IT threat evolution in Q1 2024. Non-mobile statistics

IT threat evolution Q1 2024
IT threat evolution Q1 2024. Mobile statistics
IT threat evolution Q1 2024. Non-mobile statistics

The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

In Q1 2024:

• Kaspersky solutions blocked more than 658 million attacks from various online resources.
• Web Anti-Virus responded to slightly fewer than 153 million unique links.
• File Anti-Virus blocked nearly 32 million malicious and unwanted objects.
• More than 83,000 users experienced ransomware attacks,
• with 20% of all victims published on ransomware gangs’ DLSs (data leak sites) hit by LockBit.
• More than 394,000 users encountered miners.

Ransomware

Quarterly trends and highlights

BlackCat/ALPHV

In early March, the BlackCat group, alternatively known as “ALPHV”, which distributed the ransomware with the same name, announced its retirement, claiming that their operations had been disrupted by the FBI. In a message posted on a cybercrime forum, the group said, “the feds screwed us over”, just as the group’s DLS showed a banner that read, “the Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action”. However, the FBI refused to comment, while Europol and the UK’s NCA denied involvement in any recent disruption to BlackCat’s infrastructure.

The group also posted a message offering the source code for their ransomware for $5 million. Several days earlier, a BlackCat affiliate had accused the group of stealing more than $20 million in ransom received from a victim company. All of this makes it likely that the “coordinated action” story is BlackCat’s attempt at disappearing with the money. This is not the first time a RaaS group has shut down their operations after taking their affiliates’ money.

LockBit

In February, as part of a joint effort named “Operation Cronos”, the law enforcement agencies of ten countries seized some of the infrastructure belonging to one of the most prolific ransomware gangs, LockBit. Police arrested two Lockbit operators and issued warrants for other members of the gang.

Soon after, though, LockBit developers reactivated their servers and continued their attacks using an updated ransomware version, which apparently suggests any damage the group had suffered as a result of the crackdown was insignificant.

The most prolific groups

This section looks at the most prolific of ransomware gangs that not only encrypt their victims’ files but steal their confidential data and then publish it, engaging in so-called “double extortion”. The statistics are based on the number of new victims added to each of the groups’ DLSs.

LockBit was the first quarter’s busiest cyberextortion gang, publishing 20.34% of total new ransomware victims on its DLS. It was followed by Black Basta (7.02%) and Play (6.75%).

The number of the group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new ransomware Trojan modifications

In Q1 2024, we discovered nine new families and 7070 ransomware modifications.

Number of new ransomware modifications, Q1 2023 — Q1 2024 (download)

Number of users attacked by ransomware Trojans

In Q1, Kaspersky solutions protected 83,270 unique users from ransomware Trojan attacks.

Number of unique users attacked by ransomware Trojans, Q1 2024 (download)

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans:

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

* Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
** Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q1 2024, Kaspersky solutions detected 6,601 new miner modifications.

Number of new miner modifications, Q1 2024 (download)

Number of users attacked by miners

In Q1, Kaspersky solutions protected 394,120 unique users globally from miners.

Number of unique users attacked by miners, Q1 2024 (download)

Geography of attacked users

TOP 10 countries and territories attacked by miners:

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country or territory.

Attacks on macOS

In the universe of macOS Trojans, the year 2024 kicked off with the detection of a new backdoor named SpectralBlur and tentatively attributed to the Bluenoroff group. The malware has the typical capabilities of a backdoor, such as downloading and removing files, uploading data to a command-and-control server and running shell commands in a pseudoterminal.

Next, we discovered a large set of cracked applications that contained a Python backdoor loader. Its key feature was the ability to replace Bitcoin and Exodus wallet apps with infected versions to steal passwords and wallet recovery phrases.

We also found infected versions of the VNote and Notepad– text editors with a CobaltStrike agent loader inside. These spread via banner ads in Chinese search engines.

One of the last threats to be discovered in Q1 was a Rust backdoor disguised as a VisualStudio updater and spreading as documents describing job openings. Apparently designed to spy on its victims, the backdoor targeted software developers and existed in the form of several variants.

TOP 20 threats to macOS

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

A Trojan that downloaded other dangerous applications has topped the list of active threats. More often than not, it delivers various kinds of adware to the infected device, but there are no technical limitations in terms of the type of downloads, so it may as well drop any other malware.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country or territory.

Mainland China, previously a leader by number of attacked macOS users, dropped out of the TOP 10 list this time around. Spain, Italy and Canada had the highest numbers of users who encountered threats specific to macOS.

IoT attacks

IoT threat statistics

The protocol distribution of devices that attacked Kaspersky honeypots in Q1 2024 is as follows.

Distribution of attacked services by number of unique IP addresses of attacking devices

As you can see, attackers began to use Telnet more frequently than SSH, as evidenced by the attack statistics for the two protocols.

Distribution of attackers’ sessions in Kaspersky honeypots

TOP 10 threats delivered to IoT devices:

* Share of each threat uploaded to an infected device as a result of a successful attack in the total number of uploaded threats.

Attacks on IoT honeypots

There were no drastic changes in the geographical distribution of SSH attacks. The shares of attacks originating in South Korea, Singapore and Germany increased the most.

* Unique IP addresses located in the country or territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

Malicious actors who use the Telnet protocol stepped up attacks from mainland China noticeably.

* Unique IP addresses located in a country or territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

Attacks via web resources

The statistics in this section are based on data provided by Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create malicious pages on purpose. Web resources with user-generated content, such as forums, as well as hacked legitimate resources, can be infected.

Countries and territories that serve as sources of web-based attacks: the TOP 10

The following statistics show the geographical distribution of sources of internet attacks blocked by Kaspersky products on user computers: web pages with redirects to exploits, sites hosting exploits and other malware, botnet C&C centers, etc. Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2024, Kaspersky solutions blocked 658,181,425 attacks launched from online resources across the globe. A total of 152,841,402 unique URLs triggered a Web Anti-Virus detection.

Geographical distribution of sources of web attacks, Q1 2024 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online malware infection faced by users in various countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country or territory.

On average during the quarter, 7.98% of the internet users’ computers worldwide were subjected to at least one Malware-category web attack.

Local threats

These statistics are based on detection verdicts returned by the OAS (on-access scan) and ODS (on-demand scan) Anti-Virus modules and received from users of Kaspersky products who consented to providing statistical data. The data includes detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones or external hard drives.

In Q1 2024, our File Anti-Virus detected 31,817,072 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.

The rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-category local threats were blocked, as a percentage of all unique users of Kaspersky products in the country or territory.

Overall, 15.04% of user computers globally faced at least one Malware local threat during Q3.