Malware reports

IT threat evolution Q3 2020. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3:

  • Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
  • 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 146,761 unique users.
  • Ransomware attacks were defeated on the computers of 121,579 unique users.
  • Our File Anti-Virus detected 87,941,334 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q3 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 146,761 users.

Number of unique users attacked by financial malware, Q3 2020 (download)

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.

Geography of financial malware attacks, Q3 2020 (download)

Top 10 countries by share of attacked users

Country* %**
1 Costa Rica 6.6
2 Turkmenistan 5.9
3 Tajikistan 4.7
4 Uzbekistan 4.6
5 Afghanistan 3.4
6 Syria 1.7
7 Iran 1.6
8 Yemen 1.6
9 Kazakhstan 1.5
10 Venezuela 1.5

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

First among the banker families, as in the previous quarter, is Zbot (19.7%), despite its share dropping 5.1 p.p. It is followed by Emotet (16.1%) — as we predicted, this malware renewed its activity, climbing by 9.5 p.p. as a result. Meanwhile, the share of another banker family, RTM, decreased by 11.2 p.p., falling from second position to fifth with a score of 7.4%.

Top 10 banking malware families

Name Verdicts %*
1 Zbot Trojan.Win32.Zbot 19.7
2 Emotet Backdoor.Win32.Emotet 16.1
3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 12.2
4 Trickster Trojan.Win32.Trickster 8.8
5 RTM Trojan-Banker.Win32.RTM 7.4
6 Neurevt Trojan.Win32.Neurevt 5.4
7 Nimnul Virus.Win32.Nimnul 4.4
8 SpyEye Trojan-Spy.Win32.SpyEye 3.5
9 Danabot Trojan-Banker.Win32.Danabot 3.1
10 Gozi Trojan-Banker.Win32.Gozi 1.9

** Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Q3 2020 saw many high-profile ransomware attacks on organizations in various fields: education, healthcare, governance, energy, finance, IT, telecommunications and many others. Such cybercriminal activity is understandable: a successful attack on a major organization can command a ransom in the millions of dollars, which is several orders of magnitude higher than the typical sum for mass ransomware.

Campaigns of this type can be viewed as advanced persistent threats (APTs), and Kaspersky researchers detected the involvement of the Lazarus group in the distribution of one of these ransomware programs.

Distributors of these Trojans also began to cooperate with the aim of carrying out more effective and destructive attacks. At the start of the quarter, word leaked out that Maze operators had joined forces with distributors of LockBit, and later RagnarLocker, to form a ransomware cartel. The cybercriminals used shared infrastructure to publish stolen confidential data. Also observed was the pooling of expertise in countering security solutions.

Of the more heartening events, Q3 will be remembered for the arrest of one of the operators of the GandCrab ransomware. Law enforcement agencies in Belarus, Romania and the UK teamed up to catch the distributor of the malware, which had reportedly infected more than 1,000 computers.

Number of new modifications

In Q3 2020, we detected four new ransomware families and 6,720 new modifications of this malware type.

Number of new ransomware modifications, Q3 2019 – Q3 2020 (download)

Number of users attacked by ransomware Trojans

In Q3 2020, Kaspersky products and technologies protected 121,579 users against ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q3 2020 (download)

Attack geography

Geography of attacks by ransomware Trojans, Q3 2020 (download)

Top 10 countries attacked by ransomware Trojans

Country* %**
1 Bangladesh 2.37
2 Mozambique 1.10
3 Ethiopia 1.02
4 Afghanistan 0.87
5 Uzbekistan 0.79
6 Egypt 0.71
7 China 0.65
8 Pakistan 0.52
9 Vietnam 0.50
10 Myanmar 0.46

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans

Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 18.77
2 (generic verdict) Trojan-Ransom.Win32.Gen 10.37
3 (generic verdict) Trojan-Ransom.Win32.Encoder 9.58
4 (generic verdict) Trojan-Ransom.Win32.Generic 8.55
5 (generic verdict) Trojan-Ransom.Win32.Phny 6.37
6 Stop Trojan-Ransom.Win32.Stop 5.89
7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.12
8 PolyRansom/VirLock Virus.Win32.PolyRansom 3.14
9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.44
10 (generic verdict) Trojan-Ransom.Win32.Crypmod 1.69

* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.

Miners

Number of new modifications

In Q3 2020, Kaspersky solutions detected 3,722 new modifications of miners.

Number of new miner modifications, Q3 2020 (download)

Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 440,041 unique users of Kaspersky products worldwide. If in the previous quarter the number of attacked users decreased, in this reporting period the situation was reversed: from July we saw a gradual rise in activity.

Number of unique users attacked by miners, Q3 2020 (download)

Attack geography

Geography of miner attacks, Q3 2020 (download)

Top 10 countries attacked by miners

Country* %**
1 Afghanistan 5.53
2 Ethiopia 3.94
3 Tanzania 3.06
4 Rwanda 2.58
5 Uzbekistan 2.46
6 Sri Lanka 2.30
7 Kazakhstan 2.26
8 Vietnam 1.95
9 Mozambique 1.76
10 Pakistan 1.57

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

According to our statistics, vulnerabilities in the Microsoft Office suite continue to lead: in Q3, their share amounted to 71% of all identified vulnerabilities. Users worldwide are in no rush to update the package, putting their computers at risk of infection. Although our products protect against the exploitation of vulnerabilities, we strongly recommend the timely installation of patches, especially security updates.

First place in this category of vulnerabilities goes to CVE-2017-8570, which can embed a malicious script in an OLE object placed inside an Office document. Almost on a par in terms of popularity is the vulnerability CVE-2017-11882, exploits for which use a stack overflow error in the Equation Editor component. CVE-2017-0199 and CVE-2018-0802 likewise remain popular.

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2020 (download)

The share of vulnerabilities in Internet browsers increased by 3 p.p. this quarter to 15%. One of the most-talked-about browser vulnerabilities was CVE-2020-1380 — a use-after-free error in the jscript9.dll library of the current version of the Internet Explorer 9+ scripting engine. This same vulnerability was spotted in the Operation PowerFall targeted attack.

Also in Q3, researchers discovered the critical vulnerability CVE-2020-6492 in the WebGL component of Google Chrome. Theoretically, it can be used to execute arbitrary code in the context of a program. The similar vulnerability CVE-2020-6542 was later found in the same component. Use-after-free vulnerabilities were detected in other components too: Task Scheduler (CVE-2020-6543), Media (CVE-2020-6544) and Audio (CVE-2020-6545).

In another browser, Mozilla Firefox, three critical vulnerabilities, CVE-2020-15675, CVE-2020-15674 and CVE-2020-15673, related to incorrect memory handling, were detected, also potentially leading to arbitrary code execution in the system.

In the reporting quarter, the vulnerability CVE-2020-1464, used to bypass scans on malicious files delivered to user systems, was discovered in Microsoft Windows. An error in the cryptographic code made it possible for an attacker to insert a malicious JAR archive inside a correctly signed MSI file, circumvent security mechanisms, and compromise the system. Also detected were vulnerabilities that could potentially be used to compromise a system with different levels of privileges:

Among network-based attacks, those involving EternalBlue exploits and other vulnerabilities from the Shadow Brokers suite remain popular. Also common are brute-force attacks on Remote Desktop Services and Microsoft SQL Server, and via the SMB protocol. In addition, the already mentioned critical vulnerability CVE-2020-1472, also known as Zerologon, is network-based. This error allows an intruder in the corporate network to impersonate any computer and change its password in Active Directory.

Attacks on macOS

Perhaps this quarter’s most interesting find was EvilQuest, also known as Virus.OSX.ThifQseut.a. It is a self-replicating piece of ransomware, that is, a full-fledged virus. The last such malware for macOS was detected 13 years ago, since which time this class of threats has been considered irrelevant for this platform.

Top 20 threats for macOS

Verdict %*
1 Monitor.OSX.HistGrabber.b 14.11
2 AdWare.OSX.Pirrit.j 9.21
3 AdWare.OSX.Bnodlero.at 9.06
4 Trojan-Downloader.OSX.Shlayer.a 8.98
5 AdWare.OSX.Bnodlero.ay 6.78
6 AdWare.OSX.Pirrit.ac 5.78
7 AdWare.OSX.Ketin.h 5.71
8 AdWare.OSX.Pirrit.o 5.47
9 AdWare.OSX.Cimpli.k 4.79
10 AdWare.OSX.Ketin.m 4.45
11 Hoax.OSX.Amc.d 4.38
12 Trojan-Downloader.OSX.Agent.j 3.98
13 Trojan-Downloader.OSX.Agent.h 3.58
14 AdWare.OSX.Pirrit.gen 3.52
15 AdWare.OSX.Spc.a 3.18
16 AdWare.OSX.Amc.c 2.97
17 AdWare.OSX.Pirrit.aa 2.94
18 AdWare.OSX.Pirrit.x 2.81
19 AdWare.OSX.Cimpli.l 2.78
20 AdWare.OSX.Bnodlero.x 2.64

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

Among the adware modules and their Trojan downloaders in the macOS threat rating for Q3 2020 was Hoax.OSX.Amc.d. Known as Advanced Mac Cleaner, this is a typical representative of the class of programs that first intimidate the user with system errors or other issues on the computer, and then ask for money to fix them.

Threat geography

Geography of threats for macOS, Q3 2020 (download)

Top 10 countries by share of attacked users

Country* %**
1 Spain 6.20%
2 France 6.13%
3 India 5.59%
4 Canada 5.31%
5 Brazil 5.23%
6 USA 5.19%
7 Mexico 4.98%
8 Great Britain 4.37%
9 China 4.25%
10 Italy 4.19%

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 5000)
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

Spain (6.29%) and France (6.13%) were the leaders by share of attacked users. They were followed by India (5.59%) in third place, up from fifth in the last quarter. As for detected macOS threats, the Shlayer Trojan consistently holds a leading position in countries in this Top 10 list.

IoT attacks

IoT threat statistics

In Q3 2020, the share of devices whose IP addresses were used for Telnet attacks on Kaspersky traps increased by 4.5 p.p.

Telnet 85.34%
SSH 14.66%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2020

However, the distribution of sessions from these same IPs in Q3 did not change significantly: the share of operations using the SSH protocol rose by 2.8 p.p.

Telnet 68.69%
SSH 31.31%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2020

Nevertheless, Telnet still dominates both by number of attacks from unique IPs and in terms of further communication with the trap by the attacking party.

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2020 (download)

Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps

Country %*
India 19.99
China 15.46
Egypt 9.77
Brazil 7.66
Taiwan, Province of China 3.91
Russia 3.84
USA 3.14
Iran 3.09
Vietnam 2.83
Greece 2.52

* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country.

In Q3, India (19.99%) was the location of the highest number of devices that attacked Telnet traps.  China (15.46%), having ranked first in the previous quarter, moved down a notch, despite its share increasing by 2.71 p.p. Egypt (9.77%) took third place, up by 1.45 p.p.

Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2020 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps

Country %*
China 28.56
USA 14.75
Germany 4.67
Brazil 4.44
France 4.03
India 3.48
Russia 3.19
Singapore 3.16
Vietnam 3.14
South Korea 2.29

* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country.

In Q3, as before, China (28.56%) topped the leaderboard. Likewise, the US (14.75%) retained second place. Vietnam (3.14%), however, having taken bronze in the previous quarter, fell to ninth, ceding its Top 3 position to Germany (4.67%).

Threats loaded into traps

Verdict %*
Backdoor.Linux.Mirai.b 38.59
Trojan-Downloader.Linux.NyaDrop.b 24.78
Backdoor.Linux.Mirai.ba 11.40
Backdoor.Linux.Gafgyt.a 9.71
Backdoor.Linux.Mirai.cw 2.51
Trojan-Downloader.Shell.Agent.p 1.25
Backdoor.Linux.Gafgyt.bj 1.24
Backdoor.Linux.Mirai.ad 0.93
Backdoor.Linux.Mirai.cn 0.81
Backdoor.Linux.Mirai.c 0.61

* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2020, Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources located across the globe. 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus.

Distribution of web attack sources by country, Q3 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Vietnam 8.69
2 Bangladesh 7.34
3 Latvia 7.32
4 Mongolia 6.83
5 France 6.71
6 Moldova 6.64
7 Algeria 6.22
8 Madagascar 6.15
9 Georgia 6.06
10 UAE 5.98
11 Nepal 5.98
12 Spain 5.92
13 Serbia 5.87
14 Montenegro 5.86
15 Estonia 5.84
16 Qatar 5.83
17 Tunisia 5.81
18 Belarus 5.78
19 Uzbekistan 5.68
20 Myanmar 5.55

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 4.58% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of web-based malware attacks, Q3 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2020, our File Anti-Virus detected 87,941,334 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Afghanistan 49.27
2 Turkmenistan 45.07
3 Myanmar 42.76
4 Tajikistan 41.16
5 Ethiopia 41.15
6 Bangladesh 39.90
7 Burkina Faso 37.63
8 Laos 37.26
9 South Sudan 36.67
10 Uzbekistan 36.58
11 Benin 36.54
12 China 35.56
13 Sudan 34.74
14 Rwanda 34.40
15 Guinea 33.87
16 Vietnam 33.79
17 Mauritania 33.67
18 Tanzania 33.65
19 Chad 33.58
20 Burundi 33.49

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q3 2020 (download)

Overall, 16.40% of user computers globally faced at least one Malware-class local threat during Q3.

The figure for Russia was 18.21%.

IT threat evolution Q3 2020. Non-mobile statistics

Your email address will not be published. Required fields are marked *

 

  1. George Moody

    The Countries seem to be labelled incorrectly on the “Geography of miner attacks, Q3 2020” map.

    1. Yuliya Glazova

      Thank you! Fixed it.

Reports

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Subscribe to our weekly e-mails

The hottest research right in your inbox