The COVID-19 pandemic forced businesses to move to a largely remote workforce, and cybercriminals took advantage by targeting vulnerabilities in Remote Desktop Protocol (RDP). Between Q1 and Q4, 2020, RDP attacks increased by 768%, according to the ESET Q4 2020 Threat Report.
RDP attacks slowed in Q4, 2020 as cybercriminals started to favor other methods of attack. The decrease suggests businesses have managed to improve the security of remote working. Coveware reported similar findings in its Q4 Ransomware Report, which showed a sharp decline in RDP attacks for delivering ransomware, with phishing now the most common method of ransomware delivery.
2020 was a year when ransomware became the biggest threat to businesses. Not only did the volume of attacks substantially increase, but threat actors also used much more aggressive tactics, including data exfiltration and double extortion. Ransom demands increased significantly throughout the year, although demands and payments declined in Q4. Coveware noted in its report that after 8 consecutive quarters in which the average ransom payment increased, there was a fall in payments in Q4 as more victims chose not to pay the ransoms, even when threatened with the publication or sale of stolen data. The average ransom payment fell by 34% in Q4, 2020 from $233,817 to $154,108. The fall is good news, but Coveware and ESET predict the high number of ransomware attacks will continue throughout 2020.
ESET notes in its report that there was a major reduction in the use of banking Trojans in 2020, and even more so in Q4, 2020, suggesting banking Trojans are being abandoned in favor of ransomware and other more lucrative malicious activities. That said, ESET did report a rise in Android banking malware detections in Q4.
The rise in phishing attacks in Q4 was also reported by ESET, which registered a major increase in COVID-19-themed phishing emails in response to the rollout of COVID-19 vaccines. Phishing emails mentioning vaccines increased in volume by 50% in Q4, 2020, and that trend is likely to continue in Q1, 2021 and beyond as vaccine rollouts gather pace.
While 2020 was a terrible year for many reasons, Q4 did see some positives. The TrickBot botnet was disrupted by Microsoft and its partners, and 94% of its servers were taken out of action. That resulted in a massive decrease in TrickBot-related activities. The threat actors behind TrickBot have been rebuilding their infrastructure and activity has started to increase, but ESET reports that so far in Q1 TrickBot activity remains at low levels.
ESET also uncovered several supply chain attacks in Q4, 2020. ESET identified a supply chain attack by the Lazarus group in South Korea, an attack in Mongolia dubbed StealthyTrident, and an attack against a certification authority in Vietnam dubbed SignSight.