Malware reports

IT threat evolution in Q2 2024. Non-mobile statistics

The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

In Q2 2024:

  • Kaspersky solutions blocked over 664 million attacks from various internet sources.
  • The web antivirus reacted to 113.5 million unique URLs.
  • The file antivirus blocked over 27 million malicious and unwanted objects.
  • Almost 86,000 users encountered ransomware attacks.
  • Nearly 12% of all ransomware victims whose data was published on DLSs (data leak sites) were affected by the Play ransomware group.
  • Nearly 340,000 users faced miner attacks.

Ransomware

Law enforcement successes

In April 2024, a criminal who developed a packer that was allegedly used by the Conti and Lockbit groups to evade antivirus detection was arrested in Kyiv. According to Dutch police, the arrested individual was directly involved in at least one attack using the Conti ransomware in 2021. The criminal has already been charged.

In May, a member of the REvil group, arrested back in October 2021, was sentenced to 13 years in prison and ordered to pay $16 million. The cybercriminal was involved in over 2,500 REvil attacks, resulting in more than $700 million in total damages.

In June, the FBI announced that it had obtained over 7,000 decryption keys for files encrypted by Lockbit ransomware attacks. The Bureau encourages victims to contact the Internet Crime Complaint Center (IC3) at ic3.gov.

According to the UK’s National Crime Agency (NCA) and the US Department of Justice, the Lockbit group amassed up to $1 billion in its attacks from June 2022 to February 2024.

Attacks exploiting vulnerabilities

The CVE-2024-26169 privilege escalation vulnerability, patched by Microsoft in March 2024, was likely exploited in attacks by the Black Basta group. Some evidence suggests that at the time of the exploitation, this vulnerability was still unpatched, making it a zero-day vulnerability.

In June 2024, a massive TellYouThePass ransomware attack was launched, exploiting the CVE-2024-4577 vulnerability in PHP. This attack targeted Windows servers with certain PHP configurations, including those with the default XAMPP stack. The attackers scanned public IP address ranges and automatically infected vulnerable servers, demanding 0.1 BTC as ransom. Although this is a relatively small amount, the scale of the attacks could have yielded substantial profits. In recent years, this method has not been used as frequently due to its cost for attackers, who prefer instead targeted attacks with the hands-on involvement of operators. However, in this case, the attackers employed the time-tested approach.

Most active groups

Here are the most active ransomware groups based on the number of victims added to their DLSs (data leak sites). In Q2 2024, the Play group was the most active, publishing data on 12% of all new ransomware victims. Cactus came in second (7.74%), followed by Ransom Hub (7.50%).

The percentage of victims of a particular group (according to its DLS) among victims of all groups published on all DLSs examined during the reporting period (download)

Number of new modifications

In Q2 2024, we discovered five new ransomware families and 4,456 new ransomware variants.

Number of new ransomware modifications, Q2 2023 – Q2 2024 (download)

Number of users attacked by ransomware Trojans

In Q2 2024, Kaspersky solutions protected 85,819 unique users from ransomware Trojans.

Number of unique users attacked by ransomware Trojans, Q2 2024 (download)

Geography of attacked users

Top 10 countries and territories targeted by ransomware Trojans

Country/territory* % of users attacked by ransomware**
1 Pakistan 0.84%
2 South Korea 0.72%
3 Bangladesh 0.54%
4 China 0.53%
5 Iran 0.52%
6 Libya 0.51%
7 Tajikistan 0.50%
8 Mozambique 0.49%
9 Angola 0.41%
10 Rwanda 0.40%

*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by ransomware Trojans out of all unique Kaspersky product users in that country or territory.

Top 10 most common families of ransomware Trojans

Name Verdicts* Share of attacked users**
1 (generic verdict) Trojan-Ransom.Win32.Gen 22.12%
2 WannaCry Trojan-Ransom.Win32.Wanna 9.51%
3 (generic verdict) Trojan-Ransom.Win32.Encoder 6.94%
4 (generic verdict) Trojan-Ransom.Win32.Crypren 5.42%
5 Lockbit Trojan-Ransom.Win32.Lockbit 4.71%
6 (generic verdict) Trojan-Ransom.Win32.Agent 2.88%
7 PolyRansom/VirLock Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom 2.80%
8 (generic verdict) Trojan-Ransom.Win32.Phny 2.61%
9 (generic verdict) Trojan-Ransom.Win32.Crypmod 2.58%
10 Stop/Djvu Trojan-Ransom.Win32.Stop 2.11%

*Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
**Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.

Miners

Number of new modifications

In Q2 2024, Kaspersky products detected 36,380 new miner variants.

Number of new miner modifications, Q2 2024 (download)

Number of users attacked by miners

In Q2 2024, we detected attacks using miners on 339,850 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q2 2024 (download)

Geography of attacked users

Top 10 countries and territories targeted by miners

Country/territory* % of users attacked by miners**
1 Tajikistan 2.40%
2 Venezuela 1.90%
3 Kazakhstan 1.63%
4 Ethiopia 1.58%
5 Kyrgyzstan 1.49%
6 Belarus 1.48%
7 Uzbekistan 1.36%
8 Ukraine 1.05%
9 Panama 1.03%
10 Mozambique 1.01%

*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by miners out of all unique Kaspersky product users in that country or territory.

Attacks on macOS

In Q2 2024, numerous samples of the spyware Trojan-PSW.OSX.Amos (also known as Cuckoo) were found. This spyware is notable for requesting an administrator password through osascript, displaying a phishing window. Attackers regularly update and repackage this Trojan to avoid detection.

New versions of the LightRiver/LightSpy spyware were also discovered. This Trojan downloads modules from the server with spy and backdoor functionalities. For example, they record the screen or audio, steal browser history, and execute arbitrary console commands.

Top 20 threats to macOS

The percentage of users who encountered a certain malware out of all attacked users of Kaspersky solutions for macOS (download)

The leading active threat continues to be a Trojan capable of downloading adware or other malicious applications. Other common threats include adware and fake “system optimizers” that demand money to “fix” nonexistent issues.

Geography of threats for macOS

Top 10 countries and territories by share of attacked users

Q1 2024* Q2 2024*
Spain 1.27% 1.14%
Mexico 0.88% 1.09%
Hong Kong 0.73% 0.97%
France 0.93% 0.93%
United States 0.81% 0.89%
Italy 1.11% 0.87%
United Kingdom 0.75% 0.85%
India 0.56% 0.70%
Germany 0.77% 0.59%
Brazil 0.66% 0.57%

*Percentage of unique users encountering macOS threats out of all unique Kaspersky product users in that country or territory.

There has been a slight increase of 0.1–0.2 p.p. in the share of attacked users in Mexico, Hong Kong, the United Kingdom, and India. Conversely, we see a slight decline in Spain, Italy, and Germany.

IoT threat statistics

In the second quarter of 2024, the distribution of attack protocols on devices targeting Kaspersky honeypots was as follows:

Distribution of attacked services by the number of unique IP addresses of the devices carrying out the attacks, Q1–Q2 2024 (download)

The share of attacks using the Telnet protocol continued to grow, reaching 98%.

Distribution of cybercriminal sessions with Kaspersky honeypots, Q1–Q2 2024 (download)

Top 10 threats delivered to IoT devices

Share of a specific threat downloaded to an infected device as a result of a successful attack, out of the total number of downloaded threats (download)

Attacks on IoT honeypots

For SSH protocol attacks, the share of attacks from China and India increased, while activity from South Korea slightly declined.

SSH Q1 2024 Q2 2024
China 20.58% 23.37%
United States 12.15% 12.26%
South Korea 9.59% 6.84%
Singapore 6.87% 6.95%
Germany 4.97% 4.13%
India 4.52% 5.24%
Hong Kong 3.25% 3.10%
Russian Federation 2.84% 2.33%
Brazil 2.36% 2.73%
Japan 2.36% 1.92%

Telnet attacks from China returned to 2023 levels, while the share from India grew.

Telnet Q1 2024 Q2 2024
China 41.51% 30.24%
India 17.47% 22.68%
Japan 4.89% 3.64%
Brazil 3.78% 4.48%
Russian Federation 3.12% 3.85%
Thailand 2.95% 2.37%
Taiwan 2.73% 2.64%
South Korea 2.53% 2.46%
United States 2.20% 2.66%
Argentina 1.36% 1.76%

Attacks via web resources

The statistics in this section are based on the work of the web antivirus, which protects users at the moment malicious objects are downloaded from a malicious or infected webpage. Cybercriminals intentionally create malicious pages. Web resources with user-created content (such as forums), as well as compromised legitimate sites, can also be infected.

Countries and territories that serve as sources of web-based attacks: Top 10

The following statistics show the distribution of countries and territories that were the sources of internet attacks on users’ computers blocked by Kaspersky products (webpages with redirects to exploits, sites with exploits and other malware, botnet control centers, and so on). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2024, Kaspersky solutions blocked 664,046,455 attacks launched from online resources across the globe. A total of 113,535,455 unique URLs that triggered the web antivirus were recorded.

Distribution of web attack sources by country and territory (Q2 2024) (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection through the internet faced by user’s computers in different countries and territories, we calculated the share of Kaspersky product users who encountered web antivirus detections during the reporting period for each country and territory. This data indicates the aggressiveness of the environment in which computers operate.

The following statistics are based on the detection verdicts of the web antivirus module, provided by Kaspersky product users who consented to share statistical data.

It’s important to note that only attacks involving malicious objects of the Malware class are included in this ranking. Web antivirus detections for potentially dangerous and unwanted programs, such as RiskTool and adware, were not counted.

Country/territory* % of attacked users**
1 Moldova 11.3635
2 Greece 10.8560
3 Qatar 10.4018
4 Belarus 9.8162
5 Argentina 9.5380
6 Bulgaria 9.4714
7 South Africa 9.4128
8 Sri Lanka 9.1585
9 Kyrgyzstan 8.8852
10 Lithuania 8.6847
11 Tunisia 8.6739
12 Albania 8.6586
13 North Macedonia 8.6463
14 Bosnia & Herzegovina 8.6291
15 Botswana 8.6254
16 UAE 8.5993
17 Germany 8.5887
18 Slovenia 8.5851
19 Egypt 8.5582
20 Canada 8.4985

*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users subjected to web attacks by malicious objects of the Malware class out of all unique Kaspersky product users in that country or territory.

On average during the quarter, 7.38% of the internet users’ computers worldwide were subjected to at least one Malware-category web attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The following statistics are based on detection verdicts from the OAS (on-access scan, scanning when accessing a file) and ODS (on-demand scan, scanning launched by a user) antivirus modules, provided by Kaspersky product users who agreed to share statistical data. These statistics take into account malware found directly on users’ computers or on removable media connected to computers, such as flash drives, camera memory cards, phones, and external hard drives.

In the second quarter of 2024, our file antivirus detected 27,394,168 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers file antivirus was triggered during the reporting period. This data reflects the level of infection of personal computers across different countries and territories worldwide.

Note that only attacks involving malicious objects of the Malware class are included in this ranking. Detections of potentially dangerous or unwanted programs such as RiskTool and adware were not counted.

Country/territory* % of attacked users**
1 Turkmenistan 44.2517
2 Afghanistan 39.4972
3 Cuba 38.3242
4 Yemen 38.2295
5 Tajikistan 37.5013
6 Uzbekistan 32.7085
7 Syria 31.5546
8 Burundi 30.5511
9 Bangladesh 28.3616
10 South Sudan 28.3293
11 Tanzania 28.0949
12 Cameroon 28.0254
13 Niger 27.9138
14 Algeria 27.8984
15 Benin 27.6164
16 Myanmar 26.6960
17 Venezuela 26.6944
18 Iran 26.5071
19 Vietnam 26.3409
20 Congo 26.3160

*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users on whose computers local Malware-class threats were blocked, out of all unique Kaspersky product users in that country or territory.

On average, 14.2% of users’ computers worldwide encountered at least one local Malware-class threat during the second quarter.

The figure for Russia was 15.68%.

IT threat evolution in Q2 2024. Non-mobile statistics

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Subscribe to our weekly e-mails

The hottest research right in your inbox