Intrusion Attempts Rise,
Upending Existing Patterns
In 2020, SonicWall Capture Labs threat researchers noted a From that point on, each month saw more hits in 2020 than
slow and (relatively) steady rise in intrusion attempts, marked the same month saw in 2019.
by uniform growth across regions. With every month but But monthly totals for the second half of the year were
January exceeding 2019’s high point, intrusion attempts as a especially concerning: they averaged nearly double their
whole (including low, medium and high severity) for the year 2019 counterparts.
were up an average of 20% overall — with malicious intrusion
September saw numbers once again on the rise — but
attempts (medium and high severity) up 112% overall.
instead of topping out in October and falling off, like they did
While this is itself unremarkable compared with past years, a in 2019, they kept rising, and did so at an increasing pace.
closer look reveals changes in the month-to-month pattern.
This culminated in a December with 422.4 billion intrusion
In 2019, intrusion attempts started the year at roughly 345 attempts, by far the largest number all year. This stands in
billion and then dropped, not again reaching January’s contrast with the 296.2 billion intrusion attempts seen in
heights until October. In 2020, however, we see the yearly December 2019 — that year’s low point.
distribution of attacks take on an entire new character,
It’s important to note that the intrusion attempt data here
possibly as the result of the changes wrought by the
is a combination of three severity types: low, moderate
COVID-19 pandemic.
and high. Low-severity hits generally consist of things like
2020 also started with around 345 billion attacks. But then scanners and pings — these are non-malicious and pose no
they rose, increasing by 14% in February and another 6% in threat to the target.
March, before dipping slightly and then leveling off through
late spring and summer.

Intrusion Attempts by Year

5

4.5

3.5
)snoillirt ni( emuloV

2.5

1.5

0.5

0 1.06 1.68 2.17 2.83 3.05 3.91 3.99 4.77

2013 2014 2015 2016 2017 2018 2019 2020

www.sonicwall.com

44 | 2021 SonicWall Cyber Threat Report | Intrusion Attempts

After removing low-severity intrusions, the behaviors of A lot of this gain came at the expense of server-application
malicious actors — and how these behaviors are changing attacks (whose share fell from 15% to 4% of attacks)
over time — become much clearer. In 2020, Directory and client application attacks (which fell from 16% of
Traversal attacks grew dramatically, going from 21% of total attacks to 5%).
attacks in 2019 to 34% percent in 2020.

2019 Malicious Intrusions

Denial of Service (DoS) 1%

SQL Injection 2%

Remote File Access 3%

Post Infection 3%

Malformed HTTP Traffic +3,220%

8%

Cross-Site Scripting (XSS) 10%

Server Application Attack 15%

Client Application Attack 16%

Directory Traversal 21%

Remote Code Execution (RCE) 21%

2020 Malicious Intrusions

www.sonicwall.com

Server Application Attack 4%

Client Application Attack 5%

SQL Injection 5%

Remote File Access 6%

+3,220%

Cross-Site Scripting (XSS) 15%

Malformed HTTP Traffic 15%

Remote Code Execution (RCE) 16%

Directory Traversal 34%

www.sonicwall.com

45 | 2021 SonicWall Cyber Threat Report | Intrusion Attempts

Top Intrusion Attacks

Directory Traversal
Also known as a path traversal attack, a directory traversal
attack is an exploit that aims to access files and directories
that are not located under the root directory. This is done by
manipulating file variables, so that characters representing Remote File Access
“traverse to parent directory” are passed through to the Remote file access refers to an unauthorized individual
operating system’s file system API. This allows attackers to gaining access to a file meant to be accessed by authorized
obtain sensitive files. individuals only.

Remote Code Execution (RCE) SQL Injection

An RCE attack takes place when a cybercriminal actor uses SQL injections occur when malicious SQL statements are
a vulnerability to run malicious programming code, usually injected into vulnerable applications or websites. This
in an unexpected path and with system-level privileges. The allows attackers to manipulate backend databases and
Bluekeep vulnerability is an example of this. retrieve or alter database information that was not meant to
be accessible, in some cases giving the attacker complete
Malformed HTTP Traffic control over your database.
Malformed HTTP traffic consists of patterns not seen in
legitimate HTTP requests or responses — for example, Client-Application Attack
oversized HTTP headers. Client-application attacks occur when attackers target client
applications directly — for example, memory leaks.
Cross-Site Scripting (XSS)
XSS attacks are client-side code injection attacks that insert
Server-Application Attack
malicious code, most commonly JavaScript, into the script
Server-application attacks include attacks in which a
of legitimate applications or websites. When a user visits
threat actor targets server applications — for example,
these hacked pages or apps, the malicious code is executed,
authentication bypasses.
sending the malicious script to the victim’s browser, with the
ultimate goal of stealing the victim’s information.

46 | 2021 SonicWall Cyber Threat Report | Top Intrusion Attacks

Intrusion Attempts by Region
In 2019, North America had roughly twice as many attacks
as Europe (3.08 billion vs. 1.57 billion). While attacks in North
America rose only slightly in 2020, to 3.99 billion, attacks in
Europe nearly quadrupled, reaching 6.02 billion. This huge
What is an
increase in attacks propelled Europe to the top of the list for Intrusion Attempt?
IPS attacks in 2020. An intrusion attempt is a
security event in which an
2019 Intrusion Attempts by Region intruder, hacker, cybercriminal
or threat actor attempts to gain
Africa 0.99%
Oceania 2.97% access to a system or resource
South America 3.96%
Asia 6.93%
without authorization.

+3,220%

North America 56.44%

Europe 28.71%

2020 Intrusion Attempts by Region www.sonicwall.com

Africa 0.99%
Oceania 0.99%
South America 2.97%
Asia 6.93%

North America 34.65%

+3,220%

Europe 53.47%
^4X In 2020, intrusion attempts in Europe
nearly quadrupled, reaching 6.02 billion.

www.sonicwall.com

47 | 2021 SonicWall Cyber Threat Report | Intrusion Attempts by Region

 Capture ATP and RTDMI:
Better than Ever
In 2004, before SIEM, widespread encryption and the Each year since the introduction of the SonicWall Capture
cloud, few could anticipate threats such as Zeus, Petya Advanced Threat Protection (ATP) sandbox service
and WannaCry — let alone the generation of threats that with Real-Time Deep Memory Inspection™ has brought
would come after. significant increases in the number of threats identified, and
2020 was no exception: the pair found a combined 589,313
If you were SonicWall, however, you’d already seen more
new malware variants.
than a decade of the worst cybercriminals had to offer and
had a good idea of where they were going. That’s why, just In all but three months of 2020, Capture ATP with RTDMI
four years into the new millennium, SonicWall was already found not only more, but significantly more, threats than it
pioneering the use of machine learning for threat analysis. had during the same time in 2019, driving a 34% increase in
the number of new malware variants found.
Today, an evolved form of this early machine learning
technology powers SonicWall’s threat intelligence. And each Of the 589,313 new malware variants found in 2020,
year, this technology grows faster, more vigilant and more 268,362 were detected by SonicWall Real-Time Deep
intelligent, making it progressively better at identifying new Memory Inspection.
malware variants.

‘Nevereoreeen’ Malware Variants Found by RTDMITM

100K

90K 90,966

80K
73,619
70K

60K
56,486

50K
47,291
+3,220%

40K 41,226
39,082 38,458
35,143 35,010
30K
26,900

20K

10K 8,900
3,500
0
Q1 Q2 Q3 Q4

2018 2019 2020

www.sonicwall.com

48 | 2021 SonicWall Cyber Threat Report | Capture ATP and RTDMI

Overall, an unprecedented 74% more never-before-seen What are Capture ATP and RTDMI?
malware variants were identified by RTDMI in 2020 than Introduced in 2016, the SonicWall Capture Advanced Threat
were identified in 2019, which recorded 153,909. Protection (ATP) sandbox service was designed to mitigate
millions of new forms of malware that attempt to circumvent
Patented RTDMI Ready for First traditional network defenses via evasion tactics. It was built
Weaponized Side-Channel Attack
as a multi-engine architecture in order to give the malicious
Researchers and security experts predicted that the first
code different environments to detonate within.
weaponized side-channel attack was still two to three years
away. In March 2021, however, the first side-channel attack To improve the speed and accuracy of determinations,
was discovered against Apple M1 Chips. SonicWall developed Real-Time Deep Memory Inspection, a
patented technology that allows malware to go straight to
SonicWall’s newly patented Real-Time Deep Memory
memory and extract the payload within the 100-nanosecond
Inspection™ (RTDMI) is able to mitigate devastating
window in which it is exposed. Included as part of Capture
side-channel attacks. Patching systems against
ATP, RTDMI™ leverages proprietary memory inspection, CPU
side-channel and memory-based vulnerabilities often
instruction tracking and machine learning capabilities to
requires organizations to update BIOS/firmware and
become increasingly efficient at recognizing and mitigating
software, which are not easy to deploy across large
cyberattacks never seen by anyone in the cybersecurity
workforces or user populations.
industry — including threats that do not exhibit any
malicious behavior and hide their weaponry via encryption.
These are attacks that traditional sandboxes likely missed.
SonicWall Capture ATP Since it can detect malicious code or data in memory and
with RTDMI identifies and in real time during execution, no malicious system behavior
is necessary for detection. In other words, the presence
stops more than 1,600 new of malicious code can be identified prior to any malicious

malware variants each day. behavior taking place, allowing for a quicker verdict.

What is a “Never-Before-Seen” Malware Attack?

SonicWall tracks the detection and mitigation of “never-before-seen” attacks, which are
recorded the first time SonicWall Capture ATP identifies a signature as malicious.
This differs from “zero-day” attacks, which are new or unknown threats that target a
zero-day vulnerability without existing protections, such as patches or updates.
Due to the volume of attacks SonicWall analyzes, however, the discovery of never-
before-seen attacks often closely correlates with zero-day attack patterns.

49 | 2021 SonicWall Cyber Threat Report | Capture ATP and RTDMI

 Faster Identification of malware variants on average an entire day before VirusTotal
‘Never‑Before-Seen’ Malware receives the samples. This extends to 1.81 days for PDF files,
To minimize the damage done by a new threat, it must be 1.9 days for PE files, and 5.4 days for APK files.
identified, analyzed and blocked as quickly as possible.
In some cases (see table below), SonicWall is discovering
That’s why SonicWall Capture Labs threat researchers new threats nearly half a year before samples are submitted.
and engineers are dedicated to increasing the speed and
This is accomplished by leveraging the SonicWall Capture
accuracy with which they identify attacks leveraging never-
ATP with RTDMI. Together, they identify and stop more
before seen malware variants.
than 1,600 new malware variants each day. SonicWall
Based on data from VirusTotal, a market-leading malware immediately deploys signatures for these samples to protect
repository, SonicWall is identifying never-before-seen active customers.

Fast Detection in Action: A Sample of SonicWall’s

Never-Before-Seen Malware Variants
SONICWALL VIRUSTOTAL
TYPE FILE HASH
DETECTION SUBMISSION
PE32
Jan. 28, 2020 July 21, 2020 26a422e8ae54096f64ddf2fabd4d8da550cf74cbdfb43a11cca3353a4109714f
executable (GUI)

PE32
Jan. 29, 2020 July 21, 2020 486d956b449cf689aebeb251b0455b352da7c1191bd9985f65074f376c6fa2bb
executable (GUI)

PE32
March 5, 2020 Aug. 13, 2020 18f35b06a7cf09062a51987819c415b510285491d2d9ad4e244a3dc3cb230a9d
executable (GUI)

PE32
May 20, 2020 Aug. 22, 2020 2a8c6937aa3fd0ace698ad7e12fc2cc354a76bffdae65c5e6182bbc16119e673
executable (GUI)

PE32
Jan. 8, 2020 April 12, 2020 28618c5e0244682e7f98a6b51ccbc9904cef5b32145caadc6a403e2ca9f13967
executable (GUI)

PE32
July 30, 2020 Oct. 13, 2020 029e4e886a3001167319dc2095f47e36881b4f9e600742bf32e2b95a8890b8cb
executable (GUI)

PE32
Feb. 13, 2020 April 17, 2020 18577a4c15b6c78d62be3a4f8086a36313b5dcc44c5a55ac4d78b3691bceaf9d
executable (GUI)

PE32
July 3, 2020 Aug. 13, 2020 0886a52a4f08c32b3e7a75f38345600bc6aa0296c8f7cc1b372e5ed5c7cc78f1
executable (GUI)

PDF June 22, 2020 June 29, 2020 65fac50a84aca7b8ae9102ec1da54c7cda4d7a4cad8e64cfdbc9ba504df7cff4

Composite
Document June 3, 2020 July 5, 2020 e6f6add79b87507658b0a254f2f51fbca3f00b63cdd926f7d9667d94e15b500f
File V2

PE32
March 2, 2020 April 10, 2020 501fcc0cbb3a4057c638d5c3e4d249133f40573295683acae44b07b08b096ba0
executable (GUI)

PDF June 17, 2020 June 29, 2020 793a1e5b017e7275e5193b3a56dc90546832ffe22e1f1d822644b727492c240f

50 | 2021 SonicWall Cyber Threat Report | Capture ATP and RTDMI: Never-Before-Seen Malware
 Malicious Office Files
Overtake Malicious PDFs
In 2019, cybercriminals utilized new malicious Office files On the other hand, PDF files are searchable, can be viewed
and new malicious PDFs in fairly equal number (20% and on any device, are easy to create, and may be encrypted
17% of total malicious files, respectively.) The two filetypes for security, password-protected or digitally signed
went back and forth the entire year, with each spending for authentication.
about six months ahead of the other.

But in 2020, this gap widened significantly. By the end of the

year, the share of new malicious Office files had risen 67%, By the end of 2020, the share
to roughly 1 in 4. In contrast, the share of new malicious PDF of new malicious Office files
files actually fell 22%, to 1 in 10.

Looking at the trend graph for 2020, there’s none of the

increased 67%, to roughly 1 in 4.
volatility of the previous year, and Office files led by a
significant number from September 2019 until November of
Criminals use both file types to spread phishing URLs,
the following year.
embedded malicious files and other exploits. Unlike .exe files,
There are several reasons Office files may have taken such
which used to make up a larger share of total malicious files,
a definitive lead in 2020, but a lot of it likely had to do with
businesses tend not to restrict the ability of Office files or
working from home. In spring 2020, Microsoft announced
PDF files to be sent and received.
its total number of active commercial Office 365 users had
Unfortunately, cybercriminals have gotten better and better
topped 258 million. That’s a lot of Office files flying back
at fooling their targets by imitating trusted individuals and
and forth, making a malicious Office file more likely to blend
businesses. And with malicious PDFs and Office files now
in with legitimate files. As people collaborate at a distance,
able to infect unrelated files on a target’s devices, even
they’re unlikely to see an Office file that appears to come
completely legitimate files from known senders aren’t
from their boss or coworker as being suspicious.
necessarily safe.
2020 New Malicious File Type Detections | Capture ATP
2020 New Malicious File Type Detections | Capture ATP
Other 4.80% PDF 9.92%
Other 4.80% PDF 9.92%

Scripts 22.54%
Scripts 22.54%

Archive 22.37%
Archive 22.37%
+3,220%

+3,220%

Exe 15.50%
Exe 15.50%

Office 24.87%
Office 24.87%

www.sonicwall.com

www.sonicwall.com
51 | 2021 SonicWall Cyber Threat Report | Malicious Office and PDF Files
 Reports of Cryptojacking’s
Death Have Been Greatly
Exaggerated
In March 2019, Coinhive, by far the largest legitimate of 2020 showing an appreciable increase. Defying all reports
cryptocurrency mining operation, shut down. Headlines of its demise, December 2020 had twice the volume as
around the world predicted the subsequent death of December 2019, and wound up being the second-highest
cryptojacking, and indeed, attacks fell 78% between July point since SonicWall began recording cryptojacking.
and Dec. 31 of last year. These unexpected spikes in Q1 and Q4 pushed total
When attacks then tripled between December 2019 and cryptojacking for 2020 to 81.9 million, up 28% from last
March 2020, reaching a three-year high, it seemed like little year’s total of 64.1 million. In fact, Q2 was the only quarter in
more than a swan song — one last cash-out before shifting 2020 that didn’t register an increase over 2019.
to other attack vectors. Last year, Asia had 35.7 million cryptojacking hits, while
After all, Coinhive was (still) dead, with no heir apparent, and North America had 19.4 million. But in 2020, the tables
the number of cryptojacking hits crashed hard in April. When turned, as cryptojacking fell 87% in Asia and rose 260% in
we published our mid-year update to the 2020 SonicWall North America.
Cyber Threat Report, cryptojacking volume was hovering at This reversal is actually the continuation of a
around 20% of that (seemingly) anomalous high-water mark. long-established trend. In 2018, the first year SonicWall
But during the second half of 2020, something curious tracked cryptojacking, North America was third out of four
happened. Cryptojacking pulled out of its stagnation and regions, trailed only by Europe and only recording half of
began to rise, with five of the six months in the second half Asia’s total cryptojacking volume.

2020 Global Cryptojacking Volume

15M

10M
emuloV

5M
567,551,2

369,008,1
240,927,1

003,270,1

949,077
032,637

130,417
606,128,11
781,884,51

540,360,01
094,793

097,483
219,383
117,555,9
738,269,8

443,332,8
928,875,7

259,515,8

908,531,9
272,265,4

778,162,5
925,290,3

023,869,2
551,475,2
730,423,3

489,725,2

072,591,6

789,403,7

865,039,6

143,529,6

220,273,5

022,306,8

483,230,5

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

2018 2019 2020

www.sonicwall.com

52 | 2021 SonicWall Cyber Threat Report | Cryptojacking

What’s Responsible for the Rise? cryptojacking groups can forego the risks of using the more
The data for cryptojacking bears little resemblance to any transparent Bitcoin, and focus their attention on so-called
of the COVID-19 data — that may be a factor, but it doesn’t “privacy currencies” — particularly Monero.
appear to be the driving factor here. And a look at historical Indeed, comparing the graph of cryptojacking with that
Bitcoin data might make it tempting to assume the vagaries of Monero shows a much closer correlation that can be
of the coin market aren’t having much of an impact, either. seen throughout the year — only a week or two removed.
But unlike with ransomware, Bitcoin doesn’t tell the Cryptojacking’s largest fall, between March and April,
real story here. corresponded with a freefall in the price of Monero.
This pattern was also seen in the shared dip in early autumn,
When it comes to ransomware, cybercriminals depend on
and a sustained rise through the end of the year.
people who are often cryptocurrency novices to find, obtain
and remit coin to pay the ransom. While Bitcoin isn’t as
The Fall of Browser-Based Cryptojacking
anonymous as other forms of cryptocurrency, this additional
Coinhive started as a legitimate way for websites to earn
level of risk is justified by the fact that using Bitcoin is easier
revenue without showing ads. Coinhive-enabled websites
and more palatable for ransomware marks.
allocated a small portion of visitors’ processing power to
But cryptojacking, also known as malicious mining, legitimately mine cryptocurrency.
makes its money in the shadows. The process starts
Unfortunately, attackers instead used this technology to
when cybercriminals install malicious programs on
infect a large number of websites with Coinhive scripts,
target computers without the user’s knowledge, allowing
using the processing power of unsuspecting victims to
them to harness the victim’s processing power to
surreptitiously mine cryptocurrency for themselves.
mine cryptocurrency.
While cryptojacking wasn’t directly implicated in Coinhive’s
This can be done through fileless malware, through a website
decision to shutter (operators cited the drop in hash rate and
with a mining script embedded in the browser, and more. By
an 85% depreciation in the price of Monero), the shuttering
mining cryptocurrency directly rather than demanding it,
of Coinhive was expected to kill cryptojacking.

Global Coinhive Hits

20M

15M
emuloV

10M

5M

738,202
0 20,944,900 16,399,701 1,876,735 1,178,864 4,231,111 1,317,494 1,626,955
Q1 Q2 Q3 Q4

2019 2020

www.sonicwall.com

53 | 2021 SonicWall Cyber Threat Report | Cryptojacking

This prediction wasn’t entirely wrong: the closing of Coinhive concealment; low and indirect damage to victims reduces
did succeed in helping lower the amount of browser-based chances of exposure and extends the valuable lifespan of a
cryptojacking (though internet browsers that check for successful attack.”
cryptojacking-related JavaScript files also deserve some Unfortunately, this prediction has come true, as we’ve seen
of the credit.) a drastic rise in file-based cryptojacking, which works by
A good example of what’s happened to browser-based compromising a device in order to download and deploy
malware can be seen in the trends of Coinhive signatures payloads designed to mine cryptocurrency.
themselves. In 2019, there were 39.8 million Coinhive hits, While the easy-money era of Coinhive was over and a new
37.3 million (94%) of which occurred in Q1. era of browser crackdowns had dawned, cryptocurrency
In 2020, there were 8.5 million Coinhive hits all year, a 79% prices were still rising and cybercriminals still
year-over-year drop (though, paradoxically, the second half wanted to cash in.
of 2020 finished with more hits than second half of 2019.) So they began increasingly turning to file-based
cryptojacking such as XMRig, an open-source cross-
And the Rise of File-Based Cryptojacking
platform miner. XMRig, whose name is a play on the symbol
As mentioned before, the death of cryptojacking was
for Monero, “XMR,” is dropped on the victim’s machine
widely predicted from the moment Coinhive announced it
by a number of different types of malware, like Vivin and
would be ceasing operations. However, as early as the 2019
BlueMockingbird.
SonicWall Cyber Threat Report, which was released just a
couple months after the February announcement, SonicWall XMRig signatures hit an all-time high in Q1, reaching 29.6
Capture Labs threat researchers predicted there would “still million and almost singlehandedly accounting for the spike
be a surge in new cryptojacking variants and techniques to in overall cryptojacking we see in March. In the second
fill the void.” quarter, XMRig hits fell to roughly a fourth of that total
(handily accounting for the mid-spring drop.) XMRig hits rose
Cryptojacking, the report noted, “could still become
to nearly 12 million in Q3, and remained more or less steady
a favorite method for malicious actors because of its
through Q4 (11,742,081).

Global XMRig Hits

30M

20M
emuloV

10M

0 7,036,594 29,623,694 6,087,862 7,277,806 2,819,517 11,967,968 6,220,728 20,295,327

Q1 Q2 Q3 Q4

2019 2020

www.sonicwall.com

54 | 2021 SonicWall Cyber Threat Report | Cryptojacking

Top Cryptojacking Signatures
2019 2020

Coinhive.JS_2 35,702,439 Coinhive.JS_2 77,585,213

XMRig.XMR_11 7,619,428 XMRig.XMR_11 43,243,304

XMRig.XMR_3 5,710,905 XMRig.XMR_3 15,481,435

CoinHive.JS 4,505,299 XMRig.XMR_4 10,065,366

XMRig.XMR_4 2,457,058 CoinHive.JS 6,814,769

XMRig.XMR_8 2,259,016 CoinMiner.OF_3 6,413,194

Minerd.LC 949,848 BitCoinMiner.CA 5,672,621

BitMiner.KJ_2 877,284 CoinMiner.IA 3,425,952

XmrMiner.A 174,438 XMRig.XMR_8 3,015,872

CoinMiner.A_30 128,117 CoinMiner.C_4 1,965,274

The Crushing Cost of There’s also the loss of productivity due to diverted
Cryptocurrency resources, potential damage to systems, and risk of data
In the beginning, mining compromise and other security dangers.
cryptocurrency was accessible to
Unfortunately, unlike with other forms of malware,
anyone with a decent rig. But after a
cryptojacking can take place entirely in secret — meaning
while, mining became complex enough
these costs can compound for a significant amount of time
that even those with top-of-the-line PCs and high-end
without the victim becoming aware.
processors had trouble making much money.

But as cybercriminals soon discovered, the costs of Gamers Vs. Miners: The Other
cryptomining become much less of a drawback when they’re Battle for Resources
borne by someone else. In early February, NVIDIA released its GeForce RTX 3060,
a highly anticipated GPU (graphics processing unit) that
And there are actually a number of costs associated with
touted unprecedented performance for its price point.
the illegal mining of cryptocurrency. First of all, there are
While gamers flocked to retailers to purchase the card, they
the enormous energy bills: Mining Bitcoin alone uses up
soon found themselves in competition with cryptominers,
the energy equivalent of a country of more than 200 million
who had discovered it could be programmed to mine
people, or seven nuclear power plants worth of power.
cryptocurrency, particularly Ethereum.

55 | 2021 SonicWall Cyber Threat Report | Cryptojacking

To help ease the shortage and ensure the card found its way Cryptojacking Attempts by Industry
into the hands of its intended market (i.e., gamers), NVIDIA As previously noted, Cryptojacking is up, but within this
took two drastic steps. First, it modified the software to category lay a lot of variation.
detect the Ethereum mining algorithm. If identified, the
Large year-over-year decreases were recorded for
card would limit the hash rate by roughly half, making
government and retail (68% and 67% respectively).
the GPU much less desirable to miners while maintaining
Education saw an even larger change, but in the other
performance for gaming and other applications.
direction, with 110% more attempts per person than
At the same time, NVIDIA announced the introduction of in 2019 — a figure fueled almost entirely by spikes in
NVIDIA CMP, or Cryptocurrency Mining processor, designed June and October.
specifically to mine Ethereum. These cards feature the
improved airflow and lower peak core voltage and frequency
that miners look for in a card — and because these
improvements were made possible by eliminating the card’s Healthcare saw an astounding
graphics component, there’s no worry that gamers will turn 1,391% increase in numbers of
around and monopolize the CMP market.
attempted attacks per customer.

2020 Cryptojacking Attempts Per Customer

100

90

80

70

60
stpmettA

50

40

30

20

10

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

56 | 2021 SonicWall Cyber Threat Report | Cryptojacking Attempts by Industry

The data for the percentage of customers in a given industry This suggests that the increases in total cryptojacking
targeted by cryptojacking shows an odd phenomenon: while volume were fueled almost entirely by an increase in the
cryptojacking as a whole peaked in late Q1 and late Q4, these number of attempted attacks, rather than the number of
are precisely the periods in which we see the percentage of targets — and were driven by industries not examined in the
customers targeted contracting. scope of this report.

% of Customers Targeted by Cryptojacking

1

0.9

0.8

0.7

0.6
detegraT %

0.5

0.4

0.3

0.2

0.1

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

57 | 2021 SonicWall Cyber Threat Report | Cryptojacking Attempts by Industry

 IoT Malware
Attacks Skyrocket
When the COVID-19 pandemic struck, work went home — This anomalous behavior persisted into Q2, as the summer
and cybercriminals followed, propelling IoT malware attacks spike exhibited in 2018 and 2019 never arrived. Instead,
to new heights. While IoT malware attacks have been rising we see a trough in the data, with its low point in July — the
since SonicWall began tracking them in 2017, in 2020 they month that in previous years has been a high-water mark.
skyrocketed, based on a number of factors, including the use This may be due to the reopening efforts that began in
of compromised home IoT devices for personal gain. early summer — as employees sporadically headed back
In 2019, SonicWall Capture Labs threat researchers to the office, the amount of time they spent connected
recorded 34.3 million IoT malware attacks. In 2020, that to the corporate network from home would fall, perhaps
number rose to 56.9 million, a 66% increase. driving cybercriminals back to other, more sure ways
of making money.
The circumstances surrounding the pandemic did more
than add to the total, however. They also upended some But in fall, two things happened: COVID-19 cases began
longstanding trends. In 2017, 2018 and 2019, IoT malware rising more rapidly, and children returned to school, both
attacks dropped from January to February. 2020 bucked of which may have brought more employees back home.
this trend, however, as February’s numbers marked a climb Suddenly, cybercriminals had two options to exploit — the
that would persist until April. Rather than occurring in corporate network, and that of any schools or universities
February, 2020’s dip occurred two months later, as April’s that were also connected to through that network.
totals fell to 2.1 million, roughly half the 4.0 million attacks IoT attacks generally reach their highest point in fall, as can
recorded in January. be seen in 2017 and 2018 data; 2020 was no different.

2020 Global IoT Malware Volume

10,828,141

10M

8M
7,466,353

6,824,073
emuloV

6,241,519
6M 5,922,565

4,722,073

4M 4,032,267 4,045,222
3,734,883 3,841,404
3,473,299 3,544,283
3,028,701
2,842,618 2,878,788
2,529,981
2M 1,996,995 1,911,338 1,907,340 1,774,276 1,633,436
1,271,285

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

2019 2020

www.sonicwall.com

58 | 2021 SonicWall Cyber Threat Report | IoT Malware Attacks

But with attack levels in 2020 already much higher, October’s
spike set a new record. During that month, there were 10.8
million IoT malware attacks — more than the October totals
for 2018 and 2019 put together. Even more shockingly, this
number is higher than the number of IoT malware attacks
SonicWall recorded for the entirety of 2017.

IoT Malware by Region: Europe Sees a Boom,

North America Sees an Explosion
IoT attacks rose in every region in 2020, but it wasn’t an
even rise. Asia saw an increase of 18%, slightly edging out
^17% In Africa, Australia and South America,
Africa, Australia and South America, where IoT malware IoT malware attacks increased 17%
attacks increased 17%. In Europe, attacks increased an
alarming 48% — but that was nowhere near the increase
recorded in North America, where IoT malware attacks rose a
staggering 152%.

Oddly enough, given this inconsistency, three out of four

regions recoded their highest month in October, including
North America, Europe and Asia — where October’s
numbers were more than double the average for the rest
of the year, and largely drove the region’s more modest
year-over-year increase.

^18% IoT malware attacks in Asia

increased by 18%

^48% IoT malware attacks in Europe

increased by 48% ^152% IoT malware attacks in North America
increased by 152%

59 | 2021 SonicWall Cyber Threat Report | IoT Malware Attacks

More Devices, Greater Reward … Same Security Until recently, IoT attacks have generally been thought of
While the spike in IoT attacks is alarming, it isn’t surprising, as “low risk, low reward.” Sure, it isn’t hard to hack into an
for a number of reasons. For starters, there’s never been individual’s internet-enabled coffeemaker. But aside from
more IoT devices to target. According to Security Today, knowing how and when you enjoy your brew, what would
from 2018 through 2020, the number of devices jumped from there be to gain? Even if they used that as a back door into
7 billion to 31 billion, with an average of 127 new devices your home computer, the potential financial gains are likely
coming online every second. to be minuscule even compared to other forms of attacks on
private individuals (e.g., ransomware, cryptojacking, social
By the end of 2020, IoT technology was projected to be
engineering) — let alone attacks on large organizations.
present in the designs of 95% of new electronics products.
And over the next five years, the number of connected But when the COVID-19 pandemic forced offices to close,
devices is forecasted to climb to 41.6 billion and generate it changed this calculus completely. According to Gallup,
a mind-boggling 79.4 zettabytes (ZB) of data (for reference, by April the remote workforce jumped from 7% to 62%. As
the entirety of the World Wide Web, as it existed in 2009, was people began accessing corporate networks from their
estimated to be less than half of one ZB.) often unsecure home network — which also connected to
countless, often unsecure devices — cybercriminals began
seeing attacks on home networks less as small potatoes,
and more as the whole enchilada.
And while the variety and But even as vaccine efforts have begun to turn the tide in the
complexity of IoT devices grows, fight against COVID-19, experts are predicting remote work
is here to stay. If this holds true — particularly if the number
there’s one area that remains of poorly secured IoT devices continues to increase — we
largely ignored: the means are likely to continue seeing elevated rates of IoT attacks
into 2021 and beyond.
by which to secure them.

There is still no standard for securing IoT devices —

meaning that companies are free to make them as secure
or unsecure as they want, though this is beginning to
change (see page 62).

Many times, particularly with lower-cost items, security is

scant or nonexistent to save money on manufacturing. Even
when this isn’t the case, if vulnerabilities are discovered, in
many cases updates to address them are never pushed
out, leaving these devices open to exploitation for their
entire lifespan.

But the growth in IoT devices has been ongoing for years, in
a fairly predictable manner. And we’ve been talking about
the need for greater IoT security for over a decade and a half
now. So why would attacks suddenly spike in 2020?

As with a lot of what has happened in cybersecurity in 2020,

you can thank COVID-19.

60 | 2021 SonicWall Cyber Threat Report | IoT Malware Attacks

The Tempest in Your (Wi-Fi Enabled) Teapot
In 2020, SonicWall Capture Labs threat researchers
identified 72 new signatures associated with IoT threats.
Here are the top 15:

SIGNATURE NAME HITS IoT DEVICE TYPE

NETGEAR DGN Devices Remote Command Execution 2 19,081,149 Router

D-Link HNAP Request Buffer Overflow 16,517,156 Router

NETGEAR DGN Devices Remote Command Execution 5,889,012 Router

Cisco RV320 and RV325 Information Disclosure 4,188,984 Router

NVMS-9000 Digital Video Recorder Remote Code Execution 3,173,477 DVR/NVR

Dasan GPON Routers Command Injection 2,758,616 Router

D-Link DSL-2750B Remote Code Execution 1,498,603 Router

Vacron NVR Remote Command Execution 1,002,542 Camera

ZyXEL Products Command Execution (CVE-2017-18368) 645,793 Camera

Hikvision IP Cameras Authentication Bypass 523,828 Camera

Netlink GPON Router Remote Command Execution 344,079 Router

Wireless IP Camera (P2P) WIFICAM Authentication Bypass 1 308,853 Camera

Avtech IP Camera Command Injection 1 285,407 Camera

NUUO NVRMini2 Authenticated Command Injection 265,905 DVR/NVR

Linksys Smart Wi-fi Information Disclosure 222,150 Router

While IoT technology has continued to expand into new However, despite the longstanding tendency to not change
device categories, including socks, cookware and even router passwords from factory defaults, routers still have
toilets, routers are still at the top of the list when it comes to stronger security protection than other IoT devices, such as
attack targets. This is because routers are mostly internet IP cameras or home automation devices.
accessible, compared to other devices that either are not For example, once exploited, IoT devices, such as
directly accessible on the internet, or sit behind the VPN. cameras, could be leveraged to form massive malicious
Routers also have relatively static IP addresses, putting botnets to launch DDoS attacks against larger companies
them at risk for consistent attacks. or organizations.

61 | 2021 SonicWall Cyber Threat Report | IoT Malware Attacks

A Year in IoT Malware Attacks

Linear eMerge E3 Access Controller

Actively Being Exploited
While Nortek Security and Control’s Liner eMerge E3
Ripple Vulnerability affecting
access controller is generally used to control access to
millions of IoT Devices
A TCP/IP library released in 1997, which has been used
designated places based on identity and time of day, remote
ever since to allow software and devices to connect to the
unauthenticated attackers can exploit it to alter or corrupt
internet, was found to contain 19 vulnerabilities, including
databases, steal records, launch DDoS attacks or even
some that are highly dangerous and could result in hackers
compromise other parts of the housing infrastructure. This
remotely taking over affected systems. Using the CVSSv3
access may be retained even after the vulnerability is fixed.
vulnerability severity scale, the Department of Homeland
Security has assigned two of these vulnerabilities a 10/10
BlueKeep Flaw Plagues Outdated rating, and a further two a 9.8/10.
Connected Medical Devices
While patches for the BlueKeep vulnerability were released
in early 2019, researchers discovered that, due to running
Attackers Actively Targeting Tenda
outdated versions of Windows, roughly half of an average
Wi-Fi Router Vulnerability
The SonicWall Capture Labs threat research team
hospital’s medical devices are still vulnerable.
observed attackers exploiting the arbitrary remote code
execution vulnerability reported in TENDA AC15 router. The
Your Philips Hue Light Bulbs Can Still vulnerability can result in attackers exploiting it to allow
Be Hacked — And Until Recently, arbitrary code execution. When the usb.sh command is
Compromise Your Network executed, it downloads payloads from the attacker server
An update was thought to have addressed the vulnerability
and executes them one by one.
in the firmware of Phillips Hue bulbs, but the actual bulbs
may still be at risk from anybody with a laptop and an
antenna — ­even as far as 300 feet away.
Attackers Actively Targeting
Vulnerable AVTECH Devices
Researchers observed attacks exploiting old vulnerabilities
Hackers Actively Exploit Zero-Day in AVTECH devices. By exploiting this issue, attackers can
in CCTV Camera Hardware execute any system command with root privileges without
Injection vulnerabilities in commercial DVRs manufactured
authentication. By exploiting another, attackers can execute
by LILIN were exploited by hackers, who then deployed
arbitrary system commands with root privileges. Both of
malware on the devices to execute Chalubo, Moobot
these exploits connect to malicious domains and download
and FBot botnets.
a shell script, which is used to change file permissions and
connect to the attacker-controlled server to download more
Hackers Actively Targeting Remote Code malicious files.
Execution Vulnerability on Zyxel Devices
Researchers observed attackers targeting Zyxel Network
Attackers Actively Targeting Vulnerable
Attached Storage (NAS) and firewall products affected by a
Dasan GPON Home Routers
remote code execution vulnerability. By sending a specially
The SonicWall Capture Labs threat researchers also
crafted HTTP POST or GET request to a vulnerable ZyXEL
observed attackers exploiting old vulnerabilities in Dasan
device, a remote, unauthenticated attacker may be able to
GPON home routers. One allows attackers to bypass
execute arbitrary code with root privileges on the device.
authentication simply by appending “?images” to any URL
of the device that requires authentication. The other can be
Netgear Zero-Day Allows Full Takeover used to inject and execute commands that can download
of Dozens of Router Models and execute malicious executables.
79 models (and 758 firmware versions) of Netgear routers are
discovered to be vulnerable to a flaw that allows attackers to
bypass authentication and gain root privileges.

62 | 2021 SonicWall Cyber Threat Report | A Year in IoT Malware Attacks

A New Tool in the Fight Against UNITED STATES
IoT Attacks: Legislation On January 1, 2020, the first IoT security law in the U.S., the
The abundance of IoT devices — combined with the ease of California Internet of Things Security Law, went into effect.
exploitation and ever-increasing rewards for doing so — has It requires that all connected devices sold in the state have
created something of a Wild West atmosphere for attackers. “reasonable” and appropriate security measures, such as
But there are a number of new regulations dedicated to a preprogrammed password unique to each device and
bringing this era of lawlessness to a close. extra layers of authentication when accessing a device for
the first time.
EUROPE
At the end of June, the European Telecommunications
Standards Institute, the organization responsible for
the standardization of information and communications In December, the IoT
technologies, released a new cybersecurity standard
for IoT devices.
Cybersecurity Improvement
Developed in collaboration with governments, academic Act of 2020 was signed into
institutions and industries, ETSI EN 303 645 is intended to
curb the epidemic of attacks resulting from criminals gaining
law. Under the legislation, the
control of these devices. National Institute of Standards
These standards will apply to connected children’s toys and and Technology (NIST) will
baby monitors, door locks, smart cameras and TVs, health
trackers, smart appliances, home assistants and more. The issue standards for IoT devices
label has already been awarded to a number of products that
owned or controlled by federal
merit these standards.
agencies. NIST will also work
with cybersecurity researchers,
industry experts and the
Department of Homeland
Security to publish guidelines
on federal IoT security.

New IoT devices purchased by the federal government must

comply with the new NIST standards. Contractors will also
be required to comply with the standards, and agencies
must confirm compliance before obtaining an IoT device
from a contractor.

63 | 2021 SonicWall Cyber Threat Report | IoT Malware Attacks

IoT Malware Attacks by Industry This suggests that, while cybercriminals were clearly working
Compared to other threat vectors, the industry-specific harder in October, their energies were focused on doubling
data for attempted IoT malware attacks per customer is down on existing targets, rather than seeking out new ones.
fairly straightforward. The dip in April, spike in October and Alternatively, it could also indicate that, while there might
dropoff at the end of the year that we see in the overall IoT be more devices behind each firewall, they are often
malware data are also visible here, and, particularly after Q1, on the same network and therefore wouldn’t increase
the industries generally trend in sync with one another. the percentage of customers targeted — just the
In October, every single industry — as well as the overall number of targets.
per-customer average — had the highest number of attacks Looking at the data for percentage of customers targeted
per customer it would see all year. Those working in the by IoT malware attacks suggests that these threat actors
education industry were hit the hardest, with an average of are nothing if not creatures of habit. We see none of the
71 IoT malware attempts a month. sharp peaks and valleys and none of the crisscrossing as
But while October stands out for having the highest one industry falls out of favor with attackers and another
number of IoT malware attempts per customer, we comes into vogue.
don’t see a corresponding spike in the percentage of
customers targeted. In fact, across industries, October
marked the beginning of a decrease in the percentage of
customers targeted.

2020 IoT Malware Attempts Per Customer

80

70

60

50
stpmettA

40

30

20

10

0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

64 | 2021 SonicWall Cyber Threat Report | IoT Malware Attacks by Industry

 % of Customers Targeted by IoT Malware
16

15

14

13

12

11
detegraT %

10

4
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Overall Government Education Healthcare Retail

www.sonicwall.com

65 | 2021 SonicWall Cyber Threat Report | IoT Malware Attacks by Industry

 Attacks on Non-Standard
Ports Reach All-Time High
In 2020, SonicWall Capture Labs threat researchers saw the SMTP uses port 25. A service using a port other than the one
percentage of attacks across non-standard ports grow from assigned to it by default, usually as defined by the IANA port
2019’s 13% to 25% in 2020. numbers registry, is using a nonstandard port.

In July, 46% of all malware attacks came via non-standard There is nothing inherently wrong with using non-standard
ports — the highest level since SonicWall began tracking ports. But traditional proxy-based firewalls typically focus
these attacks. The volume of non-standard port attacks in their protection on traffic going through the standard ports.
July exceeded those of the two highest months in 2019 — Because there are so many ports to monitor, these
themselves record-breaking — put together. legacy firewalls can’t mitigate attacks over non-standard
The percentages for Q3 and Q4 were down slightly from the ports. Cybercriminals are well aware of this and target
highs we saw at midyear, but not much — they still managed non-standard ports to increase the chances their payloads
to tie one another for second-highest quarter of all time, can be deployed undetected.
a sure sign that nonstandard port attacks aren’t going New firewalls that are capable of analyzing specific artifacts
away anytime soon. (as opposed to all traffic) can detect these attacks. But until
the number of organizations deploying these more advanced
What is a Non-Standard Port Attack?
solutions rises considerably, we’re likely to see a continued
While there are more than 40,000 registered ports, only a
increase in these sorts of attacks.
handful are commonly used. They are the ‘standard’ ports.
For example, HTTP uses port 80, HTTPS uses port 443 and

2019-2020 Global Malware Attacks

100%

90%

80%

70%

60%

50%

40%

30%
75%
78% 77% 77%
20% 81%
83%

10% 89% 89%

0% 11% 19% 17% 11% 22% 25% 23% 23%

Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4

Non-Standard Ports Standard Ports

www.sonicwall.com

66 | 2021 SonicWall Cyber Threat Report | Non-Standard Ports

 CONCLUSION

Cybersecurity in a
Post-Pandemic World
2020 taught the world more about cybersecurity than
perhaps any year before it. While we don’t know yet how
many of those lessons will be generalizable to a time when
COVID-19 is no longer seen as a clear and present danger,
what we do know is that the fundamentals of cybersecurity
will continue on as they always have:

The cybersecurity business gap will continue to grow over

time. Threats will become more evasive, and skilled staff
will only get harder to find. Businesses will ultimately be
faced with two options: Bridge the gap, or fall in.

While knowledge, such as that found in this 2021 SonicWall

Cyber Threat Report, can help fill some of the voids, to truly
protect yourself in tomorrow’s threat landscape, you’ll need
a new way of looking at cybersecurity — and solutions that
can detect and prevent even the most advanced threats.

At SonicWall, we’re dedicated

to providing industry-proven solutions at a lower
total cost of ownership — allowing you to know the
unknown, and unify visibility and control for less.
Plus, every solution we sell is backed by our team
and partners, who make it their mission to exceed
your business and security objectives.
To learn more, visit sonicwall.com

67 | 2021 SonicWall Cyber Threat Report | Conclusion

 ABOUT THE SONICWALL
CAPTURE LABS THREAT NETWORK

1.1m+
Intelligence for the 2021 SonicWall Cyber Threat Report
was sourced from real-world data gathered by the
SonicWall Capture Threat Network, which securely monitors
and collects information from global devices including:

• More than 1.1 million security sensors in 215 countries Global Sensors

and territories

215+
• Cross-vector, threat related information shared among
SonicWall security systems, including firewalls, email
security devices, endpoint security solutions, honeypots,
content filtering systems and the SonicWall Capture
Advanced Threat Protection (ATP) multi-engine sandbox Countries & Territories

• SonicWall internal malware analysis

24x7x365
automation framework

• Malware and IP reputation data from tens of thousands of

firewalls and email security devices around the globe

• Shared threat intelligence from more than 50 industry

Monitoring
collaboration groups and research organizations

<24hrs
• Analysis from freelance security researchers

Threat Response

140k+
Malware Samples Collected Daily

28m+
Malware Attacks Blocked Daily

68 | 2021 SonicWall Cyber Threat Report | About the SonicWall Capture Labs Threat Network
 FEATURED THREAT
RESEARCHERS

Terry He Rhoda-Mae Aronce Lalith Dampanaboina

Director Senior Engineer Principal Engineer
Software Engineering Software Development Software Development

Justin Jose Michael King Edward Cohen

Senior Manager Senior Engineer Vice President
Software Engineering Software Development Strategy & Operations

69 | 2021 SonicWall Cyber Threat Report | Featured Threat Researchers

 © 2021 SonicWall Inc. ALL RIGHTS RESERVED.

SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A.
and/or other countries. All other trademarks and registered trademarks are property of their
respective owners. The information in this document is provided in connection with SonicWall Inc. and/
or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual
property right is granted by this document or in connection with the sale of SonicWall products.

The materials and information contained in this document, including, but not limited to, the text,
graphics, photographs, artwork, icons, images, logos, downloads, data and compilations, belong to
SonicWall or the original creator and is protected by applicable law, including, but not limited to, United
States and international copyright law and regulations.

EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT
FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER
AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/
OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL
OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS,
BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO
USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy
or completeness of the contents of this document and reserves the right to make changes to
specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates
do not make any commitment to update the information contained in this document. If you have any
questions regarding your potential use of this material, contact:

SonicWall Inc.
1033 McCarthy Boulevard
Milpitas, CA 95035
Refer to our website for additional information.
www.sonicwall.com

About SonicWall
SonicWall delivers Boundless Cybersecurity for the hyper‑distributed era and a work reality where everyone is remote,
mobile and unsecure. By knowing the unknown, providing real-time visibility and enabling breakthrough economics,
SonicWall closes the cybersecurity business gap for enterprises, governments and SMBs worldwide. For more information,
visit www.sonicwall.com or follow us on Twitter, LinkedIn, Facebook and Instagram.

SonicWall, Inc.
1033 McCarthy Boulevard | Milpitas, CA 95035

As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data cleansing, changes in data sources and
consolidation of threat feeds. Figures published in previous reports may have been adjusted across different time periods, regions or industries.

2021-SonicWall-Cyber-Threat-Report-3599