IT threat evolution in Q2 2024. Non-mobile statistics

The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

In Q2 2024:

  • Kaspersky solutions blocked over 664 million attacks from various internet sources.
  • The web antivirus reacted to 113.5 million unique URLs.
  • The file antivirus blocked over 27 million malicious and unwanted objects.
  • Almost 86,000 users encountered ransomware attacks.
  • Nearly 12% of all ransomware victims whose data was published on DLSs (data leak sites) were affected by the Play ransomware group.
  • Nearly 340,000 users faced miner attacks.

Ransomware

Law enforcement successes

In April 2024, a criminal who developed a packer that was allegedly used by the Conti and Lockbit groups to evade antivirus detection was arrested in Kyiv. According to Dutch police, the arrested individual was directly involved in at least one attack using the Conti ransomware in 2021. The criminal has already been charged.

In May, a member of the REvil group, arrested back in October 2021, was sentenced to 13 years in prison and ordered to pay $16 million. The cybercriminal was involved in over 2,500 REvil attacks, resulting in more than $700 million in total damages.

In June, the FBI announced that it had obtained over 7,000 decryption keys for files encrypted by Lockbit ransomware attacks. The Bureau encourages victims to contact the Internet Crime Complaint Center (IC3) at ic3.gov.

According to the UK’s National Crime Agency (NCA) and the US Department of Justice, the Lockbit group amassed up to $1 billion in its attacks from June 2022 to February 2024.

Attacks exploiting vulnerabilities

The CVE-2024-26169 privilege escalation vulnerability, patched by Microsoft in March 2024, was likely exploited in attacks by the Black Basta group. Some evidence suggests that at the time of the exploitation, this vulnerability was still unpatched, making it a zero-day vulnerability.

In June 2024, a massive TellYouThePass ransomware attack was launched, exploiting the CVE-2024-4577 vulnerability in PHP. This attack targeted Windows servers with certain PHP configurations, including those with the default XAMPP stack. The attackers scanned public IP address ranges and automatically infected vulnerable servers, demanding 0.1 BTC as ransom. Although this is a relatively small amount, the scale of the attacks could have yielded substantial profits. In recent years, this method has been used less frequently because of its cost for attackers, who instead prefer targeted attacks with the hands-on involvement of operators. In this case, however, the attackers employed the time-tested approach.

Most active groups

Here are the most active ransomware groups based on the number of victims added to their DLSs (data leak sites). In Q2 2024, the Play group was the most active, publishing data on 12% of all new ransomware victims. Cactus came in second (7.74%), followed by Ransom Hub (7.50%).

The percentage of victims of a particular group (according to its DLS) among victims of all groups published on all DLSs examined during the reporting period

Number of new modifications

In Q2 2024, we discovered five new ransomware families and 4,456 new ransomware variants.

Number of new ransomware modifications, Q2 2023 – Q2 2024

Number of users attacked by ransomware Trojans

In Q2 2024, Kaspersky solutions protected 85,819 unique users from ransomware Trojans.

Number of unique users attacked by ransomware Trojans, Q2 2024

Geography of attacked users

Top 10 countries and territories targeted by ransomware Trojans

Country/territory* % of users attacked by ransomware**
1 Pakistan 0.84%
2 South Korea 0.72%
3 Bangladesh 0.54%
4 China 0.53%
5 Iran 0.52%
6 Libya 0.51%
7 Tajikistan 0.50%
8 Mozambique 0.49%
9 Angola 0.41%
10 Rwanda 0.40%

*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by ransomware Trojans out of all unique Kaspersky product users in that country or territory.

Top 10 most common families of ransomware Trojans

Name Verdicts* Share of attacked users**
1 (generic verdict) Trojan-Ransom.Win32.Gen 22.12%
2 WannaCry Trojan-Ransom.Win32.Wanna 9.51%
3 (generic verdict) Trojan-Ransom.Win32.Encoder 6.94%
4 (generic verdict) Trojan-Ransom.Win32.Crypren 5.42%
5 Lockbit Trojan-Ransom.Win32.Lockbit 4.71%
6 (generic verdict) Trojan-Ransom.Win32.Agent 2.88%
7 PolyRansom/VirLock Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom 2.80%
8 (generic verdict) Trojan-Ransom.Win32.Phny 2.61%
9 (generic verdict) Trojan-Ransom.Win32.Crypmod 2.58%
10 Stop/Djvu Trojan-Ransom.Win32.Stop 2.11%

*Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
**Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.

Miners

Number of new modifications

In Q2 2024, Kaspersky products detected 36,380 new miner variants.

Number of new miner modifications, Q2 2024

Number of users attacked by miners

In Q2 2024, we detected attacks using miners on 339,850 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q2 2024

Geography of attacked users

Top 10 countries and territories targeted by miners

Country/territory* % of users attacked by miners**
1 Tajikistan 2.40%
2 Venezuela 1.90%
3 Kazakhstan 1.63%
4 Ethiopia 1.58%
5 Kyrgyzstan 1.49%
6 Belarus 1.48%
7 Uzbekistan 1.36%
8 Ukraine 1.05%
9 Panama 1.03%
10 Mozambique 1.01%

*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by miners out of all unique Kaspersky product users in that country or territory.

Attacks on macOS

In Q2 2024, numerous samples of the spyware Trojan-PSW.OSX.Amos (also known as Cuckoo) were found. This spyware is notable for requesting an administrator password through osascript, displaying a phishing window. Attackers regularly update and repackage this Trojan to avoid detection.
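The osascript password prompt described above leaves a trace in process telemetry. The following is an added detection sketch, not Kaspersky's detection logic and not code from the report: it scores osascript command lines for inline AppleScript that opens a dialog with masked input. It assumes the prompt uses the standard AppleScript `display dialog ... with hidden answer` form; the event list and the scoring weights are constructed for illustration.

```python
import re
import shlex

# Constructed (parent process, command line) events; not taken from any real sample.
SAMPLE_EVENTS = [
    ("Finder", "osascript -e 'tell application \"Finder\" to activate'"),
    ("installer_helper",
     "osascript -e 'display dialog \"macOS needs your password to continue\" "
     "default answer \"\" with hidden answer with title \"System Preferences\"'"),
    ("Terminal", "osascript /Users/dev/scripts/resize_windows.scpt"),
    ("updater", "/usr/bin/osascript -e 'display dialog \"Update complete\" buttons {\"OK\"}'"),
]

DIALOG = re.compile(r"display\s+dialog", re.I)
HIDDEN = re.compile(r"with\s+hidden\s+answer", re.I)   # masked text field
PASSWORD_WORDS = re.compile(r"\b(password|passcode|credentials)\b", re.I)


def inline_scripts(cmdline):
    """Return the AppleScript snippets passed with -e when the binary is osascript."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        # Unbalanced quotes: fall back to the raw line rather than missing it.
        return [cmdline] if "osascript" in cmdline else []
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return []
    return [argv[i + 1] for i, arg in enumerate(argv[:-1]) if arg == "-e"]


def score(cmdline):
    """0 = no dialog; 1 = plain dialog; +2 for masked input; +1 for password wording."""
    script = " ".join(inline_scripts(cmdline))
    if not DIALOG.search(script):
        return 0
    return 1 + 2 * bool(HIDDEN.search(script)) + bool(PASSWORD_WORDS.search(script))


def flag(events, threshold=3):
    """Return events whose osascript command line looks like a credential prompt."""
    return [(parent, cmd) for parent, cmd in events if score(cmd) >= threshold]


if __name__ == "__main__":
    for parent, cmd in flag(SAMPLE_EVENTS):
        print(f"suspicious osascript prompt spawned by {parent}: {cmd}")
```

Scripts run from a file rather than `-e` are not inspected here; covering them would require reading the script file named on the command line.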

New versions of the LightRiver/LightSpy spyware were also discovered. This Trojan downloads modules with spyware and backdoor functionality from the server. For example, these modules record the screen or audio, steal browser history, and execute arbitrary console commands.

Top 20 threats to macOS

The percentage of users who encountered a certain malware out of all attacked users of Kaspersky solutions for macOS

The leading active threat continues to be a Trojan capable of downloading adware or other malicious applications. Other common threats include adware and fake “system optimizers” that demand money to “fix” nonexistent issues.

Geography of threats for macOS

Top 10 countries and territories by share of attacked users

Country/territory Q1 2024* Q2 2024*
Spain 1.27% 1.14%
Mexico 0.88% 1.09%
Hong Kong 0.73% 0.97%
France 0.93% 0.93%
United States 0.81% 0.89%
Italy 1.11% 0.87%
United Kingdom 0.75% 0.85%
India 0.56% 0.70%
Germany 0.77% 0.59%
Brazil 0.66% 0.57%

*Percentage of unique users encountering macOS threats out of all unique Kaspersky product users in that country or territory.

There has been a slight increase of 0.1–0.2 p.p. in the share of attacked users in Mexico, Hong Kong, the United Kingdom, and India. Conversely, we see a slight decline in Spain, Italy, and Germany.

IoT threat statistics

In the second quarter of 2024, the distribution of protocols used by devices attacking Kaspersky honeypots was as follows:

Distribution of attacked services by the number of unique IP addresses of the devices carrying out the attacks, Q1–Q2 2024

The share of attacks using the Telnet protocol continued to grow, reaching 98%.

Distribution of cybercriminal sessions with Kaspersky honeypots, Q1–Q2 2024

Top 10 threats delivered to IoT devices

Share of a specific threat downloaded to an infected device as a result of a successful attack, out of the total number of downloaded threats

Attacks on IoT honeypots

For SSH protocol attacks, the share of attacks from China and India increased, while activity from South Korea slightly declined.

SSH Q1 2024 Q2 2024
China 20.58% 23.37%
United States 12.15% 12.26%
South Korea 9.59% 6.84%
Singapore 6.87% 6.95%
Germany 4.97% 4.13%
India 4.52% 5.24%
Hong Kong 3.25% 3.10%
Russian Federation 2.84% 2.33%
Brazil 2.36% 2.73%
Japan 2.36% 1.92%

Telnet attacks from China returned to 2023 levels, while the share from India grew.

Telnet Q1 2024 Q2 2024
China 41.51% 30.24%
India 17.47% 22.68%
Japan 4.89% 3.64%
Brazil 3.78% 4.48%
Russian Federation 3.12% 3.85%
Thailand 2.95% 2.37%
Taiwan 2.73% 2.64%
South Korea 2.53% 2.46%
United States 2.20% 2.66%
Argentina 1.36% 1.76%

Attacks via web resources

The statistics in this section are based on the work of the web antivirus, which protects users at the moment malicious objects are downloaded from a malicious or infected webpage. Cybercriminals intentionally create malicious pages. Web resources with user-created content (such as forums), as well as compromised legitimate sites, can also be infected.

Countries and territories that serve as sources of web-based attacks: Top 10

The following statistics show the distribution of countries and territories that were the sources of internet attacks on users’ computers blocked by Kaspersky products (webpages with redirects to exploits, sites with exploits and other malware, botnet control centers, and so on). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual IP addresses, and then the geographical location of each IP address (GEOIP) is established.

In Q2 2024, Kaspersky solutions blocked 664,046,455 attacks launched from online resources across the globe. A total of 113,535,455 unique URLs that triggered the web antivirus were recorded.

Distribution of web attack sources by country and territory (Q2 2024)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection through the internet faced by users’ computers in different countries and territories, we calculated the share of Kaspersky product users who encountered web antivirus detections during the reporting period for each country and territory. This data indicates the aggressiveness of the environment in which computers operate.

The following statistics are based on the detection verdicts of the web antivirus module, provided by Kaspersky product users who consented to share statistical data.

It’s important to note that only attacks involving malicious objects of the Malware class are included in this ranking. Web antivirus detections for potentially dangerous and unwanted programs, such as RiskTool and adware, were not counted.

Country/territory* % of attacked users**
1 Moldova 11.3635
2 Greece 10.8560
3 Qatar 10.4018
4 Belarus 9.8162
5 Argentina 9.5380
6 Bulgaria 9.4714
7 South Africa 9.4128
8 Sri Lanka 9.1585
9 Kyrgyzstan 8.8852
10 Lithuania 8.6847
11 Tunisia 8.6739
12 Albania 8.6586
13 North Macedonia 8.6463
14 Bosnia & Herzegovina 8.6291
15 Botswana 8.6254
16 UAE 8.5993
17 Germany 8.5887
18 Slovenia 8.5851
19 Egypt 8.5582
20 Canada 8.4985

*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users subjected to web attacks by malicious objects of the Malware class out of all unique Kaspersky product users in that country or territory.

On average during the quarter, 7.38% of internet users’ computers worldwide were subjected to at least one Malware-category web attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The following statistics are based on detection verdicts from the OAS (on-access scan, scanning when accessing a file) and ODS (on-demand scan, scanning launched by a user) antivirus modules, provided by Kaspersky product users who agreed to share statistical data. These statistics take into account malware found directly on users’ computers or on removable media connected to computers, such as flash drives, camera memory cards, phones, and external hard drives.

In the second quarter of 2024, our file antivirus detected 27,394,168 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers file antivirus was triggered during the reporting period. This data reflects the level of infection of personal computers across different countries and territories worldwide.

Note that only attacks involving malicious objects of the Malware class are included in this ranking. Detections of potentially dangerous or unwanted programs such as RiskTool and adware were not counted.

Country/territory* % of attacked users**
1 Turkmenistan 44.2517
2 Afghanistan 39.4972
3 Cuba 38.3242
4 Yemen 38.2295
5 Tajikistan 37.5013
6 Uzbekistan 32.7085
7 Syria 31.5546
8 Burundi 30.5511
9 Bangladesh 28.3616
10 South Sudan 28.3293
11 Tanzania 28.0949
12 Cameroon 28.0254
13 Niger 27.9138
14 Algeria 27.8984
15 Benin 27.6164
16 Myanmar 26.6960
17 Venezuela 26.6944
18 Iran 26.5071
19 Vietnam 26.3409
20 Congo 26.3160

*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users on whose computers local Malware-class threats were blocked, out of all unique Kaspersky product users in that country or territory.

On average, 14.2% of users’ computers worldwide encountered at least one local Malware-class threat during the second quarter.

The figure for Russia was 15.68%.
