As the coronavirus outbreak brought the U.S. and many other countries to a standstill earlier this year, cybercriminals circulated COVID-19 themed phishing emails in an effort to capitalize on the public’s fears. But those types of attacks have sharply declined in recent months, new data suggests.
References to COVID-19 themed attacks declined by about 70% between May and July, according to data from the Recorded Future platform. Lea Cure, a researcher at Recorded Future, said attackers have shifted their tactics in recent months likely because the emails stopped being effective.
“These scams feed on emotion, and we’ve seen a decline in COVID-19 related phishing lures because it’s not something people are struggling to get information on anymore — it’s something we’re all living with,” Cure said.
COVID-19 themed attacks appeared to rise sharply in March and April, and plateaued for about two months until they started to recede, according to data collected by Recorded Future from sources including hacker forums, threat feeds, news reports, and code repositories.
In March, the Department of Homeland Security’s acting chief information officer Beth Cappello warned that scammers were using COVID-19 themed phishing emails “in an attempt to profit on people’s confusion and fear surrounding the virus.” Health organizations including the Centers for Disease Control and Prevention and the World Health Organization said they were aware of impersonation scams that asked for money or included malware that could could be used to steal a victim’s private information.
Those types of incidents haven’t completely stopped, according to Cure. But they’ve declined dramatically in recent months as businesses, schools, and other organizations in many parts of the country have started to reopen. Scammers have also shifted their efforts to focus on other topics that have garnered national attention, such as the Black Lives Matter protests. In the coming months, Cure said she expects cybercriminals to launch phishing campaigns around election season, with emails focusing on things like where people can get voting information. Although no such attacks have been observed yet, Recorded Future has tracked over 300 new domain registrations that appear to be associated with the upcoming election, but may be used maliciously.
A Rise in Extortion Malware
In addition to the decline in COVID-19 related attacks, cybersecurity analysts have observed an uptick in extortion ransomware attacks that involve threats to leak breached data if a ransom isn’t paid, Cure said.
The tactic started gaining attention late last year, when Maze ransomware operators stole data and publicly exposed it when victims missed ransomware payment deadlines. Other popular ransomware families, including DoppelPaymer, Ragnar Locker, LockBit, and Sodinokibi, have been used in extortion campaigns since then.
Cybersecurity researchers expect the trend to continue, Cure said, because extortion ransomware is particularly challenging for companies to deal with.
“In the past, an organization could recover from ransomware attacks by having offline backups,” Cure said. “With extortion ransomware, you now have to treat it as a general data breach — your data is in the hands of the threat actors.”