Global statistics
Statistics across all threats
In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 24.4%.
Compared to the first quarter of 2023, the percentage decreased by 1.3 pp.
Selected industries
Building automation has historically led the surveyed industries in terms of the percentage of ICS computers on which malicious objects were blocked.
In the first quarter of 2024, the percentage of ICS machines that blocked malicious objects decreased across all industries.
Diversity of detected malware
In the first quarter of 2024, Kaspersky’s protection solutions blocked malware from 10,865 different families belonging to various categories on industrial automation systems.
Compared to the previous quarter, in the first quarter of 2024, the most significant increase in the percentage of ICS computers on which malicious objects in various categories were blocked was detected for AutoCAD malware: by 1.16 times.
Main threat sources
The internet, email clients, and removable storage devices remain the primary sources of threats to computers in an organization’s operating technology infrastructure. Note that the sources of blocked threats cannot be reliably identified in all cases.
In the first quarter of 2024, the percentage of ICS computers on which threats from various sources were blocked decreased for every major source.
Regions
Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 32.4% in Africa to 11.5% in Northern Europe.
The two regions with the highest percentage of attacked ICS computers, Africa and South-East Asia, saw their percentages increase from the previous quarter.
Malicious activity in numbers
Malicious objects used for initial infection
Malicious objects that are used for initial infection of computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.
By cybercriminals’ logic, these malicious objects can spread easily. As a result, they are blocked by security solutions more often than everything else. This is also reflected in our statistics.
Globally and in almost all regions, denylisted internet resources and malicious scripts and phishing pages occupy first place in the rankings of malware categories by percentage of ICS computers on which this malware is blocked.
The sources of most malicious objects used for initial infection are the internet and email. The leading regions by percentage of ICS computers on which threats from these sources were blocked are the following:
Internet threats
Africa – 14.82%;
South-East Asia – 14.01%.
Email threats
Southern Europe – 6.85%;
Latin America – 5.09%.
Denylisted internet resources
The leading regions by percentage of ICS computers on which denylisted internet resources were blocked were:
Africa – 8.78%;
Russia – 7.49%;
South Asia – 7.48%.
Malicious scripts and phishing pages
The leading regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were:
Latin America – 7.23%;
Southern Europe – 6.96%;
Middle East – 6.95%.
Malicious documents
The leading regions by percentage of ICS computers on which malicious documents were blocked were:
Southern Europe – 3.24%;
Latin America – 2.94%;
Eastern Europe – 2.33%.
Next-stage malware
Malicious objects used for initial infection of computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers.
Among the miners designed to run on Windows, some of the most common are those distributed by attackers in the form of NSIS installer files with legitimate software.
Spyware
As a rule, the higher the percentage of ICS computers on which initial infection malware is blocked, the higher the percentage of next-stage malware.
The three leading regions by percentage of ICS computers on which spyware was blocked were as follows:
Africa – 6.65%;
Middle East – 5.89%;
Southern Europe – 5.45%.
Spyware ranks no higher than third place in the threat category rankings by percentage of ICS computers on which it was blocked in almost every region except for:
East Asia: in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked, at 3.68%.
Central Asia: in this region, in the relevant rankings, spyware sits at second place with 4.40%.
Covert crypto mining programs
Miners in the form of executable files for Windows
The leading regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked were:
Central Asia – 1.78%;
Russia – 1.38%;
Eastern Europe – 1.06%.
Miners in the form of Windows executable files are seventh in the global rankings of threat categories by percentage of ICS computers on which they were blocked.
They are fourth in the relevant rankings for Russia.
They are in fifth place in Central Asia.
We should note that during Q1 2024, the percentage of ICS computers on which miners in the form of Windows executable files were blocked increased in all regions except for Russia and Central Asia.
Web miners running in browsers
The leading regions by percentage of ICS computers on which browser-based web miners were blocked were:
Africa – 0.91%;
Middle East – 0.84%;
Australia and New Zealand – 0.78%.
In the regional rankings of threat categories by percentage of ICS computers on which they were blocked, web miners ended up in fifth place in the following regions:
Australia and New Zealand – 0.78%;
US and Canada – 0.45%;
Northern Europe – 0.27%.
Globally, this threat ranked eighth.
In Q1 2024, the percentage of ICS computers on which browser-based web miners were blocked increased in all regions except for Russia and Central Asia.
Ransomware
The regions with the highest percentage of ICS computers on which ransomware was blocked were:
Middle East – 0.28%;
Africa – 0.27%;
South Asia – 0.22%.
Self-propagating malware. Worms and viruses
Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.
To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.
In three regions, the percentage of ICS computers on which threats were blocked when connecting removable media is higher than the percentage of ICS computers on which mail threats were blocked – although it was lower in all others:
Africa – 5.6% (leads this ranking);
South Asia – 2.46%;
Central Asia – 1.51%.
Worms
The leading regions by percentage of ICS computers on which worms were blocked were:
Africa – 5.29%;
Central Asia – 2.88%;
Middle East – 2.40%.
Globally, worms are in sixth place in the threat category ranking by percentage of ICS computers on which they were blocked. In similar regional rankings, worms are in fourth place in four regions:
Africa – 5.29%;
Central Asia – 2.88%;
Middle East – 2.40%;
South Asia – 1.95%.
Two of these regions led by percentage of ICS computers on which threats were blocked when connecting removable media:
Africa – 5.60%;
South Asia – 2.46%.
Viruses
The leading regions by percentage of ICS computers on which viruses were blocked were:
Southeast Asia – 7.61%;
Africa – 4.09%;
East Asia – 2.89%.
In Southeast Asia, viruses are in first place (!) in the threat category rankings by percentage of ICS computers on which they were blocked.
Note that two of the three top regions are also leaders by percentage of ICS computers on which network folder threats were blocked.
Southeast Asia – 0.43%;
East Asia – 0.32%.
AutoCAD malware
AutoCAD malware can spread in a variety of ways, so it falls into a separate catogory.
The same regions that lead in the virus rankings are also the leaders by percentage of ICS computers on which AutoCAD malware was blocked:
Southeast Asia – 2.81%;
East Asia – 1.49%;
Africa – 0.61%.
Normally, AutoCAD malware is a minor threat that usually comes last in the malware category rankings by percentage of ICS computers on which it is blocked. In Southeast Asia in Q1 2024, this category was fifth.
The full global and regional reports have been published on the Kaspersky ICS CERT website.