Authors
- IT threat evolution in Q2 2023
- IT threat evolution in Q2 2023. Non-mobile statistics
- IT threat evolution in Q2 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
- A total of 209,716,810 unique links were detected by Web Anti-Virus components.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 95,546 unique users.
- Ransomware attacks were defeated on the computers of 57,612 unique users.
- Our File Anti-Virus detected 39,624,768 unique malicious and potentially unwanted objects.
Financial threats
Financial threat statistics
In Q2 2023, Kaspersky solutions blocked malware designed to steal money from bank accounts on the computers of 95,546 unique users.
Number of unique users attacked by financial malware, Q2 2023 (download)
Geography of financial malware attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.
TOP 10 countries and territories by share of attacked users
| Country or territory* | %** | |
| 1 | Afghanistan | 3.7 |
| 2 | Turkmenistan | 3.6 |
| 3 | Tajikistan | 3.2 |
| 4 | China | 2.1 |
| 5 | Switzerland | 2.0 |
| 6 | Yemen | 1.8 |
| 7 | Egypt | 1.7 |
| 8 | Venezuela | 1.6 |
| 9 | Azerbaijan | 1.5 |
| 10 | Spain | 1.4 |
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 banking malware families
| Name | Verdicts | %* | |
| 1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 30.0 |
| 2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 25.3 |
| 3 | Emotet | Trojan-Banker.Win32.Emotet | 11.9 |
| 4 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.9 |
| 5 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 5.5 |
| 6 | Danabot | Trojan-Banker.Win32.Danabot | 1.7 |
| 7 | SpyEyes | Trojan-Spy.Win32.SpyEye | 1.4 |
| 8 | Tinba | Trojan-Banker.Win32.Tinba | 1.4 |
| 9 | Qbot/Qakbot | Trojan-Banker.Win32.Qbot | 1.4 |
| 10 | IcedID | Trojan-Banker.Win32.IcedID | 0.6 |
* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.
Ransomware programs
Quarterly trends and highlights
MOVEit Transfer vulnerabilities exploited
The Cl0p ransomware gang began heavily exploiting vulnerabilities in MOVEit Transfer, a secure file transfer software solution used by organizations around the world. In late May, the cybercriminals took advantage of what at the time were zero-day vulnerabilities in the application, successfully compromising the networks of numerous companies and gaining access to confidential data. The vulnerabilities in MOVEit Transfer exploited by the attackers in that series of incidents were later assigned the identifiers CVE-2023-34362, CVE-2023-35708, and CVE-2023-35036.
Attacks on municipal organizations, educational and healthcare establishments
Q2 saw a considerable number of reports about ransomware attacks on municipal organizations, hospitals, and colleges. Among those organizations who had their networks compromised and data stolen, were Louisiana’s Office of Motor Vehicles (OMV) and the Oregon Driver and Motor Vehicle Services Division (DMV). The Cl0p group, which claimed responsibility for the attacks, leveraged the aforementioned MOVEit vulnerability.
The City of Augusta, Georgia was hit by BlackByte; Dallas, Texas, by Royal; Bluefield University, Virginia, by Avos; and the Open University of Cyprus, by Medusa.
According to the FBR, the Bl00dy group attacked educational organizations in May by taking advantage of the CVE-2023-27350 vulnerability in PaperCut, print management software used by tens of thousands of businesses.
Certain ransomware gangs had said they would not target this kind of organizations, but many cybercriminals obviously failed to stick to their declared moral principles.
Most prolific groups
This section looks at ransomware groups that engage in so-called “double extortion”, that is stealing and encrypting confidential data. Most of these groups target large companies, and often maintain a DLS (data leak site), where they publish a list of organizations they have attacked. The list of the busiest ransomware gangs in Q2 2023 looked as follows.
The most prolific ransomware gangs, Q2 2023 (download)
The diagram shows each group’s share in the total number of victims published on all the groups’ DLSs.
Number of new modifications
In Q2 2023, we detected 15 new ransomware families and 1917 new modifications of this malware type.
Number of new ransomware modifications, Q2 2022 — Q2 2023 (download)
Number of users attacked by ransomware Trojans
In Q2 2023, Kaspersky products and technologies protected 57,612 users from ransomware attacks.
Number of unique users attacked by ransomware Trojans, Q2 2023 (download)
Geography of attacked users
TOP 10 countries and territories attacked by ransomware Trojans
| Country or territory* | %** | |
| 1 | Bangladesh | 1.38 |
| 2 | South Korea | 1.25 |
| 3 | Yemen | 1.18 |
| 4 | Taiwan | 1.07 |
| 5 | Mozambique | 0.55 |
| 6 | Pakistan | 0.41 |
| 7 | Iraq | 0.33 |
| 8 | Mainland China | 0.29 |
| 9 | Nigeria | 0.27 |
| 10 | Libya | 0.26 |
* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 most common families of ransomware Trojans
| Name | Verdicts* | Share of attacked users** | |
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 13.67 |
| 2 | Magniber | Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni | 13.58 |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 11.74 |
| 4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.91 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.01 |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 5.58 |
| 7 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 2.88 |
| 8 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.49 |
| 9 | CryFile | Trojan-Ransom.Win32.CryFile | 1.33 |
| 10 | Lockbit | Trojan-Ransom.Win32.Lockbit | 1.27 |
* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.
Miners
Number of new miner modifications
In Q2 2023, Kaspersky solutions detected 2184 new miner modifications.
Number of new miner modifications, Q2 2023 (download)
Number of users attacked by miners
In Q2, we detected attacks using miners on the computers of 384,063 unique users of Kaspersky products worldwide.
Number of unique users attacked by miners, Q2 2023 (download)
Geography of miner attacks
TOP 10 countries and territories attacked by miners
| Country or territory* | %** | |
| 1 | Tajikistan | 3.06 |
| 2 | Kazakhstan | 2.14 |
| 3 | Kyrgyzstan | 1.97 |
| 4 | Uzbekistan | 1.89 |
| 5 | Venezuela | 1.81 |
| 6 | Mozambique | 1.68 |
| 7 | Belarus | 1.54 |
| 8 | Ukraine | 1.47 |
| 9 | Rwanda | 1.28 |
| 10 | Ethiopia | 1.28 |
* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Q2 2023 was notable for the discovery of a series of vulnerabilities that impacted a fairly large number of organizations. The most resonant ones were the aforementioned vulnerabilities in MOVEit Transfer: CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708. To exploit these, attackers used SQL injection to get access to the database and execute code on the server side.
The PaperCut print management application was plagued by a similar critical issue: a vulnerability designated as CVE-2023-27350. Attackers can use it to run a command in the operating system with System permissions with a specially crafted request. The vulnerability has been used by criminals as well.
New vulnerabilities in Google Chrome, Microsoft Windows, and Microsoft Office were discovered while detecting attacks on user systems. Google Chrome was found to contain two type confusion vulnerabilities (CVE-2023-2033 and CVE-2023-3079 ) and one integer overflow vulnerability (CVE-2023-2136). The above vulnerabilities, detected while they were being exploited, allowed an attacker to escape the browser sandbox. Developers’ patches for the relevant software are available.
Zero-day vulnerabilities were found in Windows while preventing attacks on users, with one of these (CVE-2023-28252) discovered by Kaspersky researchers. CVE-2023-29336, a Win32k subsystem flaw that allowed attackers to gain System privileges, and CVE-2023-24932 a Secure Boot bypass vulnerability that malicious actors could leverage to replace any system files, were discovered in Q2 as well. Microsoft fixes for each of the vulnerabilities are out, and we strongly encourage you to install all the relevant patches.
Vulnerability statistics
Kaspersky products detected roughly 300,000 exploitation attempts in Q2. Most of the detects, as always, were associated with Microsoft Office applications. Their share (75.53%) of the total was almost 3 pp below the previous period’s figure.
The most frequently exploited vulnerabilities were as follows:
- CVE-2017-11882 and CVE-2018-0802: Equation Editor vulnerabilities that allow corrupting application memory during formula processing to then run arbitrary code in the system
- CVE-2017-0199 allows using MS Office to load malicious scripts.
- CVE-2017-8570 allows loading malicious HTA scripts into the system.
The next most common category was browser exploits (8.2% of the total, or 1 pp below the Q1 figure).
This was followed by exploits for the Java platform (4.83%), Android (4.33%), and Adobe Flash (4.10%).
Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2023 (download)
The online threats in Q2 2023, as before, consisted of MSSQL and RDP brute-force attacks. EternalBlue and EternalRomance remained popular exploits for operating system vulnerabilities. Notable numbers of attacks and scans that targeted log4j-type vulnerabilities (CVE-2021-44228) were recorded.
Attacks on macOS
A version of the Lockbit for macOS was discovered in Q2. This ransomware used to target Linux, but now the operators have extended its reach.
The JokerSpy Python backdoor deployed modified TCC databases to the target device during an attack to bypass restrictions when starting applications on that device.
TOP 20 threats for macOS
| Verdict | %* | |
| 1 | AdWare.OSX.Agent.ai | 8.90 |
| 2 | AdWare.OSX.Agent.gen | 8.54 |
| 3 | AdWare.OSX.Pirrit.ac | 7.44 |
| 4 | AdWare.OSX.Amc.e | 6.65 |
| 5 | AdWare.OSX.Bnodlero.ax | 6.44 |
| 6 | Monitor.OSX.HistGrabber.b | 6.20 |
| 7 | AdWare.OSX.Agent.ap | 4.62 |
| 8 | AdWare.OSX.Pirrit.j | 4.62 |
| 9 | Trojan.OSX.Agent.gen | 4.33 |
| 10 | Hoax.OSX.MacBooster.a | 4.12 |
| 11 | AdWare.OSX.Pirrit.ae | 3.28 |
| 12 | Trojan-Downloader.OSX.Agent.h | 2.90 |
| 13 | AdWare.OSX.Bnodlero.bg | 2.80 |
| 14 | AdWare.OSX.Agent.ao | 2.78 |
| 15 | Downloader.OSX.InstallCore.ak | 2.46 |
| 16 | Monitor.OSX.Agent.a | 2.20 |
| 17 | AdWare.OSX.Pirrit.aa | 2.06 |
| 18 | Backdoor.OSX.Twenbc.g | 1.89 |
| 19 | Backdoor.OSX.Twenbc.h | 1.77 |
| 20 | Hoax.OSX.IOBooster.gen | 1.75 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.
In Q2, macOS users mainly encountered adware and “system optimizers” that asked money for fixing problems that did not exist.
Geography of threats for macOS
TOP 10 countries and territories by share of attacked users
| Country or territory* | %** | |
| 1 | Hong Kong | 1.40 |
| 2 | Mainland China | 1.19 |
| 3 | Italy | 1.16 |
| 4 | France | 1.06 |
| 5 | United States | 1.04 |
| 6 | Mexico | 0.98 |
| 7 | Spain | 0.96 |
| 8 | Australia | 0.86 |
| 9 | United Kingdom | 0.81 |
| 10 | Russian Federation | 0.81 |
* Excluded from the rankings are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.
Hong Kong and mainland China had the largest shares of attacked macOS users: 1.4% and 1.19%, respectively. The frequency of attacks in Italy, Spain, France, Russia, Mexico, and Canada was down. Other countries saw insignificant changes.
IoT attacks
IoT threat statistics
In Q2 2023, most devices that attacked Kaspersky honeypots again used the Telnet protocol.
| Telnet | 75.49% |
| SSH | 24.51% |
Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2023
In terms of session numbers, Telnet accounted for the absolute majority.
| Telnet | 95.63% |
| SSH | 4.37% |
Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2023
Attacks on IoT honeypots
The main sources of SSH attacks in Q2, as usual, were the United States (11.5%) and Asia and the Pacific. The increase in mainland China’s share was especially notable: from 6.80% to 12.63%.
TOP 10 countries/territories as sources of SSH attacks
| Country/territory | %* | |
| Q1 2023 | Q2 2023 | |
| Mainland China | 6.80 | 12.63 |
| United States | 12.05 | 11.50 |
| South Korea | 7.64 | 6.21 |
| Singapore | 3.63 | 5.32 |
| India | 4.45 | 5.01 |
| Taiwan | 12.13 | 4.85 |
| Brazil | 5.08 | 4.57 |
| Germany | 4.00 | 4.21 |
| Russian Federation | 3.36 | 3.73 |
| Vietnam | 3.95 | 3.39 |
| Other | 36.91 | 41.96 |
* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.
The share of both SSH and Telnet attacks originating on the island of Taiwan decreased noticeably. The share of Telnet attacks coming from mainland China dropped to 35.38%, but that country is still the leader. Vietnam’s share, on the contrary, rose significantly, from 0.88% to 5.39%. India (14.03%) and Brazil (6.36%) maintained second and third place, respectively.
TOP 10 countries/territories as sources of Telnet attacks
| Country/territory | %* | |
| Q1 2023 | Q2 2023 | |
| Mainland China | 39.92 | 35.38 |
| India | 12.06 | 14.03 |
| Brazil | 4.92 | 6.36 |
| Vietnam | 0.88 | 5.39 |
| United States | 4.30 | 4.41 |
| Russian Federation | 4.82 | 4.33 |
| Taiwan | 7.51 | 2.79 |
| South Korea | 2.59 | 2.51 |
| Argentina | 1.08 | 2.24 |
| Pakistan | 1.41 | 2.17 |
| Other | 19.58 | 20.40 |
* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.
TOP 10 threats delivered to IoT devices via Telnet
| Verdict | %* | |
| 1 | Trojan-Downloader.Linux.NyaDrop.b | 53.82 |
| 2 | Backdoor.Linux.Mirai.b | 40.72 |
| 3 | Backdoor.Linux.Mirai.ew | 2.31 |
| 4 | Backdoor.Linux.Mirai.ek | 0.85 |
| 5 | Backdoor.Linux.Mirai.es | 0.47 |
| 6 | Backdoor.Linux.Mirai.fg | 0.32 |
| 7 | Backdoor.Linux.Mirai.cw | 0.22 |
| 8 | Backdoor.Linux.Mirai.gen | 0.17 |
| 9 | Trojan-Downloader.Shell.Agent.p | 0.14 |
| 10 | Backdoor.Linux.Gafgyt.gi | 0.13 |
* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.
Attacks via web resources
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.
Countries and territories that serve as sources of web-based attacks: TOP 10
The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.
In Q2 2023, Kaspersky solutions blocked 801,934,281 attacks launched from online resources across the globe. A total of 209,716,810 unique links were detected by Web Anti-Virus components.
Distribution of web-attack sources by country/territory, Q2 2022 (download)
Countries and territories where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in various countries/territories, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered at least once during the quarter in each country/territory. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
| Country or territory* | %** | |
| 1 | Greece | 13.65 |
| 2 | Turkey | 13.62 |
| 3 | Taiwan | 13.02 |
| 4 | Algeria | 12.97 |
| 5 | Albania | 12.89 |
| 6 | Serbia | 12.72 |
| 7 | Qatar | 12.41 |
| 8 | Palestine | 12.05 |
| 9 | Sri Lanka | 11.97 |
| 10 | Nepal | 11.96 |
| 11 | Tunisia | 11.74 |
| 12 | Portugal | 11.71 |
| 13 | Bangladesh | 11.47 |
| 14 | Hungary | 11.44 |
| 15 | Belarus | 11.29 |
| 16 | Bulgaria | 11.03 |
| 17 | Panama | 10.99 |
| 18 | Yemen | 10.87 |
| 19 | Slovakia | 10.80 |
| 20 | UAE | 10.67 |
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average during the quarter, 8.68% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.
Local threats
In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
In Q2 2023, our File Anti-Virus detected 39,624,768 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country and territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries/territories.
These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
| Country or territory* | %** | |
| 1 | Turkmenistan | 43.95 |
| 2 | Afghanistan | 43.39 |
| 3 | Yemen | 40.68 |
| 4 | Tajikistan | 40.20 |
| 5 | Myanmar | 36.25 |
| 6 | Burundi | 36.23 |
| 7 | Syria | 35.70 |
| 8 | Benin | 35.50 |
| 9 | Burkina Faso | 35.15 |
| 10 | Rwanda | 34.76 |
| 11 | Chad | 34.23 |
| 12 | Cameroon | 33.98 |
| 13 | South Sudan | 33.91 |
| 14 | Democratic Republic of the Congo | 33.90 |
| 15 | Guinea | 33.82 |
| 16 | Republic of the Congo | 33.55 |
| 17 | Bangladesh | 33.42 |
| 18 | Algeria | 33.36 |
| 19 | Niger | 33.28 |
| 20 | Mali | 33.14 |
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
On average worldwide, Malware-class local threats were registered on 15.74% of users’ computers at least once during Q2. Russia scored 16.49% in these rankings.
Authors
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Number of new modifications
- Number of users attacked by ransomware Trojans
- Geography of attacked users
- TOP 10 most common families of ransomware Trojans
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Countries and territories that serve as sources of web-based attacks: TOP 10
- Countries and territories where users faced the greatest risk of online infection
- Local threats
From the same authors
In the same category
IT threat evolution in Q2 2023. Non-mobile statistics