IT threat evolution Q3 2020. Non-mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q3:
- Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
- 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 146,761 unique users.
- Ransomware attacks were defeated on the computers of 121,579 unique users.
- Our File Anti-Virus detected 87,941,334 unique malicious and potentially unwanted objects.
Financial threats
Financial threat statistics
In Q3 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 146,761 users.
Number of unique users attacked by financial malware, Q3 2020
Attack geography
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.
Geography of financial malware attacks, Q3 2020
Top 10 countries by share of attacked users
# | Country* | %**
1 | Costa Rica | 6.6
2 | Turkmenistan | 5.9
3 | Tajikistan | 4.7
4 | Uzbekistan | 4.6
5 | Afghanistan | 3.4
6 | Syria | 1.7
7 | Iran | 1.6
8 | Yemen | 1.6
9 | Kazakhstan | 1.5
10 | Venezuela | 1.5
* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.
First among the banker families, as in the previous quarter, is Zbot (19.7%), despite its share dropping 5.1 p.p. It is followed by Emotet (16.1%) — as we predicted, this malware renewed its activity, climbing by 9.5 p.p. as a result. Meanwhile, the share of another banker family, RTM, decreased by 11.2 p.p., falling from second position to fifth with a score of 7.4%.
Top 10 banking malware families
# | Name | Verdicts | %*
1 | Zbot | Trojan.Win32.Zbot | 19.7
2 | Emotet | Backdoor.Win32.Emotet | 16.1
3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 12.2
4 | Trickster | Trojan.Win32.Trickster | 8.8
5 | RTM | Trojan-Banker.Win32.RTM | 7.4
6 | Neurevt | Trojan.Win32.Neurevt | 5.4
7 | Nimnul | Virus.Win32.Nimnul | 4.4
8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.5
9 | Danabot | Trojan-Banker.Win32.Danabot | 3.1
10 | Gozi | Trojan-Banker.Win32.Gozi | 1.9
* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.
Ransomware programs
Quarterly trends and highlights
Q3 2020 saw many high-profile ransomware attacks on organizations in various fields: education, healthcare, governance, energy, finance, IT, telecommunications and many others. Such cybercriminal activity is understandable: a successful attack on a major organization can command a ransom in the millions of dollars, which is several orders of magnitude higher than the typical sum for mass ransomware.
Campaigns of this type can be viewed as advanced persistent threats (APTs), and Kaspersky researchers detected the involvement of the Lazarus group in the distribution of one of these ransomware programs.
Distributors of these Trojans also began to cooperate with the aim of carrying out more effective and destructive attacks. At the start of the quarter, word leaked out that Maze operators had joined forces with distributors of LockBit, and later RagnarLocker, to form a ransomware cartel. The cybercriminals used shared infrastructure to publish stolen confidential data. Also observed was the pooling of expertise in countering security solutions.
Of the more heartening events, Q3 will be remembered for the arrest of one of the operators of the GandCrab ransomware. Law enforcement agencies in Belarus, Romania and the UK teamed up to catch the distributor of the malware, which had reportedly infected more than 1,000 computers.
Number of new modifications
In Q3 2020, we detected four new ransomware families and 6,720 new modifications of this malware type.
Number of new ransomware modifications, Q3 2019 – Q3 2020
Number of users attacked by ransomware Trojans
In Q3 2020, Kaspersky products and technologies protected 121,579 users against ransomware attacks.
Number of unique users attacked by ransomware Trojans, Q3 2020
Attack geography
Geography of attacks by ransomware Trojans, Q3 2020
Top 10 countries attacked by ransomware Trojans
# | Country* | %**
1 | Bangladesh | 2.37
2 | Mozambique | 1.10
3 | Ethiopia | 1.02
4 | Afghanistan | 0.87
5 | Uzbekistan | 0.79
6 | Egypt | 0.71
7 | China | 0.65
8 | Pakistan | 0.52
9 | Vietnam | 0.50
10 | Myanmar | 0.46
* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.
Top 10 most common families of ransomware Trojans
# | Name | Verdicts | %*
1 | WannaCry | Trojan-Ransom.Win32.Wanna | 18.77
2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 10.37
3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 9.58
4 | (generic verdict) | Trojan-Ransom.Win32.Generic | 8.55
5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.37
6 | Stop | Trojan-Ransom.Win32.Stop | 5.89
7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.12
8 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 3.14
9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.44
10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.69
* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.
Miners
Number of new modifications
In Q3 2020, Kaspersky solutions detected 3,722 new modifications of miners.
Number of new miner modifications, Q3 2020
Number of users attacked by miners
In Q3, we detected attacks using miners on the computers of 440,041 unique users of Kaspersky products worldwide. Whereas the number of attacked users fell in the previous quarter, in this reporting period the trend reversed: from July we saw a gradual rise in activity.
Number of unique users attacked by miners, Q3 2020
Attack geography
Geography of miner attacks, Q3 2020
Top 10 countries attacked by miners
# | Country* | %**
1 | Afghanistan | 5.53
2 | Ethiopia | 3.94
3 | Tanzania | 3.06
4 | Rwanda | 2.58
5 | Uzbekistan | 2.46
6 | Sri Lanka | 2.30
7 | Kazakhstan | 2.26
8 | Vietnam | 1.95
9 | Mozambique | 1.76
10 | Pakistan | 1.57
* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.
Vulnerable applications used by cybercriminals during cyberattacks
According to our statistics, vulnerabilities in the Microsoft Office suite continue to lead: in Q3, their share amounted to 71% of all identified vulnerabilities. Users worldwide are in no rush to update the package, putting their computers at risk of infection. Although our products protect against the exploitation of vulnerabilities, we strongly recommend the timely installation of patches, especially security updates.
First place in this category of vulnerabilities goes to CVE-2017-8570, which allows a malicious script to be embedded in an OLE object placed inside an Office document. Almost on a par in terms of popularity is CVE-2017-11882, exploits for which use a stack overflow error in the Equation Editor component. CVE-2017-0199 and CVE-2018-0802 likewise remain popular.
Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2020
The share of vulnerabilities in Internet browsers increased by 3 p.p. this quarter to 15%. One of the most-talked-about browser vulnerabilities was CVE-2020-1380 — a use-after-free error in the jscript9.dll library of the current version of the Internet Explorer 9+ scripting engine. This same vulnerability was spotted in the Operation PowerFall targeted attack.
Also in Q3, researchers discovered the critical vulnerability CVE-2020-6492 in the WebGL component of Google Chrome. Theoretically, it can be used to execute arbitrary code in the context of a program. The similar vulnerability CVE-2020-6542 was later found in the same component. Use-after-free vulnerabilities were detected in other components too: Task Scheduler (CVE-2020-6543), Media (CVE-2020-6544) and Audio (CVE-2020-6545).
In another browser, Mozilla Firefox, three critical vulnerabilities, CVE-2020-15675, CVE-2020-15674 and CVE-2020-15673, related to incorrect memory handling, were detected, also potentially leading to arbitrary code execution in the system.
In the reporting quarter, the vulnerability CVE-2020-1464, used to bypass scans on malicious files delivered to user systems, was discovered in Microsoft Windows. An error in the cryptographic code made it possible for an attacker to insert a malicious JAR archive inside a correctly signed MSI file, circumvent security mechanisms, and compromise the system. Also detected were vulnerabilities that could potentially be used to compromise a system with different levels of privileges:
- CVE-2020-1554, CVE-2020-1492, CVE-2020-1379, CVE-2020-1477 and CVE-2020-1525 in the Windows Media Foundation component;
- CVE-2020-1046, detected in the .NET platform, can be used to run malicious code with administrator privileges;
- CVE-2020-1472, a vulnerability in the code for processing Netlogon Remote Protocol requests that could allow an attacker to change any user credentials.
Among network-based attacks, those involving EternalBlue exploits and other vulnerabilities from the Shadow Brokers suite remain popular. Also common are brute-force attacks on Remote Desktop Services and Microsoft SQL Server, and via the SMB protocol. In addition, the already mentioned critical vulnerability CVE-2020-1472, also known as Zerologon, is network-based. This error allows an intruder in the corporate network to impersonate any computer and change its password in Active Directory.
Attacks on macOS
Perhaps this quarter’s most interesting find was EvilQuest, also known as Virus.OSX.ThifQseut.a. It is a self-replicating piece of ransomware, that is, a full-fledged virus. The last such malware for macOS was detected 13 years ago, since which time this class of threats has been considered irrelevant for this platform.
Top 20 threats for macOS
# | Verdict | %*
1 | Monitor.OSX.HistGrabber.b | 14.11
2 | AdWare.OSX.Pirrit.j | 9.21
3 | AdWare.OSX.Bnodlero.at | 9.06
4 | Trojan-Downloader.OSX.Shlayer.a | 8.98
5 | AdWare.OSX.Bnodlero.ay | 6.78
6 | AdWare.OSX.Pirrit.ac | 5.78
7 | AdWare.OSX.Ketin.h | 5.71
8 | AdWare.OSX.Pirrit.o | 5.47
9 | AdWare.OSX.Cimpli.k | 4.79
10 | AdWare.OSX.Ketin.m | 4.45
11 | Hoax.OSX.Amc.d | 4.38
12 | Trojan-Downloader.OSX.Agent.j | 3.98
13 | Trojan-Downloader.OSX.Agent.h | 3.58
14 | AdWare.OSX.Pirrit.gen | 3.52
15 | AdWare.OSX.Spc.a | 3.18
16 | AdWare.OSX.Amc.c | 2.97
17 | AdWare.OSX.Pirrit.aa | 2.94
18 | AdWare.OSX.Pirrit.x | 2.81
19 | AdWare.OSX.Cimpli.l | 2.78
20 | AdWare.OSX.Bnodlero.x | 2.64
* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.
Among the adware modules and their Trojan downloaders in the macOS threat rating for Q3 2020 was Hoax.OSX.Amc.d. Known as Advanced Mac Cleaner, this is a typical representative of the class of programs that first intimidate the user with system errors or other issues on the computer, and then ask for money to fix them.
Threat geography
Geography of threats for macOS, Q3 2020
Top 10 countries by share of attacked users
# | Country* | %**
1 | Spain | 6.20
2 | France | 6.13
3 | India | 5.59
4 | Canada | 5.31
5 | Brazil | 5.23
6 | USA | 5.19
7 | Mexico | 4.98
8 | Great Britain | 4.37
9 | China | 4.25
10 | Italy | 4.19
* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.
Spain (6.29%) and France (6.13%) were the leaders by share of attacked users. They were followed by India (5.59%) in third place, up from fifth in the last quarter. As for detected macOS threats, the Shlayer Trojan consistently holds a leading position in countries in this Top 10 list.
IoT attacks
IoT threat statistics
In Q3 2020, the share of devices whose IP addresses were used for Telnet attacks on Kaspersky traps increased by 4.5 p.p.
Service | %
Telnet | 85.34
SSH | 14.66
Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2020
However, the distribution of sessions from these same IPs in Q3 did not change significantly: the share of operations using the SSH protocol rose by 2.8 p.p.
Service | %
Telnet | 68.69
SSH | 31.31
Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2020
Nevertheless, Telnet still dominates both by number of attacks from unique IPs and in terms of further communication with the trap by the attacking party.
Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2020
Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps
# | Country | %*
1 | India | 19.99
2 | China | 15.46
3 | Egypt | 9.77
4 | Brazil | 7.66
5 | Taiwan, Province of China | 3.91
6 | Russia | 3.84
7 | USA | 3.14
8 | Iran | 3.09
9 | Vietnam | 2.83
10 | Greece | 2.52
* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country.
In Q3, India (19.99%) was the location of the highest number of devices that attacked Telnet traps. China (15.46%), having ranked first in the previous quarter, moved down a notch, despite its share increasing by 2.71 p.p. Egypt (9.77%) took third place, up by 1.45 p.p.
Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2020
Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps
# | Country | %*
1 | China | 28.56
2 | USA | 14.75
3 | Germany | 4.67
4 | Brazil | 4.44
5 | France | 4.03
6 | India | 3.48
7 | Russia | 3.19
8 | Singapore | 3.16
9 | Vietnam | 3.14
10 | South Korea | 2.29
* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country.
In Q3, as before, China (28.56%) topped the leaderboard. Likewise, the US (14.75%) retained second place. Vietnam (3.14%), however, having taken bronze in the previous quarter, fell to ninth, ceding its Top 3 position to Germany (4.67%).
Threats loaded into traps
# | Verdict | %*
1 | Backdoor.Linux.Mirai.b | 38.59
2 | Trojan-Downloader.Linux.NyaDrop.b | 24.78
3 | Backdoor.Linux.Mirai.ba | 11.40
4 | Backdoor.Linux.Gafgyt.a | 9.71
5 | Backdoor.Linux.Mirai.cw | 2.51
6 | Trojan-Downloader.Shell.Agent.p | 1.25
7 | Backdoor.Linux.Gafgyt.bj | 1.24
8 | Backdoor.Linux.Mirai.ad | 0.93
9 | Backdoor.Linux.Mirai.cn | 0.81
10 | Backdoor.Linux.Mirai.c | 0.61
* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack.
Attacks via web resources
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create such sites deliberately; in addition, web resources with user-generated content (for example, forums) and hacked legitimate resources can become infected.
Countries that are sources of web-based attacks: Top 10
The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q3 2020, Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources located across the globe. 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus.
Distribution of web attack sources by country, Q3 2020
Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.
This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.
# | Country* | % of attacked users**
1 | Vietnam | 8.69
2 | Bangladesh | 7.34
3 | Latvia | 7.32
4 | Mongolia | 6.83
5 | France | 6.71
6 | Moldova | 6.64
7 | Algeria | 6.22
8 | Madagascar | 6.15
9 | Georgia | 6.06
10 | UAE | 5.98
11 | Nepal | 5.98
12 | Spain | 5.92
13 | Serbia | 5.87
14 | Montenegro | 5.86
15 | Estonia | 5.84
16 | Qatar | 5.83
17 | Tunisia | 5.81
18 | Belarus | 5.78
19 | Uzbekistan | 5.68
20 | Myanmar | 5.55
* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.
These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.
On average, 4.58% of Internet user computers worldwide experienced at least one Malware-class attack.
Geography of web-based malware attacks, Q3 2020
Local threats
In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
In Q3 2020, our File Anti-Virus detected 87,941,334 malicious and potentially unwanted objects.
Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.
Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
# | Country* | % of attacked users**
1 | Afghanistan | 49.27
2 | Turkmenistan | 45.07
3 | Myanmar | 42.76
4 | Tajikistan | 41.16
5 | Ethiopia | 41.15
6 | Bangladesh | 39.90
7 | Burkina Faso | 37.63
8 | Laos | 37.26
9 | South Sudan | 36.67
10 | Uzbekistan | 36.58
11 | Benin | 36.54
12 | China | 35.56
13 | Sudan | 34.74
14 | Rwanda | 34.40
15 | Guinea | 33.87
16 | Vietnam | 33.79
17 | Mauritania | 33.67
18 | Tanzania | 33.65
19 | Chad | 33.58
20 | Burundi | 33.49
* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.
Geography of local infection attempts, Q3 2020
Overall, 16.40% of user computers globally faced at least one Malware-class local threat during Q3.
The figure for Russia was 18.21%.
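Every per-country rating in this report (financial malware, ransomware, miners, macOS, web and local threats) is built the same way: the share of unique users on whose computers the relevant component triggered, divided by all unique users in that country, with countries below a minimum user count dropped before ranking, and quarter-on-quarter movement expressed in percentage points. The Python below is an added illustration of that methodology, not Kaspersky's own code; the country names and counts are constructed sample data, and the threshold is a parameter because the sections use different cut-offs (10,000, 50,000 or 5,000 users).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CountryStats:
    country: str
    total_users: int      # unique product users in the country over the quarter
    attacked_users: int   # of those, unique users on whose machines the component triggered


def attacked_share(stats: List[CountryStats], min_users: int) -> Dict[str, float]:
    """Share of attacked users per country in percent, rounded to two decimals.
    Countries with fewer than min_users product users are left out, as the report's
    footnotes describe, so a tiny user base cannot produce a misleading high share."""
    shares: Dict[str, float] = {}
    for s in stats:
        if s.total_users < min_users:
            continue
        shares[s.country] = round(100.0 * s.attacked_users / s.total_users, 2)
    return shares


def top_n(shares: Dict[str, float], n: int = 10) -> List[Tuple[str, float]]:
    """Rank countries by share, highest first; ties are broken alphabetically."""
    return sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def pp_change(current: float, previous: Optional[float]) -> Optional[float]:
    """Percentage-point change against the previous quarter, None for a newcomer."""
    if previous is None:
        return None
    return round(current - previous, 2)


def build_rating(stats: List[CountryStats], previous_shares: Dict[str, float],
                 min_users: int, n: int = 10) -> List[Tuple[int, str, float, Optional[float]]]:
    """Rows of (rank, country, share %, p.p. change) in the report's table order."""
    ranked = top_n(attacked_share(stats, min_users), n)
    return [(rank, country, share, pp_change(share, previous_shares.get(country)))
            for rank, (country, share) in enumerate(ranked, start=1)]


# Constructed sample telemetry for one quarter (hypothetical countries, not Kaspersky data).
SAMPLE_CURRENT = [
    CountryStats("Country A", 120_000, 7_900),
    CountryStats("Country B", 50_000, 2_950),
    CountryStats("Country C", 8_000, 800),      # 10% attacked, but under the 10,000-user cut-off
    CountryStats("Country D", 200_000, 3_400),
    CountryStats("Country E", 15_000, 300),     # not present in the previous quarter
]
# Constructed previous-quarter shares, in percent.
SAMPLE_PREVIOUS = {"Country A": 7.1, "Country B": 5.2, "Country D": 1.7}

if __name__ == "__main__":
    for rank, country, share, delta in build_rating(SAMPLE_CURRENT, SAMPLE_PREVIOUS, min_users=10_000):
        move = "new" if delta is None else f"{delta:+.2f} p.p."
        print(f"{rank} | {country} | {share:.2f} | {move}")
```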