- IT threat evolution in Q1 2023
- IT threat evolution in Q1 2023. Non-mobile statistics
- IT threat evolution in Q1 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q1 2023:
- Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
- Web Anti-Virus detected 246,912,694 unique URLs.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 106,863 unique users.
- Ransomware attacks were defeated on the computers of 60,900 unique users.
- Our File Anti-Virus detected 43,827,839 unique malicious and potentially unwanted objects.
Financial threats
Financial threat statistics
In Q1 2023, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 106,863 unique users.
Number of unique users attacked by financial malware, Q1 2023
Geography of financial malware attacks
To evaluate and compare the risk of being infected by banking Trojans or ATM/POS malware worldwide, for each country and territory, we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.
TOP 10 countries/territories by share of attacked users
No. | Country/territory* | %** |
1 | Turkmenistan | 4.7 |
2 | Afghanistan | 4.6 |
3 | Paraguay | 2.8 |
4 | Tajikistan | 2.8 |
5 | Yemen | 2.3 |
6 | Sudan | 2.3 |
7 | China | 2.0 |
8 | Switzerland | 2.0 |
9 | Egypt | 1.9 |
10 | Venezuela | 1.8 |
* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 banking malware families
No. | Name | Verdicts | %* |
1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 28.9 |
2 | Emotet | Trojan-Banker.Win32.Emotet | 19.5 |
3 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 18.3 |
4 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 6.5 |
5 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.9 |
6 | Danabot | Trojan-Banker.Win32.Danabot | 2.3 |
7 | IcedID | Trojan-Banker.Win32.IcedID | 1.9 |
8 | SpyEyes | Trojan-Spy.Win32.SpyEye | 1.6 |
9 | Gozi | Trojan-Banker.Win32.Gozi | 1.1 |
10 | Qbot/Qakbot | Trojan-Banker.Win32.Qbot | 1.1 |
* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.
Ransomware programs
Quarterly trends and highlights
Attacks on Linux and VMware ESXi servers
An increasing number of ransomware families are extending their attack surfaces by adding support for operating systems other than Windows, which they have targeted traditionally. In Q1 2023, we discovered builds from several ransomware families intended for running on Linux and VMware ESXi servers, namely: ESXiArgs (new family), Nevada (a rebranding of Nokoyawa, which is written in Rust), Royal and IceFire.
As a result, the arsenals of most professional extortion groups today include ransomware builds designed for several platforms, maximizing the damage they can cause to their victims.
Progress in combating cybercrime
Europol and the U.S. Department of Justice announced that as a result of a joint operation with the FBI that started in July 2022, the FBI penetrated networks belonging to the Hive group and obtained decryption keys for more than 1,300 victims. The law enforcement agencies also obtained information about 250 Hive affiliates and seized several servers belonging to the group.
The Netherlands Police arrested three individuals suspected of stealing confidential data and extorting €100,000 to €700,000 from each victim company.
Europol announced it had arrested two suspected core members of DoppelPaymer during a joint operation with the FBI and the law enforcement agencies of Germany, Ukraine, and the Netherlands. The team also seized hardware, which the law enforcement agencies will inspect during further investigation.
Conti-based Trojan decrypted
Kaspersky analysts released a utility for decrypting files affected by a Trojan known to researchers as MeowCorp. The malware was compiled from Conti source code, which was published last year. An archive containing the secret keys, 258 in all, was posted on an online forum. We added these, along with data decryption code, to the latest version of RakhniDecryptor.
Most prolific groups
This section looks at ransomware groups that engage in so-called “double extortion”, that is, stealing confidential data in addition to encrypting it. Most of these groups target large companies, and many maintain a DLS (data leak site), where they publish a list of organizations they have attacked. The diagram below reflects the most prolific extortion gangs, that is, the ones that added the largest numbers of victims to their DLSs.
Most prolific ransomware gangs. The diagram shows each group’s share of victims out of the total number of victims published on all the groups’ DLSs in Q1 2023
Number of new modifications
In Q1 2023, we detected nine new ransomware families and 3089 new modifications of this type of malware.
Number of new ransomware modifications, Q1 2022 — Q1 2023
Number of users attacked by ransomware Trojans
In Q1 2023, Kaspersky products and technologies protected 60,900 users from ransomware attacks.
Number of unique users attacked by ransomware Trojans, Q1 2023
Geography of attacked users
TOP 10 countries/territories attacked by ransomware Trojans
No. | Country/territory* | %** |
1 | Yemen | 1.50 |
2 | Bangladesh | 1.47 |
3 | Taiwan | 0.65 |
4 | Mozambique | 0.59 |
5 | Pakistan | 0.47 |
6 | South Korea | 0.42 |
7 | Venezuela | 0.32 |
8 | Iraq | 0.30 |
9 | Nigeria | 0.30 |
10 | Libya | 0.26 |
* Excluded are countries/territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 most common families of ransomware Trojans
No. | Name | Verdicts* | Percentage of attacked users** |
1 | Magniber | Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni | 15.73 |
2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.40 |
3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.27 |
4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.77 |
5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 6.65 |
6 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.52 |
7 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 5.90 |
8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.74 |
9 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 3.52 |
10 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 2.06 |
* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.
Miners
Number of new miner modifications
In Q1 2023, Kaspersky solutions detected 1733 new modifications of miners.
Number of new miner modifications, Q1 2023
Number of users attacked by miners
In Q1, we detected attacks using miners on the computers of 403,211 unique users of Kaspersky products worldwide.
Number of unique users attacked by miners, Q1 2023
Geography of miner attacks
TOP 10 countries/territories attacked by miners
No. | Country/territory* | %** |
1 | Tajikistan | 2.87 |
2 | Kazakhstan | 2.52 |
3 | Uzbekistan | 2.30 |
4 | Kyrgyzstan | 2.18 |
5 | Belarus | 1.80 |
6 | Venezuela | 1.77 |
7 | Ethiopia | 1.73 |
8 | Ukraine | 1.73 |
9 | Mozambique | 1.63 |
10 | Rwanda | 1.50 |
* Excluded are countries/territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.
Vulnerable applications used in cyberattacks
Quarterly highlights
Q1 2023 saw a number of Windows vulnerabilities remediated and published. Some of those were the following:
- CVE-2023-23397: probably the most high-profile vulnerability, which provoked much online debate and discussion. This Windows vulnerability allows starting automatic authentication on behalf of the user on a host running Outlook.
- CVE-2023-21674: a vulnerability in the ALPC subsystem that allows a malicious actor to escalate their privileges to system level.
- CVE-2023-21823: a Windows Graphics Component vulnerability that allows running commands in the system on behalf of the user. This can be reproduced both in Windows desktop versions of Microsoft Office and in mobile (iOS and Android) versions.
- CVE-2023-23376: a Common Log File System Driver vulnerability that allows escalating privileges to system level.
- CVE-2023-21768: a vulnerability in the Ancillary Function Driver for WinSock that allows obtaining system privileges.
A Microsoft fix for each of the vulnerabilities is out, and we strongly encourage you to install all the relevant patches.
The main network threats in Q1 2023 were brute-force attacks on MSSQL and RDP services. EternalBlue and EternalRomance remained popular exploits for operating system vulnerabilities. We detected notably large numbers of attacks and scans that targeted log4j-type vulnerabilities (CVE-2021-44228).
Vulnerability statistics
In Q1 2023, Kaspersky products detected more than 300,000 exploitation attempts, most of these using Microsoft Office exploits. Their share was 78.96%, down by just 1 p.p. from the previous quarter. The most-exploited vulnerabilities in that category were the following:
- CVE-2017-11882 and CVE-2018-0802: Equation Editor vulnerabilities that allow corrupting application memory during formula processing to then run arbitrary code in the system.
- CVE-2017-0199, which allows using MS Office to load malicious scripts.
- CVE-2017-8570, which allows loading malicious HTA scripts into the system.
The second most-exploited category was browser vulnerabilities (7.07%), their share growing by 1 p.p. We did not discover any new browser vulnerabilities exploited by malicious actors in the wild. Q2 2023 might bring something new.
Distribution of exploits used by cybercriminals by type of attacked application, Q1 2023
Android (4.04%) and Java (3.93%) were third and fourth, respectively. Android exploits lost 1 p.p. during the period, whereas the share of Java exploits remained unchanged. The fifth- and sixth-place scores — Adobe Flash (3.49%) and PDF (2.52%) — were very close to the previous quarter’s figures as well.
Attacks on macOS
The first quarter’s high-profile event was a supply-chain attack on the 3CX app, including the macOS version. Hackers were able to embed malicious code into the libffmpeg media processing library to download a payload from their servers.
Worth noting is the MacStealer spy program, also discovered in Q1 2023, which stole cookies from the victim’s browser, as well as account details and cryptowallet passwords.
TOP 20 threats for macOS
No. | Verdict | %* |
1 | AdWare.OSX.Pirrit.ac | 11.87 |
2 | AdWare.OSX.Amc.e | 8.41 |
3 | AdWare.OSX.Pirrit.j | 7.98 |
4 | AdWare.OSX.Agent.ai | 7.58 |
5 | Monitor.OSX.HistGrabber.b | 6.64 |
6 | AdWare.OSX.Bnodlero.ax | 6.12 |
7 | AdWare.OSX.Pirrit.ae | 5.77 |
8 | AdWare.OSX.Agent.gen | 4.98 |
9 | Hoax.OSX.MacBooster.a | 4.76 |
10 | Trojan-Downloader.OSX.Agent.h | 4.66 |
11 | AdWare.OSX.Pirrit.o | 3.63 |
12 | Backdoor.OSX.Twenbc.g | 3.52 |
13 | AdWare.OSX.Bnodlero.bg | 3.32 |
14 | AdWare.OSX.Pirrit.aa | 3.20 |
15 | Backdoor.OSX.Twenbc.h | 3.14 |
16 | AdWare.OSX.Pirrit.gen | 3.14 |
17 | Downloader.OSX.InstallCore.ak | 2.37 |
18 | Trojan-Downloader.OSX.Lador.a | 2.03 |
19 | RiskTool.OSX.Spigot.a | 1.92 |
20 | Trojan.OSX.Agent.gen | 1.88 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky security products for macOS who were attacked.
Adware remained the most widespread threat to macOS users. In addition, we frequently came across all kinds of system “cleaners” and “optimizers”, many of which contained highly annoying ads or classic scams that offered users paid solutions to problems that did not exist.
Geography of threats for macOS
TOP 10 countries/territories by share of attacked users
No. | Country/territory* | %** |
1 | Italy | 1.43 |
2 | Spain | 1.39 |
3 | France | 1.37 |
4 | Russian Federation | 1.29 |
5 | Mexico | 1.20 |
6 | Canada | 1.18 |
7 | United States | 1.16 |
8 | United Kingdom | 0.98 |
9 | Australia | 0.87 |
10 | Brazil | 0.81 |
* Excluded from the rankings are countries/territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.
Italy (1.43%) and Spain (1.39%) became the leaders by number of attacked users, as France (1.37%), Russia (1.29%) and Canada (1.18%) lost a few percentage points. Overall, the percentage of attacked users in the TOP 10 countries did not change much.
IoT attacks
IoT threat statistics
In Q3 2023, a majority of the devices that attacked Kaspersky honeypots still used the Telnet protocol, but its popularity decreased somewhat from the previous quarter.
Telnet | 69.2% |
SSH | 30.8% |
Distribution of attacked services by number of unique IP addresses of attacking devices, Q1 2023
In terms of session numbers, Telnet accounted for the absolute majority.
Telnet | 97.8% |
SSH | 2.2% |
Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2023
TOP 10 countries/territories as sources of SSH attacks
Country/territory | %* (Q4 2022) | %* (Q1 2023) |
Taiwan | 1.60 | 12.13 |
United States | 19.11 | 12.05 |
South Korea | 3.32 | 7.64 |
Mainland China | 8.45 | 6.80 |
Brazil | 5.10 | 5.08 |
India | 6.26 | 4.45 |
Germany | 6.20 | 4.00 |
Vietnam | 2.18 | 3.95 |
Singapore | 6.63 | 3.63 |
Russian Federation | 3.33 | 3.36 |
Other | 37.81 | 36.91 |
* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.
The APAC countries/territories and the U.S. remained the main sources of SSH attacks in Q1 2023.
TOP 10 countries/territories as sources of Telnet attacks
Country/territory | %* (Q4 2022) | %* (Q1 2023) |
Mainland China | 46.90 | 39.92 |
India | 6.61 | 12.06 |
Taiwan | 6.37 | 7.51 |
Brazil | 3.31 | 4.92 |
Russian Federation | 4.53 | 4.82 |
United States | 4.33 | 4.30 |
South Korea | 7.39 | 2.59 |
Iran | 1.05 | 1.50 |
Pakistan | 1.40 | 1.41 |
Kenya | 0.06 | 1.39 |
Other | 18.04 | 19.58 |
* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.
Mainland China (39.92%) remained the largest source of Telnet attacks, with India’s (12.06%) and Kenya’s (1.39%) contributions increasing significantly. The share of attacks that originated in South Korea (2.59%) decreased.
TOP 10 threats delivered to IoT devices via Telnet
No. | Verdict | %* |
1 | Trojan-Downloader.Linux.NyaDrop.b | 41.39% |
2 | Backdoor.Linux.Mirai.b | 18.82% |
3 | Backdoor.Linux.Mirai.cw | 9.63% |
4 | Backdoor.Linux.Mirai.ba | 6.18% |
5 | Backdoor.Linux.Gafgyt.a | 2.64% |
6 | Backdoor.Linux.Mirai.fg | 2.25% |
7 | Backdoor.Linux.Mirai.ew | 1.89% |
8 | Trojan-Downloader.Shell.Agent.p | 1.77% |
9 | Backdoor.Linux.Gafgyt.bj | 1.24% |
10 | Trojan-Downloader.Linux.Mirai.d | 1.23% |
* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.
Attacks via web resources
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.
Countries/territories that serve as sources of web-based attacks: TOP 10
The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.
In Q1 2023, Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe. A total of 246,912,694 unique URLs were detected by Web Anti-Virus.
Distribution of web-attack sources across countries, Q1 2022
Countries/territories where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in various countries/territories, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered at least once during the quarter in each country/territory. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in various countries.
Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
No. | Country/territory* | %** |
1 | Turkey | 16.88 |
2 | Taiwan | 16.01 |
3 | Algeria | 15.95 |
4 | Palestine | 15.30 |
5 | Albania | 14.95 |
6 | Yemen | 14.94 |
7 | Serbia | 14.54 |
8 | Tunisia | 14.13 |
9 | South Korea | 13.98 |
10 | Libya | 13.93 |
11 | Sri Lanka | 13.85 |
12 | Greece | 13.53 |
13 | Syria | 13.51 |
14 | Nepal | 13.10 |
15 | Bangladesh | 12.92 |
16 | Georgia | 12.85 |
17 | Morocco | 12.80 |
18 | Moldova | 12.73 |
19 | Lithuania | 12.61 |
20 | Bahrain | 12.39 |
* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average during the quarter, 9.73% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.
Local threats
In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
In Q1 2023, our File Anti-Virus detected 43,827,839 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country/territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries/territories.
These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
No. | Country/territory* | %** |
1 | Yemen | 45.38 |
2 | Turkmenistan | 44.68 |
3 | Afghanistan | 43.64 |
4 | Tajikistan | 42.57 |
5 | Cuba | 36.01 |
6 | Burundi | 35.20 |
7 | Syria | 35.17 |
8 | Bangladesh | 35.07 |
9 | Myanmar | 34.98 |
10 | Uzbekistan | 34.22 |
11 | South Sudan | 34.06 |
12 | Rwanda | 34.01 |
13 | Algeria | 33.94 |
14 | Guinea | 33.74 |
15 | Cameroon | 33.09 |
16 | Sudan | 33.06 |
17 | Chad | 33.06 |
18 | Tanzania | 32.50 |
19 | Benin | 32.42 |
20 | Malawi | 31.93 |
* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
On average worldwide, Malware-class local threats were registered on 15.22% of users’ computers at least once during Q3.