Coronavirus Malware: Cyber Threats Rising

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.

Malware, ransomware, phishing attacks, and social engineering strategies as cyber threats have been rising since the outbreak of COVID-19. The digital landscape has changed, as people are moving more of their lives online. With this move, bad actors are also evolving with new and complex cybercrime methods. It is helpful to know what these attacks look like to best find ways to prevent and thwart them. Defending against cyber threats during the pandemic requires a multifaceted approach with good cyber hygiene and security practices to prevent, block, and stop attacks.

Cyberattacks on the rise during the pandemic

There has been a 400 percent spike in cybersecurity complaints to the FBI since before the pandemic, rising to nearly 4,000 complaints per day compared to around 1,000 daily complaints before the coronavirus outbreak. Whenever there is uncertainty in the world, criminals take note and look for ways to exploit potential weaknesses due to people’s anxiety and shifting online trends. With the pandemic comes heightened anxiety, which has increased the range and number of cyberattacks and the success of these attacks. More and more people are working from home, which can create network insecurities and increased cyber vulnerabilities. Additionally, people are banking, shopping, and doing more of their business online. This means they are putting more financial and personal information in digital forms, making it vulnerable to hackers and cyberattacks. Evolving cyberthreats during the pandemic are targeting healthcare organizations, financial services, retail operations, and public administrations. Fraudsters are also preying on fear and using fake coronavirus emails and websites to perpetuate cybercrime.

Evolution of threats due to coronavirus

As officials have shifted their attention to the public health crisis, Interpol warns that cybercriminals are exploiting this since it can also mean that cyber defenses are down. Cybercriminals look to gain access to systems and networks when key officials have their hands full dealing with something else. Social engineering tactics early in the pandemic used COVID-19 information to try and bait users, and these tactics have now shifted to coronavirus job listings and school updates. For instance, fake health surveys are asking for more information as schools are asking for more details. The pandemic has also caused a lot of job losses, which has more people seeking new employment opportunities. This gives fraudsters a different form of bait to use. Fraudulent emails claiming to have information on new job opportunities are common phishing tactics.

Threat to healthcare organizations

Healthcare organizations and hospitals are prime victims of rising cybercrime due to the coronavirus. Private health data is worth more than financial data on the Dark Web — as much as 20 times more, CISA (Cybersecurity & Infrastructure Security Agency) reports, making the health and public health (HPH) sector a major target for cybercrime. Ransomware is increasingly effective in the healthcare industry, as these institutions must have access to their systems to provide care and cannot afford to be locked out. Healthcare has a fast-growing and evolving technical landscape, budget constraints, highly valuable data, inconsistent cyber hygiene practices, and often overworked and underpaid staff, which can increase the risk for cyberattack. These are some of the challenges of the healthcare sector that are related to the pandemic directly:

  • A quick shift to remote working to limit disease spread led to less trained users, misconfiguration in work technologies and cloud environments, and a lack of endpoint protection.
  • The global scope of the health crisis requires global coordination, evolving risks, and less options for support and aid.
  • The duration of the pandemic breeds continued uncertainty and economic consequences.
  • Procurement and implementation of security tools for a new work environment were done quickly and were not as thorough as necessary.

Types of threats using COVID-19

The number of cyberattacks related to COVID-19 reached as high as 20,000 to 30,000 per day by April and May 2020 in the United States. This followed global trends as well as the rise of the virus. As soon as the World Health Organization (WHO) declared COVID-19 a global health emergency, cybercrime began to rise, mirroring the development of the virus outbreak. There are several ways that cybercriminals use COVID-19 directly in cybercrime attacks. 

  • Malicious domains: Registered domains on the internet use the terms “COVID-19,” “coronavirus,” “coronavirus antivirus,” “corona antivirus,” and “covid19” that are being used to carry out phishing attacks, spam campaigns, or to spread malware.  
  • Embedded malware: Coronavirus websites and maps are often interactive. Some of these are not legitimate and instead contain spyware, malware, or trojans.  
  • Spam emails: Emails containing headers about COVID-19 often attempt to bait users into clicking links that will then download malware.  
  • Business email compromise (BEC) scams: This is another type of spam and scam email that uses the health crisis directly, often posing as relief organizations and asking for money or Bitcoin for support efforts.  
  • Ransomware attacks: Vulnerabilities in a computer system or network are exploited, or users open emails and engage with infected attachments or links to download malware that locks systems down and holds the computer network or data hostage. Payment is demanded in order to gain access back.  
  • Mobile threats: Using malicious apps supposedly designed to track cases of COVID-19, these apps are actually types of ransomwares that lock phones down, demanding Bitcoin payment to regain access.  
  • Browser apps: A fake COVID-19 information app supposedly from known organizations like the World Health Organization (WHO) hacks routers’ DNS (domain name system) settings in Linksys or D-Link routers. This then triggers web browsers to open automatically and display alerts from the apps requesting users to click and download the “COVID-19 Inform App,” which installs a malware variant that steals browser history, browser cookies, saved login credentials, browser payment information, and more.  
  • Social engineering: One of the largest and most well-known attacks during the pandemic is the Twitter hack. A teenage hacker was able to use physical methods to control a cellphone and then convince a Twitter employee that he was a Twitter IT employee to then gain access to high-profile Twitter user accounts. With that access, he conned people into sending him Bitcoin by claiming to be well-known business executives, celebrities, and politicians.
  • Sextortion scams: Sextortion scams typically threaten users via email that they have access to web history, or their web camera, and cybercriminals claim to have evidence of them in compromising positions. They then demand payment or this information will be exposed or publicized. Coronavirus versions of this scam threaten to infect targets or their families with the virus if payment is not made.

Cybercriminals have also targeted companies working on coronavirus research and development, looking to steal their proprietary information. Early on in the hunt for a vaccine, the FBI issued warnings that foreign government hackers were targeting healthcare and research institutions working on treatments and vaccines for the virus.

Malware & coronavirus

Malware is getting increasingly complex, as cybercriminals evolve. One of the major threats that has come up during the pandemic involving malware is MBR-rewriting malware. This type of malware can destroy the system it infects by rewriting the computer’s master boot record (MBR) or wiping files. These malware variants use a coronavirus theme to destroy rather than seek financial gain.

  • MBR-rewriting malware: There have been five identified coronavirus-themed malware strains that either wipe files or rewrite the MBR. One of these variants, COVID-19.exe, infects computers and then disables the Windows Task Manager, displaying a window that cannot be closed. While a user is attempting to manage this window, the malware is rewriting the MBR undetected behind the scenes. The PC is then restarted, triggering the new MBR, blocking users into a pre-boot screen.
    Another strain of MBR-rewriting malware posed as “CoronaVirus ransomware,” which then stole passwords mimicking ransomware to keep its true purpose unknown. The ransomware was only a façade. As soon as the data was stolen, the malware would rewrite the MBR, blocking users into a pre-boot message and denying access to their PCs. Since a user was unable to access their PC and saw a displayed ransom note, most would not think to check if passwords for apps had been stolen as well.  
  • Phishing and coronavirus: The vast majority of data breaches, 85 percent, do not exploit flaws in computer code but instead target human users directly. More than half of these data breaches are schemes aimed at stealing login credentials, such as phishing schemes. Phishing schemes involving the coronavirus typically use email headers or contain information regarding the pandemic in some form. These scams try to get users to click on infected links or download malicious attachments in an effort to steal sensitive data like login credentials. These phishing scams often take users to fake login fields, appearing to look like a legitimate login portal, such as from Facebook. Once a user inputs their credentials, the hacker has access to the user’s account and can go in, lock the user out, and steal all the private information contained within the app. Phishing scams more than doubled in 2020 from 2019 with scammers using phishing emails and text messages in a variety of ways. These scams included:  
    • Fake surveys about COVID-19 vaccines, disguised as coming from one of the manufacturers (Pfizer, Moderna, and AstraZeneca) and promising a reward if users provide a bank or credit card.
    • Emails, phone calls, or text messages claiming a big cash reward for receiving your shot in states with vaccine lotteries and requesting bank data or a Social Security number to claim the prize.
    • Impersonations of FEMA (Federal Emergency Management Agency) officials through emails, phone calls, or text messages to obtain personal information by “registering” individuals for a federal program that provides relief for funeral expenses related to COVID-19. The program is real, but the phishing scam solicits information, which FEMA will not do directly.
    • Phone calls, emails, and text messages supposedly from the IRS (Internal Revenue Service) or other government agencies advising people to either pay a fee, click a link, or confirm personal data such as your Social Security number to secure your stimulus check.
    • Facebook messages claiming to provide “COVID-19 relief grants” by inputting personal and sensitive information.  
  • Ransomware and coronavirus: Ransomware is a hack during which cybercriminals gain access to a victim’s system, generally using malware to hijack it, and then demand a ransom payment to regain control. Ransomware can also involve a data breach, extorting companies or organizations with threats of leaking this sensitive information if the ransom is not paid. Ransomware attacks have spiked nearly 500 percent since the start of the pandemic. Payment demands are also steadily increasing, with the average payment being near $200,000. A particularly infamous ransomware gang operating out of Eastern Europe and known as Wizard Spider, or UNC1878, uses the TrickBot trojan to gain access to a user’s system and then Ryuk ransomware to extort organizations and companies. Healthcare organizations and hospitals have been especially vulnerable to ransomware during the pandemic with three-quarters of all attacks on American healthcare organizations involving Ryuk. A ransomware variant called CoronaVirus has been spread through a seemingly legitimate WiseCleaner site, claiming to promote system optimization. But when a user downloads the WSGSetup.exe from the fake site, two different forms of malware are downloaded. One is the CoronaVirus ransomware, and the other is the trojan Kpot that serves to steal passwords. The CoronaVirus is injected into the boot process of the PC, which triggers threats and demands ransom payment while delaying the Windows Startup process. The requested payment seems minimal — only $50 worth of Bitcoin — but in the meantime, Kpot has stolen important passwords and login credentials.  
  • Coronavirus scams and the dark web: The pandemic has also seen a rise in COVID-19 related services and products for sale on the dark web, using private and hard to trace browsers such as Tor. Cybercriminals are preying on fear and anxiety surrounding the virus. At the beginning, they were offering a multitude of items such as these:  
    • PPE
    • Fake vaccines
    • Drugs claiming to “cure” the virus
    • Blood from allegedly recovered victims
    • Templates for phishing scams and emails
    • Malware targeting weakened cybersecurity of workers at home

Criminals on the dark web have had to change tactics with the pandemic, as it has cost them traditional methods of revenue as well. With fewer people traveling and requesting services related to travel,  such as air miles or forged travel documents, scammers have had to move on to other schemes to keep up their revenue stream. As more people are working from home and spending more time online, cybercriminals are evolving to tap into new markets and schemes. As the pandemic has raged on, criminals are now exploiting additional avenues, including selling forged documents like vaccine cards and fake COVID test results. Between January and March 2021, advertisements for phony COVID-19 test results and faked vaccination cards have jumped 300 percent. People are using the dark web to buy and sell these items. As governments and organizations mandate a negative COVID-19 test or proof of vaccine to participate in activities or even go to work, the dark web has picked up on the demand for falsified documents related to the coronavirus.

Scope of COVID-19 threats

Since the beginning of the pandemic, there has been a huge spike in coronavirus-related cybercrime. Criminals are seeing an opportunity and seeking to seize it. In the first half 2020, CISA reports the following:

  • More than 35,000 take-down notices were issued for malicious websites.
  • Every day in April, 18 million malware and phishing emails were blocked by Google.
  • There were more than 900,000 spam messages and nearly 800 malware-related incidents from January to April. 
  • Close to 50,000 malicious URLs tied to COVID-19 were detected between January and April.

Financial institutions, such as banks and insurance providers, are noticing a major jump in threats related to coronavirus, as nearly three-quarters report a rise in cybercrime since the pandemic started. Close to 40 percent of financial institutions believe that their customers are at a greater risk for cybercrime and fraud. Over 40 percent report that the work-from-home model elevated by the pandemic makes them less secure and more vulnerable to cyberattacks. Data breaches, commonly using ransomware and phishing tactics, are up in 2021 as well, with 281.5 million people impacted by a data breach through October. There have already been more data breaches in 2021 than in all of 2020. The pandemic continues to provide cybercriminals with ample opportunities to exploit security vulnerabilities as well as people’s fear related to COVID-19.

Defense against these threats

Cybercriminals look for vulnerabilities in security systems and exploit human users directly. The best defenses against these threats are awareness, education, and prevention tactics. With more and more workers working remotely, it is more important than ever to practice good cyber hygiene and to keep networks and systems secure. Here are some best practices for defending against cyberthreats:

  • Educate workers on secure practices. Use a standard security protocol and work-from-home organizational policies that are detailed and followed by every employee for every device.
  • Ensure that remote workers are working on a secure network and that the home Wi-Fi router is configured in a secure manner.
  • Use multi-factor authentication and secure passwords that are changed regularly.
  • Make strong passwords that are at least 12 characters, containing letters, numbers, symbols, and a mix of uppercase and lowercase letters.
  • Do not reuse passwords. Create different ones for everything, and do not share them.
  • Keep hardware and software up to date, and ensure patches are installed as needed.
  • Use anti-virus and anti-malware software.
  • Encrypt all devices that contain proprietary, employee, or sensitive information or data.
  • Keep data and devices secured and locked up when not working.
  • Train employees to recognize phishing scams, and educate workers not to click on links or download suspicious attachments contained in emails. Instead, they should send them to the IT security team for verification.
  • Educate users about malicious websites and URLs, and instruct them to only go to authorized websites directly.
  • Keep a secure backup of your data to protect yourself from ransomware attacks. If all sensitive information is not stored in the same place, it will be harder for cybercriminals to hold your data hostage when you are able to access it elsewhere already.
  • Conduct safe remote meetings by using an approved platform, introduce new participants as they join, choose new meeting codes for each meeting and change them regularly, and do not record the meetings if it is not extremely necessary.
  • Perform regular health scans on all computers and mobile devices.
  • When using a mobile device, only download apps from a trusted source.
  • Keep secure and confidential information locked up on a work computer, and do not transfer it to personal devices.
  • Disable outdated and third-party components, as these can be used as entry points.
  • Keep social media accounts secure by regularly updating and checking privacy settings.
  • Keep up with current cybersecurity threats and trends, as malicious websites, known schemes, names of hackers, and cyberattack information is published to help educate the public and prevent future victims.

If you believe you are the victim of cybercrime, report it right away to the local police. Victims of fraud should report the incident directly to the Federal Trade Commission (FTC). There are also a number of security products and services that can help to protect both individuals and organizations from potential data breaches and cybercrime risks. Cybercriminals are expanding their reach during the pandemic. Businesses need to beef up security practices and continually evolve to help prevent, thwart, stop, and minimize potential consequences of a cyberattack.


FBI Sees Spike in Cyber Crime Reports During Coronavirus Pandemic. (April 2020). The Hill.

Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks During the Pandemic. (June 2021). Computers & Security.

Covid-19 Cyberthreats. Interpol.

Confronting Heightened Cybersecurity Threats Amid Covid-19. Cybersecurity & Infrastructure Security Agency (CISA).

Cybersecurity Challenges to Healthcare Sector. Cybersecurity & Infrastructure Security Agency (CISA).

Exploiting a Crisis: How Cybercriminals Behaved During the Outbreak. (June 2020). Microsoft.

The Teenager Allegedly Behind the Twitter Hack and How He Did It. (August 2020). The Wall Street Journal (WJS).

FBI Official Says Foreign Hackers Have Targeted COVID-19 Research. (April 2020). Reuters.

Covid-19 Malware Will Wipe Your PC, Rewrite MBR. (April 2020). ACM Technews.

Cybercrime Is Thriving During the Pandemic, Driven by Surge in Phishing and Ransomware. (May 2021). CBS News.

Beware of Robocalls, Texts, and Emails Promising COVID-19 Cures or Stimulus Payments. (October 2021). AARP.

The Increase in Ransomware Attacks During the Covid-19 Pandemic May Lead to a New Internet. (June 2021). The Conversation.

A Wave of Ransomware Hits US Hospitals as Coronavirus Spikes. (October 2020). MIT Technology Review.

Coronavirus Ransomware Uses Scare Tactics to Deliver Nasty Info-Stealing Trojan. (March 2020). Forbes.

Dark Web Scammers Exploit Covid-19 Fear and Doubt. (May 2020). BBC News.

COVID-19 Scams Booming on the Dark Web. (March 2021). Fox 5 New York.

COVID-19 Cybersecurity Impacts. (December 2020). Cybersecurity & Infrastructure Security Agency (CISA).

COVID Cyber Crime: 74% of Financial Institutions Experience Significant Spike in Threats Related to COVID-19. (April 2021). Businesswire.

The Number of Data Breaches in 2021 has Already Surpassed Last Year’s Total. (October 2021). Fortune.

Report to Help Fight Fraud. Federal Trade Commission (FTC).