Hackers Likely to Leverage Coronavirus Epidemic to Execute Ransomware Attacks, RiskIQ Predicts

March 11, 2020 GMT

SAN FRANCISCO, March 11, 2020 (GLOBE NEWSWIRE) -- RiskIQ, the global leader in attack surface management, today issued an intelligence briefing assessing that cybercriminals are likely to leverage the global anxiety around the coronavirus outbreak to execute ransomware attacks against businesses.

After extensive analysis of past ransomware attacks during global epidemics and current phishing campaigns leveraging the coronavirus, the company predicts threat actors will eventually begin using ransomware against victims they infect with the AZORult and Emotet varieties of malware.

According to the briefing written by the company’s i3 threat intelligence group comprised of former U.S. government agency analysts, these attacks will focus primarily on large corporations, which rely on markets and supply chains originating in China and other coronavirus-affected regions. Personnel at these organizations have heightened interest in news and developments related to the virus, potentially making them more susceptible to social engineering that tricks them into clicking on malicious links.


Clicking on malicious links is necessary to execute the attacker’s malware, which opens the door for ransomware infection. Ransomware takes over and blocks access to computer systems until victims pay a sum of money.

“In the past, cybercriminals have found success using disasters and global epidemics in ransomware and other malware attacks and developed a pattern we expect will continue with the coronavirus,” said Aaron Inness, Protective Intelligence Analyst at RiskIQ. “They execute layered attack campaigns, first with phishing and social engineering to infect users with malware, then taking over the entire system with ransomware or other malware.”

The briefing assesses there are two possible methods of attack, both the result of phishing campaigns. The first involves the AZORult malware, which researchers observed being used as the basis for a phishing campaign targeting members of the shipping industry in January of this year. On at least three different occasions since 2018, however, attackers have used AZORult to deploy ransomware.


The second phishing campaign relies on the Emotet Trojan. Victims in Japan have received emails claiming to contain important information about the coronavirus, but clicking on the link activates Emotet. In September 2019, criminals partnered Emotet with TrickBot and Ryuk ransomware to take over an organization’s network, a scenario that could play out similarly over the coming weeks and months.

According to the briefing, secondary targets could include health organizations involved in tracking the spread, finding a cure, or providing associated public service functions. Targets of opportunity could consist of any institution or individual seeking general information about the spread and impact of the virus.

“Company executives, mid-level managers, administrators of local governments, and, of course, healthcare professionals all have a vested interest in following the latest developments around the spread of coronavirus,” Inness said. “It only takes one tired or overworked individual to click on what they believe is a legitimate alert or update.”

While RiskIQ has not seen either AZORult or Emotet used to deploy ransomware yet, based on its analysis, the company believes organizations should begin preparing for ransomware attacks.

RiskIQ has included detailed guidance and steps organizations should take to protect their attack surface.

Download the threat intelligence briefing here: https://www.riskiq.com/research/ransomware-attacks-the-next-consequence-of-the-coronavirus-outbreak/

Read our blog here: https://www.riskiq.com/blog/external-threat-management/ransomware-coronavirus

About RiskIQ

RiskIQ is the leader in digital attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by thousands of security analysts, security teams, and CISOs, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect the business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, and MassMutual Ventures.

Visit https://www.riskiq.com or follow us on Twitter. Try RiskIQ Community Edition for free by visiting https://www.riskiq.com/community/

© 2020 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are the property of their respective owners.

Contact:
Holly Hitchcock
Front Lines Media
805-801-9798
Holly@FrontLines.io