CIRA Canadian Shield blocked 2.2 million DNS requests associated with 15 known botnets in Q3. The high volume of blocks was largely attributed to Sodinokibi/REvil, a sophisticated type of ransomware that was first identified by CIRA Canadian Shield in July 2021.
The other most common botnets blocked by Canadian Shield were Qsnatch, a backdoor malware tailored to attack storage hardware; Simda, a well-known malware and botnet; and Tinba, which is often used for financial fraud.
Canadian Shield also blocked Flubot malware, a mobile spyware, which made its first appearance in September with 1,043 DNS requests blocked. Pykspa, a type of malware that spreads using Skype, also saw a higher volume in Q2 of 2021 compared to the first six months of the year, with over 2,700 DNS requests blocked in September alone.
Most common botnets:
- REvil (or Sodinokibi)
Botnets are busy while you sleep.
When aggregating the volume of botnet blocks by hour of day, we find that there is an increased volume of blocks around midnight ET, with an average of over 300,000 recorded between 12 am and 1 am.
This is a consistent pattern based on historical data going back to October 2020.