Cisco Report Finds That Cryptomining Malware Activity Affected 69% of Customers in 2020

News Summary:

  • Nearly 90 percent of organizations had at least one user attempt to connect to a phishing site, most likely by clicking a link in an email.
  • 70 percent of organizations had users that were served malicious browser ads.
  • 51 percent of organizations encountered ransomware-related activity.

Cisco has today published its DNS Security Report, which analyzes malicious DNS activity and threats that occurred between January and December of last year. The report examines data from Cisco Umbrella, the company’s cloud-based network security platform, finding that cryptomining malware affected a vast majority of customers in 2020, generating substantial amounts of malicious DNS traffic, while taking up precious computing resources.

During a year in which security issues have become essential for all to tackle, DNS Threat Analysis, which processes 620 billion global DNS requests daily, found that from January – December 2020 nearly 90 percent of organizations had at least one user attempt to connect to a phishing site, most likely by clicking a link in an email. Among the DNS activity findings: users in 70 percent of organizations got malicious browser ads. Furthermore, 51 percent of organizations encountered ransomware-related activity. Another 48 percent found information-stealing malware activity.

Besides cryptomining, DNS Security report highlights top threat trends that organizations have encountered in 2020 and will most likely encounter this year:


The amount of phishing-related DNS activity was fairly stable throughout the year, with the exception of December, which saw a 52 percent increase around the holidays. In terms of the number of endpoints visiting phishing sites, there were significant increases during August and September.

Overall, phishing is dramatically increasing, and more endpoints began clicking on links in phishing emails. This is due to a very large phishing campaign, where Cisco witnessed a 102 percentage-point shift between July and September.


Trojans started the year strong. The incredibly high number of endpoints connecting to Trojan sites was largely due to Ursnif/Gozi and IcedID—two threats, known to work in tandem to deliver ransomware. These two threats alone comprised 82 percent of Trojans seen on endpoints in January 2020.

Emotet is another banking Trojan which alone is responsible for the large increase in DNS activity from August through September. In all, 45 percent of organizations encountered Emotet.


For most of the year, two key ransomware threats dominated: Sodinokibi and Ryuk.

Beginning in April, the number of computers compromised by Sodinokibi (a.k.a. REvil) increased significantly and continued to rise into autumn. The increase was significant enough that 46 percent of organizations encountered the threat. In September, overall queries from this particular ransomware family shot up to five times that of August, likely indicating that the ransomware payload was being executed across many of the impacted systems.

Ryuk is largely responsible for the November-December spike in activity. Yet the number of endpoints connecting to Ryuk-associated domains remained relatively small and consistent throughout the year, only showing modest increases before query activity skyrocketed.

There is high contrast between the two threats when it comes to the amount of money that each threat reportedly attempts to extort from victims. Sodinokibi tends to hit a large number of endpoints, demanding a smaller ransom. Ryuk compromises far fewer systems, demanding a significantly larger payment.

Commenting on the report, Fady Younes, cybersecurity director, Middle East and Africa, Cisco said: “In today’s threat landscape, the idea that ‘no one is an island’ holds true for threats. The most prevalent attacks these days leverage a variety of threats at different stages. If you find one threat within your network, it’s wise to investigate what threats have been observed working in tandem with it and take precautionary measures to prevent them from causing further havoc.”