Cybersecurity Report: Record 304.7 Million Ransomware Attacks

BLOG POST by Alice Strange / Heather Santos

SonicWall’s Mid-Year Update to the 2021 Cyber Threat Report: the number of attacks eclipses 2020 global totals in just six months.

There are several documents that many of us in this business open with a bit of trepidation. One is our tax bill, and the other is SonicWall’s annual Cyber Threat Report.

There’s not much we can do about the former, since death and taxes, as Benjamin Franklin once wrote, are the only certainties in life. The latter is a tool for those of us who work to keep networks secure, and the report is often a harbinger of things to come.

SonicWall’s semi-annual releases (one for the annual report, a second for a mid-year update, because you can never have enough of a good thing, right?) are an authoritative source. Researchers draw on threat intelligence data from more than 1.1 million sensors in 215 countries and territories. SonicWall also produces the report in a non-promotional way (they are a cybersecurity services company, after all), so much so that even news organizations like the Wall Street Journal and CNN quote its findings.

The Mid-year update to the 2021 SonicWall Cyber Threat Report 

So, when we say that 2021’s cyberattack data eclipsed last year’s, we mean that cybercrime has reached a new and unsettling level. Established technology and infrastructure are under siege from ransomware. Through the first half of 2021, global ransomware volume hit 304.7 million attacks, surpassing the 304.6 million recorded for the whole of 2020. That’s a 151% year-to-date increase, in case you’re wondering.

The data shows that threat actors are busy adapting ransomware tactics to reap more financial gains. The trend is especially worrisome for security experts because the risk to businesses and organizations will remain high while remote working is still widespread. And as Bill Conner, SonicWall CEO and President, recognizes, “Criminals are acutely aware of uncertainty across the cyber landscape.”

Ransomware attacks continue to wallop us.

After record highs in April and May, June saw another record of 78.4 million ransomware attacks. In the U.S., attacks increased by 185%, and in the U.K. by 144%. The U.S., U.K., Germany, South Africa and Brazil were the hardest-hit countries, and Florida, New York, Idaho, Louisiana and Rhode Island were the U.S. states with the most confirmed attacks. The report also shows attackers concentrating on key verticals: ransomware attacks rose 917% on government entities, 615% on education, 594% on healthcare, and 264% on retail.

Patented RTDMI software is finding and blocking more original malicious code and variants.

SonicWall also discovered a record number of new and original malicious programs: the count of previously unseen malware variants rose 54% over the first half of 2020. The technology behind the discovery is SonicWall’s Real-Time Deep Memory Inspection (RTDMI), the core of SonicWall services such as Capture Advanced Threat Protection (ATP).

SonicWall says RTDMI blocks more advanced and previously unseen malicious code than other behavior-based sandbox methods. In one 33-day test by ICSA Labs, the technology detected 100% of unique threats and variants with zero false positives. That sixth and most recent test confirmed the high performance seen in the earlier rounds.

Distribution of malware and non-standard port attacks continues to fall.

Non-ransomware malware volume, which fell globally last year, continued to decline in the first half of 2021, down 24% worldwide; attacks over non-standard ports, a category that hit record highs in 2020, fell as well. In another sign that threat actors are getting more sophisticated, there are fewer “spray and pray” attacks and more surgical strikes that target specific organizations or verticals.

Concerns for Cryptojacking.

Cryptojacking incidents ebb and flow with the sharp value fluctuations of cryptocurrencies. After an unexpected return to prominence in 2020, cryptojacking malware incidents rose again in the first half of 2021, when cryptocurrency prices were at their highest. SonicWall’s researchers found 51.1 million cryptojacking attempts from January to June, a 23% increase over the same six-month period last year. Europe was hit particularly hard, with a 248% year-to-date increase.

The Wild West of IoT devices goes wild.

When everyone packed their belongings and went home, they plugged in millions of new IoT (internet of things) devices, adding a new and fertile attack vector for cybercriminals, SonicWall reports. Attacks on this class of devices rose 59% year-to-date globally, a rate not seen since 2018. By region, the U.S. saw a smaller increase in IoT attacks (15% year-to-date), while Europe and Asia were slammed (113% and 190%, respectively).


As working situations evolved in 2021, so did the methods of threat actors and motivated perpetrators. The SonicWall Capture Labs threat research team compiled its findings into the mid-year update to the 2021 SonicWall Cyber Threat Report, which arms enterprises, government agencies, SMBs and other organizations with actionable threat intelligence to safeguard workforces, networks and data in today’s distributed IT reality. Visit our website to view the full report and all of its findings.




BlackMatter ransomware hits the US food supply chain

September 21, 2021

Published with permission from CyberTalk


In Iowa, over this past weekend, an agrarian business that plays a critical role in the American food supply chain experienced a cyber attack. New Cooperative, based in Fort Dodge, began operations in 1973 and is a member-owned farm cooperative with 60 operating locations across the state.

Launched by the BlackMatter ransomware group, the attack could have massively disrupted grain, chicken and pork availability within the US. In the grain business alone, the company runs grain storage elevators, sells fertilizer, buys grain from farmers and supplies agricultural enterprises with new technologies. “About 40% of grain production runs on our software,” said a New Cooperative spokesperson.

The National Security Agency’s elite cyber team believes that the BlackMatter threat actors may have mistaken New Cooperative for an IT firm. New Cooperative produces a software product called SoilMap, which may have contributed to the case of mistaken identity.

The BlackMatter ransom demand

The BlackMatter group demanded a $5.9 million ransom from New Cooperative. In exchange, the attackers would provide a decryption key. Further, if the ransom were not paid by a Saturday deadline, the group would publish 1 terabyte of proprietary data, supposedly stolen from New Cooperative.

Following the attack, New Cooperative took systems offline, and IT experts successfully contained the threat. The cooperative has notified law enforcement and continues to work with information security professionals to investigate and remediate the attack.

Questions have also been raised about dwell time: how long the ransomware group was inside the cooperative’s systems before actually launching the attack. At present, this remains unknown, although it is under investigation.

The BlackMatter group’s hidden identity

Experts remain divided over whether BlackMatter is a “rebrand” of the REvil group, a rebrand of the DarkSide group, or an entirely independent gang. The REvil gang “disappeared” earlier this summer, and DarkSide vanished from the dark web shortly after the Colonial Pipeline attack.

High-profile ransomware attacks 

This attack represents the fourth significant, high-profile cyber attack directed at US critical infrastructure entities in recent months, according to former CIA cyber official Marcus Fowler.

The Biden administration has said that 16 critical infrastructure sectors should remain “off-limits” to nation-state-backed hacking attempts, and Biden has called on cyber crime gangs and politicians alike to stop the blitz of attacks on critical industry. However, this attack on a food and agriculture business suggests that those talks and warnings may have fallen on deaf ears.

When questioned on this point, BlackMatter responded that it did not agree with the classification of agricultural enterprises as “critical industry.” The FBI, by contrast, reports that food and agriculture groups are active targets of cyber threats. Downstream effects could impact retail groups, hospitals, restaurants, and the average consumer.


How SMBs can plan for the new, new normal

By: Christopher Budd

How businesses can plan for better business operations and improve security and privacy, post-pandemic

As more of the world looks toward a post-pandemic life, it’s important for small and medium business leaders to think about what they want their businesses to look like and how they operate moving forward.

This isn’t just an abstract question. In the United States, businesses are beginning the process of moving into a post-pandemic world and employers are finding two things. First: that it’s difficult for many to attract and keep employees, resulting in a labor shortage in some areas. Second: that employees and potential employees are making it very clear how important remote work is as an option. A recent article in Bloomberg noted that a May 2021 survey of 1,000 U.S. adults showed that 39% of them would consider quitting if their employers weren’t flexible about remote work. That number jumps to 49% when focused on younger generations.

As we approach the “new, new normal” there’s a unique opportunity for business owners and leaders to consciously shape the nature of work moving forward. And, in many cases, it’s essential for attracting and retaining the best talent. 

What is the new, new normal?

During the pandemic, we heard a lot of talk about the “new normal.” For businesses, this specifically referred to the rush to adopt remote work in order to adapt to pandemic-imposed lockdowns.

That move forced adoption of new approaches and technologies, including remote work tools like Zoom, Slack, and Teams. Because everything changed quickly and without planning, most businesses didn’t account for security and privacy. They didn’t have time to.

This “new normal” was in contrast to “the old normal”: life before the pandemic. If the “new normal” was characterized by a lot of changes forced by necessity, the “old normal” was characterized by inertia and tradition; a lot of “because we’ve always done it that way.” This applied not only to face-to-face meetings but to the technology we used and the way we used it. For most businesses, the “old normal” was on-site, with people, systems, applications, and customers on premises.

The “new, new normal” is what comes next. It is a classic synthesis of “the old normal” and the “new normal.” But one thing that makes the “new, new normal” different from either of these is that we can shape it consciously, free from the unthinking inertia and tradition of the “old normal” and the haste and necessity of the “new normal.”

Beyond the obvious business benefits of making thoughtful, conscious decisions about the nature of work in the “new, new normal,” there is another benefit: this is an opportunity to make security and privacy considerations central to your business’ policies and operations. As we’ll discuss below, that improves your security and privacy, which in turn helps your business.

We also see how important maintaining remote work is for many employees and thus for many businesses. Many businesses will need to formally and permanently adopt remote work policies to attract and retain the best talent. That means now is the time to build those policies with security and privacy in mind.

Conscious planning means integrated, and better, security

Security leaders and teams often have to figure out how to make security and privacy work with operations and policies that have already been decided. We sometimes refer to this as “bolt-on” security and privacy, meaning they are attached (“bolted on”) to something that’s already complete. Bolt-on security and privacy is never as good as the integrated kind: integrated security and privacy is more effective, cheaper, and more successful than anything bolted on afterwards.

If you’ve ever built a house or done a remodel, you probably understand this well: Things are always better, cheaper, and more effective when they’re part of the original planning rather than added after the fact. The same is true for security and privacy for businesses.

Give security and privacy a seat at the planning table

The way to integrate security and privacy into your planning and discussions around the new, new normal is actually simple and straightforward: You ensure that both security and privacy have a seat at the planning table, literally and metaphorically.

It’s important to note that this is something any and all businesses, regardless of size, can and should do. If you’re a small business that doesn’t have a dedicated security or privacy team, you can bring in outside security and privacy expertise, like managed security solution providers. Or, at the very least, you can make sure there’s always a security and privacy component to your planning.

For example, let’s say that as part of your planning for the new, new normal you want to enable your billing department staff to work from home some or all of the time. One of the questions you’ll have to answer is how those employees will be able to access your billing system. You decide that the best way to accomplish that is to move from a billing system that’s currently on your employees’ computers in the office to a cloud-based system. 

As part of the plan to move to the new cloud-based system, you look into what options there are to make your employees’ access to the billing system as secure as possible. As you work through the issue, you decide to make it company policy to issue work laptops to those remote workers, with security software (antivirus and a remote-access client) that you provide and manage.

You also decide to require multifactor authentication for access to the new cloud-based billing system (ideally a phishing-resistant method such as a hardware security key, and at minimum an authenticator app rather than SMS codes). Finally, as part of your evaluation of cloud-based billing providers, you make a point of checking that the solution you choose can help you comply with the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR), because you have customers in California and in Europe, and you realize that this solution can make compliance with those regulations easier than doing it yourself.

In the end, you have made a decision on how you want your business to operate in the post-pandemic world. And as part of the process of evaluating and implementing that, you’ve made security and privacy concerns equal priority to other business concerns. And you end up with a cloud-based solution that is more cost-effective, has better overall security, provides better support for privacy regulation compliance, and, most of all, supports your new business requirements.

Planning for a better post-pandemic future

As we prepare for the post-pandemic future, there’s a lot of reason for optimism. One reason is that this situation gives everyone an opportunity for large-scale reassessment. For businesses, this means an opportunity to make conscious decisions about how you want your business to work moving forward. This in turn opens up an opportunity to improve your business, security, and privacy by consciously making them part of your process as you design the future of work for your company. In many ways, this is probably a once-in-a-lifetime opportunity. It’s best to take full advantage of it.


Are Grubhub and Doordash tracking you?

What do your food delivery apps know about you? 
By Emma McBowan

Should you care that these much-loved food delivery apps gather the data that they do?

Even if you weren’t super into takeout before the pandemic, chances are you’ve upped your delivery in the past year. I get it! Cooking gets tedious and boring and we’ve all needed to — literally — spice up our lives while homebound. I know that in my household, takeout has become a much more regular occurrence than I’d probably like.

But whatever. We all deserve to give ourselves and others some grace right now. But should we be giving food delivery apps grace, too? For this week’s What Does the Internet Know About Me?, I’m going to take a look at DoorDash and GrubHub/Seamless, two of the bigger food delivery app services here in the US. (GrubHub owns Seamless, so I’m batching them together.) I already know that they know I love Chinese food. Let’s see what else they’ve got.

What does DoorDash track? What does GrubHub track?

Both delivery services collect a couple of obvious things that are necessary for them to, you know, bring food to my house. They know my name, my email address, phone number, address, and information about my payment method (i.e. credit card info or PayPal). 

DoorDash specifically says in its Privacy Policy that it knows the items I’ve purchased and when, any special instructions, and the payment method used, but GrubHub doesn’t mention that in its policy. It seems odd — they kind of have to know that information to get me my food, right? — but I’m not sure there’s a strong conclusion to draw from that omission. GrubHub does mention, however, that it also keeps any communications with it directly or with its “Delivery Partners.”

On the technical side, DoorDash is definitely watching me. They “use cookies, web beacons, pixels, session replay/screen capture, and similar technologies to collect information and personalize [my] experience with [their] Services.” They also use “session replay technology” to “collect real-time” information about how I interact with the app, including how I scroll it. They’re careful to note that they don’t record keystroke data. 

If I access the service through the website (which I don’t) rather than the app on my phone, they also “collect information to better understand customer traffic patterns and Site usage.” That includes the website I visited before visiting their site, which parts of the site I visited, and how much time I spent there.

If I log in with a third party account, like Facebook, DoorDash will exchange information with that service too. They would also access my phone’s phone book for referrals, if I let them. (Which I don’t.) Finally, they track me across different devices “to better tailor content and features” and provide a “seamless experience.”

And speaking of seamless! (See what I did there?) In addition to the obvious stuff listed above, GrubHub/Seamless tracks transaction info, any communications done in-app or via phone or mail, location information, information about my device(s) and software, and analytics info, including through third party services like Google Analytics. 

But perhaps the creepiest thing that Seamless/GrubHub does is track the exact location of your phone. From their Privacy Policy:

“If you have previously opted into Grubhub’s collection and use of location-based information through our mobile application, we may collect and store the precise location of your device when the app is running in the foreground or background of your device.”

Yikes. Note that the policy says “opted into”: the precise-location collection applies if you have granted the app location permission, including background (“always”) access, and haven’t revoked it. If you have, they potentially know where you are at all times. Both iOS and Android let you restrict an app to “while using” location access, or deny it entirely, in the phone’s privacy settings.

What do DoorDash and GrubHub do with my data?

Both DoorDash and GrubHub need some — to be fair, kind of a lot — of the data they collect in order to tell me what restaurants are nearby and then to deliver my food when I order it. They also have a legitimate interest in learning my likes and recommending similar restaurants in the future. Realistically, the nature of the business of a food delivery app means that they’re going to have to collect a lot of data about me.

However, I do think they step a bit over the line with the technical information they collect. I can see the business argument for it — I’m sure there’s a justification for why they need to know where I am at all times — but I just don’t think it’s valid. I don’t think they need to track as much of the technical information about me as they do, and I don’t like the ways they use it outside of getting food from local businesses to my house. Namely: third-party advertising. And they’re pretty broad about that. From GrubHub’s Privacy Policy:

“We work with third-party Ad Networks and Advertising Partners to deliver advertising and personalized content to you on our Platform and Services, on other sites and services you may use, and across other devices you may use. These parties may collect information directly from your browser or device when you visit the Platform through cookies or other tracking technologies. This collected information is used to provide and inform targeted advertising, as well as to provide advertising-related services such as reporting, attribution, analytics and market research.” 

And while GrubHub doesn’t give instructions on how to opt out of data collection for third-party advertising, DoorDash does so directly in its Privacy Policy. That’s a point in its favor from me.

Should I care that food delivery apps gather so much data?

I’m bummed out by this investigation because, like all millennials, I like the convenience of ordering on an app — and not having to talk to a person on the phone. (Although honestly, as I’ve gotten older, the talking on the phone thing is less of an issue.) But the many, many ways GrubHub and DoorDash track me definitely have me concerned. Is it worth that much data being sucked up about me just for a slightly easier ordering experience?

Add on the fact that it became very clear during the pandemic just how big of a cut these food delivery apps take — and how shady some of their business practices are — and I think I might go back to ordering on the phone. 

That, or I’ll make my partner order using apps on his phone. Then it’s his info being collected, not mine. (Kidding. Or am I?)


Amazon Scam Warning: Beware of Deliveries You Didn’t Order

Authored By Dave Holcomb

Have you recently received an Amazon package that you didn’t order? It may be part of a scam called “brushing.”

This scheme involves an unordered package from Amazon showing up at your doorstep with your name on it.

Legally, you get to keep any package that’s addressed to you, but this scam isn’t entirely a victimless crime.


What Is Amazon Brushing?

Third-party online sellers engage in “brushing” scams in an attempt to raise product ratings on websites such as Amazon. The seller pays a third party to purchase their products through fake buyer accounts they’ve created. 

After the purchase, the item gets delivered to a real address. Then the seller can write a positive review of their own product from the fake Amazon buyer account.

Reviews are hugely important to any seller on Amazon. The more reviews a particular product has and the better the reviews are, the higher the product will rank in Amazon’s algorithm. That means more exposure for that product which potentially leads to more sales.

In addition, sellers who engage in brushing scams sometimes write what are called “verified purchase reviews.” Anyone with an Amazon account can write a review for any product, but verified purchase reviews rank higher in the algorithm. And Amazon gives reviews that label only if it confirms that the product was bought at full price from the reviewer’s account.

The Dangers of Amazon Brushing

CNN Business reports brushing scams became popular about five years ago. There have been many examples of brushing made public since then.

A woman in Thousand Oaks, California, received unordered Amazon packages every two weeks for more than six months. The packages contained items ranging from a briefcase to a hair straightener to a coffee cup warmer.

In Massachusetts, CBS News reported a couple received 1-2 packages every week for five months. The unsolicited Amazon packages contained items including a humidifier, a flashlight, bluetooth speakers and a computer vacuum cleaner.

By law, unsolicited merchandise is yours to keep according to the United States Postal Inspection Service. So you don’t have to return any package you receive, and if you don’t want it, you can donate it to a good cause.

But Amazon brushing is still a threat to you and other consumers.

Your Information Is Compromised

Receiving unordered packages from Amazon means some of your information has been exposed: a third-party seller somehow acquired your name and shipping address, and possibly your Amazon account information. A name and address alone are often available from public records, marketing lists or earlier data breaches, so an unordered package does not by itself prove your Amazon account was broken into, but it is reason enough to check.

Amazon provides a help page for victims of brushing scams. I also reached out to the company’s press center and received a statement from an Amazon spokesperson via email.

It said, in part, “… we take action on those who violate our policies, including withholding payments, suspending or removing selling privileges, or working with law enforcement.”

Amazon says it will investigate and “will take action on bad actors that violate” its policies.

Fake Amazon Reviews Inflate Product Ratings

Online purchasers rely on reviews to make shopping choices.

“The real losers here are the consumers who are possibly believing many of these fake positive reviews, or this artificial padding of reviews because they might see 100 positive reviews, and then there may only be 60 or 70 of them that are legitimate,” former Amazon policy enforcement investigator Chris McCabe told CNN.

What To Do If You Get Something From Amazon You Didn’t Order

If you have received an unsolicited Amazon package and have confirmed no one you know sent you a gift, here’s what you can do to protect yourself and future potential victims:

  1. Report the unordered package to Amazon customer service at (888) 280-4331.
  2. Report the scam to the Federal Trade Commission online or by phone at (877) 382-4357.
  3. Change the password on your Amazon account and any other accounts that use the same password, and turn on Amazon’s Two-Step Verification if you haven’t already.
  4. Review your Amazon order history, saved addresses and payment methods for entries you don’t recognize.
  5. Keep a close eye on your credit card statements to spot suspicious activity.

Whatever you do, do not pay for an unsolicited package. If the sender calls with a bill, they are trying to scam you again!