Malware reports

IT threat evolution in Q2 2023. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2023:

  • Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
  • A total of 209,716,810 unique links were detected by Web Anti-Virus components.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 95,546 unique users.
  • Ransomware attacks were defeated on the computers of 57,612 unique users.
  • Our File Anti-Virus detected 39,624,768 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q2 2023, Kaspersky solutions blocked malware designed to steal money from bank accounts on the computers of 95,546 unique users.

Number of unique users attacked by financial malware, Q2 2023 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

TOP 10 countries and territories by share of attacked users

Country or territory* %**
1 Afghanistan 3.7
2 Turkmenistan 3.6
3 Tajikistan 3.2
4 China 2.1
5 Switzerland 2.0
6 Yemen 1.8
7 Egypt 1.7
8 Venezuela 1.6
9 Azerbaijan 1.5
10 Spain 1.4

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 banking malware families

Name Verdicts %*
1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 30.0
2 Zbot/Zeus Trojan-Banker.Win32.Zbot 25.3
3 Emotet Trojan-Banker.Win32.Emotet 11.9
4 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.9
5 Trickster/Trickbot Trojan-Banker.Win32.Trickster 5.5
6 Danabot Trojan-Banker.Win32.Danabot 1.7
7 SpyEyes Trojan-Spy.Win32.SpyEye 1.4
8 Tinba Trojan-Banker.Win32.Tinba 1.4
9 Qbot/Qakbot Trojan-Banker.Win32.Qbot 1.4
10 IcedID Trojan-Banker.Win32.IcedID 0.6

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

MOVEit Transfer vulnerabilities exploited

The Cl0p ransomware gang began heavily exploiting vulnerabilities in MOVEit Transfer, a secure file transfer software solution used by organizations around the world. In late May, the cybercriminals took advantage of what at the time were zero-day vulnerabilities in the application, successfully compromising the networks of numerous companies and gaining access to confidential data. The vulnerabilities in MOVEit Transfer exploited by the attackers in that series of incidents were later assigned the identifiers CVE-2023-34362, CVE-2023-35708, and CVE-2023-35036.

Attacks on municipal organizations, educational and healthcare establishments

Q2 saw a considerable number of reports about ransomware attacks on municipal organizations, hospitals, and colleges. Among those organizations who had their networks compromised and data stolen, were Louisiana’s Office of Motor Vehicles (OMV) and the Oregon Driver and Motor Vehicle Services Division (DMV). The Cl0p group, which claimed responsibility for the attacks, leveraged the aforementioned MOVEit vulnerability.

The City of Augusta, Georgia was hit by BlackByte; Dallas, Texas, by Royal; Bluefield University, Virginia, by Avos; and the Open University of Cyprus, by Medusa.

According to the FBR, the Bl00dy group attacked educational organizations in May by taking advantage of the CVE-2023-27350 vulnerability in PaperCut, print management software used by tens of thousands of businesses.

Certain ransomware gangs had said they would not target this kind of organizations, but many cybercriminals obviously failed to stick to their declared moral principles.

Most prolific groups

This section looks at ransomware groups that engage in so-called “double extortion”, that is stealing and encrypting confidential data. Most of these groups target large companies, and often maintain a DLS (data leak site), where they publish a list of organizations they have attacked. The list of the busiest ransomware gangs in Q2 2023 looked as follows.

The most prolific ransomware gangs, Q2 2023 (download)

The diagram shows each group’s share in the total number of victims published on all the groups’ DLSs.

Number of new modifications

In Q2 2023, we detected 15 new ransomware families and 1917 new modifications of this malware type.

Number of new ransomware modifications, Q2 2022 — Q2 2023 (download)

Number of users attacked by ransomware Trojans

In Q2 2023, Kaspersky products and technologies protected 57,612 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q2 2023 (download)

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory* %**
1 Bangladesh 1.38
2 South Korea 1.25
3 Yemen 1.18
4 Taiwan 1.07
5 Mozambique 0.55
6 Pakistan 0.41
7 Iraq 0.33
8 Mainland China 0.29
9 Nigeria 0.27
10 Libya 0.26

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

Name Verdicts* Share of attacked users**
1 WannaCry Trojan-Ransom.Win32.Wanna 13.67
2 Magniber Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni 13.58
3 (generic verdict) Trojan-Ransom.Win32.Encoder 11.74
4 Stop/Djvu Trojan-Ransom.Win32.Stop 6.91
5 (generic verdict) Trojan-Ransom.Win32.Phny 6.01
6 (generic verdict) Trojan-Ransom.Win32.Crypren 5.58
7 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 2.88
8 (generic verdict) Trojan-Ransom.Win32.Agent 2.49
9 CryFile Trojan-Ransom.Win32.CryFile 1.33
10 Lockbit Trojan-Ransom.Win32.Lockbit 1.27

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q2 2023, Kaspersky solutions detected 2184 new miner modifications.

Number of new miner modifications, Q2 2023 (download)

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 384,063 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q2 2023 (download)

Geography of miner attacks

TOP 10 countries and territories attacked by miners

Country or territory* %**
1 Tajikistan 3.06
2 Kazakhstan 2.14
3 Kyrgyzstan 1.97
4 Uzbekistan 1.89
5 Venezuela 1.81
6 Mozambique 1.68
7 Belarus 1.54
8 Ukraine 1.47
9 Rwanda 1.28
10 Ethiopia 1.28

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Vulnerable applications used by criminals during cyberattacks

Quarterly highlights

Q2 2023 was notable for the discovery of a series of vulnerabilities that impacted a fairly large number of organizations. The most resonant ones were the aforementioned vulnerabilities in MOVEit Transfer: CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708. To exploit these, attackers used SQL injection to get access to the database and execute code on the server side.

The PaperCut print management application was plagued by a similar critical issue: a vulnerability designated as CVE-2023-27350. Attackers can use it to run a command in the operating system with System permissions with a specially crafted request. The vulnerability has been used by criminals as well.

New vulnerabilities in Google Chrome, Microsoft Windows, and Microsoft Office were discovered while detecting attacks on user systems. Google Chrome was found to contain two type confusion vulnerabilities (CVE-2023-2033 and CVE-2023-3079 ) and one integer overflow vulnerability (CVE-2023-2136). The above vulnerabilities, detected while they were being exploited, allowed an attacker to escape the browser sandbox. Developers’ patches for the relevant software are available.

Zero-day vulnerabilities were found in Windows while preventing attacks on users, with one of these (CVE-2023-28252) discovered by Kaspersky researchers. CVE-2023-29336, a Win32k subsystem flaw that allowed attackers to gain System privileges, and CVE-2023-24932 a Secure Boot bypass vulnerability that malicious actors could leverage to replace any system files, were discovered in Q2 as well. Microsoft fixes for each of the vulnerabilities are out, and we strongly encourage you to install all the relevant patches.

Vulnerability statistics

Kaspersky products detected roughly 300,000 exploitation attempts in Q2. Most of the detects, as always, were associated with Microsoft Office applications. Their share (75.53%) of the total was almost 3 pp below the previous period’s figure.

The most frequently exploited vulnerabilities were as follows:

  • CVE-2017-11882 and CVE-2018-0802: Equation Editor vulnerabilities that allow corrupting application memory during formula processing to then run arbitrary code in the system
  • CVE-2017-0199 allows using MS Office to load malicious scripts.
  • CVE-2017-8570 allows loading malicious HTA scripts into the system.

The next most common category was browser exploits (8.2% of the total, or 1 pp below the Q1 figure).

This was followed by exploits for the Java platform (4.83%), Android (4.33%), and Adobe Flash (4.10%).

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2023 (download)

The online threats in Q2 2023, as before, consisted of MSSQL and RDP brute-force attacks. EternalBlue and EternalRomance remained popular exploits for operating system vulnerabilities. Notable numbers of attacks and scans that targeted log4j-type vulnerabilities (CVE-2021-44228) were recorded.

Attacks on macOS

A version of the Lockbit for macOS was discovered in Q2. This ransomware used to target Linux, but now the operators have extended its reach.

The JokerSpy Python backdoor deployed modified TCC databases to the target device during an attack to bypass restrictions when starting applications on that device.

TOP 20 threats for macOS

Verdict %*
1 AdWare.OSX.Agent.ai 8.90
2 AdWare.OSX.Agent.gen 8.54
3 AdWare.OSX.Pirrit.ac 7.44
4 AdWare.OSX.Amc.e 6.65
5 AdWare.OSX.Bnodlero.ax 6.44
6 Monitor.OSX.HistGrabber.b 6.20
7 AdWare.OSX.Agent.ap 4.62
8 AdWare.OSX.Pirrit.j 4.62
9 Trojan.OSX.Agent.gen 4.33
10 Hoax.OSX.MacBooster.a 4.12
11 AdWare.OSX.Pirrit.ae 3.28
12 Trojan-Downloader.OSX.Agent.h 2.90
13 AdWare.OSX.Bnodlero.bg 2.80
14 AdWare.OSX.Agent.ao 2.78
15 Downloader.OSX.InstallCore.ak 2.46
16 Monitor.OSX.Agent.a 2.20
17 AdWare.OSX.Pirrit.aa 2.06
18 Backdoor.OSX.Twenbc.g 1.89
19 Backdoor.OSX.Twenbc.h 1.77
20 Hoax.OSX.IOBooster.gen 1.75

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

In Q2, macOS users mainly encountered adware and “system optimizers” that asked money for fixing problems that did not exist.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

Country or territory* %**
1 Hong Kong 1.40
2 Mainland China 1.19
3 Italy 1.16
4 France 1.06
5 United States 1.04
6 Mexico 0.98
7 Spain 0.96
8 Australia 0.86
9 United Kingdom 0.81
10 Russian Federation 0.81

* Excluded from the rankings are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.

Hong Kong and mainland China had the largest shares of attacked macOS users: 1.4% and 1.19%, respectively. The frequency of attacks in Italy, Spain, France, Russia, Mexico, and Canada was down. Other countries saw insignificant changes.

IoT attacks

IoT threat statistics

In Q2 2023, most devices that attacked Kaspersky honeypots again used the Telnet protocol.

Telnet 75.49%
SSH 24.51%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2023

In terms of session numbers, Telnet accounted for the absolute majority.

Telnet 95.63%
SSH 4.37%

Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2023

Attacks on IoT honeypots

The main sources of SSH attacks in Q2, as usual, were the United States (11.5%) and Asia and the Pacific. The increase in mainland China’s share was especially notable: from 6.80% to 12.63%.

TOP 10 countries/territories as sources of SSH attacks

Country/territory %*
Q1 2023 Q2 2023
Mainland China 6.80 12.63
United States 12.05 11.50
South Korea 7.64 6.21
Singapore 3.63 5.32
India 4.45 5.01
Taiwan 12.13 4.85
Brazil 5.08 4.57
Germany 4.00 4.21
Russian Federation 3.36 3.73
Vietnam 3.95 3.39
Other 36.91 41.96

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

The share of both SSH and Telnet attacks originating on the island of Taiwan decreased noticeably. The share of Telnet attacks coming from mainland China dropped to 35.38%, but that country is still the leader. Vietnam’s share, on the contrary, rose significantly, from 0.88% to 5.39%. India (14.03%) and Brazil (6.36%) maintained second and third place, respectively.

TOP 10 countries/territories as sources of Telnet attacks

Country/territory %*
Q1 2023 Q2 2023
Mainland China 39.92 35.38
India 12.06 14.03
Brazil 4.92 6.36
Vietnam 0.88 5.39
United States 4.30 4.41
Russian Federation 4.82 4.33
Taiwan 7.51 2.79
South Korea 2.59 2.51
Argentina 1.08 2.24
Pakistan 1.41 2.17
Other 19.58 20.40

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

TOP 10 threats delivered to IoT devices via Telnet

Verdict %*
1 Trojan-Downloader.Linux.NyaDrop.b 53.82
2 Backdoor.Linux.Mirai.b 40.72
3 Backdoor.Linux.Mirai.ew 2.31
4 Backdoor.Linux.Mirai.ek 0.85
5 Backdoor.Linux.Mirai.es 0.47
6 Backdoor.Linux.Mirai.fg 0.32
7 Backdoor.Linux.Mirai.cw 0.22
8 Backdoor.Linux.Mirai.gen 0.17
9 Trojan-Downloader.Shell.Agent.p 0.14
10 Backdoor.Linux.Gafgyt.gi 0.13

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

Countries and territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q2 2023, Kaspersky solutions blocked 801,934,281 attacks launched from online resources across the globe. A total of 209,716,810 unique links were detected by Web Anti-Virus components.

Distribution of web-attack sources by country/territory, Q2 2022 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in various countries/territories, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered at least once during the quarter in each country/territory. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %**
1 Greece 13.65
2 Turkey 13.62
3 Taiwan 13.02
4 Algeria 12.97
5 Albania 12.89
6 Serbia 12.72
7 Qatar 12.41
8 Palestine 12.05
9 Sri Lanka 11.97
10 Nepal 11.96
11 Tunisia 11.74
12 Portugal 11.71
13 Bangladesh 11.47
14 Hungary 11.44
15 Belarus 11.29
16 Bulgaria 11.03
17 Panama 10.99
18 Yemen 10.87
19 Slovakia 10.80
20 UAE 10.67

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 8.68% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q2 2023, our File Anti-Virus detected 39,624,768 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries/territories.

These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %**
1 Turkmenistan 43.95
2 Afghanistan 43.39
3 Yemen 40.68
4 Tajikistan 40.20
5 Myanmar 36.25
6 Burundi 36.23
7 Syria 35.70
8 Benin 35.50
9 Burkina Faso 35.15
10 Rwanda 34.76
11 Chad 34.23
12 Cameroon 33.98
13 South Sudan 33.91
14 Democratic Republic of the Congo 33.90
15 Guinea 33.82
16 Republic of the Congo 33.55
17 Bangladesh 33.42
18 Algeria 33.36
19 Niger 33.28
20 Mali 33.14

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, Malware-class local threats were registered on 15.74% of users’ computers at least once during Q2. Russia scored 16.49% in these rankings.

IT threat evolution in Q2 2023. Non-mobile statistics

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox