
IT threat evolution in Q3 2024. Non-mobile statistics


The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

In Q3 2024:

Ransomware

Quarterly trends and highlights

Progress in law enforcement

In August, Spain arrested a cybercriminal who founded Ransom Cartel in 2021 and set up a malvertising campaign. According to the UK’s National Crime Agency (NCA), this individual was also behind the infamous Reveton ransomware Trojan spread in 2012–2014. Reveton was among the most notorious PC screen lockers. This type of cyberextortion predated Trojans that encrypt the victim’s files.

Two other cybercriminals, arrested earlier and suspected of spreading LockBit, pleaded guilty. In 2020–2023, one of them was an active cyberextortionist who attacked organizations in several countries, causing a total of at least $1.9 million in damage. The other one, according to the source, had caused damage estimated at roughly $500,000.

Vulnerability exploitation attacks

Ransomware gangs continue to exploit software vulnerabilities, mostly to penetrate networks and escalate their privileges.

High-profile incidents

Dark Angels, which operates a data leak site (DLS) known as “Dunghill Leak”, extracted what was probably the largest ransom payment ever: $75 million. Researchers who reported the incident did not mention the organization that paid up. Before that, the highest known ransom paid was $40 million, received by Phoenix ransomware operators from CNA Financial in 2021.

The most prolific groups

The statistics on the most prolific ransomware gangs draw on the number of victims added by attackers to their DLSs during the period under review. The third quarter’s most prolific ransomware gang was RansomHub, which accounted for 17.75% of all victims.

[Chart: The group’s victims according to its DLS as a percentage of all groups’ published victims during the period under review]

Number of new modifications

In Q3 2024, we detected three new ransomware families and 2109 new variants, or half of what we discovered in the previous reporting period.

[Chart: New ransomware modifications, Q3 2023 – Q3 2024]

Number of users attacked by ransomware Trojans

Despite the decrease in new variants, the number of users encountering ransomware has increased compared to the second quarter. Kaspersky security solutions successfully defended 90,423 individual users from ransomware attacks from July through September 2024.

[Chart: Unique users attacked by ransomware Trojans, Q3 2024]

Geography of attacked users

TOP 10 countries attacked by ransomware Trojans

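|    | Country/territory* | %**  |
|----|--------------------|------|
| 1  | Israel             | 1.08 |
| 2  | China              | 0.95 |
| 3  | Libya              | 0.68 |
| 4  | South Korea        | 0.66 |
| 5  | Bangladesh         | 0.50 |
| 6  | Pakistan           | 0.48 |
| 7  | Angola             | 0.46 |
| 8  | Tajikistan         | 0.41 |
| 9  | Rwanda             | 0.40 |
| 10 | Mozambique         | 0.38 |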

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

|    | Name               | Verdict                                                  | Share of attacked users* |
|----|--------------------|----------------------------------------------------------|--------------------------|
| 1  | (generic verdict)  | Trojan-Ransom.Win32.Gen                                  | 23.77%                   |
| 2  | WannaCry           | Trojan-Ransom.Win32.Wanna                                | 8.58%                    |
| 3  | (generic verdict)  | Trojan-Ransom.Win32.Encoder                              | 7.25%                    |
| 4  | (generic verdict)  | Trojan-Ransom.Win32.Crypren                              | 5.70%                    |
| 5  | (generic verdict)  | Trojan-Ransom.Win32.Agent                                | 4.25%                    |
| 6  | (generic verdict)  | Trojan-Ransom.MSIL.Agent                                 | 3.47%                    |
| 7  | LockBit            | Trojan-Ransom.Win32.Lockbit                              | 3.21%                    |
| 8  | (generic verdict)  | Trojan-Ransom.Win32.Phny                                 | 3.18%                    |
| 9  | PolyRansom/VirLock | Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom  | 2.97%                    |
| 10 | (generic verdict)  | Trojan-Ransom.Win32.Crypmod                              | 2.50%                    |

* Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of all users attacked by ransomware Trojans.

Miners

Number of new modifications

In Q3 2024, Kaspersky solutions detected 15,472 new miner variants, half as many as in Q2.

[Chart: New miner modifications, Q3 2024]

Users attacked by miners

We observed a 12% decline in miner-related attacks during the third quarter. Kaspersky solutions worldwide detected this type of malware on 297,485 unique user devices.

[Chart: Unique users attacked by miners, Q3 2024]

Geography of miner attacks

TOP 10 countries attacked by miners

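|    | Country/territory* | %**  |
|----|--------------------|------|
| 1  | Venezuela          | 1.73 |
| 2  | Tajikistan         | 1.63 |
| 3  | Kazakhstan         | 1.34 |
| 4  | Ethiopia           | 1.30 |
| 5  | Uzbekistan         | 1.20 |
| 6  | Belarus            | 1.20 |
| 7  | Kyrgyzstan         | 1.16 |
| 8  | Panama             | 1.10 |
| 9  | Bolivia            | 0.92 |
| 10 | Sri Lanka          | 0.87 |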

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

Password stealers were the third quarter’s most noteworthy findings associated with attacks on macOS users. Security researchers discovered two new subscription-based stealers, Banshee Stealer and Cthulhu Stealer, which were being distributed via Telegram channels and dark web forums. These bore a strong similarity to the previously known AMOS Trojan, but they were written in C++ and Go, respectively. Furthermore, an independent security researcher released an analysis of a new version of BeaverTail, another information stealer designed to exfiltrate data from web browsers and cryptocurrency wallets. This malware can also install a backdoor on compromised systems.

In addition to the new stealers, the third quarter saw the discovery of a new macOS backdoor. HZ Rat is the macOS-compatible version of a similarly named Windows backdoor. It targets the users of the Chinese messaging services WeChat and DingTalk.

TOP 20 threats to macOS

[Chart: Unique users* who encountered the threat as a percentage of all users of Kaspersky security solutions for macOS who were attacked]

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

Adware and other potentially unwanted applications were as usual the most widespread threats for macOS. For example, AdWare.OSX.Angent.ap (9%) adds advertising links as browser bookmarks without the user’s knowledge.

Additionally, a variety of malicious applications were among the most active threats. These included MalChat (5.08%), a modified Telegram client that stole user data, and Amos, a stealer often bundled with cracked software.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

| Country/territory  | Q2 2024* | Q3 2024* |
|--------------------|----------|----------|
| Mainland China     | 0.47%    | 1.47%    |
| Hong Kong          | 0.97%    | 1.36%    |
| Spain              | 1.14%    | 1.21%    |
| France             | 0.93%    | 1.16%    |
| Germany            | 0.59%    | 0.95%    |
| Mexico             | 1.09%    | 0.75%    |
| Brazil             | 0.57%    | 0.61%    |
| India              | 0.70%    | 0.46%    |
| Russian Federation | 0.33%    | 0.37%    |
| Japan              | 0.22%    | 0.36%    |

* Unique users who encountered threats targeting macOS as a percentage of all unique users of Kaspersky products in the country/territory.

There was a noticeable increase in the percentage of users who encountered macOS threats in mainland China (1.47%) and Hong Kong (1.36%). The metric also increased in Spain (1.21%), France (1.16%), Germany (0.95%), Brazil (0.61%), Russia (0.37%), and Japan (0.36%). Conversely, India (0.46%) and Mexico (0.75%) both experienced a slight decrease. Both the United Kingdom and Italy fell out of the TOP 10 most vulnerable countries.

IoT threat statistics

The distribution of devices that targeted Kaspersky honeypots across protocols went through only minor shifts in Q3 2024. Following a decline in the previous quarter, Telnet attacks witnessed a slight uptick, while SSH-based attacks decreased.

[Chart: Attacked services by number of unique attacking device IP addresses, Q2 – Q3 2024]

When analyzing the distribution of attacks across different protocols, we observed a slight increase in the share of Telnet, which accounted for 98.69% of all attacks.

[Chart: Distribution of attackers’ sessions in Kaspersky honeypots, Q2 – Q3 2024]

TOP 10 threats downloaded to IoT devices:

[Chart: Share of each threat uploaded to an infected device as a result of a successful attack in the total number of uploaded threats]

Attacks on IoT honeypots

There was a slight decrease in the percentage of SSH attacks originating in mainland China (22.72%), the United States (11.31%), Singapore (5.97%) and South Korea (4.28%). The freed percentage was distributed across other countries and territories.

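| Country/territory | Q2 2024 | Q3 2024 |
|-------------------|---------|---------|
| Mainland China    | 23.37%  | 22.72%  |
| United States     | 12.26%  | 11.31%  |
| Singapore         | 6.95%   | 5.97%   |
| India             | 5.24%   | 5.52%   |
| Germany           | 4.13%   | 4.67%   |
| South Korea       | 6.84%   | 4.28%   |
| Australia         | 2.71%   | 3.53%   |
| Hong Kong         | 3.10%   | 3.23%   |
| Brazil            | 2.73%   | 3.17%   |
| Indonesia         | 1.91%   | 2.77%   |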

The percentage of Telnet attacks originating in India (32.17%) increased, surpassing other countries and territories.

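| Country/territory  | Q2 2024 | Q3 2024 |
|--------------------|---------|---------|
| India              | 22.68%  | 32.17%  |
| Mainland China     | 30.24%  | 28.34%  |
| Tanzania           | 0.01%   | 5.01%   |
| Brazil             | 4.48%   | 2.84%   |
| Russian Federation | 3.85%   | 2.83%   |
| South Korea        | 2.46%   | 2.63%   |
| Taiwan             | 2.64%   | 2.42%   |
| United States      | 2.66%   | 2.34%   |
| Japan              | 3.64%   | 2.21%   |
| Thailand           | 2.37%   | 1.35%   |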

Attacks via web resources

The statistics in this section are based on data provided by Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals set up malicious pages on purpose. User-generated content platforms, such as forums, and compromised legitimate websites are both susceptible to malware infection.

Countries that serve as sources of web-based attacks: the TOP 10

The following statistics show the geographic distribution of sources of online attacks on user computers that were blocked by Kaspersky products. These attacks included web pages redirecting to exploits, websites hosting exploits and other malware, botnet command and control centers, and so on. Any unique host could be the source of one or more web-based attacks.

To determine the geographical origin of web-based attacks, we mapped the domain names to the domain IP addresses and determined the geographical location of the IP address (GEOIP).

In Q3 2024, Kaspersky solutions blocked 652,004,741 attacks from online resources located around the world. A total of 109,240,722 unique URLs triggered a Web Anti-Virus detection.

[Chart: Geographical distribution of web-based attack sources, Q3 2024]

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online malware infection faced by users in various countries and territories, for each country or territory, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include Web Anti-Virus detections of potentially dangerous or unwanted applications, such as RiskTool or adware.

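|    | Country/territory*     | %**   |
|----|------------------------|-------|
| 1  | Qatar                  | 11.95 |
| 2  | Peru                   | 11.86 |
| 3  | Morocco                | 11.56 |
| 4  | Algeria                | 11.52 |
| 5  | Tunisia                | 11.24 |
| 6  | Greece                 | 11.11 |
| 7  | Ecuador                | 10.95 |
| 8  | Bolivia                | 10.90 |
| 9  | Serbia                 | 10.82 |
| 10 | Bahrain                | 10.75 |
| 11 | Sri Lanka              | 10.62 |
| 12 | Slovakia               | 10.58 |
| 13 | Bosnia and Herzegovina | 10.29 |
| 14 | Botswana               | 10.01 |
| 15 | Egypt                  | 9.93  |
| 16 | North Macedonia        | 9.91  |
| 17 | Libya                  | 9.87  |
| 18 | Jordan                 | 9.85  |
| 19 | Thailand               | 9.67  |
| 20 | UAE                    | 9.62  |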

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 7.46% of internet users’ computers worldwide were subjected to at least one Malware-category web attack.

Local threats

Statistics on local infections of user computers are an important indicator. Objects detected as local are those that infiltrated a computer through file or removable media infection or were initially introduced to the computer in a non-obvious form, for example as programs included in complex installers, encrypted files, and so on.

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from OAS (on-access scan) and ODS (on-demand scan) modules, which were consensually provided by users of Kaspersky products. The data includes detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones or external hard drives.

In Q3 2024, Kaspersky File Anti-Virus detected 23,196,497 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.

These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations exclude File Anti-Virus detections of potentially dangerous or unwanted applications, such as RiskTool or adware.

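|    | Country/territory* | %**   |
|----|--------------------|-------|
| 1  | Turkmenia          | 46.00 |
| 2  | Afghanistan        | 38.98 |
| 3  | Yemen              | 38.43 |
| 4  | Tajikistan         | 34.56 |
| 5  | Cuba               | 33.55 |
| 6  | Syria              | 32.56 |
| 7  | Uzbekistan         | 30.45 |
| 8  | Niger              | 27.80 |
| 9  | Burkina Faso       | 27.55 |
| 10 | Burundi            | 27.27 |
| 11 | Bangladesh         | 27.24 |
| 12 | South Sudan        | 26.90 |
| 13 | Tanzania           | 26.53 |
| 14 | Cameroon           | 26.35 |
| 15 | Benin              | 25.80 |
| 16 | Vietnam            | 25.52 |
| 17 | Iraq               | 25.15 |
| 18 | Mali               | 24.82 |
| 19 | Belarus            | 24.81 |
| 20 | Angola             | 24.67 |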

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers Malware local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

Overall, 13.53% of user computers globally faced at least one Malware-type local threat during Q3.

Source: Securelist
