What’s the Malware Capital of the US?


A lot of the dangers in the U.S. follow logical and predictable patterns. If you want to avoid tornadoes, you shouldn’t live in Oklahoma, Kansas or Nebraska. If you’re worried about hurricanes and earthquakes, you should avoid the East Coast and West Coast, respectively.

And while dangers such as traffic accidents and property crime are more dynamic and complex, these issues are studied at length, with data released periodically on what areas have shown increases and decreases. In short, it’s easy to find out what sorts of dangers one might encounter in a given area in order to prepare accordingly.

While the damage from cybercrime isn’t as immediately visible as the damage from things like drought and flood, it still has the potential to be extremely devastating and costly. According to the FBI, cybercrime cost individuals and businesses a staggering $3.5 billion in 2019 alone.

To help organizations better assess their risks, SonicWall Capture Labs threat researchers continually monitor cybercrime and release the data collected in reports, such as the recently released mid-year update to the 2020 SonicWall Cyber Threat Report.

The threat research gathered during the first half of 2020 offers insight into not only what modes of attack criminals are using, but also what areas they’re targeting. While no city or state has a monopoly on (or immunity from) malware, there were some notable hotspots. From January to June, researchers identified 304.1 million malware attacks in California — more than 100 million more than in the next-highest state (New York).

So that means businesses in California see a lot more malware, right? Not so fast. According to the Census Bureau’s Survey of Entrepreneurs, firms with fewer than 500 employees accounted for 99.7% of employer firms in the U.S. — and California has by far the largest number of such businesses (791,268 out of 6.4 million total for the entire U.S.).

Simply put, California also has a similarly massive number of endpoints, networks and sensors. In terms of states where any given person is most likely to encounter malware, California is actually tenth … from the bottom.

We call this phenomenon “malware spread.” Knowing the total malware is useful — it allows us to compare year-over-year trends for a given area. But it doesn’t tell us much about the odds a particular person will encounter malware. For that, we need to calculate the malware spread, or the percentage of sensors in an area that saw a malware attack. The greater the malware spread percentage, the more widespread malware is in a given region.

It can be useful to think of malware totals vs. malware spread in terms of how we think about rain. Knowing the total rainfall for a defined area is useful, but it doesn’t tell us whether we’re likely to need an umbrella. For that, we need the Probability of Precipitation, or “chance of rain.” Like the malware spread percentage, this calculation takes into account a number of other factors to provide a more meaningful risk assessment.
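The difference between malware totals and malware spread, worked through as an added example (not code or data from SonicWall). It assumes spread is the share of distinct reporting sensors with at least one malware hit; the record layout, sensor IDs and counts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry: (state, sensor_id, malware_hits in the period).
# Illustrative values only; these are not figures from the report.
SAMPLE_TELEMETRY = [
    ("CA", "ca-01", 900), ("CA", "ca-02", 0), ("CA", "ca-03", 0),
    ("CA", "ca-04", 450), ("CA", "ca-05", 0), ("CA", "ca-06", 0),
    ("CA", "ca-07", 0), ("CA", "ca-08", 0),
    ("KS", "ks-01", 40), ("KS", "ks-02", 0), ("KS", "ks-03", 25),
    ("ND", "nd-01", 0), ("ND", "nd-02", 10), ("ND", "nd-03", 0),
    ("ND", "nd-04", 0), ("ND", "nd-05", 0),
    ("CA", "ca-01", 100),  # a sensor that reports twice is still one sensor
]


def summarize(records):
    """Return {state: {"total": hits, "sensors": n, "spread": percent}}."""
    hits_by_sensor = defaultdict(lambda: defaultdict(int))
    for state, sensor_id, hits in records:
        if hits < 0:
            raise ValueError(f"negative hit count for sensor {sensor_id}")
        hits_by_sensor[state][sensor_id] += hits

    summary = {}
    for state, sensors in hits_by_sensor.items():
        # Spread counts affected sensors, not attacks: one noisy sensor
        # raises the total but moves the spread by a single sensor.
        affected = sum(1 for h in sensors.values() if h > 0)
        summary[state] = {
            "total": sum(sensors.values()),
            "sensors": len(sensors),
            "spread": round(100.0 * affected / len(sensors), 1),
        }
    return summary


def rank(summary, key):
    """States ordered from highest to lowest on the given metric."""
    return sorted(summary, key=lambda s: summary[s][key], reverse=True)


if __name__ == "__main__":
    result = summarize(SAMPLE_TELEMETRY)
    for state in rank(result, "spread"):
        print(state, result[state])
    print("by total: ", rank(result, "total"))
    print("by spread:", rank(result, "spread"))
```

In the constructed data the state with the largest attack total is not the state with the highest spread, which is the same inversion the article describes for California and Kansas.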

To find the state with the highest malware spread, you’ll need to travel 1,523 miles east, to Kansas. Nearly a third of organizations there, or 31.3%, saw malware. (For comparison’s sake, fewer than a quarter of those in California — 24.1% — did.) Moreover, there’s a significantly higher risk of malware in Kansas than in the second-riskiest state, Montana. The percentage decrease between Kansas and Montana is greater than the percentage decrease between Montana and the ninth-riskiest state (Louisiana).

Using the same data set, we can also determine the least-risky states for malware. Here, North Dakota takes top honors — only 21.9% of organizations there saw malware. Georgia, Texas, Maine, New York, Arizona, Missouri, Alaska, Minnesota and California rounded out the list of top 10 safest states in terms of malware.

It’s tempting to try to find commonalities among the riskiest and least risky states, but it’s not likely to yield much more than frustration. For example, the list of riskiest states includes states in the heartland, but also Hawaii — the most coastal state there is. Three of the top five most populous states are on the “least risky” list, but so is Alaska, which is No. 48 — and Florida, the third-most populous, appears on the “riskiest” list. Similarly, each list includes both northern states and southern states, hot states and cold states, red states and blue states. The state malware rankings don’t even line up with the rankings for ransomware risk.

At first glance, this randomness might suggest there are no lessons that can be taken from this data. On the contrary: That is exactly the lesson. There is no “cybercrime capital.” There are no safe harbors. Anyone can be targeted by cybercrime, but the good news is that, with proper safeguards, compromise can be prevented.

Amber Wolff
Senior Digital Copywriter | SonicWall