Malware reports

IT threat evolution in Q1 2024. Non-mobile statistics

IT threat evolution Q1 2024
IT threat evolution Q1 2024. Mobile statistics
IT threat evolution Q1 2024. Non-mobile statistics

The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

In Q1 2024:

  • Kaspersky solutions blocked more than 658 million attacks from various online resources.
  • Web Anti-Virus responded to slightly fewer than 153 million unique links.
  • File Anti-Virus blocked nearly 32 million malicious and unwanted objects.
  • More than 83,000 users experienced ransomware attacks,
  • with 20% of all victims published on ransomware gangs’ DLSs (data leak sites) hit by LockBit.
  • More than 394,000 users encountered miners.

Ransomware

BlackCat/ALPHV

In early March, the BlackCat group, alternatively known as “ALPHV”, which distributed the ransomware with the same name, announced its retirement, claiming that their operations had been disrupted by the FBI. In a message posted on a cybercrime forum, the group said, “the feds screwed us over”, just as the group’s DLS showed a banner that read, “the Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action”. However, the FBI refused to comment, while Europol and the UK’s NCA denied involvement in any recent disruption to BlackCat’s infrastructure.

The group also posted a message offering the source code for their ransomware for $5 million. Several days earlier, a BlackCat affiliate had accused the group of stealing more than $20 million in ransom received from a victim company. All of this makes it likely that the “coordinated action” story is BlackCat’s attempt at disappearing with the money. This is not the first time a RaaS group has shut down their operations after taking their affiliates’ money.

LockBit

In February, as part of a joint effort named “Operation Cronos”, the law enforcement agencies of ten countries seized some of the infrastructure belonging to one of the most prolific ransomware gangs, LockBit. Police arrested two Lockbit operators and issued warrants for other members of the gang.

Soon after, though, LockBit developers reactivated their servers and continued their attacks using an updated ransomware version, which apparently suggests any damage the group had suffered as a result of the crackdown was insignificant.

The most prolific groups

This section looks at the most prolific of ransomware gangs that not only encrypt their victims’ files but steal their confidential data and then publish it, engaging in so-called “double extortion”. The statistics are based on the number of new victims added to each of the groups’ DLSs.

LockBit was the first quarter’s busiest cyberextortion gang, publishing 20.34% of total new ransomware victims on its DLS. It was followed by Black Basta (7.02%) and Play (6.75%).

The number of the group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new ransomware Trojan modifications

In Q1 2024, we discovered nine new families and 7070 ransomware modifications.

Number of new ransomware modifications, Q1 2023 — Q1 2024 (download)

Number of users attacked by ransomware Trojans

In Q1, Kaspersky solutions protected 83,270 unique users from ransomware Trojan attacks.

Number of unique users attacked by ransomware Trojans, Q1 2024 (download)

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans:

Country/territory* %**
1 South Korea 0.75%
2 Bangladesh 0.63%
3 Libya 0.57%
4 Pakistan 0.56%
5 Iran 0.49%
6 China 0.46%
7 Iraq 0.40%
8 Venezuela 0.37%
9 Tanzania 0.36%
10 Tajikistan 0.36%

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

Name Verdicts* Percentage of attacked users**
1 (generic verdict) Trojan-Ransom.Win32.Gen 22.92%
2 WannaCry Trojan-Ransom.Win32.Wanna 11.68%
3 (generic verdict) Trojan-Ransom.Win32.Encoder 8.63%
4 (generic verdict) Trojan-Ransom.Win32.Crypren 6.66%
5 Stop/Djvu Trojan-Ransom.Win32.Stop 6.46%
6 PolyRansom/VirLock Virus.Win32PolyRansom / Trojan-Ransom.Win32.PolyRansom 3.87%
7 (generic verdict) Trojan-Ransom.MSIL.Agent 3.66%
8 (generic verdict) Trojan-Ransom.Win32.Crypmod 3.01%
9 (generic verdict) Trojan-Ransom.Win32.Phny 3.00%
10 (generic verdict) Trojan-Ransom.Win32.Agent 2.40%

* Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
** Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q1 2024, Kaspersky solutions detected 6,601 new miner modifications.

Number of new miner modifications, Q1 2024 (download)

Number of users attacked by miners

In Q1, Kaspersky solutions protected 394,120 unique users globally from miners.

Number of unique users attacked by miners, Q1 2024 (download)

Geography of attacked users

TOP 10 countries and territories attacked by miners:

Country/territory* %**
1 Tajikistan 2.41
2 Venezuela 1.91
3 Kazakhstan 1.88
4 Kyrgyzstan 1.80
5 Belarus 1.69
6 Uzbekistan 1.55
7 Ethiopia 1.46
8 Ukraine 1.34
9 Mozambique 1.19
10 Sri Lanka 1.12

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country or territory.

Attacks on macOS

In the universe of macOS Trojans, the year 2024 kicked off with the detection of a new backdoor named SpectralBlur and tentatively attributed to the Bluenoroff group. The malware has the typical capabilities of a backdoor, such as downloading and removing files, uploading data to a command-and-control server and running shell commands in a pseudoterminal.

Next, we discovered a large set of cracked applications that contained a Python backdoor loader. Its key feature was the ability to replace Bitcoin and Exodus wallet apps with infected versions to steal passwords and wallet recovery phrases.

We also found infected versions of the VNote and Notepad– text editors with a CobaltStrike agent loader inside. These spread via banner ads in Chinese search engines.

One of the last threats to be discovered in Q1 was a Rust backdoor disguised as a VisualStudio updater and spreading as documents describing job openings. Apparently designed to spy on its victims, the backdoor targeted software developers and existed in the form of several variants.

TOP 20 threats to macOS

Verdict %*
Trojan-Downloader.OSX.Agent.gen 11.49
AdWare.OSX.Amc.e 5.84
Trojan.OSX.Agent.gen 5.35
AdWare.OSX.Agent.ai 5.11
AdWare.OSX.Agent.gen 5.05
AdWare.OSX.Pirrit.ac 4.99
Monitor.OSX.HistGrabber.b 4.99
AdWare.OSX.Bnodlero.ax 4.27
AdWare.OSX.Agent.ap 3.73
AdWare.OSX.Pirrit.j 3.19
AdWare.OSX.Mhp.a 2.95
AdWare.OSX.Pirrit.gen 2.29
HackTool.OSX.DirtyCow.a 2.23
RiskTool.OSX.Spigot.a 2.17
AdWare.OSX.Pirrit.ae 2.05
Hoax.OSX.MacBooster.a 1.93
Trojan-Downloader.OSX.Lador.a 1.93
Trojan-Downloader.OSX.Agent.h 1.87
AdWare.OSX.Bnodlero.bg 1.87
Backdoor.OSX.Agent.l 1.81

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

A Trojan that downloaded other dangerous applications has topped the list of active threats. More often than not, it delivers various kinds of adware to the infected device, but there are no technical limitations in terms of the type of downloads, so it may as well drop any other malware.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

Country/territory* %**
Spain 1.27
Italy 1.11
Canada 1.02
France 0.93
Mexico 0.88
United States 0.81
Germany 0.77
United Kingdom 0.75
Hong Kong 0.73
Brazil 0.66

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country or territory.

Mainland China, previously a leader by number of attacked macOS users, dropped out of the TOP 10 list this time around. Spain, Italy and Canada had the highest numbers of users who encountered threats specific to macOS.

IoT attacks

IoT threat statistics

The protocol distribution of devices that attacked Kaspersky honeypots in Q1 2024 is as follows.

Protocol Q4 2023 Q1 2024
Telnet 91.88% 93.31%
SSH 8.12% 6.69%

Distribution of attacked services by number of unique IP addresses of attacking devices

As you can see, attackers began to use Telnet more frequently than SSH, as evidenced by the attack statistics for the two protocols.

Protocol Q4 2023 Q1 2024
Telnet 92.17% 96.48%
SSH 7.83% 3.52%

Distribution of attackers’ sessions in Kaspersky honeypots

TOP 10 threats delivered to IoT devices:

TOP 10 threats %* Q4 2023 %* Q1 2024
Trojan-Downloader.Linux.NyaDrop.b 19.40 37.26
Backdoor.Linux.Mirai.b 12.97 10.22
Trojan.Linux.Agent.nx 0.20 8.73
Backdoor.Linux.Mirai.ba 2.69 6.08
Backdoor.Linux.Mirai.cw 4.86 6.06
Backdoor.Linux.Gafgyt.a 1.19 3.53
Backdoor.Linux.Mirai.gp 0.05 2.81
Backdoor.Linux.Gafgyt.fj 0.05 1.97
Backdoor.Linux.Mirai.fg 2.52 1.57
Trojan-Downloader.Shell.Agent.p 0.99 1.54

* Share of each threat uploaded to an infected device as a result of a successful attack in the total number of uploaded threats.

Attacks on IoT honeypots

There were no drastic changes in the geographical distribution of SSH attacks. The shares of attacks originating in South Korea, Singapore and Germany increased the most.

Country/territory %* Q4 2023 %* Q1 2024
Mainland China 21.33 20.58
United States 11.65 12.15
South Korea 7.03 9.59
Singapore 3.97 6.87
Germany 3.76 4.97
India 4.95 4.52
Hong Kong 2.27 3.25
Russian Federation 3.37 2.84
Brazil 3.86 2.36
Japan 1.77 2.36

* Unique IP addresses located in the country or territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

Malicious actors who use the Telnet protocol stepped up attacks from mainland China noticeably.

Country/territory %* Q4 2023 %* Q1 2024
Mainland China 32.96 41.51
India 17.91 17.47
Japan 3.62 4.89
Brazil 4.81 3.78
Russian Federation 3.84 3.12
Thailand 1.08 2.95
Taiwan 2.29 2.73
South Korea 3.81 2.53
United States 2.82 2.20
Argentina 1.81 1.36

* Unique IP addresses located in a country or territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

Attacks via web resources

The statistics in this section are based on data provided by Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create malicious pages on purpose. Web resources with user-generated content, such as forums, as well as hacked legitimate resources, can be infected.

Countries and territories that serve as sources of web-based attacks: the TOP 10

The following statistics show the geographical distribution of sources of internet attacks blocked by Kaspersky products on user computers: web pages with redirects to exploits, sites hosting exploits and other malware, botnet C&C centers, etc. Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2024, Kaspersky solutions blocked 658,181,425 attacks launched from online resources across the globe. A total of 152,841,402 unique URLs triggered a Web Anti-Virus detection.

Geographical distribution of sources of web attacks, Q1 2024 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online malware infection faced by users in various countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Greece 14.09
2 Bulgaria 13.01
3 Madagascar 12.54
4 Albania 12.04
5 North Macedonia 12.00
6 Ecuador 11.90
7 Sri Lanka 11.82
8 Qatar 11.77
9 Nepal 11.56
10 Bangladesh 11.36
11 Peru 11.24
12 Kenya 11.02
13 Venezuela 10.97
14 South Africa 10.94
15 Algeria 10.87
16 Serbia 10.84
17 Tunisia 10.77
18 Lithuania 10.66
19 Moldova 10.51
20 Slovakia 10.50

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country or territory.

On average during the quarter, 7.98% of the internet users’ computers worldwide were subjected to at least one Malware-category web attack.

Local threats

These statistics are based on detection verdicts returned by the OAS (on-access scan) and ODS (on-demand scan) Anti-Virus modules and received from users of Kaspersky products who consented to providing statistical data. The data includes detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones or external hard drives.

In Q1 2024, our File Anti-Virus detected 31,817,072 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.

The rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Turkmenistan 47.55
2 Yemen 43.57
3 Afghanistan 42.37
4 Tajikistan 39.09
5 Cuba 38.55
6 Syria 34.70
7 Uzbekistan 34.28
8 Burundi 32.79
9 Bangladesh 31.62
10 Myanmar 30.97
11 Tanzania 30.55
12 Niger 30.45
13 Belarus 29.84
14 Algeria 29.82
15 South Sudan 29.80
16 Cameroon 29.55
17 Benin 29.41
18 Madagascar 28.77
19 Burkina Faso 28.77
20 Iraq 28.38

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-category local threats were blocked, as a percentage of all unique users of Kaspersky products in the country or territory.

Overall, 15.04% of user computers globally faced at least one Malware local threat during Q3.

IT threat evolution in Q1 2024. Non-mobile statistics

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Subscribe to our weekly e-mails

The hottest research right in your inbox