Malware statistics and facts

“Malware” describes any malicious program created to wreak havoc or mischief on a computer system. It’s also an ever-evolving ecosystem thanks to the constant push-and-pull between security professionals and cybercriminals. The malware environment shifts every year, although long-term trends are identifiable in year-over-year data reports.

Despite numerous anti-malware measures, cybercriminals and hackers aren’t ones to give up easily, especially not as long as there’s money to be made in malware. Even still, some traditionally-popular forms of malware appear to be losing favor in 2021 as hackers and cybercriminals change their tactics to attack new or underutilized vulnerabilities.

Signs currently point to hackers shifting their focus more toward discreet infections through IoT and email, with a continued focus on enterprise businesses and governments versus average web users, especially when it comes to ransomware infections.

Here’s a rundown of the most interesting malware statistics:

1. Employees with infected machines are spreading viruses more broadly

In 2020, 61% of organizations experienced malware activity that spread from one employee to another. In 2021, that number rose to 74%, its highest since the SOES survey began in 2016. The increase in the employee-to-employee spreading of malware could have any number of causes; for instance, phishing attacks are becoming more sophisticated while, at the same time, employees may encounter more distractions while working from home.

2. Business-disrupting ransomware attacks are on the rise

In its 2021 State of Email Security Report, Mimecast found that 61% of organizations experienced a ransomware attack that led to at least a partial disruption of business operations. The previous year, 51% of organizations reported experiencing these types of malware attacks, so the number has risen substantially.

3. Organizations in the US report the largest number of ransomware attacks, followed closely by those in the UK

Organizations worldwide report ransomware attacks impacting business, but it seems businesses in the US and UK have been hit the hardest in the past year, with 55% and 54% of companies impacted, respectively. This is a significant reduction since last year, though, when 62% of American businesses fell victim to a ransomware attack. However, in 2019, only 39% of UK businesses reported being impacted by ransomware.

4. Over 60% of organizations may have understaffed cybersecurity teams

In its 2021 State of Cybersecurity report, ISACA found that 61% of cybersecurity professionals believe their organization’s cybersecurity team is understaffed. Understaffing among organizations, including business and government, could create a strain on existing staff and lead to an increased risk from malware threats.

Almost half (47%) reported their organizations were “somewhat” understaffed, while 14% reported they were “significantly” understaffed. A further 34% reported that their organization is “appropriately” staffed, while just 4% reported being either “somewhat” or “significantly” overstaffed.

The demand for workers is also increasing year-over-year. From C-suite executives to technical and contributors, jobs across the cybersecurity industry continue to go unfilled as demand outpaces the growth in the number of workers with the requisite skills.

ISACA Unfilled Position Reporting for 2018-2021
Source: ISACA

5. Some types of malware are on the decline

A collection of recent data and research points to a change in how consumers and businesses experience and receive malware. The SecureList IT Threat Evolution Report for Q3 of 2020 shows that both miners and ransomware are rarer (reduced by 47% and 31%, respectively) than they were at the same time last year.

6. Traditional malware attack vectors taking a huge hit

The number of websites serving up malware is at its lowest point since 2007, according to Google’s Transparency Report. Instead, consumers are increasingly dealing with phishing websites that seek to glean passwords, credit card numbers, Social Security Numbers, and other private information directly from visitors without requiring any direct malware downloads. In fact, phishing sites have seen an increase of more than 750% since 2007.

Source: Google

Google’s data shows the number of malware sites detected per week continues to fall every year. As of January 2021, Google detected around 600-800 malware-infected sites per week. By contrast, Google was detecting 3000+ malware sites weekly between January and March of 2019, and between 5000-7000+ during that same time period in 2018.

Source: Google

7. Phishing sites are now an incredibly popular attack method

Phishing sites are typically designed to look like the official version of other websites. PayPal is a commonly-mimicked site, for example, as gaining access to users’ PayPal credentials can be distinctly profitable for hackers. Banking and social media sites are also fairly common targets.

8. Google removing far fewer malware-infected sites

According to Google’s Transparency Report, 2.195 million websites were on its list of “Sites Deemed Dangerous by Safe Browsing” as of January 17, 2021. The vast majority of those (over 2.1 million) were phishing sites. Only 27,000 of Google’s removed sites were delisted because of malware. That’s more than an 800 percent difference in favor of phishing sites, which have seen a year-over-year increase of 28 percent.

9. China remains a malware hotspot with 2% of scanned sites hosting malware

Google’s Safe Browsing tool automatically scans websites across the world to help detect which sites are infected with malware. As of April 2020, China and Russia were the worst off with 2% of scanned sites hosting malware. Fewer than 1% of scanned sites in the US, UK, Germany, and Spain were found to contain malware (although Spain did spike to 3% briefly earlier in the year).

10. The number of malware attacks declined for the first time since 2016

The number of new malware attacks declined for the first time since 2015. According to SonicWall’s 2020 Cyber Threat Report, the company detected 9.9 million malware attacks in 2019, compared to 10.5 million in 2018.

11. New malware variants decreasing year-over-year

SonicWall reported 5.6 billion malware attacks took place this past year, which sounds bad but actually represents a 43% decrease from the previous year. For contrast, there were 10.5 billion attacks in 2018 and just 8.6 billion in 2017.

12. Domain Generation Algorithms are still hampering malware mitigation efforts

Domain Generation Algorithms, or DGAs, allow malware architects to automatically generate a large number of domain names, which then serve as rendezvous points to help control and collect data from the active malware infections. DGAs make investigation and analysis efforts difficult, which in turn makes it difficult to shut down botnets.

Over 40 malware families employ DGAs, including well-known malware such as CCleaner, Emotet, and Mirai. SonicWall identified over 172 million randomly-generated domains in 2019.
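
To show how defenders can spot DGA activity despite the volume of domains, here is an added example (not taken from SonicWall or any report cited here) that flags clients making repeated failed lookups for random-looking names. The log layout, thresholds, addresses and domain names are constructed assumptions, and character entropy is a simple stand-in for the statistical models production detectors use.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log; the "client name rcode" layout is an assumption.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.7 oldprinter.example.net NXDOMAIN
10.0.0.9 xkqjzvbnwpltrm.example NXDOMAIN
10.0.0.9 qwzxvbnmkjhgfd.example NXDOMAIN
10.0.0.9 plmoknijbuhvyg.example NXDOMAIN
10.0.0.9 update.example.net NOERROR
"""

def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than words."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def registrable_label(name):
    """Label left of the TLD. Simplification: ignores multi-part suffixes (co.uk)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def looks_generated(name, min_len=10, min_entropy=3.5):
    """Heuristic (thresholds are assumptions): long label with high entropy."""
    label = registrable_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def suspect_hosts(log_text, min_names=3):
    """Clients with >= min_names distinct random-looking names that failed to resolve."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, name, rcode = parts
        # Most generated names are never registered, so an infected host
        # produces a burst of NXDOMAIN answers for high-entropy labels.
        if rcode == "NXDOMAIN" and looks_generated(name):
            hits[client].add(name.lower())
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_names}

if __name__ == "__main__":
    for client, names in suspect_hosts(SAMPLE_LOG).items():
        print(client, names)
```

Requiring several distinct failed lookups per client keeps a single mistyped or retired hostname from raising an alert.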

13. Malware attacks on non-standard ports reach all-time high

SonicWall’s 2021 report found that attacks on the tens of thousands of non-standard ports available increased from 2019’s 13% to 25% in 2020. The vast majority of attacks still are (and likely will remain) a problem for standard ports, such as HTTP (port 80).

SonicWall 2019-2020 Global Malware Attacks

14. Malware attacks down, but ransomware and IoT malware are up

IoT devices are proliferating, and many come with far more limited malware protection than devices operating more common operating systems. In 2020, SonicWall found malware was down 43% but ransomware was up a record 62% while IoT malware saw a 66% increase with a total of 56.9 million attacks against IoT devices.

15. Over 268,000 new malware variants were detected in 2020

SonicWall identified 268,362 “never-before-seen” malware variants in 2020. This was an increase of 74% from 2019 when SonicWall recorded a total of 153,909 “never-before-seen” malware variants.

16. PDFs and Microsoft Office files were used in nearly 35% of new malware detections

Their ubiquity across devices makes PDFs and Office files, such as Word and Excel documents, extremely popular as payload mechanisms for malware authors. SonicWall found almost 25% of “never-before-seen” malware files were couched in Office files. Nearly 10% were carried in PDF files.

17. As cryptocurrencies rebounded, so did cryptojacking

Cryptojacking rose 28% in 2020 with 81.9 million attempts compared to the 64.1 million of 2019. In particular, there was an unprecedented spike in March. Now, you may be tempted to blame the pandemic for this, but as SonicWall observes, there’s usually a spike at around this time; the worldwide lockdowns likely only enhanced the severity of this one.

SonicWall Global Cryptojacking Volume

The chaotic ups and downs in cryptojacking activity highlight just how much cybercriminals respond to market demands. Malware has always been about achieving the best possible outcome (stolen information and money) with the least amount of effort. An increase in the use of website malware blocking technologies is why phishing sites are far more popular, but cryptojacking also makes for an easy money-making venture for cybercriminals who, for all intents and purposes, follow the same principle as Wall Street brokers: “buy low, sell high”.

18. Coinhive’s shutdown revealed its startling contribution to cryptojacking

Although the Coinhive cryptocurrency mining service was legitimate, it was quickly co-opted by cybercriminals who installed it surreptitiously onto websites to collect cryptocurrency revenue.

Originally launched in 2017, Coinhive voluntarily shut down in March 2019. SonicWall found that after the Coinhive shutdown, cryptojacking hits on its cybersecurity monitoring network fell by 78%.

19. Cerber takes the lead in hackers’ favorite ransomware tool

Notably, Cerber is part of what’s known as “Ransomware as a Service” or RaaS. Cybercriminals can hire others to launch attacks using the Cerber malware, and receive around 40 percent of the paid ransom. In 2017, SophosLabs investigated 5 RaaS kits and found that some can be extremely inexpensive (less than $40), while others can exceed several hundred dollars to purchase and employ. However, they’re highly customizable, and hackers appear to operate their ransomware services with a surprising degree of professionalism.

20. Ryuk surpassed Cerber as the top ransomware signature of 2020

There were over 189 million ransomware signatures detected in 2019. Of those, 77 million were part of the Cerber family. The many different Cerber ransomware variants were responsible for 33% of ransomware attacks in 2019. However, Ryuk had a prolific surge in 2020, going from as little as one case per day in January 2020 to some 19.9 million cases in September 2020, equivalent to nearly eight cases of Ryuk per second.

SonicWall Global Ryuk Ransomware Volume

21. 3.7 million malware attacks were sent using encrypted traffic

A growing number of threat actors are sending malware attacks over encrypted SSL/TLS traffic. Encrypted channels make detection and mitigation more difficult, resulting in higher success rates for the malware packages in question. SonicWall detected 3.7 million malware attacks of this nature in 2019, which marked a 27% increase compared to 2018.

22. Symantec’s data confirms malware variant declines

Symantec also recorded a strong decline in malware. The security company found a 61 percent year-over-year decrease in new malware variants between 2017 and 2018. For its part, WatchGuard reported that zero-day malware accounted for over 50 percent of all malware blocked in Q3 2020, an increase of 14% year on year.

23. “Formjacking” is a growing problem for websites

Symantec also noticed a stark rise in what’s known as “formjacking”, which BrightTALK called the “breakthrough threat of 2019”. Formjacking occurs when hackers insert malicious JavaScript into a website’s code that allows it to “skim” financial information from payment forms. Security researchers currently compare it to ATM skimmers, which attach to the card reader on ATM machines to skim the information from a credit card’s magnetic strip.

Malware facts and stats 2019
Source: Symantec

Symantec identified an average of 4,800 websites compromised with formjacking code each month in 2018. The security company also blocked 3.7 million formjacking attacks that year, highlighting the growing threat. There’s little data related to formjacking to draw upon prior to 2018, which helps indicate the rapid growth of this malware attack vector.

Overall, it appears cybercriminals have massively switched their tactics: instead of trying to get web users to download malware directly from infected web pages, they now prefer alternative malware delivery methods. Even formjacking, which is in effect a type of malware, doesn’t require the user to download a file. Hackers appear to now prefer more discreet methods.

24. The City of Baltimore suffered a major ransomware attack

In May 2019, news reports rolled in covering the Baltimore City government’s painstaking (and embarrassing) efforts to recover from a major ransomware infection. It took Baltimore City’s government 36 days to loosen hackers’ grip on its data, and even longer to fully recover all of the systems that were locked down. The city spent over $18 million recovering from the attack.

Although—to our knowledge—Baltimore did not pay a dime of that money to the hackers who held the city’s files hostage, many ransomware victims do choose to pay instead of eating such high costs associated with recovery.

As with most malware, ransomware isn’t a guaranteed income source for cybercriminals, but it’s far more successful than most traditional malware attempts. As a result, some ransomware avenues are still on the rise in 2019, even as security companies develop more effective mitigation methods and tools.

25. Enterprises are the main target for ransomware

Symantec noted a 12 percent increase in enterprise ransomware in 2018, for example, although it also recorded a 20 percent decline in ransomware overall that year. The company also identified a 33 percent rise in mobile ransomware, which highlights a new trend of criminals targeting mobile users with file-encrypting malware.

Worryingly, Positive Technologies found that there’s a growing “access for sale” market on the dark web. In fact, hackers were advertising access to the networks of major US service sector and industrial companies, with some buyers offering up to 30% commission on the proceeds of any hack performed.

26. Ransomware payment demands are increasing in size

One of the biggest reasons hackers appear to prefer ransomware versus more traditional viruses and malware is because of the payoff. Ransomware payments are now totaling around $1 billion per year, making them far more lucrative than traditional malware operations. Ransomware is so financially-viable, in fact, that hackers have upped the amounts they’re asking for in ransom payments. According to Beazley, the criminals’ asking price for ransomware removal increased 93 percent in Q1 2019.

Malware projections for 2021 and beyond

Based on what we’ve seen so far in 2020, we can expect to see a few key takeaways for the remainder of 2021:

  • Malware-infected sites will likely continue to fall out of favor and decrease in volume
  • Cybercriminals will continue to target larger enterprises with malware in the hopes of securing a large, one-off payment
  • The demanded ransomware payment amount will continue to increase
  • Formjacking may continue to increase, although security professionals may start paying more attention and stem its growth into 2021
  • The cryptojacking threat to IoT devices will grow, in no small part thanks to the growing number of unsecured IoT devices that consumers purchase in ever-increasing numbers

There’s no telling what new threats may emerge, and how the malware landscape may shift. As major security companies have reported in the past, a fair amount of activity tends to increase in Q4 in most years, which is often associated with the holiday shopping season.

As ever, hackers tend to be reactive instead of proactive, going for low hanging fruit whenever possible, or easily-exploited vulnerabilities in systems where they can be found. Their tactics tend to change only when their efforts become unprofitable.

It’s also hard to ignore the ever-present danger posed by state-sponsored malware attacks, which are rarely profit-driven and tend to be politically-motivated. Such attacks will likely increase into 2020 and 2021, with all eyes on China, Russia, and North Korea, and a keen focus toward the US as the 2020 election season rolls in.
