Use of SSL Certificates in Malware and Phishing Attacks Up 260% in 2020

Abuse of SSL certificates in phishing and malware attacks has increased by 260% in the first 9 months of 2020, according to a new report from Zscaler.

Zscaler analyzed more than 6.6 billion threats for the report and found a major rise in the use of encryption to hide attacks. According to the researchers, encryption was being used across the full attack cycle: from the initial delivery of malware or malicious links, through delivery of the malicious payload, to the exfiltration of data.

“SSL encryption was designed to protect traffic from prying eyes, but adversaries have also leveraged it to hide attacks, turning the use of encryption into a potential threat without proper inspection,” explained Zscaler in the report.

While many different attacks involved the use of encryption, one of the biggest increases was seen in the delivery of ransomware. In the first 9 months of 2020 there was a 500% increase in ransomware delivery using encrypted channels, most commonly to deliver FileCrypt, Sodinokibi, Maze, and Ryuk ransomware.

The healthcare industry was the most targeted industry sector during the period of study, with 1.6 billion encrypted threats detected and blocked by Zscaler. The finance and manufacturing sectors were also heavily targeted.

The increase in the use of SSL certificates by threat actors highlights how important it is to deploy security solutions with SSL inspection and to ensure the feature is actually enabled; however, SSL inspection can cause issues. Many security solutions offer SSL inspection but are unable to inspect SSL traffic effectively at scale. With 80% of websites now using SSL encryption, decrypting, inspecting, and re-encrypting all SSL traffic could easily lead to performance problems.

One solution is to whitelist certain traffic, such as traffic from legitimate cloud services; however, that is far from ideal. The report also revealed increasing abuse of legitimate cloud-based file sharing services such as OneDrive, Dropbox, and Google Drive to deliver threats and evade security solutions. More than 30% of encrypted threats are hidden in collaboration services such as these.
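As an added example (not part of the Zscaler report or this article), the Python audit below quantifies the blind spot that such a bypass list creates: it matches constructed proxy log lines against a glob-style bypass list and reports how many flows and bytes to collaboration services would go uninspected. The log format, the bypass rules, the hostnames and the category list are all constructed for illustration.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed TLS-inspection bypass list in the glob style many proxies use.
# Note "*.dropbox.com" exempts subdomains only, not the apex host.
BYPASS_RULES = ["*.dropbox.com", "drive.google.com",
                "*.onedrive.live.com", "*.bank-example.test"]

# Hosts treated as collaboration / file-sharing services (the category the
# report singles out); suffix match covers the apex host and any subdomain.
COLLAB_SUFFIXES = ("dropbox.com", "dropboxusercontent.com",
                   "onedrive.live.com", "drive.google.com")

# Constructed proxy log: timestamp, client IP, destination host, port, bytes.
SAMPLE_LOG = """\
2020-10-01T12:00:01Z 10.0.0.5 files.dropbox.com 443 184320
2020-10-01T12:00:07Z 10.0.0.5 drive.google.com 443 5120
2020-10-01T12:01:15Z 10.0.0.9 www.example-news.test 443 20480
2020-10-01T12:02:30Z 10.0.0.9 onedrive.live.com 443 96000
2020-10-01T12:03:02Z 10.0.0.12 online.bank-example.test 443 15000
2020-10-01T12:04:45Z 10.0.0.12 dl.dropboxusercontent.com 443 300000
2020-10-01T12:05:10Z 10.0.0.12 cdn.example-app.test 443 40960
"""

def is_bypassed(host, rules=BYPASS_RULES):
    """True if any bypass rule exempts this host from TLS inspection."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, rule.lower()) for rule in rules)

def category(host, suffixes=COLLAB_SUFFIXES):
    """Classify a destination as 'collaboration' (file sharing) or 'other'."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in suffixes):
        return "collaboration"
    return "other"

def parse_log(text):
    """Yield (host, bytes) per well-formed line; skip blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        yield fields[2], int(fields[4])

def blind_spot_report(text, rules=BYPASS_RULES):
    """Per category: flows seen, and flows/bytes the bypass list leaves uninspected."""
    report = defaultdict(lambda: {"flows": 0, "uninspected_flows": 0, "uninspected_bytes": 0})
    for host, nbytes in parse_log(text):
        entry = report[category(host)]
        entry["flows"] += 1
        if is_bypassed(host, rules):
            entry["uninspected_flows"] += 1
            entry["uninspected_bytes"] += nbytes
    return dict(report)
```

On the constructed log, half of the collaboration-service flows are exempt from inspection, and the apex host onedrive.live.com is still inspected only because the wildcard rule does not match it, which is the kind of inconsistency an audit like this surfaces.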

Even if an organization has the capability and capacity to inspect all SSL traffic, there may be legal issues with decrypting traffic, which could be viewed as an invasion of privacy; however, Zscaler notes that any organization that is not using SSL inspection at scale faces a greater risk of cyberattacks succeeding.

“SSL inspection is the only effective way to block the malicious files delivered, because security engines cannot block what they can’t see,” said Zscaler.

Author: NetSec Editor