Malware statistics and facts

“Malware” describes any malicious program created to wreak havoc or mischief on a computer system. Thanks to the constant push-and-pull between security professionals and cybercriminals, it’s also an ever-evolving ecosystem. Shifts in the malware environment change every year, although long-term trends are identifiable in year-over-year data reports.

Despite numerous anti-malware measures, cybercriminals and hackers don’t give up quickly, especially not as long as there’s money to be made in malware. Some traditionally-popular forms of malware appear to be losing traction in 2022 as cybercriminals change their tactics to attack new or underutilized vulnerabilities.

Signs currently point to hackers shifting their focus toward discrete infections through IoT and email. There is a continued focus on enterprise businesses and governments versus average web users, especially when it comes to ransomware infections.

Here’s a rundown of the most interesting malware statistics:

1. Employees with infected machines are spreading viruses more broadly

In 2020, 61 percent of organizations experienced malware activity that spread from one employee to another. In 2021, that number rose to 74 percent, and in 2022, it hit 75 percent — the highest rate of infection since the SOES survey began in 2016.

The increase in the employee-to-employee spreading of malware could be one of any number of reasons; for instance, phishing attacks are becoming more sophisticated while, at the same time, employees may encounter more distractions while working from home.

2. Business-disrupting ransomware attacks are on the rise

In its 2021 State of Email Security Report, Mimecast found that 61% of organizations experienced a ransomware attack that led to at least a partial disruption of business operations. The previous year, 51% of organizations reported experiencing these types of malware attacks, so the number has risen substantially.

3. Organizations in the US are among the most prepared for cyberattacks

Organizations worldwide report ransomware attacks impacting business, but it seems businesses in the US are increasingly prepared, with 47 percent having cyber-resilience strategies in place. However, in places like the Netherlands, only 21 percent of companies have a plan to deal with any cyberattacks they might face.

4. Almost 70% of organizations may have understaffed cybersecurity teams

In its 2022 State of Cybersecurity Report, ISACA found that 69 percent of cybersecurity professionals believe their organization’s cybersecurity team is understaffed, up from 61 percent last year. Understaffing among organizations, including businesses and government, could create a strain on existing staff and lead to an increased risk from malware threats.

Almost half (47 percent) reported their organizations were “somewhat” understaffed, while 15 percent reported they were “significantly” understaffed. A further 34 percent reported that their organization is “appropriately” staffed, while just three percent reported being either “somewhat” or “significantly” overstaffed.

The demand for workers is also increasing year-over-year. From C-suite executives to technical and contributors, jobs across the cybersecurity industry continue to go unfilled as demand outpaces the growth in the number of workers with the requisite skills.

cybersecurity staffing levels
Source: ISACA

5. Some types of malware are on the decline

A collection of recent data and research points to a change in how consumers and businesses experience and receive malware. The SecureList IT Threat Evolution report for Q3 of 2021 shows that ransomware modifications are rarer (reduced by 36.2 percent) than they were at the same time last year.

6. Phishing sites are now an incredibly popular attack method

Phishing sites are typically designed to look like the official version of other websites. PayPal is a commonly-mimicked site, for example, as gaining access to users’ PayPal credentials can be distinctly profitable for hackers. Banking and social media sites are also fairly common targets.

Read more: 70+ common online scams used by cybercriminals.

7. Google removing far fewer malware-infected sites

According to Google’s Transparency Report, 2.195 million websites made its list of “Sites Deemed Dangerous by Safe Browsing” category, as of January 17, 2021. The vast majority of those (over 2.1 million) were phishing sites. Only 27,000 of Google’s removed sites were delisted because of malware. That’s more than a 800 percent difference in favor of phishing sites, which have seen a year-over-year increase of 28 percent.

8. The number of malware attacks is rising again

In 2020, the number of new malware attacks declined for the first time since 2015. However, according to SonicWall’s 2022 Cyber Threat Report, this was just a temporary dip, with malware attacks now sitting at 10.4 million per year, roughly where they were back in 2018.

9. New malware variants decreasing year-over-year

SonicWall reported 5.4 billion malware attacks took place in 2021, which sounds bad but actually represents a small decrease from the previous year. More notably, 2020 saw attacks fall by 43 percent, so we’re still seeing a downward trend.

10. Domain Generation Algorithms are still hampering malware mitigation efforts

Domain Generation Algorithms, or DGAs, allow malware architects to automatically generate a large number of domain names which then serve as rendezvous points to help control and collect data from the active malware infections. DGAs make investigation and analysis efforts difficult, which in turn makes it difficult to shut down botnets.

Over 40 malware families employ DGAs, including well-known malware including CCleaner, Emotet, and Mirai. SonicWall identified over 172 million randomly-generated domains in 2019.

11. Iran is the most impacted country for malware infections distributed by mobile

Kaspersky Labs reported that of all the users of its mobile security product worldwide, Iran faced the highest number of malware attacks in Q1 2022 with the share of mobile users attacked reaching a significant 35.25 percent, up from 23.79 in 2021.

12.  Malware attacks on non-standard ports fall by 10 percent

SonicWall’s 2022 report found that attacks on the tens of thousands of non-standard ports available decreased to nine percent in 2021. This is a significant drop since last year and actually the lowest rate of incidence since 2019. The vast majority of attacks still (and likely will remain) a problem for standard ports, such as HTTP (port 80).

malware attack non standard ports
Source: SonicWall

13. Ransomware and IoT malware are more common than ever

IoT devices are proliferating, and many come with far more limited malware protection than devices operating more common operating systems. In 2021, SonicWall found ransomware was up a record 105 percent while IoT malware saw a slight 6 percent increase with a total of 60.1 million attacks against IoT devices.

14. Over 268,000 new malware variants were detected in 2020

SonicWall identified 442,151 “never-before-seen” malware variants in 2021. This was an increase of over 60 percent since the prior year, which saw 268,362 new variants.

Related post: Best Malware Detection Tools

15. PDFs and Microsoft Office files were used in over 20% of new malware detections

Their ubiquity across devices makes PDFs and Office files, such as Word and Excel documents, extremely popular as payload mechanisms for malware authors. SonicWall found almost 9% of “never-before-seen” malware files were couched in Office files. Over 14% were carried in PDF files.

16. As cryptocurrencies rebounded, so did cryptojacking

Cryptojacking rose 19 percent in 2021 with 97 million attempts compared to the 81.9 million of 2020, In particular, there was an unprecedented spike in March, although previous data suggests that this is a fairly predictable trend (though it’s unclear why).

sonicwall 2022 cryptojacking volume
Source: SonicWall

The chaotic ups and downs in cryptojacking activity highlight just how much cybercriminals respond to market demands. Malware has always been about achieving the best possible outcome (stolen information and money) with the least amount of effort. An increase in the use of website malware blocking technologies is why phishing sites are far more popular, but cryptojacking also makes for an easy money-making venture for cybercriminals who, for all intents and purposes, follow the same principle as Wall Street brokers: “buy low, sell high”.

17. Coinhive’s shutdown revealed its startling contribution to cryptojacking

Although the Coinhive cryptocurrency mining service was legitimate, it was quickly co-opted by cybercriminals who installed it surreptitiously onto websites to collect cryptocurrency revenue.

Originally launched in 2017, Coinhive voluntarily shut down in March 2019. SonicWall found that after the Coinhive shutdown, cryptojacking hits on its cybersecurity monitoring network fell by 78%.

18. Cerber takes the lead in hackers’ favorite ransomware tool

Notably, Cerber is part of what’s known as “Ransomware as a Service” or RaaS. Cybercriminals can hire others to launch attacks using the Cerber malware, and receive around 40 percent of the paid ransom. In 2017, SophosLabs investigated 5 RaaS kits and found that some can be extremely inexpensive (less than $40), while others can exceed several hundred dollars to purchase and employ. However, they’re highly customizable, and hackers appear to operate their ransomware services with a surprising degree of professionalism.

19. Ryuk surpassed Cerber as the top ransomware signature of 2020

There were over 189 million ransomware signatures detected in 2019. In 2021, however, the most common ransomware family, Ryuk, accounted for 180 million hits on its own, up 64 percent year on year. The runners up remained the same as in 2020: SamSam (103 million hits) and Cerber (102 million hits).

sonicwall 2022 ransomware family

20. 60% of total malware attacks were sent using encrypted traffic

Threat actors like to send malware attacks over encrypted SSL/TLS traffic. Encrypted channels make detection and mitigation more difficult, resulting in higher success rates for the malware packages in question. However, WatchGuard reported that in Q1 2022, 60.1 percent of all detected malware were attacks of this nature, down from 91 percent in Q2 of 2021.

21. Log4j breach shows threats can come from any angle

In 2021, a vulnerability was found in a hugely-popular logging tool that allowed attackers to remotely run code on affected systems. The scale of this problem (and its potential impact) were far-reaching, and while a fix was rapidly rolled out, the incident only further illustrates the need for regular software updates and a strong cyber-resilience plan.

22. The University of California at San Francisco suffered a major ransomware attack

In June 2019, the University of California made the headlines after the IT systems at the UCSF School of Medicine were involved in a ransomware attack by the hacking group known as Netwalker. A cure for COVID was the major project the medicines team was working on at the time.

Netwalker had planned to gain access to financial records held by UCSF, who cited billions of dollars in annual revenue. The hacking group demanded a ransom payment of $3 million. The ransom attack wasn’t entirely successful, but Netwalker still managed to negotiate a ransom payment of the bitcoin equivalent to $1,140,895 paid by the medicines group to rectify the damage caused by the cyberattack. The BBC also reported that the hacker group was also responsible for two other university-targeted cyberattacks in 2020.

23. Enterprises are the main target for ransomware

Coveware noted that professional services were the most common targets for ransomware in Q1 of 2022, accounting for 20.2 percent of all attacks. Next in line were public sector organizations (16.7 percent), with financial services and consumer services both tied for third place at 8.9 percent.

coveware ransomware target industries
Source: Coveware

24. The University of California at San Francisco suffered a major ransomware attack

In June 2019, the University of California made headlines after the IT systems at the UCSF School of Medicine were involved in a ransomware attack by the hacking group known as Netwalker. A cure for COVID was the major project the medicines team was working on at the time.

Netwalker had planned to gain access to financial records held by UCSF, which reported billions of dollars in annual revenue. The hacking group demanded a ransom payment of $3 million. The ransom attack wasn’t entirely successful, but Netwalker still managed to negotiate a ransom payment of the bitcoin equivalent to $1,140,895 paid by the medicines group to rectify the damage caused by the cyberattack. The BBC reported that the hacker group was also responsible for two other university-targeted cyberattacks in 2020.

As with most malware, ransomware isn’t a guaranteed income source for cybercriminals, but it’s far more successful than most traditional malware attempts. As a result, some ransomware avenues are still on the rise in 2022, even as security companies develop more effective mitigation methods and tools.

25. Ransomware payment demands are increasing in size

One of the biggest reasons hackers appear to prefer ransomware versus more traditional viruses and malware is because of the payoff. There was an 82% increase in ransomware payments in 2021, now costing  $570,000 on average. Ransomware attacks are far more profitable making them a more lucrative attack than traditional malware operations.

Ransomware is so financially-viable, in fact, that hackers have upped the amounts they’re asking for in ransom payments. According to Emsisoft, the minimum price criminals charged for ransomware removal in the United States is $920,353,010 in 2021.

Malware projections for 2022 and beyond

Based on what we’ve seen so far in 2022, we can expect to see a few key takeaways for the remainder of the year:

  • Malware-infected sites will likely continue to fall out of favor and decrease in volume
  • Cybercriminals will continue to target larger enterprises with malware in the hopes of securing a large, one-off payment
  • The demanded ransomware payment amount will continue to increase
  • The cryptojacking threat to IoT devices will grow, in no small part thanks to the growing number of unsecured IoT devices that consumers purchase in ever-increasing numbers

There’s no telling what new threats may emerge, and how the malware landscape may shift. As major security companies have reported in the past, a fair amount of activity tends to increase in Q4 in most years, which is often associated with the holiday shopping season.

As ever, hackers tend to be reactive instead of proactive, going for low-hanging fruit whenever possible, or easily-exploited vulnerabilities in systems where they can be found. Their tactics tend to change only when their efforts become unprofitable.

It’s also hard to ignore the ever-present danger posed by state-sponsored malware attacks, which are rarely profit-driven and tend to be politically motivated. Such attacks will likely increase in 2023, with all eyes on Russia, China, and North Korea.