- IT threat evolution in Q3 2021. PC statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q3 2021:
- Kaspersky solutions blocked 1,098,968,315 attacks from online resources across the globe.
- Web Anti-Virus recognized 289,196,912 unique URLs as malicious.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 104,257 unique users.
- Ransomware attacks were defeated on the computers of 108,323 unique users.
- Our File Anti-Virus detected 62,577,326 unique malicious and potentially unwanted objects.
Financial threats
Financial threat statistics
In Q3 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 104,257 unique users.
Geography of financial malware attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.
Top 10 countries by share of attacked users

| # | Country* | %** |
|---|---|---|
| 1 | Turkmenistan | 5.4 |
| 2 | Tajikistan | 3.7 |
| 3 | Afghanistan | 3.5 |
| 4 | Uzbekistan | 3.0 |
| 5 | Yemen | 1.9 |
| 6 | Kazakhstan | 1.6 |
| 7 | Paraguay | 1.6 |
| 8 | Sudan | 1.6 |
| 9 | Zimbabwe | 1.4 |
| 10 | Belarus | 1.1 |
* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.
Top 10 banking malware families
| # | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 17.7 |
| 2 | SpyEye | Trojan-Spy.Win32.SpyEye | 17.5 |
| 3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.6 |
| 4 | Trickster | Trojan.Win32.Trickster | 4.5 |
| 5 | RTM | Trojan-Banker.Win32.RTM | 3.6 |
| 6 | Nimnul | Virus.Win32.Nimnul | 3.0 |
| 7 | Gozi | Trojan-Banker.Win32.Gozi | 2.7 |
| 8 | Danabot | Trojan-Banker.Win32.Danabot | 2.4 |
| 9 | Tinba | Trojan-Banker.Win32.Tinba | 1.5 |
| 10 | Cridex | Backdoor.Win32.Cridex | 1.3 |
* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.
In Q3, the ZeuS/Zbot family (17.7%), as usual, was the most widespread family of bankers. Next came the SpyEye family (17.5%), whose share doubled from 8.8% in the previous quarter. The Top 3 was rounded out by the CliptoShuffler family (9.6%) — one position and just 0.3 p.p. down. The Trojan-Banker.Win32.Gozi (2.7%) and Trojan-Banker.Win32.Tinba (1.5%) families made it back into the Top 10 in Q3, in seventh and ninth places respectively.
Ransomware programs
Quarterly trends and highlights
Attack on Kaseya and the REvil story
In early July, the REvil/Sodinokibi group attempted an attack on the Kaseya VSA remote administration software, compromising several managed service providers (MSPs) that used this system. Through this supply-chain attack, the attackers were able to infect over one thousand of the compromised MSPs’ client businesses. REvil’s original $70 million ransom demand for decrypting all the users hit by the attack was soon lowered to $50 million.
Following this massive attack, law enforcement agencies stepped up their attention to REvil, so by mid-July the gang turned off their Trojan infrastructure, suspended new infections and dropped out of sight. Meanwhile, Kaseya got a universal decryptor for all those affected by the attack. According to Kaseya, it “did not pay a ransom — either directly or indirectly through a third party”. Later it emerged that the company got the decryptor and the key from the FBI.
But already in the first half of September, REvil was up and running again. According to the hacking forum XSS, the group’s former public representative known as UNKN “disappeared”, and the malware developers, failing to find him, waited a while and restored the Trojan infrastructure from backups.
The arrival of BlackMatter: DarkSide restored?
As we already wrote in our Q2 report, the group DarkSide folded its operations after their “too high-profile” attack on Colonial Pipeline. And now there is a “new” arrival known as BlackMatter, which, as its members claim, represents the “best” of DarkSide, REvil and LockBit.
From our analysis of the BlackMatter Trojan’s executable we conclude that it was most likely built from DarkSide’s source code.
Q3 closures
- Europol and the Ukrainian police have arrested two members of an unnamed ransomware gang. The only detail made known is that the ransom demands amounted to €5 to €70 million.
- Following its attack on Washington DC’s Metropolitan Police Department, the group Babuk folded (or just suspended) its operations and published an archive containing the Trojan’s source code, build tools and keys for some of the victims.
- At the end of August, Ragnarok (not to be confused with RagnarLocker) suddenly called it a day, deleted all their victims’ info from their portal and published the master key for decryption. The group gave no reasons for this course of action.
Exploitation of vulnerabilities and new attack methods
- The group HelloKitty used to distribute its ransomware by exploiting the vulnerability CVE-2019-7481 in SonicWall gateways.
- Magniber and Vice Society penetrated the target systems by exploiting the vulnerabilities from the PrintNightmare family (CVE-2021-1675, CVE-2021-34527, CVE-2021-36958).
- The group LockFile exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to penetrate the victim’s network; for lateral movement they relied on the new PetitPotam attack to gain control of the domain controller.
- The group Conti also used ProxyShell exploits for its attacks.
Number of new ransomware modifications
In Q3 2021, we detected 11 new ransomware families and 2,486 new modifications of this malware type.
Number of users attacked by ransomware Trojans
In Q3 2021, Kaspersky products and technologies protected 108,323 users from ransomware attacks.
Geography of ransomware attacks
Top 10 countries attacked by ransomware Trojans

| # | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 1.98 |
| 2 | Uzbekistan | 0.59 |
| 3 | Bolivia | 0.55 |
| 4 | Pakistan | 0.52 |
| 5 | Myanmar | 0.51 |
| 6 | China | 0.51 |
| 7 | Mozambique | 0.51 |
| 8 | Nepal | 0.48 |
| 9 | Indonesia | 0.47 |
| 10 | Egypt | 0.45 |
* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.
Top 10 most common families of ransomware Trojans
| # | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 27.67% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 17.37% |
| 3 | WannaCry | Trojan-Ransom.Win32.Wanna | 11.84% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 7.78% |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.58% |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Phny | 5.57% |
| 7 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.65% |
| 8 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.04% |
| 9 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.07% |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.04% |
* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.
Miners
Number of new miner modifications
In Q3 2021, Kaspersky solutions detected 46,097 new modifications of miners.
Number of users attacked by miners
In Q3, we detected attacks using miners on the computers of 322,131 unique users of Kaspersky products worldwide. While the number of attacked users gradually decreased during Q2, the trend reversed in July and August 2021: from slightly over 140,000 unique users attacked by miners in July, the number of potential victims almost reached 150,000 in September.
Geography of miner attacks
Top 10 countries attacked by miners

| # | Country* | %** |
|---|---|---|
| 1 | Ethiopia | 2.41 |
| 2 | Rwanda | 2.26 |
| 3 | Myanmar | 2.22 |
| 4 | Uzbekistan | 1.61 |
| 5 | Ecuador | 1.47 |
| 6 | Pakistan | 1.43 |
| 7 | Tanzania | 1.40 |
| 8 | Mozambique | 1.34 |
| 9 | Kazakhstan | 1.34 |
| 10 | Azerbaijan | 1.27 |
* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.
Vulnerable applications used by cybercriminals during cyberattacks
Quarter highlights
Much clamor was caused in Q3 by a whole new family of vulnerabilities in the Microsoft Windows printing subsystem, already known to the media as PrintNightmare: CVE-2021-1640, CVE-2021-26878, CVE-2021-1675, CVE-2021-34527, CVE-2021-36936, CVE-2021-36947, CVE-2021-34483. All of these vulnerabilities allow local privilege escalation or remote command execution with system rights and, as they require next to nothing to exploit, they are often used by popular mass infection tools. Fixing them requires several Microsoft patches.
The vulnerability known as PetitPotam proved no less troublesome. It allows an unprivileged user to take control of a Windows domain computer — or even a domain controller — provided the Active Directory certificate service is present and active.
In Windows 11, the newest OS, even before its official release, the vulnerability CVE-2021-36934 was detected and dubbed HiveNightmare/SeriousSam. It allows an unprivileged user to copy all the registry hives, including SAM, through the shadow copy mechanism, potentially exposing passwords and other critical data.
In Q3, attackers greatly favored exploits targeting the vulnerabilities ProxyToken, ProxyShell and ProxyOracle (CVE-2021-31207, CVE-2021-34473, CVE-2021-31207, CVE-2021-33766, CVE-2021-31195, CVE-2021-31196). If exploited in combination, these open full control of mail servers managed by Microsoft Exchange Server. We already covered similar vulnerabilities — for instance, they were used in a HAFNIUM attack, also targeting Microsoft Exchange Server.
As before, server attacks relying on brute-forcing of passwords to various network services, such as MS SQL, RDP, etc., stand out among Q3 2021 network threats. Attacks using the exploits EternalBlue, EternalRomance and similar are as popular as ever. Among the new ones is a serious vulnerability in Atlassian Confluence Server (CVE-2021-26084), a product widely used in corporate environments, which enables remote code execution when processing Object-Graph Navigation Language (OGNL) expressions. Also, Pulse Connect Secure was found to contain the vulnerability CVE-2021-22937, which however requires the administrator password to be exploited.
Statistics
As before, exploits for Microsoft Office vulnerabilities still lead the pack in Q3 2021 (60.68%). They are popular because of the large user base, most of whom still run older versions of the software, which makes the attackers’ job much easier. The share of Microsoft Office exploits increased by almost 5 p.p. from the previous quarter, partly because the new vulnerability CVE-2021-40444 was discovered in the wild and instantly employed to compromise user machines. An attacker can exploit it through the standard functionality that allows Office documents to download templates, implemented with the help of special ActiveX components: the processed data is not properly validated during this operation, so arbitrary malicious code can be downloaded. As you read this, the relevant security update is already available.
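A defender-side triage check for the mechanism just described (Office documents that fetch templates or objects from outside the file), added here as an example; it is not Kaspersky's own tooling. It builds a minimal, constructed document in memory using standard OOXML relationship types, and example.invalid is a placeholder host.

```python
"""Triage helper: list relationships in an Office Open XML document that pull
content from outside the package (the template/object download path)."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Schemes that cause Office to reach outside the document when the part loads.
REMOTE_SCHEMES = ("http:", "https:", "mhtml:", "ftp:", "file:", "\\\\")


def find_external_relationships(docx_bytes):
    """Return one tuple per relationship with TargetMode="External":
    (rels part, Id, relationship type suffix, target, uses_remote_scheme)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # links between parts inside the package are normal
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                remote = target.lower().startswith(REMOTE_SCHEMES)
                hits.append((name, rel.get("Id"), rel_type, target, remote))
    return hits


def remote_loads(docx_bytes):
    """Only the external relationships that fetch from a remote location."""
    return [h for h in find_external_relationships(docx_bytes) if h[4]]


def build_sample_docx(document_rels):
    """Build a minimal docx-shaped zip in memory (constructed, not a real file)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<document/>")  # body is irrelevant here
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# Constructed relationships part: an ordinary internal styles link, a mailto
# hyperlink (external but not fetched on open), and an embedded-object
# relationship that points at a placeholder host (example.invalid is reserved).
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OOXML_REL}hyperlink" Target="mailto:user@example.invalid" TargetMode="External"/>'
    f'<Relationship Id="rId3" Type="{OOXML_REL}oleObject" Target="http://example.invalid/obj" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    for part, rid, rtype, target, _ in remote_loads(build_sample_docx(SAMPLE_RELS)):
        print(f"{part}: {rid} ({rtype}) -> {target}")
```

Any hit from remote_loads on a document arriving by mail is worth detonating in a sandbox before the user opens it; the mailto hyperlink shows why TargetMode alone is too noisy a signal.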
The way individual Microsoft Office vulnerabilities are ranked by the number of detections does not change much with time: the first positions are still shared by CVE-2018-0802 and CVE-2017-8570, with another popular vulnerability CVE-2017-11882 not far behind. We already covered these many times — all the above-mentioned vulnerabilities execute commands on behalf of the user and infect the system.
The share of exploits for the popular browsers fell by 3 p.p. from the previous reporting period to 25.57% in Q3. In the three months covered by the report several vulnerabilities were discovered in the Google Chrome browser and its script engine V8 — some of them in the wild. Among these, the following JavaScript engine vulnerabilities stand out: CVE-2021-30563 (type confusion error corrupting heap memory), CVE-2021-30632 (out-of-bounds write in V8) and CVE-2021-30633 (use-after-free in IndexedDB). All of these can potentially allow remote code execution. But it should be remembered that for modern browsers a chain of several exploits is usually required to leave the sandbox and gain broader privileges in the system. It should also be noted that, with the Google Chromium codebase (in particular the Blink component and V8) being used in many browsers, any newly detected Google Chrome vulnerability automatically makes other browsers built on its open codebase vulnerable.
Third place is held by Google Android vulnerabilities (5.36%) — 1 p.p. down from the previous period. They are followed by exploits for Adobe Flash (3.41%), their share gradually decreasing. The platform is no longer supported but is still used, which is reflected in our statistics.
Our ranking is rounded out by vulnerabilities for Java (2.98%), its share also noticeably lower, and Adobe PDF (1.98%).
Attacks on macOS
We will remember Q3 2021 for two interesting revelations. The first is the use of malware targeting macOS as part of the WildPressure campaign. The second is the detailed review of previously unknown FinSpy implants for macOS.
Speaking of the most widespread threats detected by Kaspersky security solutions for macOS, most of our Top 20 ranking positions are occupied by various adware apps. Among the noteworthy ones is Monitor.OSX.HistGrabber.b (second place on the list) — this potentially unwanted software sends user browser history to its owners’ servers.
Top 20 threats for macOS
| # | Verdict | %* |
|---|---|---|
| 1 | AdWare.OSX.Pirrit.j | 13.22 |
| 2 | Monitor.OSX.HistGrabber.b | 11.19 |
| 3 | AdWare.OSX.Pirrit.ac | 10.31 |
| 4 | AdWare.OSX.Pirrit.o | 9.32 |
| 5 | AdWare.OSX.Bnodlero.at | 7.43 |
| 6 | Trojan-Downloader.OSX.Shlayer.a | 7.22 |
| 7 | AdWare.OSX.Pirrit.gen | 6.41 |
| 8 | AdWare.OSX.Cimpli.m | 6.29 |
| 9 | AdWare.OSX.Bnodlero.bg | 6.13 |
| 10 | AdWare.OSX.Pirrit.ae | 5.96 |
| 11 | AdWare.OSX.Agent.gen | 5.65 |
| 12 | AdWare.OSX.Pirrit.aa | 5.39 |
| 13 | Trojan-Downloader.OSX.Agent.h | 4.49 |
| 14 | AdWare.OSX.Bnodlero.ay | 4.18 |
| 15 | AdWare.OSX.Ketin.gen | 3.56 |
| 16 | AdWare.OSX.Ketin.h | 3.46 |
| 17 | Backdoor.OSX.Agent.z | 3.45 |
| 18 | Trojan-Downloader.OSX.Lador.a | 3.06 |
| 19 | AdWare.OSX.Bnodlero.t | 2.80 |
| 20 | AdWare.OSX.Bnodlero.ax | 2.64 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.
Geography of threats for macOS
Top 10 countries by share of attacked users

| # | Country* | %** |
|---|---|---|
| 1 | France | 3.05 |
| 2 | Spain | 2.85 |
| 3 | India | 2.70 |
| 4 | Mexico | 2.59 |
| 5 | Canada | 2.52 |
| 6 | Italy | 2.42 |
| 7 | United States | 2.37 |
| 8 | Australia | 2.23 |
| 9 | Brazil | 2.21 |
| 10 | United Kingdom | 2.12 |
* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.
In Q3 2021, France took the lead with the greatest percentage of attacked users of Kaspersky security solutions for macOS (3.05%), the potentially unwanted software Monitor.OSX.HistGrabber being the prevalent threat there. Spain and India came second and third, with Pirrit family adware as their prevalent threat.
IoT attacks
IoT threat statistics
In Q3 2021, most of the devices that attacked Kaspersky honeypots did so using the Telnet protocol. Just under a quarter of all devices attempted to brute-force our traps via SSH.

| Service | Share |
|---|---|
| Telnet | 76.55% |
| SSH | 23.45% |

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2021
The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.
| Service | Share |
|---|---|
| Telnet | 84.29% |
| SSH | 15.71% |

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2021
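The two charts above measure the same honeypot traffic in two ways, by unique attacking IP address and by working session, which is why the Telnet share differs between them. The following added example (not Kaspersky's own honeypot code) computes both metrics from a few constructed session records; the log format, the per-service counting of IPs and the field names are assumptions.

```python
"""Compute the two honeypot metrics used above: share of attacking services by
unique source IP and by number of sessions."""
from collections import Counter, defaultdict

# Constructed honeypot session records: "<timestamp> <service> <source_ip> <outcome>".
# One Telnet source (198.51.100.10) opens three sessions, which is exactly what
# makes the session-based share diverge from the unique-IP share.
SAMPLE_LOG = """\
2021-07-01T00:00:01Z telnet 198.51.100.10 login_failed
2021-07-01T00:00:02Z telnet 198.51.100.11 login_failed
2021-07-01T00:00:03Z telnet 198.51.100.12 login_ok
2021-07-01T00:00:04Z ssh 203.0.113.5 login_failed
2021-07-01T00:00:05Z telnet 198.51.100.10 login_failed
2021-07-01T00:00:06Z ssh 203.0.113.6 login_ok
2021-07-01T00:00:07Z telnet 198.51.100.10 login_failed
"""


def parse_sessions(text):
    """Parse the constructed log into (timestamp, SERVICE, ip, outcome) tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, ip, outcome = line.split()
        sessions.append((ts, service.upper(), ip, outcome))
    return sessions


def service_shares(sessions):
    """Return ({service: % of unique attacking IPs}, {service: % of sessions}).

    An IP that attacks both services is counted once per service (assumption)."""
    ips_per_service = defaultdict(set)
    sessions_per_service = Counter()
    for _, service, ip, _ in sessions:
        ips_per_service[service].add(ip)
        sessions_per_service[service] += 1
    total_ips = sum(len(s) for s in ips_per_service.values())
    total_sessions = sum(sessions_per_service.values())
    by_ip = {svc: round(100 * len(s) / total_ips, 2)
             for svc, s in ips_per_service.items()}
    by_session = {svc: round(100 * n / total_sessions, 2)
                  for svc, n in sessions_per_service.items()}
    return by_ip, by_session


if __name__ == "__main__":
    by_ip, by_session = service_shares(parse_sessions(SAMPLE_LOG))
    for svc in sorted(by_ip):
        print(f"{svc}: {by_ip[svc]}% of unique IPs, {by_session[svc]}% of sessions")
```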
Top 10 threats delivered to IoT devices via Telnet
| # | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 39.48 |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 20.67 |
| 3 | Backdoor.Linux.Agent.bc | 10.00 |
| 4 | Backdoor.Linux.Mirai.ba | 8.65 |
| 5 | Trojan-Downloader.Shell.Agent.p | 3.50 |
| 6 | Backdoor.Linux.Gafgyt.a | 2.52 |
| 7 | RiskTool.Linux.BitCoinMiner.b | 1.69 |
| 8 | Backdoor.Linux.Ssh.a | 1.23 |
| 9 | Backdoor.Linux.Mirai.ad | 1.20 |
| 10 | HackTool.Linux.Sshbru.s | 1.12 |
* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.
Detailed IoT threat statistics are published in our Q3 2021 DDoS report: https://securelist.com/ddos-attacks-in-q3-2021/104796/#attacks-on-iot-honeypots
Attacks via web resources
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create such sites deliberately; web resources with user-created content (for example, forums) and hacked legitimate resources can also be infected.
Countries that serve as sources of web-based attacks: Top 10
The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.
In Q3 2021, Kaspersky solutions blocked 1,098,968,315 attacks launched from online resources located across the globe. Web Anti-Virus recognized 289,196,912 unique URLs as malicious.
Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.
This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.
| # | Country* | % of attacked users** |
|---|---|---|
| 1 | Tunisia | 27.15 |
| 2 | Syria | 17.19 |
| 3 | Yemen | 17.05 |
| 4 | Nepal | 15.27 |
| 5 | Algeria | 15.27 |
| 6 | Macao | 14.83 |
| 7 | Belarus | 14.50 |
| 8 | Moldova | 13.91 |
| 9 | Madagascar | 13.80 |
| 10 | Serbia | 13.48 |
| 11 | Libya | 13.13 |
| 12 | Mauritania | 13.06 |
| 13 | Mongolia | 13.06 |
| 14 | India | 12.89 |
| 15 | Palestine | 12.79 |
| 16 | Sri Lanka | 12.76 |
| 17 | Ukraine | 12.39 |
| 18 | Estonia | 11.61 |
| 19 | Tajikistan | 11.44 |
| 20 | Qatar | 11.14 |
* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.
These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.
On average during the quarter, 8.72% of computers of Internet users worldwide were subjected to at least one Malware-class web attack.
Local threats
In this section, we analyze statistical data obtained from the OAS (on-access scan) and ODS (on-demand scan) modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or on removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs inside complex installers, encrypted files, etc.).
In Q3 2021, our File Anti-Virus detected 62,577,326 malicious and potentially unwanted objects.
Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.
Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
| # | Country* | % of attacked users** |
|---|---|---|
| 1 | Turkmenistan | 47.42 |
| 2 | Yemen | 44.27 |
| 3 | Ethiopia | 42.57 |
| 4 | Tajikistan | 42.51 |
| 5 | Uzbekistan | 40.41 |
| 6 | South Sudan | 40.15 |
| 7 | Afghanistan | 40.07 |
| 8 | Cuba | 38.20 |
| 9 | Bangladesh | 36.49 |
| 10 | Myanmar | 35.96 |
| 11 | Venezuela | 35.20 |
| 12 | China | 35.16 |
| 13 | Syria | 34.64 |
| 14 | Madagascar | 33.49 |
| 15 | Rwanda | 33.06 |
| 16 | Sudan | 33.01 |
| 17 | Benin | 32.68 |
| 18 | Burundi | 31.88 |
| 19 | Laos | 31.70 |
| 20 | Cameroon | 31.28 |
* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.