IT threat evolution Q1 2024. Non-mobile statistics
The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
In Q1 2024:
- Kaspersky solutions blocked more than 658 million attacks from various online resources.
- Web Anti-Virus responded to slightly fewer than 153 million unique links.
- File Anti-Virus blocked nearly 32 million malicious and unwanted objects.
- More than 83,000 users experienced ransomware attacks, with 20% of all victims published on ransomware gangs’ DLSs (data leak sites) hit by LockBit.
- More than 394,000 users encountered miners.
Ransomware
Quarterly trends and highlights
BlackCat/ALPHV
In early March, the BlackCat group, alternatively known as “ALPHV”, which distributed the ransomware with the same name, announced its retirement, claiming that their operations had been disrupted by the FBI. In a message posted on a cybercrime forum, the group said, “the feds screwed us over”, just as the group’s DLS showed a banner that read, “the Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action”. However, the FBI refused to comment, while Europol and the UK’s NCA denied involvement in any recent disruption to BlackCat’s infrastructure.
The group also posted a message offering the source code for their ransomware for $5 million. Several days earlier, a BlackCat affiliate had accused the group of stealing more than $20 million in ransom received from a victim company. All of this makes it likely that the “coordinated action” story is BlackCat’s attempt at disappearing with the money. This is not the first time a RaaS group has shut down their operations after taking their affiliates’ money.
LockBit
In February, as part of a joint effort named “Operation Cronos”, the law enforcement agencies of ten countries seized some of the infrastructure belonging to one of the most prolific ransomware gangs, LockBit. Police arrested two LockBit operators and issued warrants for other members of the gang.
Soon after, though, LockBit developers reactivated their servers and continued their attacks using an updated ransomware version, which suggests that the damage the group suffered as a result of the crackdown was limited.
The most prolific groups
This section looks at the most prolific of ransomware gangs that not only encrypt their victims’ files but steal their confidential data and then publish it, engaging in so-called “double extortion”. The statistics are based on the number of new victims added to each of the groups’ DLSs.
LockBit was the first quarter’s busiest cyberextortion gang, publishing 20.34% of total new ransomware victims on its DLS. It was followed by Black Basta (7.02%) and Play (6.75%).
Figure: the number of the group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period
Number of new ransomware Trojan modifications
In Q1 2024, we discovered nine new families and 7,070 ransomware modifications.
Figure: number of new ransomware modifications, Q1 2023 — Q1 2024
Number of users attacked by ransomware Trojans
In Q1, Kaspersky solutions protected 83,270 unique users from ransomware Trojan attacks.
Figure: number of unique users attacked by ransomware Trojans, Q1 2024
Geography of attacked users
TOP 10 countries and territories attacked by ransomware Trojans:
| | Country/territory* | %** |
|---|---|---|
| 1 | South Korea | 0.75% |
| 2 | Bangladesh | 0.63% |
| 3 | Libya | 0.57% |
| 4 | Pakistan | 0.56% |
| 5 | Iran | 0.49% |
| 6 | China | 0.46% |
| 7 | Iraq | 0.40% |
| 8 | Venezuela | 0.37% |
| 9 | Tanzania | 0.36% |
| 10 | Tajikistan | 0.36% |
* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 most common families of ransomware Trojans
| | Name | Verdicts* | Percentage of attacked users** |
|---|---|---|---|
| 1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 22.92% |
| 2 | WannaCry | Trojan-Ransom.Win32.Wanna | 11.68% |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.63% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.66% |
| 5 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.46% |
| 6 | PolyRansom/VirLock | Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom | 3.87% |
| 7 | (generic verdict) | Trojan-Ransom.MSIL.Agent | 3.66% |
| 8 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 3.01% |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Phny | 3.00% |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.40% |
* Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
** Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.
Miners
Number of new miner modifications
In Q1 2024, Kaspersky solutions detected 6,601 new miner modifications.
Figure: number of new miner modifications, Q1 2024
Number of users attacked by miners
In Q1, Kaspersky solutions protected 394,120 unique users globally from miners.
Figure: number of unique users attacked by miners, Q1 2024
Geography of attacked users
TOP 10 countries and territories attacked by miners:
| | Country/territory* | %** |
|---|---|---|
| 1 | Tajikistan | 2.41 |
| 2 | Venezuela | 1.91 |
| 3 | Kazakhstan | 1.88 |
| 4 | Kyrgyzstan | 1.80 |
| 5 | Belarus | 1.69 |
| 6 | Uzbekistan | 1.55 |
| 7 | Ethiopia | 1.46 |
| 8 | Ukraine | 1.34 |
| 9 | Mozambique | 1.19 |
| 10 | Sri Lanka | 1.12 |
* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country or territory.
Attacks on macOS
In the universe of macOS Trojans, the year 2024 kicked off with the detection of a new backdoor named SpectralBlur and tentatively attributed to the Bluenoroff group. The malware has the typical capabilities of a backdoor, such as downloading and removing files, uploading data to a command-and-control server and running shell commands in a pseudoterminal.
Next, we discovered a large set of cracked applications that contained a Python backdoor loader. Its key feature was the ability to replace Bitcoin and Exodus wallet apps with infected versions to steal passwords and wallet recovery phrases.
We also found infected versions of the VNote and Notepad-- text editors with a CobaltStrike agent loader inside. These spread via banner ads in Chinese search engines.
One of the last threats to be discovered in Q1 was a Rust backdoor disguised as a Visual Studio updater and spreading as documents describing job openings. Apparently designed to spy on its victims, the backdoor targeted software developers and existed in the form of several variants.
TOP 20 threats to macOS
| Verdict | %* |
|---|---|
| Trojan-Downloader.OSX.Agent.gen | 11.49 |
| AdWare.OSX.Amc.e | 5.84 |
| Trojan.OSX.Agent.gen | 5.35 |
| AdWare.OSX.Agent.ai | 5.11 |
| AdWare.OSX.Agent.gen | 5.05 |
| AdWare.OSX.Pirrit.ac | 4.99 |
| Monitor.OSX.HistGrabber.b | 4.99 |
| AdWare.OSX.Bnodlero.ax | 4.27 |
| AdWare.OSX.Agent.ap | 3.73 |
| AdWare.OSX.Pirrit.j | 3.19 |
| AdWare.OSX.Mhp.a | 2.95 |
| AdWare.OSX.Pirrit.gen | 2.29 |
| HackTool.OSX.DirtyCow.a | 2.23 |
| RiskTool.OSX.Spigot.a | 2.17 |
| AdWare.OSX.Pirrit.ae | 2.05 |
| Hoax.OSX.MacBooster.a | 1.93 |
| Trojan-Downloader.OSX.Lador.a | 1.93 |
| Trojan-Downloader.OSX.Agent.h | 1.87 |
| AdWare.OSX.Bnodlero.bg | 1.87 |
| Backdoor.OSX.Agent.l | 1.81 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.
A downloader Trojan that fetches other dangerous applications topped the list of active threats. More often than not, it delivers various kinds of adware to the infected device, but nothing technically limits what it can download, so it may just as well drop any other malware.
Geography of threats for macOS
TOP 10 countries and territories by share of attacked users
| Country/territory* | %** |
|---|---|
| Spain | 1.27 |
| Italy | 1.11 |
| Canada | 1.02 |
| France | 0.93 |
| Mexico | 0.88 |
| United States | 0.81 |
| Germany | 0.77 |
| United Kingdom | 0.75 |
| Hong Kong | 0.73 |
| Brazil | 0.66 |
* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country or territory.
Mainland China, previously a leader by number of attacked macOS users, dropped out of the TOP 10 list this time around. Spain, Italy and Canada had the highest numbers of users who encountered threats specific to macOS.
IoT attacks
IoT threat statistics
The protocol distribution of devices that attacked Kaspersky honeypots in Q1 2024 is as follows.
| Protocol | Q4 2023 | Q1 2024 |
|---|---|---|
| Telnet | 91.88% | 93.31% |
| SSH | 8.12% | 6.69% |
Distribution of attacked services by number of unique IP addresses of attacking devices
As you can see, attackers relied on Telnet even more heavily relative to SSH than in the previous quarter, and the session statistics for the two protocols show the same shift.
| Protocol | Q4 2023 | Q1 2024 |
|---|---|---|
| Telnet | 92.17% | 96.48% |
| SSH | 7.83% | 3.52% |
Distribution of attackers’ sessions in Kaspersky honeypots
TOP 10 threats delivered to IoT devices:
| TOP 10 threats | %* Q4 2023 | %* Q1 2024 |
|---|---|---|
| Trojan-Downloader.Linux.NyaDrop.b | 19.40 | 37.26 |
| Backdoor.Linux.Mirai.b | 12.97 | 10.22 |
| Trojan.Linux.Agent.nx | 0.20 | 8.73 |
| Backdoor.Linux.Mirai.ba | 2.69 | 6.08 |
| Backdoor.Linux.Mirai.cw | 4.86 | 6.06 |
| Backdoor.Linux.Gafgyt.a | 1.19 | 3.53 |
| Backdoor.Linux.Mirai.gp | 0.05 | 2.81 |
| Backdoor.Linux.Gafgyt.fj | 0.05 | 1.97 |
| Backdoor.Linux.Mirai.fg | 2.52 | 1.57 |
| Trojan-Downloader.Shell.Agent.p | 0.99 | 1.54 |
* Share of each threat uploaded to an infected device as a result of a successful attack in the total number of uploaded threats.
Attacks on IoT honeypots
There were no drastic changes in the geographical distribution of SSH attacks. The shares of attacks originating in South Korea, Singapore and Germany increased the most.
| Country/territory | %* Q4 2023 | %* Q1 2024 |
|---|---|---|
| Mainland China | 21.33 | 20.58 |
| United States | 11.65 | 12.15 |
| South Korea | 7.03 | 9.59 |
| Singapore | 3.97 | 6.87 |
| Germany | 3.76 | 4.97 |
| India | 4.95 | 4.52 |
| Hong Kong | 2.27 | 3.25 |
| Russian Federation | 3.37 | 2.84 |
| Brazil | 3.86 | 2.36 |
| Japan | 1.77 | 2.36 |
* Unique IP addresses located in the country or territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.
Malicious actors who use the Telnet protocol stepped up attacks from mainland China noticeably.
| Country/territory | %* Q4 2023 | %* Q1 2024 |
|---|---|---|
| Mainland China | 32.96 | 41.51 |
| India | 17.91 | 17.47 |
| Japan | 3.62 | 4.89 |
| Brazil | 4.81 | 3.78 |
| Russian Federation | 3.84 | 3.12 |
| Thailand | 1.08 | 2.95 |
| Taiwan | 2.29 | 2.73 |
| South Korea | 3.81 | 2.53 |
| United States | 2.82 | 2.20 |
| Argentina | 1.81 | 1.36 |
* Unique IP addresses located in a country or territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.
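The honeypot section reports the Telnet/SSH split twice, once by unique attacking IP addresses and once by sessions, and the geography tables rank countries by their share of unique attacking IPs per protocol. The script below is an added example (not Kaspersky's own tooling) that computes all three views from a constructed session log, so the difference between the two denominators is visible: a handful of hosts that reconnect many times raise a protocol's session share without changing its unique-IP share. The records use documentation IP ranges and made-up country codes.

```python
from collections import Counter, defaultdict

# Constructed honeypot session records: (source IP, country/territory, protocol).
# Made up for this example; not Kaspersky honeypot data. Documentation IP ranges
# are used so nothing here points at a real host.
SESSIONS = [
    ("203.0.113.10", "CN", "telnet"),
    ("203.0.113.10", "CN", "telnet"),
    ("203.0.113.10", "CN", "telnet"),   # one noisy host: three Telnet sessions
    ("203.0.113.12", "CN", "telnet"),
    ("203.0.113.11", "CN", "ssh"),
    ("198.51.100.5", "US", "ssh"),
    ("198.51.100.5", "US", "ssh"),
    ("198.51.100.7", "US", "telnet"),
    ("192.0.2.20", "KR", "ssh"),
    ("192.0.2.21", "KR", "telnet"),
    ("192.0.2.21", "KR", "telnet"),
]


def share_by_sessions(sessions):
    """Protocol share where every session counts (the attackers' sessions table)."""
    counts = Counter(proto for _, _, proto in sessions)
    total = sum(counts.values())
    return {proto: round(100 * n / total, 2) for proto, n in counts.items()}


def share_by_unique_ips(sessions):
    """Protocol share by distinct attacking IPs (the unique-IP-addresses table).
    A repeat offender counts once per protocol, so a few chatty hosts cannot
    inflate a protocol's share the way they do in the session-based view."""
    ips_per_proto = defaultdict(set)
    for ip, _, proto in sessions:
        ips_per_proto[proto].add(ip)
    total = sum(len(ips) for ips in ips_per_proto.values())
    return {proto: round(100 * len(ips) / total, 2)
            for proto, ips in ips_per_proto.items()}


def country_share(sessions, protocol):
    """Share of unique attacking IPs per country for one protocol, ranked
    highest first (the definition in the geography tables' footnotes)."""
    ips_per_country = defaultdict(set)
    for ip, country, proto in sessions:
        if proto == protocol:
            ips_per_country[country].add(ip)
    total = sum(len(ips) for ips in ips_per_country.values())
    ranked = sorted(ips_per_country.items(), key=lambda kv: -len(kv[1]))
    return {country: round(100 * len(ips) / total, 2) for country, ips in ranked}


if __name__ == "__main__":
    print("by sessions:      ", share_by_sessions(SESSIONS))
    print("by unique IPs:    ", share_by_unique_ips(SESSIONS))
    print("telnet by country:", country_share(SESSIONS, "telnet"))
```

With this input Telnet accounts for 63.64% of sessions but only 57.14% of unique IPs, the same direction of gap the report shows between its two tables; when reading such statistics, check which denominator a table uses before comparing it with another.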
Attacks via web resources
The statistics in this section are based on data provided by Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create malicious pages on purpose. Web resources with user-generated content, such as forums, as well as hacked legitimate resources, can be infected.
Countries and territories that serve as sources of web-based attacks: the TOP 10
The following statistics show the geographical distribution of sources of internet attacks blocked by Kaspersky products on user computers: web pages with redirects to exploits, sites hosting exploits and other malware, botnet C&C centers, etc. Any unique host could be the source of one or more web-based attacks.
To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q1 2024, Kaspersky solutions blocked 658,181,425 attacks launched from online resources across the globe. A total of 152,841,402 unique URLs triggered a Web Anti-Virus detection.
Figure: geographical distribution of sources of web attacks, Q1 2024
Countries and territories where users faced the greatest risk of online infection
To assess the risk of online malware infection faced by users in various countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
| | Country/territory* | %** |
|---|---|---|
| 1 | Greece | 14.09 |
| 2 | Bulgaria | 13.01 |
| 3 | Madagascar | 12.54 |
| 4 | Albania | 12.04 |
| 5 | North Macedonia | 12.00 |
| 6 | Ecuador | 11.90 |
| 7 | Sri Lanka | 11.82 |
| 8 | Qatar | 11.77 |
| 9 | Nepal | 11.56 |
| 10 | Bangladesh | 11.36 |
| 11 | Peru | 11.24 |
| 12 | Kenya | 11.02 |
| 13 | Venezuela | 10.97 |
| 14 | South Africa | 10.94 |
| 15 | Algeria | 10.87 |
| 16 | Serbia | 10.84 |
| 17 | Tunisia | 10.77 |
| 18 | Lithuania | 10.66 |
| 19 | Moldova | 10.51 |
| 20 | Slovakia | 10.50 |
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country or territory.
On average during the quarter, 7.98% of the internet users’ computers worldwide were subjected to at least one Malware-category web attack.
Local threats
These statistics are based on detection verdicts returned by the OAS (on-access scan) and ODS (on-demand scan) Anti-Virus modules and received from users of Kaspersky products who consented to providing statistical data. The data includes detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones or external hard drives.
In Q1 2024, our File Anti-Virus detected 31,817,072 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.
The rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
| | Country/territory* | %** |
|---|---|---|
| 1 | Turkmenistan | 47.55 |
| 2 | Yemen | 43.57 |
| 3 | Afghanistan | 42.37 |
| 4 | Tajikistan | 39.09 |
| 5 | Cuba | 38.55 |
| 6 | Syria | 34.70 |
| 7 | Uzbekistan | 34.28 |
| 8 | Burundi | 32.79 |
| 9 | Bangladesh | 31.62 |
| 10 | Myanmar | 30.97 |
| 11 | Tanzania | 30.55 |
| 12 | Niger | 30.45 |
| 13 | Belarus | 29.84 |
| 14 | Algeria | 29.82 |
| 15 | South Sudan | 29.80 |
| 16 | Cameroon | 29.55 |
| 17 | Benin | 29.41 |
| 18 | Madagascar | 28.77 |
| 19 | Burkina Faso | 28.77 |
| 20 | Iraq | 28.38 |
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-category local threats were blocked, as a percentage of all unique users of Kaspersky products in the country or territory.
Overall, 15.04% of user computers globally faced at least one Malware-category local threat during Q1 2024.
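Both the web-attack rankings and the local-threat rankings above use the same metric: the share of unique users in a country on whose computers the relevant module (Web Anti-Virus or File Anti-Virus) was triggered by a Malware-category object, with RiskTool and adware detections left out and countries below a user-count threshold excluded from the ranking. The following is an added example, not Kaspersky's code, that applies that definition to constructed detection records. The verdict-prefix mapping used to decide what counts as Malware (`NOT_MALWARE_PREFIXES`), the user populations and the detection records are all assumptions made for the example; the page does not give the internal category mapping.

```python
from collections import defaultdict

# Minimum number of Kaspersky users a country needs to appear in the rankings,
# as in the report's footnotes for the web and local-threat tables.
MIN_USERS_FOR_RANKING = 10_000

# Assumption for this example: verdict prefixes treated as "not Malware".
# The report names RiskTool and adware as excluded classes; the exact
# verdict-to-category mapping used internally is not given on the page.
NOT_MALWARE_PREFIXES = ("RiskTool.", "AdWare.")


def is_malware(verdict):
    """True if the verdict falls in the Malware category under the assumed mapping."""
    return not verdict.startswith(NOT_MALWARE_PREFIXES)


# Constructed detection records from one module (Web Anti-Virus or File
# Anti-Virus): (user id, country/territory, verdict). Made up for illustration.
DETECTIONS = [
    ("u1", "GR", "Trojan.Win32.Agent.gen"),
    ("u1", "GR", "Trojan-Downloader.Win32.Agent.gen"),  # same user again: counted once
    ("u2", "GR", "AdWare.Win32.Agent.aa"),              # adware only: not a Malware hit
    ("u3", "GR", "Trojan-Ransom.Win32.Gen"),
    ("u4", "BG", "Trojan-Ransom.Win32.Wanna"),
    ("u5", "BG", "RiskTool.Win32.BitCoinMiner.aa"),      # RiskTool: excluded
    ("u6", "XX", "Trojan.Win32.Agent.gen"),             # country below the threshold
]

# Constructed total user population per country (the denominator of the metric).
USERS_PER_COUNTRY = {"GR": 10_000, "BG": 12_500, "XX": 500}


def attacked_users(detections):
    """Map country -> set of unique users with at least one Malware-category detection."""
    hit = defaultdict(set)
    for user, country, verdict in detections:
        if is_malware(verdict):
            hit[country].add(user)
    return hit


def risk_by_country(detections, users_per_country, min_users=MIN_USERS_FOR_RANKING):
    """Percentage of users per country with a Malware detection, ranked highest
    first. Countries with fewer than min_users total users are left out of the
    ranking, as the report's footnotes describe."""
    hit = attacked_users(detections)
    ranking = [
        (country, round(100 * len(hit[country]) / total, 2))
        for country, total in users_per_country.items()
        if total >= min_users
    ]
    ranking.sort(key=lambda kv: -kv[1])
    return ranking


def global_risk(detections, users_per_country):
    """Worldwide share of users with a Malware detection. The size threshold
    applies only to the rankings, so every country contributes here."""
    hit = attacked_users(detections)
    attacked = sum(len(users) for users in hit.values())
    return round(100 * attacked / sum(users_per_country.values()), 2)


if __name__ == "__main__":
    for country, pct in risk_by_country(DETECTIONS, USERS_PER_COUNTRY):
        print(f"{country}: {pct}%")
    print("worldwide:", global_risk(DETECTIONS, USERS_PER_COUNTRY), "%")
```

Two details of the definition matter when reproducing such figures: a user is counted once no matter how many detections they produced, and a user whose only detections were adware or RiskTool does not count at all. Feeding File Anti-Virus records instead of Web Anti-Virus records gives the local-threat ranking with no other change.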