IT threat evolution in Q3 2024
IT threat evolution in Q3 2024. Non-mobile statistics
IT threat evolution in Q3 2024. Mobile statistics
The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
In Q3 2024:
- Kaspersky solutions successfully blocked more than 652 million cyberattacks originating from various online resources.
- Web Anti-Virus detected 109 million unique links.
- File Anti-Virus blocked more than 23 million malicious and potentially unwanted objects.
- More than 90,000 users experienced ransomware attacks.
- Nearly 18% of all victims published on ransomware gangs’ data leak sites (DLSs) had been hit by RansomHub.
- More than 297,000 users experienced miner attacks.
Ransomware
Quarterly trends and highlights
Progress in law enforcement
In August, Spain arrested a cybercriminal who founded Ransom Cartel in 2021 and set up a malvertizing campaign. According to the UK’s National Crime Agency (NCA), this individual also was behind the infamous Reveton ransomware Trojan spread in 2012 — 2014. Reveton was among the most notorious PC screen lockers. This type of cyberextortion predated Trojans, which encrypt the victim’s files.
Two other cybercriminals, arrested earlier and suspected of spreading LockBit, pleaded guilty. In 2020 — 2023, one of them was an active cyberextortionist who attacked organizations in several countries, causing a total of at least $1.9 million in damage. The other one, according to the source, had caused damage estimated at roughly $500,000.
Vulnerability exploitation attacks
Ransomware gangs continue to exploit software vulnerabilities, mostly to penetrate networks and escalate their privileges.
- In September the Akira ransomware attacked SonicWall devices powered by SonicOS to exploit the CVE-2024-40766 vulnerability in the operating system, patched in August.
- Akira and Black Basta launched ransomware attacks on VMware ESXi by exploiting the CVE-2024-37085 vulnerability in the hypervizor, which allowed escalating privileges.
High-profile incidents
Dark Angels, which operates a DLS known as “Dunghill Leak”, extracted what was probably the largest ransom payment ever: $75 million. Researchers who reported the incident did not mention the organization that paid up. Before that, the highest known ransom paid was $40 million, received by Phoenix ransomware operators from CNA Financial in 2021.
The most prolific groups
The statistics on the most prolific ransomware gangs draw on the number of victims added by attackers to their DLSs during the period under review. The third quarter’s most prolific ransomware gang was RansomHub, which accounted for 17.75% of all victims.
The group’s victims according to its DLS as a percentage of all groups’ published victims during the period under review (download)
Number of new modifications
In Q3 2024, we detected three new ransomware families and 2109 new variants, or half of what we discovered in the previous reporting period.
New ransomware modifications, Q3 2023 — Q3 2024 (download)
Number of users attacked by ransomware Trojans
Despite the decrease in new variants, the number of users encountering ransomware has increased compared to the second quarter. Kaspersky security solutions successfully defended 90,423 individual users from ransomware attacks from July through September 2024.
Unique users attacked by ransomware Trojans, Q3 2024 (download)
Geography of attacked users
TOP 10 countries attacked by ransomware Trojans
Country/territory* | %** | |
1 | Israel | 1.08 |
2 | China | 0.95 |
3 | Libya | 0.68 |
4 | South Korea | 0.66 |
5 | Bangladesh | 0.50 |
6 | Pakistan | 0.48 |
7 | Angola | 0.46 |
8 | Tajikistan | 0.41 |
9 | Rwanda | 0.40 |
10 | Mozambique | 0.38 |
* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 most common families of ransomware Trojans
Name | Verdict | Share of attacked users* | |
1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 23.77% |
2 | WannaCry | Trojan-Ransom.Win32.Wanna | 8.58% |
3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 7.25% |
4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 5.70% |
5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 4.25% |
6 | (generic verdict) | Trojan-Ransom.MSIL.Agent | 3.47% |
7 | LockBit | Trojan-Ransom.Win32.Lockbit | 3.21% |
8 | (generic verdict) | Trojan-Ransom.Win32.Phny | 3.18% |
9 | PolyRansom/VirLock | Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom | 2.97% |
10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.50% |
* Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of all users attacked by ransomware Trojans.
Miners
Number of new modifications
In Q3 2024, Kaspersky solutions detected 15,472 new miner variants, or twice fewer than in Q2.
New miner modifications, Q3 2024 (download)
Users attacked by miners
We observed a 12% decline in miner-related attacks during the third quarter. Kaspersky solutions worldwide detected this type of malware on 297,485 unique user devices.
Unique users attacked by miners, Q3 2024 (download)
Geography of miner attacks
TOP 10 countries attacked by miners
Country/territory* | % | |
1 | Venezuela | 1.73 |
2 | Tajikistan | 1.63 |
3 | Kazakhstan | 1.34 |
4 | Ethiopia | 1.30 |
5 | Uzbekistan | 1.20 |
6 | Belarus | 1.20 |
7 | Kyrgyzstan | 1.16 |
8 | Panama | 1.10 |
9 | Bolivia | 0.92 |
10 | Sri Lanka | 0.87 |
* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.
Attacks on macOS
Password stealers were the third quarter’s most noteworthy findings associated with attacks on macOS users. Security researchers discovered two new subscription-based stealers, Banshee Stealer and Ctulhu Stealer, which were being distributed via Telegram channels and dark web forums. These bore a strong similarity to the previously known AMOS Trojan, but they were written in C++ and Go, respectively. Furthermore, an independent security researcher released an analysis of a new version of BeaverTail, another type of information stealer designed to exfiltrate data from web browsers and cryptocurrency wallets. This malware also possessed the capability to install a backdoor on compromised systems.
In addition to the new stealers, the third quarter saw the discovery of a new macOS backdoor. HZ Rat is the macOS-compatible version of a similarly named Windows backdoor. It targets the users of the Chinese messaging services WeChat and DingTalk.
TOP 20 threats to macOS
Unique users* who encountered the threat as a percentage of all users of Kaspersky security solutions for macOS who were attacked (download)
* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.
Adware and other potentially unwanted applications were as usual the most widespread threats for macOS. For example, AdWare.OSX.Angent.ap (9%) adds advertising links as browser bookmarks without the user’s knowledge.
Additionally, a variety of malicious applications were among the most active threats. These included MalChat (5.08%), a modified Telegram client that stole user data, and Amos, a stealer often bundled with cracked software.
Geography of threats to macOS
TOP 10 countries and territories by share of attacked users
Q2 2024* | Q3 2024* | |
Mainland China | 0.47% | 1.47% |
Hong Kong | 0.97% | 1.36% |
Spain | 1.14% | 1.21% |
France | 0.93% | 1.16% |
Germany | 0.59% | 0.95% |
Mexico | 1.09% | 0.75% |
Brazil | 0.57% | 0.61% |
India | 0.70% | 0.46% |
Russian Federation | 0.33% | 0.37% |
Japan | 0.22% | 0.36% |
** Unique users who encountered threats targeting macOS as a percentage of all unique users of Kaspersky products in the country/territory.
There was a noticeable increase in the percentage of users who encountered macOS threats in mainland China (1.47%) and Hong Kong (1.36%). The metric also increased in Spain (1.21%), France (1.16%), Germany (0.95%), Brazil (0.61%), Russia (0.37%), and Japan (0.36%). Conversely, India (0.46%) and Mexico (0.75%) both experienced a slight decrease. Both the United Kingdom and Italy fell out of the TOP 10 most vulnerable countries.
IoT threat statistics
The distribution of devices that targeted Kaspersky honeypots across protocols went through only minor shifts in Q3 2024. Following a decline in the previous quarter, Telnet attacks witnessed a slight uptick, while SSH-based attacks decreased.
Attacked services by number of unique attacking device IP addresses, Q2 — Q3 2024 (download)
When analyzing the distribution of attacks across different protocols, we observed a slight increase in the share of Telnet, which accounted for 98.69% of all attacks.
Distribution of attackers’ sessions in Kaspersky honeypots, Q2 — Q3 2024 (download)
TOP 10 threats downloaded to IoT devices:
Share of each threat uploaded to an infected device as a result of a successful attack in the total number of uploaded threats (download)
Attacks on IoT honeypots
There was a slight decrease in the percentage of SSH attacks originating in mainland China (22.72%), the United States (11.31%), Singapore (5.97%) and South Korea (4.28%). The freed percentage was distributed across other countries and territories.
Country/territory | Q2 2024 | Q3 2024 |
Mainland China | 23.37% | 22.72% |
United States | 12.26% | 11.31% |
Singapore | 6.95% | 5.97% |
India | 5.24% | 5.52% |
Germany | 4.13% | 4.67% |
South Korea | 6.84% | 4.28% |
Australia | 2.71% | 3.53% |
Hong Kong | 3.10% | 3.23% |
Brazil | 2.73% | 3.17% |
Indonesia | 1.91% | 2.77% |
The percentage of Telnet attacks originating in India (32.17%) increased, surpassing other countries and territories.
Country/territory | Q2 2024 | Q3 2024 |
India | 22.68% | 32.17% |
Mainland China | 30.24% | 28.34% |
Tanzania | 0.01% | 5.01% |
Brazil | 4.48% | 2.84% |
Russian Federation | 3.85% | 2.83% |
South Korea | 2.46% | 2.63% |
Taiwan | 2.64% | 2.42% |
United States | 2.66% | 2.34% |
Japan | 3.64% | 2.21% |
Thailand | 2.37% | 1.35% |
Attacks via web resources
The statistics in this section are based on data provided by Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals set up malicious pages on purpose. User-generated content platforms, such as forums, and compromised legitimate websites are both susceptible to malware infection.
Countries that serve as sources of web-based attacks: the TOP 10
The following statistics show the geographic distribution of sources of online attacks on user computers that were blocked by Kaspersky products. These attacks included web pages redirecting to exploits, websites hosting exploits and other malware, botnet command and control centers, and so on. Any unique host could be the source of one or more web-based attacks.
To determine the geographical origin of web-based attacks, we mapped the domain names to the domain IP addresses and determined the geographical location of the IP address (GEOIP).
In Q3 2024, Kaspersky solutions blocked 652,004,741 attacks from online resources located around the world. A total of 109,240,722 unique URLs triggered a Web Anti-Virus detection.
Geographical distribution of web-based attack sources, Q3 2024 (download)
Countries and territories where users faced the greatest risk of online infection
To assess the risk of online malware infection faced by users in various countries and territories, for each country or territory, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include Web Anti-Virus detections of potentially dangerous or unwanted applications, such as RiskTool or adware.
Country/territory* | %** | |
1 | Qatar | 11.95 |
2 | Peru | 11.86 |
3 | Morocco | 11.56 |
4 | Algeria | 11.52 |
5 | Tunisia | 11.24 |
6 | Greece | 11.11 |
7 | Ecuador | 10.95 |
8 | Bolivia | 10.90 |
9 | Serbia | 10.82 |
10 | Bahrain | 10.75 |
11 | Sri Lanka | 10.62 |
12 | Slovakia | 10.58 |
13 | Bosnia and Herzegovina | 10.29 |
14 | Botswana | 10.01 |
15 | Egypt | 9.93 |
16 | North Macedonia | 9.91 |
17 | Libya | 9.87 |
18 | Jordan | 9.85 |
19 | Thailand | 9.67 |
20 | UAE | 9.62 |
* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average during the quarter, 7.46% of internet users’ computers worldwide were subjected to at least one Malware-category web attack.
Local threats
Statistics on local infections of user computers are an important indicator. Objects detected as local are those that infiltrated a computer through file or removable media infection or were initially introduced to the computer in a non-obvious form, for example as programs included in complex installers, encrypted files, and so on.
Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from OAS (on-access scan) and ODS (on-demand scan) modules, which were consensually provided by users of Kaspersky products. The data includes detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones or external hard drives.
In Q3 2024, Kaspersky File Anti-Virus detected 23,196,497 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.
These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations exclude File Anti-Virus detections of potentially dangerous or unwanted applications, such as RiskTool or adware.
Country/territory* | %** | |
1 | Turkmenia | 46.00 |
2 | Afghanistan | 38.98 |
3 | Yemen | 38.43 |
4 | Tajikistan | 34.56 |
5 | Cuba | 33.55 |
6 | Syria | 32.56 |
7 | Uzbekistan | 30.45 |
8 | Niger | 27.80 |
9 | Burkina Faso | 27.55 |
10 | Burundi | 27.27 |
11 | Bangladesh | 27.24 |
12 | South Sudan | 26.90 |
13 | Tanzania | 26.53 |
14 | Cameroon | 26.35 |
15 | Benin | 25.80 |
16 | Vietnam | 25.52 |
17 | Iraq | 25.15 |
18 | Mali | 24.82 |
19 | Belarus | 24.81 |
20 | Angola | 24.67 |
* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers Malware local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
Overall, 13.53% of user computers globally faced at least one Malware-type local threat during Q3.