go2damax 
Statistics across all threats
In Q4 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.1 pp from the previous quarter to 21.9%.
Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024
Compared to Q4 2023, the percentage decreased by 2.8 pp.
The percentage of ICS computers on which malicious objects were blocked during Q4 2024 was highest in October and lowest in November. In fact, the percentage in November 2024 was the lowest of any month in two years.
Percentage of ICS computers on which malicious objects were blocked, Jan 2023–Dec 2024
Region rankings
Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 10.6% in Northern Europe to 31% in Africa.
Regions ranked by percentage of ICS computers where malicious objects were blocked, Q3 2024
Eight of 13 regions saw their percentages increase from the previous quarter.
Regions and world. Changes in the percentage of attacked ICS computers in Q4 2024
Selected industries
The biometrics sector led the surveyed industries in terms of the percentage of ICS computers on which malicious objects were blocked.
Percentage of ICS computers on which malicious objects were blocked in selected industries
In Q4 2024, the percentage of ICS computers on which malicious objects were blocked decreased across most industries, with the exception of the construction sector.
Changes in the percentage of ICS computers on which malicious objects were blocked in selected industries
Diversity of detected malicious objects
In Q4 2024, Kaspersky’s protection solutions blocked malware from 11,065 different malware families of various categories on industrial automation systems.
Percentage of ICS computers on which the activity of malicious objects from various categories was blocked
Main threat sources
The internet, email clients and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure. Note that the sources of blocked threats cannot be reliably identified in all cases.
In Q4 2024, the percentage of ICS computers on which threats from various sources were blocked decreased for all threat sources described in this report. Moreover, all indicators recorded their lowest values for the observed period.
Percentage of ICS computers on which malicious objects from various sources were blocked
Threat categories
Malicious objects used for initial infection
Malicious objects used for initial infection of ICS computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.
In the fourth quarter of 2024, the percentage of ICS computers on which malicious documents and denylisted internet resources were blocked decreased to 1.71% (by 0.26 pp) and 5.52% (by 1.32 pp), respectively and reached its lowest level since the beginning of 2022.
As noted in the Q3 2024 report, the increase in blocked denylisted internet resources was primarily driven by an increase in the number of newly created domain names and IP addresses used by cybercriminals as command-and-control (C2) infrastructure for distributing malware and phishing attacks.
The decline in the percentage of denylisted internet resources in November–December 2024 was likely influenced not only by proactive threat mitigation measures at various levels – from resource owners and hosting providers to ISPs and law enforcement agencies. Another contributing factor was the tendency of attackers to frequently change domains and IP addresses to evade detection in the initial stages, based on lists of known malicious resources.
In practice, this means that until a malicious web resource is identified and added to a denylist, it may not immediately appear in threat statistics, leading to an apparent decrease in the percentage of ICS computers on which such resources were blocked.
However, in Q4, we also saw a rise in the percentage of the next steps in the attack chain – malicious scripts and phishing pages (7.11%), spyware (4.30%), and ransomware (0.21%).
A significant increase in the percentage of malicious scripts and phishing pages in October was driven by a series of widespread phishing attacks in late summer and early fall 2024, as mentioned in the Q3 2024 report. Threat actors used malicious scripts that executed in the browser, mimicking various windows with CAPTCHA-like interfaces, browser error messages and similar pop-ups to trigger the download of next-stage malware: either the Lumma stealer or the Amadey Trojan.
Next-stage malware
Malicious objects used to initially infect computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.
The percentage of ICS computers on which spyware (spy Trojans, backdoors and keyloggers) was blocked increased by 0.39 pp from the previous quarter to 4.30%.
The percentage of ICS computers on which ransomware was blocked increased by a factor of 1.3 compared to the previous quarter, reaching 0.21%, its highest value in two years.
The percentage of ICS computers on which miners in the form of executable files for Windows were blocked decreased by 0.01 pp to 0.70%.
And, the percentage of ICS computers on which web miners were blocked decreased by 0.02 pp to 0.39%, reaching its lowest value in the observed period.
Self-propagating malware
Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics. To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.
In Q4 2024, the percentage of ICS computers on which worms were blocked increased by 0.07 pp and reached 1,37%. The rate of viruses increased by 0.08 pp to 1.61%.
AutoCAD malware
AutoCAD malware is typically a low-level threat, coming last in the malware category rankings in terms of the percentage of ICS computers on which it was blocked.
In Q4 2024, the percentage of ICS computers on which AutoCAD malware was blocked continued to decrease by losing 0.02 pp and reached 0.38%.
You can find the full Q3 2024 report on the Kaspersky ICS CERT website.
About The Author
