“…well, of course!” is what you might think. It’s a biological threat, so how could it affect digital assets?

But hang on. Among other effects, this pandemic has brought about a massive shift in several technological areas. Not only did it force numerous organizations – that up to now were reluctant – to gear up in cyber to go digital, all at once, oftentimes with hastily pieced together strategies.

It also made remote working (and the involved tools) grow in double-digits, causing the good old perimeter (which was already in a questionable state due to cloud adaption) to be basically shattered. The office is now anywhere. And that means access to data needs to be everywhere too.

Keeping all of this in mind, the general assumption was that in the wake of the pandemic we would face a virtual nightmare with vulnerable users, compromised corporate networks en masse and the end of the (digital) world. But let’s look at some interesting numbers of what actually happened.

Are hackers locked down too?

Let’s take a look at the number of droppers we observed in our MDR data and correlate it with other data we have regarding the intensity of COVID lockdown restrictions over time, Droppers are a good overall indicator of malicious activity, as they often indicate an early stage of an attack (which of course we try to prevent in getting any further).

The COVID stringency index[1] reflected in the bar chart comes to us from Oxford University and is a composite measure based on nine response indicators, including school closures, workplace closures, and travel bans, rescaled to a value from 0 to 100. In other words, the closer the bar is to 100, the more severe the restrictions at that time. We’ve averaged the indices for the Nordics, Benelux, Germany, France, the UK and South Africa, which represent the bulk of our operational area.

It’s also interesting to correlate the data we have from our Threat Detection services, with data we have from observing cyber extortion’ leak sites’ (which we have already written about earlier).

Several observations emerge from an examination of the charts above:

We observe a distinctive decrease in confirmed downloader activity in the months of November and December 2020 after the Trickbot botnet was taken down by law enforcement, and in January and February 2021, directly after Emotet was taken down. After those two events, downloader activity increases steadily until peaking over the European vacation period in July.

There does appear to be a loose correlation between downloaders – which represent the start of the cyber kill chain – and confirmed ransomware activity – which represents the last phase of the kill chain, which is what one would expect.

Downloader and Ransomware activities both appear to increase over major holiday periods – Easter and mid-summer. We don’t see such a spike over Christmas 2020, but that might be because of the disruptive impact of the Trickbot and Emotet takedowns we alluded to earlier.

In general, there appears to be an inverse correlation between the stringency of COVID lockdowns and the volumes of downloader activity. The more stringent the lockdowns, the less of this activity we see. This general observation appears to hold for other forms of malware activity also. As we had already observed in earlier research, this runs contrary to the prevailing narrative that attacks increase when users are working from home.

It takes two to make a compromise

The conclusion here appears to be, therefore, that the volume trends and patterns in malware activity are overwhelmingly influenced by the patterns and behaviors of the potential victims, not the choices of the attacker. The exception may be vacation periods, where it appears that attackers may step their activity up.

Law enforcement activity has a notable impact, but this appears to be short-lived because new actors and new tools tend to pop up after another one is taken down or some of its members arrested.

So, the final diagnosis? We can confirm that actually COVID has not spread to digital. At least not in the fatal way that was predicted. And that is finally some good news.

This is just another excerpt of the analysis. More details like the incident- and malware distribution across industries or business sizes (as well as a ton of other interesting research topics) can be found in the Security Navigator. It’s available for download on the Orange Cyberdefense website, so have a look. It’s worth it!

Note — This article was written and contributed by Diana Selck-Paulsson, Lead Security Researcher at Orange Cyberdefense.