Malware reports

IT threat evolution in Q3 2023. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2023:

  • Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
  • A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus components.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 76,551 unique users.
  • Ransomware attacks were defeated on the computers of 46,872 unique users.
  • Our File Anti-Virus detected 33,847,517 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q3 2023, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 76,551 unique users.

Number of unique users attacked by financial malware, Q3 2023 (download)

Geography of financial malware attacks

To assess the extent to which PC users in different countries and territories are at risk of infection by banking Trojans and ATM/PoS malware, for each country and territory we calculated the share of Kaspersky users who encountered this threat during the reporting period out of all users of our products in the given country or territory.

TOP 10 countries and territories by share of attacked users

Country or territory* %**
1 Afghanistan 3.9
2 Turkmenistan 3.5
3 China 2.4
4 Tajikistan 2.1
5 Yemen 1.7
6 Egypt 1.5
7 Thailand 1.5
8 Venezuela 1.4
9 Syria 1.4
10 Paraguay 1.2

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 banking malware families

Name Verdicts %*
1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 34.0
2 Zbot/Zeus Trojan-Banker.Win32.Zbot 16.0
3 Emotet Trojan-Banker.Win32.Emotet 12.6
4 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 7.1
5 SpyEyes Trojan-Spy.Win32.SpyEye 3.0
6 Danabot Trojan-Banker.Win32.Danabot 2.4
7 Qbot/Qakbot Trojan-Banker.Win32.Qbot 2.1
8 Gozi Trojan-Banker.Win32.Gozi 0.9
9 Tinba Trojan-Banker.Win32.Tinba 0.8
10 IcedID Trojan-Banker.Win32.IcedID 0.6

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Vulnerability exploitation

In Q3, ransomware groups were detected exploiting vulnerabilities in various server software. For example, CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler, was used by attackers believed to be affiliated with the BlackCat/ALPHV group. The groups using Akira and Lockbit malware exploited the CVE-2023-20269 vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) as a way to compromise victims’ networks. The Cuba group utilized an exploit for the CVE-2023-27532 vulnerability in Veeam Backup & Replication (VBR) to extract credentials from the configuration files of this software. Also detected were attacks by unknown ransomware on unpatched Openfire servers with CVE-2023-32315. This vulnerability allows an unauthenticated attacker to create an administrative account on the server and install arbitrary malware in the form of a JAR plugin.

More attacks on healthcare

Our Q2 report already noted a significant amount of news coverage of ransomware attacks on hospitals, universities, and municipal organizations. This trend continued in Q3. Among the victims of high-profile incidents in the healthcare industry were: McLaren HealthCare (the BlackCat/ALPHV group claimed responsibility for the attack and posted information about it on its data leak site); Prospect Medical Holdings (the Rhysida group posted a statement on its website announcing the theft of 1 TB of documents and a 1.3 TB database of personal data); PhilHealth (the Medusa group demanded the equivalent of $300,000 and began releasing sensitive data stolen in the attack shortly afterwards).

Most prolific groups

This section looks at ransomware groups that engage in so-called “double extortion”, that is, stealing and encrypting confidential data. Most of these groups target large companies, and often maintain a DLS (data leak site), where they publish a list of organizations they have attacked. Here’s the chart of the busiest ransomware gangs of Q3 2023:

The most prolific ransomware gangs, Q3 2023 (download)

The diagram shows each group’s share of the total number of victims published on all the DLS sites analyzed.

Number of new modifications

In Q3 2023, we uncovered nine new ransomware families and 11,387 new modifications of this malware type.

Number of new ransomware modifications, Q3 2022 — Q3 2023 (download)

Number of users attacked by ransomware Trojans

In Q3 2023, Kaspersky products and technologies protected 46,872 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q3 2023 (download)

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory* %**
1 Yemen 1.63
2 Bangladesh 1.39
3 South Korea 0.65
4 Pakistan 0.51
5 Mozambique 0.51
6 Iraq 0.27
7 Taiwan 0.27
8 Mainland China 0.26
9 Nigeria 0.26
10 Libya 0.23

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

Name Verdicts* Share of attacked users**
1 (generic verdict) Trojan-Ransom.Win32.Gen 16.80
2 WannaCry Trojan-Ransom.Win32.Wanna 14.45
3 (generic verdict) Trojan-Ransom.Win32.Encoder 11.98
4 (generic verdict) Trojan-Ransom.Win32.Phny 7.26
5 Stop/Djvu Trojan-Ransom.Win32.Stop 5.69
6 (generic verdict) Trojan-Ransom.Win32.Crypren 5.69
7 Magniber Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni 4.06
8 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 3.43
9 (generic verdict) Trojan-Ransom.Win32.Agent 2.72
10 Lockbit Trojan-Ransom.Win32.Lockbit 2.39

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q3 2023, Kaspersky solutions detected 2199 new miner modifications.

Number of new miner modifications, Q3 2023 (download)

Number of users attacked by miners

In Q3, we detected attacks that used miners on the computers of 363,120 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q3 2023 (download)

Geography of miner attacks

TOP 10 countries and territories attacked by miners

Country or territory* %**
1 Tajikistan 2.38
2 Kazakhstan 1.96
3 Uzbekistan 1.69
4 Venezuela 1.57
5 Kyrgyzstan 1.56
6 Mozambique 1.44
7 Pakistan 1.44
8 Belarus 1.43
9 Sri Lanka 1.30
10 Ukraine 1.19

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Vulnerable applications used in cyberattacks

Quarterly highlights

Q3 2023 was quite eventful in terms of in-the-wild (ITW) vulnerability discoveries. Worth noting are:

  • CVE-2023-36884, a vulnerability in MS Office allowing execution of commands with user privileges to bypass Protected View mode.
  • CVE-2023-38831, a vulnerability in WinRAR. To exploit this vulnerability, attackers use a specially crafted archive which, when opened through the WinRAR GUI, launches a malicious file.
  • CVE-2023-4762, a type confusion vulnerability in Google Chrome’s V8 engine. Its exploitation allows escaping the browser sandbox.
  • CVE-2023-4863, a vulnerability in the WebP image library in Google Chrome. It can also be used for sandbox escape.
  • CVE-2023-5217, a vulnerability in the VP8 encoding function in Google Chrome, exploitation of which allows sandbox escape.

Since each of these vulnerabilities was found ITW, we recommend installing the latest updates of the relevant software.

Vulnerability statistics

As is customary, Microsoft Office (80.14%) ranks first by number of attempts to exploit vulnerabilities in Q3, gaining 4.5 p.p. Cybercriminals continue to use old vulnerabilities to attack unpatched corporate systems. Among the most commonly exploited vulnerabilities in the suite are:

  • CVE-2017-11882 and CVE-2018-0802 in the Equation Editor component, allowing an Equation object in a document to cause application memory corruption upon being processed and make it possible to execute arbitrary code in the system;
  • CVE-2017-0199, allowing exploitation of MS Office features to download malicious scripts;
  • CVE-2017-8570, allowing download and execution of a malicious HTA script.

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2023 (download)

In second place are browsers (5.85%), whose share decreased by 2 p.p. against the previous quarter. The Android platform (4.70%) rounds out the TOP 3: exploits for it were up by 0.37 p.p. against the previous period.

Network threats in Q3 2023 are mainly brute-force password attacks on MSSQL and RDP services. Note that among exploits for operating system vulnerabilities, EternalBlue and EternalRomance remain popular. Additionally, we observed scanning for Log4j-type vulnerabilities (CVE-2021-44228), attacks on them, and probing of systems for insecure deserialization in Java.

Attacks on macOS

This quarter saw the appearance of a new version of XLoader masquerading as a popular document viewing and editing application. As with previous versions, the Trojan grabs clipboard contents and authorization data from Chrome and Firefox browsers.

TOP 20 threats for macOS

Verdict %*
1 AdWare.OSX.Agent.ai 9.08
2 AdWare.OSX.Pirrit.ac 6.84
3 Hoax.OSX.MacBooster.a 6.32
4 AdWare.OSX.Agent.ap 6.05
5 Monitor.OSX.HistGrabber.b 5.82
6 AdWare.OSX.Amc.e 5.72
7 AdWare.OSX.Bnodlero.ax 4.75
8 AdWare.OSX.Pirrit.j 4.33
9 Trojan.OSX.Agent.gen 4.25
10 AdWare.OSX.Agent.gen 3.84
11 AdWare.OSX.Pirrit.ae 3.39
12 AdWare.OSX.Mhp.a 2.97
13 Trojan-Downloader.OSX.Agent.h 2.74
14 AdWare.OSX.Amc.c 2.35
15 Downloader.OSX.InstallCore.ak 2.32
16 AdWare.OSX.Pirrit.aa 2.17
17 AdWare.OSX.Bnodlero.bg 2.09
18 AdWare.OSX.Pirrit.gen 2.06
19 Backdoor.OSX.Twenbc.g 2.01
20 AdWare.OSX.Pirrit.o 1.88

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

Adware programs and fake system accelerators remained the main threat to macOS users in Q3.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

Country or territory* %**
1 Hong Kong 1.40
2 Mainland China 1.19
3 Italy 1.16
4 France 1.06
5 United States 1.04
6 Mexico 0.98
7 Spain 0.96
8 Australia 0.86
9 United Kingdom 0.81
10 Russian Federation 0.81

* Excluded from the rankings are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.

IoT attacks

IoT threat statistics

In Q3 2023, the distribution of devices attacking Kaspersky traps using the Telnet and SSH protocols did not change significantly.

Telnet 78.94%
SSH 21.06%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2023

In terms of session numbers, Telnet accounted for the absolute majority.

Telnet 97.19%
SSH 2.81%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2023

Attacks on IoT honeypots

In Q3, the main sources of SSH attacks were again the United States and the APAC region. The share of attacks emanating from the mainland China (20.14%) rose, while those from South Korea (3.63%) and Vietnam (2.76%) fell slightly. The shares of other countries and territories changed insignificantly.

TOP 10 countries and territories as sources of SSH attacks

Country or territory %*
Q2 2023 Q3 2023
Mainland China 12.63 20.14
United States 11.50 11.58
India 5.01 5.54
Singapore 5.32 5.54
Germany 4.21 4.68
Brazil 4.57 4.30
Russian Federation 3.73 3.92
South Korea 6.21 3.63
Vietnam 3.39 2.76
Hong Kong 2.33 2.64
Other 41.96 35.27

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

Cybercriminals controlling devices in India increased their share of the total number of Telnet-based attacks (to 20.07%), while the share of threat actors owning devices in the mainland China dropped slightly (to 31.58%).

TOP 10 countries and territories as sources of Telnet attacks

Country or territory %*
Q2 2023 Q3 2023
Mainland China 35.38 31.58
India 14.03 20.07
United States 4.41 4.38
Brazil 6.36 4.20
Russian Federation 4.33 3.81
Taiwan 2.79 2.67
South Korea 2.51 2.50
Egypt 0.93 2.35
Namibia 0.41 2.13
Argentina 2.24 2.11
Other 20.40 24.19

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

TOP 10 threats delivered to IoT devices via Telnet

Verdict %*
1 Trojan-Downloader.Linux.NyaDrop.b 39.16
2 Backdoor.Linux.Mirai.b 16.95
3 Backdoor.Linux.Mirai.ba 9.03
4 Backdoor.Linux.Mirai.es 6.39
5 Backdoor.Linux.Mirai.cw 5.97
6 Backdoor.Linux.Mirai.fg 3.58
7 Trojan.Linux.Agent.nx 2.22
8 Trojan-Downloader.Linux.Mirai.d 1.87
9 Trojan-Downloader.Shell.Agent.p 1.77
10 Backdoor.Linux.Gafgyt.a 1.62

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Attacks via web resources

The statistics in this section come from Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create such sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

Countries and territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country and territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q3 2023, Kaspersky solutions blocked 694,400,301 attacks from online resources located across the globe. A total of 169,194,807 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-attack sources by country and territory, Q3 2023 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries and territories, for each country and territory we calculated the share of Kaspersky users on whose devices Web Anti-Virus was triggered at least once during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %**
1 Belarus 15.42
2 Moldova 15.35
3 Albania 14.05
4 Taiwan 13.46
5 North Macedonia 13.08
6 Bulgaria 12.84
7 Serbia 12.75
8 Kyrgyzstan 12.73
9 Latvia 12.64
10 Greece 12.53
11 Estonia 12.06
12 Bangladesh 11.94
13 Nepal 11.91
14 Sri Lanka 11.91
15 Slovenia 11.70
16 Algeria 11.61
17 Turkey 11.58
18 Bosnia and Herzegovina 11.22
19 Belgium 11.15
20 Canada 11.04

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 8.81% of computers of internet users worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS (On-Access Scan) and ODS (On-Demand Scan) modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2023, our File Anti-Virus detected 33,847,517 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.

The ranking includes only Malware-class attacks; it doesn’t consider File Anti-Virus triggerings by potentially dangerous or unwanted programs such as RiskTool or adware.

Country or territory* %**
1 Turkmenistan 49.40
2 Yemen 44.54
3 Afghanistan 40.48
4 Tajikistan 39.09
5 Burundi 34.92
6 Bangladesh 34.45
7 Myanmar 33.78
8 South Sudan 33.63
9 Syria 33.60
10 Benin 33.12
11 Guinea 32.81
12 Chad 32.61
13 Cameroon 31.92
14 Tanzania 31.90
15 Uzbekistan 31.86
16 Republic of the Congo 31.51
17 Democratic Republic of the Congo 31.18
18 Malawi 30.82
19 Burkina Faso 30.77
20 Rwanda 30.55

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country or territory.

Overall globally, 15.4% of user computers faced at least one Malware-class local threat during Q3.

IT threat evolution in Q3 2023. Non-mobile statistics

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox