G DATA threat report: Number of cyber attacks increases significantly in the first quarter


The current threat analysis by G DATA CyberDefense shows that the number of attacks prevented in March 2020 has increased significantly. The cyber defence company averted almost a third more attacks than in February.

Tim Berghoff

Cyber criminals are quick to sense any opportunity to exploit people's insecurity. They are using well-known and very effective attack vectors to do so, deploying ransomware and encrypting data to demand ransom money. Users should exercise extreme caution if they find an email in their mailbox promising new coronavirus trackers or cheap protective masks, for example”.

Tim Berghoff

Security Evangelist at G DATA CyberDefense

The G DATA CyberDefense threat analysis shows that the number of infections prevented in March 2020 increased by about 30 percent compared to the previous month. And the increase among private users was even higher - the number of averted attacks rose by 46 percent. This enormous growth is also related to the fact that people are spending more time at home and are using private devices online more often, for instance to check the latest news or to order goods in online shops. Private computers are often less well secured than computers in corporate networks.

Cyber criminals are using various ways to exploit the current uncertainty caused by the coronavirus crisis. For example, they are luring people to fake websites or apps relating to coronavirus; these then can install ransomware and lock up the computer. Alternatively, the fraudsters create fake coronavirus emergency assistance websites or apps in order to access personal data such as bank account details and use them for their own fraudulent purposes.

The scattergun approach has had its day

A closer look at the data in our analysis shows that the criminals’ attack methods and tricks have become established. A large proportion of the malware has been in use for several years, but it can still carry out its destructive work because criminals use packers to make it unrecognisable. However, the attackers' targets have shifted - away from private customers to companies. At the same time, they choose their victims carefully in order to maximise their profits.

Companies have therefore become an attractive target for criminals, especially in the current coronavirus pandemic. Since many companies are currently struggling with economic difficulties, the risk of suffering huge financial damage in the event of a ransomware attack rises significantly. After all, it is precisely now that ransom demands have the potential to drive a company to ruin. On top of that, the switch to the home office has increased the complexity of networks in many companies. However, security has not grown to the same extent, especially where the terminal server or sharepoint is freely available on the Internet to ensure business continuity.

The age of large-scale attacks like Wannacry or NotPetya seems to be a thing of the past. Just how devious cyber criminals can be is demonstrated by the attacks by Emotet, the attackers' all-purpose weapon. Recently, not only companies but even public authorities have fallen victim to an Emotet attack. Public administrations not only have valuable –data – usually personal data of citizens - but often also have outdated and poorly secured networks as well. This makes life easy for the attackers.

At the beginning of the coronavirus crisis, smaller corporate IT departments in particular were in a hurry to set up the infrastructure for the home office situation - resulting inlittle attention to the matter of IT security. This omission is now coming back to haunt them, as it is becoming clear that the home office phase will last longer than expected. This is drawing resources away from the important areas of monitoring and maintaining the security infrastructure. In the current situation, cyber attacks could be detected even later than they usually are. Past experience has shown that it usually took considerably more than 180 days for an attacker to be detected in the network.

Anyone working from home should always remember that the work computer is connected to the company network,” warns Berghoff. The situation is even more critical if users use their private computer to work in the company network. Private computers cannot simply be secured centrally by group policies or other IT measures, so the risk of infection increases. “In the home office, the same rules apply as for working in the office: Do not connect unknown removable media, do not click on suspicious links, lock computers when leaving them and be careful when opening mail attachments. After all, phishing mails also arrive in your mailbox at home. And, of course, an up-to-date security solution should be installed on all computers,” continues Berghoff.

Especially active - GuLoader and Trickbot

It seems that the attackers are currently using proven, known malware. GuLoader, for example, is very active. This malware download program is used by cyber criminals to spread remote access Trojans or information stealers, such as Agent Tesla, Formbook, Lokibot, Remcos RAT, Netwire RAT or Arkei/Vidar Stealer. Known variants use links to Google Drive, Onedrive or ufile.io to load the malware.

In addition, virus analysts at G DATA have discovered an increase in the number of Trickbot campaigns. Cyber criminals have been constantly redeveloping the former banking Trojan so that it can still inflict a great deal of damage today. Being a modular Trojan, it has capabilities that attackers might be able to use for multiple purposes. In many cases, it is a component of current Emotet attacks. While the latter acts as a door opener, whereas Trickbot reads important information such as login or business information. Only then does the actual ransomware attack occurs, often using Ryuk, which encrypts all the data and backups. The attackers adapt their ransom demands to the victim's economic capacity.

Old tricks, new losses - tech supports scams

Another of the scammers’ die-hard tricks is the tech support scam. Criminals pretend to be employees of technology companies such as Microsoft in telephone calls or emails, through pop-up windows or website forwarding, in order to gain the trust of those affected. Under the pretext of alleged computer problems, cyber risks or necessary updates, they then try to steal sensitive data such as credit card information and passwords from the victims. Criminals are increasingly trying to profit from this, especially following the end of support for major software versions such as Windows 7.

Conclusion: No let-up in sight

In times of crisis especially, users must be even more vigilant than usual, and IT managers must pay special attention to IT security. After all, such situations are exploited by cyber criminals for their attacks and deceptions and to make a profit from them. If you simply rely on an up-to-date endpoint protection solution and also exercise caution when using digital channels, you and your company can stay protected against damage. Those companies who have allowed their employees to work from home in the wake of the coronavirus crisis must still do their homework. Because, instead of makeshift stop-gap solutions,  a permanent and, above all, secure approach to IT infrastructure is needed now.

from Stefan Karpenstein
Public Relations Manager