COVID-19 brought with it a surge in cyberattacks, and this included a huge rise in destructive attacks and counter incident response, according to VMware Carbon Black’s annual threat report.

“We noted a dramatic increase in destructive attacks — the use of wipers and ransomware, NotPetya style, within networks,” said Tom Kellermann, head cybersecurity strategist at VMware Carbon Black, during a virtual Black Hat happy hour panel. “And in conjunction with that, these destructive attacks will be leveraged as part of counter incident response. So it went beyond just the deletion of logs and the manipulation of timestamps. Essentially the defenders are being punished. I’m not personally sure whether that’s due to geopolitical tension, or whether it’s due to the old mantra of burning the evidence after you kill someone metaphorically.”

For the report, VMware Carbon Black conducted an online survey about trends in incident response in April 2020. Forty-nine incident response professionals from around the world participated.

Destructive Attacks, Counter IR

Specifically, the survey found one-third of respondents (33%) encountered instances of attempted counter IR in the 90 days before they took the survey. This represented a 10% increase from last year’s report. The forms of counter incident response used — mostly destruction of logs (50%) and diversion (44%) — signal attackers’ increasingly punitive nature and the rise of destructive attacks more broadly, VMware says.

And while 53% of all incident response professionals surveyed encountered or observed an increase in cyberattacks exploiting COVID-19, attackers hit banks especially hard. More than half of attacks (51%) in the 90 days prior to this survey hit the financial sector, followed by health care (35%), professional services (35%), and retail (31%). Similarly, 59% of those surveyed said attackers’ end goal was financial gain.

VMware Carbon Black’s findings echo other recent security reports that found attacks not only skyrocketing during the pandemic but also becoming more sophisticated.

“You’re seeing this transition from burglary to home invasion or from the heist to a hostage situation,” Kellermann said. “The adversary no longer just wants to burglarize the environment, nor do they want to just act as a hacktivist. They essentially want to commandeer the digital transformation efforts of the victim and use their network, their website, their mobile app, even their mail server to push attacks against their constituency.”

Attackers spend more time on reconnaissance, and more time inside an organization’s IT environment, which now includes their homes, before deploying malware. “This is right out of the Russian playbook, but it’s being adopted by a number of other nation-state actors as well as criminal syndicates,” Kellermann said.

In fact, more than half of respondents (51%) saw attacks from China, followed by North America (40%) and Russia (38%). China’s state-sponsored hackers’ capabilities now rival those of Russia, Kellermann said.