- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 76,551 unique users.
- Ransomware attacks were defeated on the computers of 46,872 unique users.
- Our File Anti-Virus detected 33,847,517 unique malicious and potentially unwanted objects.
Financial threats
Financial threat statistics
In Q3 2023, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 76,551 unique users.
Number of unique users attacked by financial malware, Q3 2023 (download)
Geography of financial malware attacks
To assess the extent to which PC users in different countries and territories are at risk of infection by banking Trojans and ATM/PoS malware, for each country and territory we calculated the share of Kaspersky users who encountered this threat during the reporting period out of all users of our products in the given country or territory.
TOP 10 countries and territories by share of attacked users
Country or territory* | %** | |
1 | Afghanistan | 3.9 |
2 | Turkmenistan | 3.5 |
3 | China | 2.4 |
4 | Tajikistan | 2.1 |
5 | Yemen | 1.7 |
6 | Egypt | 1.5 |
7 | Thailand | 1.5 |
8 | Venezuela | 1.4 |
9 | Syria | 1.4 |
10 | Paraguay | 1.2 |
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 banking malware families
Name | Verdicts | %* | |
1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 34.0 |
2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 16.0 |
3 | Emotet | Trojan-Banker.Win32.Emotet | 12.6 |
4 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 7.1 |
5 | SpyEyes | Trojan-Spy.Win32.SpyEye | 3.0 |
6 | Danabot | Trojan-Banker.Win32.Danabot | 2.4 |
7 | Qbot/Qakbot | Trojan-Banker.Win32.Qbot | 2.1 |
8 | Gozi | Trojan-Banker.Win32.Gozi | 0.9 |
9 | Tinba | Trojan-Banker.Win32.Tinba | 0.8 |
10 | IcedID | Trojan-Banker.Win32.IcedID | 0.6 |
* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.
Ransomware programs
Quarterly trends and highlights
Vulnerability exploitation
In Q3, ransomware groups were detected exploiting vulnerabilities in various server software. For example, CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler, was used by attackers believed to be affiliated with the BlackCat/ALPHV group. The groups using Akira and Lockbit malware exploited the CVE-2023-20269 vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) as a way to compromise victims’ networks. The Cuba group utilized an exploit for the CVE-2023-27532 vulnerability in Veeam Backup & Replication (VBR) to extract credentials from the configuration files of this software. Also detected were attacks by unknown ransomware on unpatched Openfire servers with CVE-2023-32315. This vulnerability allows an unauthenticated attacker to create an administrative account on the server and install arbitrary malware in the form of a JAR plugin.
More attacks on healthcare
Our Q2 report already noted a significant amount of news coverage of ransomware attacks on hospitals, universities, and municipal organizations. This trend continued in Q3. Among the victims of high-profile incidents in the healthcare industry were: McLaren HealthCare (the BlackCat/ALPHV group claimed responsibility for the attack and posted information about it on its data leak site); Prospect Medical Holdings (the Rhysida group posted a statement on its website announcing the theft of 1 TB of documents and a 1.3 TB database of personal data); PhilHealth (the Medusa group demanded the equivalent of $300,000 and began releasing sensitive data stolen in the attack shortly afterwards).
Most prolific groups
This section looks at ransomware groups that engage in so-called “double extortion”, that is, stealing and encrypting confidential data. Most of these groups target large companies, and often maintain a DLS (data leak site), where they publish a list of organizations they have attacked. Here’s the chart of the busiest ransomware gangs of Q3 2023:
The most prolific ransomware gangs, Q3 2023 (download)
The diagram shows each group’s share of the total number of victims published on all the DLS sites analyzed.
Number of new modifications
In Q3 2023, we uncovered nine new ransomware families and 11,387 new modifications of this malware type.
Number of new ransomware modifications, Q3 2022 — Q3 2023 (download)
Number of users attacked by ransomware Trojans
In Q3 2023, Kaspersky products and technologies protected 46,872 users from ransomware attacks.
Number of unique users attacked by ransomware Trojans, Q3 2023 (download)
Geography of attacked users
TOP 10 countries and territories attacked by ransomware Trojans
Country or territory* | %** | |
1 | Yemen | 1.63 |
2 | Bangladesh | 1.39 |
3 | South Korea | 0.65 |
4 | Pakistan | 0.51 |
5 | Mozambique | 0.51 |
6 | Iraq | 0.27 |
7 | Taiwan | 0.27 |
8 | Mainland China | 0.26 |
9 | Nigeria | 0.26 |
10 | Libya | 0.23 |
* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 most common families of ransomware Trojans
Name | Verdicts* | Share of attacked users** | |
1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 16.80 |
2 | WannaCry | Trojan-Ransom.Win32.Wanna | 14.45 |
3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 11.98 |
4 | (generic verdict) | Trojan-Ransom.Win32.Phny | 7.26 |
5 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 5.69 |
6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 5.69 |
7 | Magniber | Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni | 4.06 |
8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.43 |
9 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.72 |
10 | Lockbit | Trojan-Ransom.Win32.Lockbit | 2.39 |
* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.
Miners
Number of new miner modifications
In Q3 2023, Kaspersky solutions detected 2199 new miner modifications.
Number of new miner modifications, Q3 2023 (download)
Number of users attacked by miners
In Q3, we detected attacks that used miners on the computers of 363,120 unique users of Kaspersky products worldwide.
Number of unique users attacked by miners, Q3 2023 (download)
Geography of miner attacks
TOP 10 countries and territories attacked by miners
Country or territory* | %** | |
1 | Tajikistan | 2.38 |
2 | Kazakhstan | 1.96 |
3 | Uzbekistan | 1.69 |
4 | Venezuela | 1.57 |
5 | Kyrgyzstan | 1.56 |
6 | Mozambique | 1.44 |
7 | Pakistan | 1.44 |
8 | Belarus | 1.43 |
9 | Sri Lanka | 1.30 |
10 | Ukraine | 1.19 |
* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.
Vulnerable applications used in cyberattacks
Quarterly highlights
Q3 2023 was quite eventful in terms of in-the-wild (ITW) vulnerability discoveries. Worth noting are:
- CVE-2023-36884, a vulnerability in MS Office allowing execution of commands with user privileges to bypass Protected View mode.
- CVE-2023-38831, a vulnerability in WinRAR. To exploit this vulnerability, attackers use a specially crafted archive which, when opened through the WinRAR GUI, launches a malicious file.
- CVE-2023-4762, a type confusion vulnerability in Google Chrome’s V8 engine. Its exploitation allows escaping the browser sandbox.
- CVE-2023-4863, a vulnerability in the WebP image library in Google Chrome. It can also be used for sandbox escape.
- CVE-2023-5217, a vulnerability in the VP8 encoding function in Google Chrome, exploitation of which allows sandbox escape.
Since each of these vulnerabilities was found ITW, we recommend installing the latest updates of the relevant software.
Vulnerability statistics
As is customary, Microsoft Office (80.14%) ranks first by number of attempts to exploit vulnerabilities in Q3, gaining 4.5 p.p. Cybercriminals continue to use old vulnerabilities to attack unpatched corporate systems. Among the most commonly exploited vulnerabilities in the suite are:
- CVE-2017-11882 and CVE-2018-0802 in the Equation Editor component, allowing an Equation object in a document to cause application memory corruption upon being processed and make it possible to execute arbitrary code in the system;
- CVE-2017-0199, allowing exploitation of MS Office features to download malicious scripts;
- CVE-2017-8570, allowing download and execution of a malicious HTA script.
Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2023 (download)
In second place are browsers (5.85%), whose share decreased by 2 p.p. against the previous quarter. The Android platform (4.70%) rounds out the TOP 3: exploits for it were up by 0.37 p.p. against the previous period.
Network threats in Q3 2023 are mainly brute-force password attacks on MSSQL and RDP services. Note that among exploits for operating system vulnerabilities, EternalBlue and EternalRomance remain popular. Additionally, we observed scanning for Log4j-type vulnerabilities (CVE-2021-44228), attacks on them, and probing of systems for insecure deserialization in Java.
Attacks on macOS
This quarter saw the appearance of a new version of XLoader masquerading as a popular document viewing and editing application. As with previous versions, the Trojan grabs clipboard contents and authorization data from Chrome and Firefox browsers.
TOP 20 threats for macOS
Verdict | %* | |
1 | AdWare.OSX.Agent.ai | 9.08 |
2 | AdWare.OSX.Pirrit.ac | 6.84 |
3 | Hoax.OSX.MacBooster.a | 6.32 |
4 | AdWare.OSX.Agent.ap | 6.05 |
5 | Monitor.OSX.HistGrabber.b | 5.82 |
6 | AdWare.OSX.Amc.e | 5.72 |
7 | AdWare.OSX.Bnodlero.ax | 4.75 |
8 | AdWare.OSX.Pirrit.j | 4.33 |
9 | Trojan.OSX.Agent.gen | 4.25 |
10 | AdWare.OSX.Agent.gen | 3.84 |
11 | AdWare.OSX.Pirrit.ae | 3.39 |
12 | AdWare.OSX.Mhp.a | 2.97 |
13 | Trojan-Downloader.OSX.Agent.h | 2.74 |
14 | AdWare.OSX.Amc.c | 2.35 |
15 | Downloader.OSX.InstallCore.ak | 2.32 |
16 | AdWare.OSX.Pirrit.aa | 2.17 |
17 | AdWare.OSX.Bnodlero.bg | 2.09 |
18 | AdWare.OSX.Pirrit.gen | 2.06 |
19 | Backdoor.OSX.Twenbc.g | 2.01 |
20 | AdWare.OSX.Pirrit.o | 1.88 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.
Adware programs and fake system accelerators remained the main threat to macOS users in Q3.
Geography of threats for macOS
TOP 10 countries and territories by share of attacked users
Country or territory* | %** | |
1 | Hong Kong | 1.40 |
2 | Mainland China | 1.19 |
3 | Italy | 1.16 |
4 | France | 1.06 |
5 | United States | 1.04 |
6 | Mexico | 0.98 |
7 | Spain | 0.96 |
8 | Australia | 0.86 |
9 | United Kingdom | 0.81 |
10 | Russian Federation | 0.81 |
* Excluded from the rankings are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.
IoT attacks
IoT threat statistics
In Q3 2023, the distribution of devices attacking Kaspersky traps using the Telnet and SSH protocols did not change significantly.
Telnet | 78.94% |
SSH | 21.06% |
Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2023
In terms of session numbers, Telnet accounted for the absolute majority.
Telnet | 97.19% |
SSH | 2.81% |
Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2023
Attacks on IoT honeypots
In Q3, the main sources of SSH attacks were again the United States and the APAC region. The share of attacks emanating from the mainland China (20.14%) rose, while those from South Korea (3.63%) and Vietnam (2.76%) fell slightly. The shares of other countries and territories changed insignificantly.
TOP 10 countries and territories as sources of SSH attacks
Country or territory | %* | |
Q2 2023 | Q3 2023 | |
Mainland China | 12.63 | 20.14 |
United States | 11.50 | 11.58 |
India | 5.01 | 5.54 |
Singapore | 5.32 | 5.54 |
Germany | 4.21 | 4.68 |
Brazil | 4.57 | 4.30 |
Russian Federation | 3.73 | 3.92 |
South Korea | 6.21 | 3.63 |
Vietnam | 3.39 | 2.76 |
Hong Kong | 2.33 | 2.64 |
Other | 41.96 | 35.27 |
* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.
Cybercriminals controlling devices in India increased their share of the total number of Telnet-based attacks (to 20.07%), while the share of threat actors owning devices in the mainland China dropped slightly (to 31.58%).
TOP 10 countries and territories as sources of Telnet attacks
Country or territory | %* | |
Q2 2023 | Q3 2023 | |
Mainland China | 35.38 | 31.58 |
India | 14.03 | 20.07 |
United States | 4.41 | 4.38 |
Brazil | 6.36 | 4.20 |
Russian Federation | 4.33 | 3.81 |
Taiwan | 2.79 | 2.67 |
South Korea | 2.51 | 2.50 |
Egypt | 0.93 | 2.35 |
Namibia | 0.41 | 2.13 |
Argentina | 2.24 | 2.11 |
Other | 20.40 | 24.19 |
* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.
TOP 10 threats delivered to IoT devices via Telnet
Verdict | %* | |
1 | Trojan-Downloader.Linux.NyaDrop.b | 39.16 |
2 | Backdoor.Linux.Mirai.b | 16.95 |
3 | Backdoor.Linux.Mirai.ba | 9.03 |
4 | Backdoor.Linux.Mirai.es | 6.39 |
5 | Backdoor.Linux.Mirai.cw | 5.97 |
6 | Backdoor.Linux.Mirai.fg | 3.58 |
7 | Trojan.Linux.Agent.nx | 2.22 |
8 | Trojan-Downloader.Linux.Mirai.d | 1.87 |
9 | Trojan-Downloader.Shell.Agent.p | 1.77 |
10 | Backdoor.Linux.Gafgyt.a | 1.62 |
* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.
Attacks via web resources
The statistics in this section come from Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create such sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.
Countries and territories that serve as sources of web-based attacks: TOP 10
The following statistics show the distribution by country and territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.
In Q3 2023, Kaspersky solutions blocked 694,400,301 attacks from online resources located across the globe. A total of 169,194,807 unique URLs were recognized as malicious by Web Anti-Virus components.
Distribution of web-attack sources by country and territory, Q3 2023 (download)
Countries and territories where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries and territories, for each country and territory we calculated the share of Kaspersky users on whose devices Web Anti-Virus was triggered at least once during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
Country or territory* | %** | |
1 | Belarus | 15.42 |
2 | Moldova | 15.35 |
3 | Albania | 14.05 |
4 | Taiwan | 13.46 |
5 | North Macedonia | 13.08 |
6 | Bulgaria | 12.84 |
7 | Serbia | 12.75 |
8 | Kyrgyzstan | 12.73 |
9 | Latvia | 12.64 |
10 | Greece | 12.53 |
11 | Estonia | 12.06 |
12 | Bangladesh | 11.94 |
13 | Nepal | 11.91 |
14 | Sri Lanka | 11.91 |
15 | Slovenia | 11.70 |
16 | Algeria | 11.61 |
17 | Turkey | 11.58 |
18 | Bosnia and Herzegovina | 11.22 |
19 | Belgium | 11.15 |
20 | Canada | 11.04 |
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average during the quarter, 8.81% of computers of internet users worldwide were subjected to at least one Malware-class web attack.
Local threats
In this section, we analyze statistical data obtained from the OAS (On-Access Scan) and ODS (On-Demand Scan) modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
In Q3 2023, our File Anti-Virus detected 33,847,517 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country and territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.
The ranking includes only Malware-class attacks; it doesn’t consider File Anti-Virus triggerings by potentially dangerous or unwanted programs such as RiskTool or adware.
Country or territory* | %** | |
1 | Turkmenistan | 49.40 |
2 | Yemen | 44.54 |
3 | Afghanistan | 40.48 |
4 | Tajikistan | 39.09 |
5 | Burundi | 34.92 |
6 | Bangladesh | 34.45 |
7 | Myanmar | 33.78 |
8 | South Sudan | 33.63 |
9 | Syria | 33.60 |
10 | Benin | 33.12 |
11 | Guinea | 32.81 |
12 | Chad | 32.61 |
13 | Cameroon | 31.92 |
14 | Tanzania | 31.90 |
15 | Uzbekistan | 31.86 |
16 | Republic of the Congo | 31.51 |
17 | Democratic Republic of the Congo | 31.18 |
18 | Malawi | 30.82 |
19 | Burkina Faso | 30.77 |
20 | Rwanda | 30.55 |
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country or territory.
Overall globally, 15.4% of user computers faced at least one Malware-class local threat during Q3.
IT threat evolution in Q3 2023. Non-mobile statistics