Why has there been an increase in cyber security incidents during COVID-19?

By Andy Auld and Jason Smart, PwC UK Cyber Threat Intelligence

In recent weeks there has been a rise in the number of public, high-profile cyber security incidents, the majority of them ransomware attacks in which exfiltrated data has subsequently been leaked. This adds difficult operational issues on top of responding to COVID-19, and it also sharpens focus on the link, and the potential conflict, between investigative findings (e.g. finding no evidence that data was exfiltrated) and the possibility of regulatory action (e.g. after exfiltrated data is leaked).

But is this the work of threat actors seeking to take advantage of the disruption the pandemic has brought, or have there been longer term plans involved?

Increase in ransomware attacks

Though there have been several major cyber incidents reported in the past few weeks, initial access to networks is typically established well before such attacks are made public or identified by the victim organisation. Analysis by our Threat Intelligence team shows that the recent breaches have also come at a time when ransomware threat actors are increasingly setting up ‘leak sites’ specifically to post stolen data.

In December 2019, the threat actor in control of Sodinokibi ransomware began stealing data from victim networks prior to its encryption. They then posted links to the stolen data on a private, Russian-speaking dark web forum. At the beginning of January 2020, the actors controlling Maze ransomware took this one step further, creating a semi-public site specifically to post stolen data. 

Since then, nine further ransomware actors have created their own leak sites and we expect additional actors to do the same. By 20 May, over 150 organisations globally had had their data published on leak sites; the majority of these postings (60%) occurred after 11 March, when the WHO first declared the COVID-19 outbreak to be a pandemic. Of these, the overwhelming majority (80%) were leaked after 23 March, when the lockdown commenced in the UK.

Not only does this ransoming of systems mean companies immediately lose critical business functions at a crucial time, but leaking data adds a wide variety of external pressures and increases attention from information regulators. On top of changing operations to respond to the pandemic, companies don’t want their ability to protect customer and employee data coming into question, bringing the threat of GDPR fines. 

The frequency of cyber breaches coupled with the obvious difficulties of recovering from these attacks highlights the need for businesses to create a well-defined incident response plan. This ensures they can respond quickly and effectively in the event of a breach, helping to minimise business impact and residual risk.

Cyber threats during COVID-19

What’s caused the increase in cyber incidents?

Overall, there could be a number of reasons why we’ve seen an increase in cyber attacks becoming public. These include: 

  • Espionage actors operating on behalf of governments, driven by economic interests or increased geopolitical tensions;
  • Reduced spending from consumers means groups that traditionally go after credit card details need to find new income sources;
  • Organised crime groups likely see this as an opportunity to target organisations in desperate situations; 
  • Most high-profile ransomware operations are run as affiliate programmes, which has driven growth in the number of actors and affiliates participating in them. Ransom demands (and therefore revenues) are growing, encouraging other actors to enter the market;
  • Opportunistic reconnaissance identifying vulnerabilities, possibly related to rapidly stood up remote working practices.

Reducing cyber risk

Alongside the increase in ransomware and phishing attacks linked to COVID-19, businesses need to consider how the rapid shift to remote working might have increased the risk of a cyber incident. Organisations may have bypassed existing cyber security procedures and good practice or taken shortcuts which now need to be reviewed.

There are three areas organisations can focus on to reduce the immediate risk of a cyber incident:

  • Secure newly implemented working practices and supply your workforce with updated guidance on what suspicious activity looks like and how they might be targeted during this pandemic.
  • Ensure the continuity of critical security functions – you should be looking beyond simply being reactive to actively monitoring your network and resource needs and planning ahead.
  • Counter opportunistic threats by monitoring for suspicious activity across your IT estate while also ensuring you have an incident response strategy in place.

You can find more information on priorities to respond to COVID-19 in our latest whitepaper, available here.

Contact us

Sean Sutton

Partner, Cyber Security, PwC United Kingdom

Tel: +44 (0)7483 407797

Kris McConkey

Cyber Threat Operations Lead Partner, PwC United Kingdom

Tel: +44 (0)7725 707360
