“…well, of course!” This is exactly what you may think. This is a biological danger, how can it impact digital assets?
But hang on. This pandemic, among other things, has caused a major shift in many technological areas. It forced many organizations, which were previously reluctant, to get digital.
It also made remote working (and the involved tools) grow in double-digits, causing the good old perimeter (which was already in a questionable state due to cloud adaption) to be basically shattered. The office is now anywhere. Access to data must be available everywhere, too.
Keeping all of this in mind, the general assumption was that in the wake of the pandemic we would face a virtual nightmare with vulnerable users, compromised corporate networks en masse and the end of the (digital) world. But let’s look at some interesting numbers of what actually happened.
Are hackers locked down too?
Let us take a look at how many droppers were observed in MDR data, and compare that with data on COVID lockdown intensity over time. Droppers are a useful indicator of malicious activity, as they are often a sign of the early stages of an attack, which we attempt to stop from getting any further.
The COVID stringency index reflected in the bar chart comes to us from Oxford University and is a composite measure based on nine response indicators, including school closures, workplace closures, and travel bans, rescaled to a value from 0 to 100. In other words, the closer the bar is to 100, the more severe the restrictions at that time. We’ve averaged the indices for the Nordics, Benelux, Germany, France, the UK and South Africa, which represent the bulk of our operational area.
It’s also interesting to correlate the data we have from our Threat Detection services with the data we have from observing cyber extortion ‘leak sites’ (which we have already written about earlier).
Several observations emerge from an examination of the charts above:
We observe a distinctive decrease in confirmed downloader activity in the months of November and December 2020 after the Trickbot botnet was taken down by law enforcement, and in January and February 2021, directly after Emotet was taken down. After those two events, downloader activity increases steadily until peaking over the European vacation period in July.
It appears that there is a loose connection between downloaders, which sit at the beginning of the cyber kill chain, and ransomware activity, which sits at its end. That’s what you would expect.
Downloader and ransomware activity both increase during major holidays – Easter and Midsummer. We don’t see such a spike over Christmas 2020, but that might be because of the disruptive impact of the Trickbot and Emotet takedowns we alluded to earlier.
In general there seems to be an inverse correlation between the severity of COVID lockdowns and the volume of downloader activity: the more stringent the lockdowns, the less of this activity we see. This general observation appears to hold for other forms of malware activity as well. As we had already observed in earlier research, this runs contrary to the prevailing narrative that attacks increase when users are working from home.
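The inverse correlation described above can be checked numerically. The following is an added example, not code from the article: it averages a per-region stringency index the way the text describes, then correlates the monthly average with downloader detections. All figures are constructed for illustration, not the Oxford or MDR data, and the `exclude` parameter is a hypothetical way to leave out months distorted by takedowns.

```python
"""Constructed example: lockdown stringency vs. downloader detections."""
from statistics import mean, pstdev

# Constructed monthly stringency indices (0-100) per region; NOT the Oxford dataset.
STRINGENCY = {
    "Nordics": [40, 50, 60, 70, 80, 60],
    "Benelux": [50, 60, 70, 80, 90, 70],
    "Germany": [45, 55, 65, 75, 85, 65],
}

# Constructed monthly downloader detection counts (hypothetical MDR figures).
DOWNLOADERS = [100, 95, 80, 70, 55, 85]


def average_stringency(per_region):
    """Average the index across regions, month by month (as the article does)."""
    return [mean(month) for month in zip(*per_region.values())]


def pearson(xs, ys, exclude=()):
    """Pearson correlation of two equal-length series.

    Months listed in `exclude` (0-based indices) are dropped first, e.g. months
    where a botnet takedown rather than user behaviour drove the volume.
    """
    pairs = [(x, y) for i, (x, y) in enumerate(zip(xs, ys)) if i not in exclude]
    xs, ys = [p[0] for p in pairs], [p[1] for p in pairs]
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)
    return cov / (pstdev(xs) * pstdev(ys))


def lockdown_vs_downloaders(exclude=()):
    """Correlation between averaged stringency and downloader counts."""
    return pearson(average_stringency(STRINGENCY), DOWNLOADERS, exclude)


if __name__ == "__main__":
    print("average stringency:", average_stringency(STRINGENCY))
    print("correlation r:", round(lockdown_vs_downloaders(), 3))
```

A strongly negative r on real monthly data would support the inverse relationship; the constructed series here gives roughly -0.98.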
It takes two to make a compromise
The conclusion here appears to be, therefore, that the volume trends and patterns in malware activity are overwhelmingly influenced by the patterns and behaviors of the potential victims, not by the choices of the attacker. The exception may be vacation periods, where it appears that attackers step up their activity.
Law enforcement activity has a notable impact, but this appears to be short-lived, because new actors and new tools tend to pop up after another one is taken down or some of its members are arrested.
So, the final diagnosis? The final diagnosis is that COVID did not reach digital. At least not in the fatal way that was predicted. This is some great news.
This is just another excerpt of the analysis. More details, such as the distribution of incidents and malware across industries and business sizes (as well as a ton of other interesting research topics), can be found in the Security Navigator. It’s available for download on the Orange Cyberdefense website, so have a look. It’s worth it!
Note — This article was written and contributed by Diana Selck-Paulsson, Lead Security Researcher at Orange Cyberdefense.