Evolution of IT threat Q1 2020. Statistics and statistics
These statistics are based on the detection rates of Kaspersky products received from users who have agreed to provide statistics.
Quarterly indicators
According to Kaspersky’s safety net,
- Kaspersky’s solutions blocked 726,536,269 attacks from Internet sources in 203 countries.
- A total of 442,039,230 unique URLs were found as malicious components of the web antivirus.
- Malware attempts to steal money through online access to bank accounts were recorded on the computers of 249,748 individual users.
- The ransom attacks were repelled on the computers of 178,922 individual users.
- Our antivirus file has detected 164,653,290 unique and potentially unwanted malicious elements.
- Kaspersky products for detected mobile devices :
- 1,152,662 malicious installation packages
- 42,115 Installation kits for mobile banking trojans
- 4339 Installation kits for mobile Trojan horses with fee
Mobile threats
Quarterly events
The first quarter of 2020 will be dominated by the coronavirus pandemic and its exploitation by cybercriminals. In particular, the developers of the new modification of the Ginp Trojan Bank have renamed the malware Coronavirus Finder and then offered it for 0.75 euros, disguised as an application that should be able to detect people infected with COVID-19. For example, the attackers not only tried to mislead users with hot topics, but also to gain access to their credit card details. And because the Trojan remains on the device after the data has been stolen, attackers can intercept text messages with two-factor authorisation codes and use the stolen data without the victim’s knowledge.
Another interesting discovery this quarter: Cookiethief, a Trojan horse that steals cookies from mobile browsers and the Facebook application. If the attack is successful, the malware will give his agent access to the victim’s account, including the ability to perform various actions on his behalf, such as favors, repetitions, etc. To prevent the service from detecting abnormal activity in the intercepted profile, the Trojan contains a proxy module that allows attackers to issue commands.
The third malware that caught our attention this quarter was Trojan Dropper.AndroidOS.Shopper.a. It is designed to help cybercriminals leave fake notes and increase their Google Play score. The goals of cybercriminals are obvious here: They want to strengthen the changes in their applications, which are published and recommended, and alleviate the vigilance of potential victims. Please note that the Trojan horse uses accessibility services to evaluate requests and write messages to fully check another request: in this case, the official Google Play client.
Mobile threat statistics
In the first. In the third quarter of 2020, Kaspersky’s mobile products and technologies discovered 1,152,662 malicious installation packages, 171,669 more than in the previous quarter.
Malicious installation kits detected, Q1 2019 – Q1 2020 (download)
Since the second quarter of 2019, we have seen a steady increase in the number of mobile threats detected. Although it is still too early to sound the alarm (in 2019 the number of new threats was at its lowest in recent years), this trend is worrying.
Distribution of detected mobile applications according to type
Breakdown of newly discovered mobile communication programmes by type, Q1 2020 and Q4 2019 (download)
Of all the threats identified in the first quarter, half (49.9%) were unsolicited advertising requests, and their share increased by 19 percentage points compared to the previous quarter. Members of the HiddenAd and Ewind family were most often detected, with an overall 40% reduction in all adware threats detected, and the FakeAdBlocker family (12%).
Potentially undesirable applications of RiskTool (28.24%) come second, with the share of this type of threat remaining virtually unchanged. The main contributors are the Smsreg family (49% of all identified threats in this category), Agent (17%) and Dnotua (11%). It should be noted that the number of Smsreg family members found increased by more than 50% in the first quarter.
Threats such as the Trojan-Dropper were in third place (9,72%). Although their share has decreased by 7.63 percentage points compared to the previous quarter, droppers remain one of the most common mobile threat classes. The Ingopak became the top family in the first quarter, accounting for 71% of all Trojan and Dropper threats, followed by the Waponor (12%) and the Hqwar (8%), which are far behind.
It should be noted that mobile pipettes are most often used to install financial malware, although some financial threats can spread without their help. The proportion of these self-threatening threats is fairly large: the proportion of Trojan bankers in particular rose by 2.1 percentage points to 3.65% in the first quarter.
Top 20 Mobile malware
Please note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool or Adware.
| Judgement | %* | |
| 1 | HazardObject.Multi.generic | 44.89 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 9.09 |
| 3 | DangerousObject.AndroidOS.GenericML | 7.08 |
| 4 | Trojan Downloader.AndroidOS.Necro.d | 4.52 |
| 5 | Trojan.AndroidOS.Hiddapp.ch | 2.73 |
| 6 | Trojan Downloader.AndroidOS.Helper.a | 2.45 |
| 7 | Trojan.AndroidOS.Handda.san | 2.31 |
| 8 | Trojan dropper.AndroidOS.Necro.z | 2.30 |
| 9 | Trojan.AndroidOS.Necro.a | 2.19 |
| 10 | Trojan Downloader.AndroidOS.Necro.b | 1.94 |
| 11 | Trojan dropper.AndroidOS.Hqwar.gen | 1.82 |
| 12 | Trojan dropper.AndroidOS.Helper.l | 1.50 |
| 13 | Yields.AndroidOS.Lotoor.be | 1.46 |
| 14 | Trojan dropper.AndroidOS.Lezok.p | 1.46 |
| 15 | Trojan banker.AndroidOS.Rotexy.e | 1.43 |
| 16 | Trojan dropper.AndroidOS.Penguin.e | 1.42 |
| 17 | Trojan SMS.AndroidOS.Prizes.a | 1.39 |
| 18 | Trojan.AndroidOS.Dvmap.a | 1.24 |
| 19 | Trojan.AndroidOS.Agent.rt. | 1.21 |
| 20 | Trojan.AndroidOS.Vdloader.a | 1.18 |
* Percentage of users that are attacked by this malware from all users of Kaspersky mobile products that are attacked.
DangerousObject.Multi.Generic (44.89%), the judgment we use to detect malware detected by cloud computing technologies, was, as always, at the top of our top 20. They are activated when antivirus databases do not yet have data to detect a malicious program, but the cloud in the Kaspersky security network already contains information about the object. This usually detects the latest malware.
Second and third place is taken by Trojan.AndroidOS.Boogr.gsh (9,09%) and DangerousObject.AndroidOS.GenericML (7,08%). These judgments are attributed to files that are recognized as malicious by our machine learning systems.
On the fourth (Trojan Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan Downloader.AndroidOS.Necro.b, 1.94%) place there are representatives of the Necro family, whose main task is to download and install modules from the servers of cyber criminals. The eighth dropper.AndroidOS.Necro.z (2.30%) behaves in the same way and only gets the modules it needs. As for the Trojan horse AndroidOS Necro.a, which came ninth (2.19%), the attackers gave it another task: The Trojan horse passes advertising links and clicks on advertising banners in the victim’s name.
The Trojan horse took fifth place: AndroidOS.Hiddapp.ch (2.73%). Once launched, the malware hides its icon in the application list and keeps running in the background. The payload of the Trojan can be other programs or advertising applications.
Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which normally comes with Trojan-Downloader.AndroidOS.Necro. Helper.a has the ability to download and execute random code from an attacker’s server.
The verdict of Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of different Trojan horses that hide their icons, get administrator rights for the device and use packers to escape detection.
Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) deserve special mention. The first is the only Banktrojan in the top 20 of the last quarter. The Rotexi family is six years old and its members have the task of stealing bank card data and intercepting two-factor payment authorization messages. The first member of the penguin pipette family, on the other hand, was only discovered in July last year and reached the age of 1 year. In the third quarter of 2020, the popularity of this product is significant.
Geography of mobile threats
Mobile malware detection card, Q1 2020 (download)
Top 10 countries by share of users attacked by mobile threats
| Country* (in English) | %** | |
| 1 | Iran | 39.56 |
| 2 | Algiers | 21.44 |
| 3 | Bangladesh | 18.58 |
| 4 | Nigeria | 15.58 |
| 5 | Lebanon | 15.28 |
| 6 | Tunis | 14.94 |
| 7 | Pakistan | 13.99 |
| 8 | Kuwait | 13.91 |
| 9 | Indonesia | 13.81 |
| 10 | Cuba | 13.62 |
* Excluded from the ranking of the country with relatively few users of Kaspersky mobile products (less than 10,000).
** Percentage of individual users attacked as a percentage of all Kaspersky mobile product users in the country.
In the first. In the third quarter of 2020, Iran was the leader in the share of users attacked (39.56%). Residents of this country were most likely to receive requests for advertising from the Notifyfyer family and requests to clone telegrams. Algeria ranks second (21.44%), where advertising applications were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place went to Bangladesh (18.58%), where half of the top ten mobile threats were adware from the HiddenAd family.
Mobile banking Trojan
In the reporting period, 42,115 Trojan installation packages for mobile banking were discovered. This is the highest value of the past 18 months and more than 2.5 times higher than in the fourth quarter. The first quarter of 2019. The largest contributors to the statistics were the Trojan-Banker.AndroidOS.Agent family (42.79% of all detected installation packages), Trojan-Banker.AndroidOS.Wroba (16.61%) and Trojan-Banker.AndroidOS.Svpeng (13.66%).
Number of Trojan installation kits for mobile banking detected by Kaspersky, Q1 2019 – Q1 2020 (download)
Top 10 mobile banking Trojan horses
| Judgement | %* | |
| 1 | Trojan banker.AndroidOS.Rotexy.e | 13.11 |
| 2 | Trojan banker.AndroidOS.Svpeng.q | 10.25 |
| 3 | Trojan banker.AndroidOS.Asacub.snt | 7.64 |
| 4 | Trojan banker.AndroidOS.Asacub.ce | 6.31 |
| 5 | Trojan banker.AndroidOS.Agent.eq | 5.70 |
| 6 | Trojan banker.AndroidOS.Anubis.san | 4.68 |
| 7 | Trojan banker.AndroidOS.Agent.ep | 3.65 |
| 8 | Trojan Banker.AndroidOS.Asacub.a | 3.50 |
| 9 | Trojan banker.AndroidOS.Asacub.ar | 3.00 |
| 10 | Trojan Banker.AndroidOS.Agent.cf | 2.70 |
* Individual users attacked by this malware as a percentage of all Kaspersky mobile product users attacked by bank threats.
The first and second place in our group of ten were taken by the Trojans, who were aimed at Russian speaking mobile phone users: Trojan Banker.AndroidOS.Rotexy.e (13.11%) and Trojan Banker.AndroidOS.Svpeng.q (10.25%).
Third, fourth, eighth and ninth place in the top ten mobile banking threats was taken by members of the Asakub family. The intruders behind the Trojan have stopped making new samples, but in the first quarter the distribution channels for the Trojan were still active.
Geography of threats to mobile banking, Q1 2020 (download)
Top 10 countries according to the percentage of users attacked by Trojan horses for mobile banking
| Country* (in English) | %** | |
| 1 | Japan | 0.57 |
| 2 | Spain | 0.48 |
| 3 | Italy | 0.26 |
| 4 | Bolivia | 0.18 |
| 5 | Russia | 0.17 |
| 6 | Turkey | 0.13 |
| 7 | Tajikistan | 0.13 |
| 8 | Brazil | 0.11 |
| 9 | Cuba | 0.11 |
| 10 | China | 0.10 |
* Excluded from the ranking of the country with relatively few users of Kaspersky mobile products (less than 10,000).
** Number of individual users attacked by Trojan horses for mobile banking as a percentage of all Kaspersky mobile product users in the country.
In the first quarter of 2020, Japan accounted for the majority of users attacked by mobile bankers (0.57%), the vast majority of whom were Trojan-Banker.AndroidOS.Agent.eq.
Second place is taken by Spain (0.48%), where we discovered malware of the Trojan-Banker.AndroidOS.Cebruser family in more than half of the cases, and another quarter of the detectives belonged to the Trojan-Banker.AndroidOS.Ginp family.
In third place is Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family is the most widespread, with almost two-thirds of discoveries.
It is interesting to say more about the Sebruser family. Its creators were among the first to use the coronavirus theme to spread malware.
When the Trojan horse is launched, it starts working immediately: It requests access to access services to obtain administrator rights for the device and then tries to obtain card data.
The malware is distributed according to the Malware-as-a-Service model, and the feature set is standard for such threats, but with an interesting detail – the use of a step-by-step activation counter to bypass dynamic scanning tools (sandbox). Cebruser focuses on mobile banking applications in various countries and on popular non-financial applications; the main weapons are phishing windows and the interception of two-factor authentication. In addition, a malicious program can block the screen with a ransom tool and intercept keystrokes on the virtual keyboard.
Mobile Return Trojan horses
In the second quarter of 2020, we found 4,339 installation packages of mobile Trojan extortion programs, down 1,067 on the previous quarter.
Number of mobile Trojan installation kits discovered by Kaspersky for redemption, Q1 2019. – Q1 2020 (download)
Top 10 mobile Trojan horses for ransom
| Judgement | %* | |
| 1 | Trojan ransom.AndroidOS.Svpeng.aj | 17.08 |
| 2 | Trojan Ransom.AndroidOS.Kongur.e | 12.70 |
| 3 | Trojans-Ransom.AndroidOS.Small.as | 11.41 |
| 4 | Trojan ransom.AndroidOS.Rkor.k | 9.88 |
| 5 | Trojans-Ransom.AndroidOS.Small.as | 7.32 |
| 6 | Trojan Ransom.AndroidOS.Small.o. | 4.79 |
| 7 | Trojan ransom.AndroidOS.Svpeng.aj | 3.62 |
| 8 | Trojan ransom.AndroidOS.Svpeng.ah | 3.55 |
| 9 | Trojan Ransom.AndroidOS.Kongur.e | 3.32 |
| 10 | Trojan ransom.AndroidOS.Fusob.h | 3.17 |
* Percentage of individual users that are attacked by this malware compared to all users of Kaspersky mobile products that are attacked by blackmail trojans.
In recent quarters, the number of discovered blackmail of Trojan horses has gradually decreased, but we still see many attempts to infect these kinds of threats. The most important contribution to the statistics was made by the Svpeng, Congur and Small Families.
Geography of mobile rescue trojans, Q1 2020 (download)
Top 10 countries with a percentage of users being attacked by Trojans with a mobile phone.
| Country* (in English) | %** | |
| 1 | UNITED STATES | 0.26 |
| 2 | Kazakhstan | 0.25 |
| 3 | Iran | 0.16 |
| 4 | China | 0.09 |
| 5 | Saudi Arabia | 0.08 |
| 6 | Italy | 0.03 |
| 7 | Mexico | 0.03 |
| 8 | Canada | 0.03 |
| 9 | Indonesia | 0.03 |
| 10 | Switzerland | 0.03 |
* Excluded from the ranking of the country with relatively few users of Kaspersky mobile products (less than 10,000).
** Percentage of individual users attacked by mobile ransom trojans as a percentage of all Kaspersky mobile product users in the country.
The most important countries in terms of the number of users attacked by mobile phone ransoms are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%).
Attacks against Apple MacOS
In the first. In the second quarter of 2020, we discovered not only new versions of common threats, but also a new family of backdoors, of which Backdoor.OSX.Capip.a was the first member. The working principle of the malware is simple: It calls on C&C to execute a shell script, which is then loaded and executed.
Top 20 Threats to MacOS
| Judgement | %* | |
| 1 | Downloader from troyens.OSX.Shlayer.a | 19.27 |
| 2 | AdWare.OSX.Pirrit.j | 10.34 |
| 3 | AdWare.OSX.Cimpli.k | 6.69 |
| 4 | AdWare.OSX.Ketin.h | 6.27 |
| 5 | AdWare.OSX.Pirrit.aa | 5.75 |
| 6 | AdWare.OSX.Pirrit.o | 5.74 |
| 7 | AdWare.OSX.Pirrit.x | 5.18 |
| 8 | AdWare.OSX.Spc.a | 4.56 |
| 9 | AdWare.OSX.Cimpli.f | 4.25 |
| 10 | AdWare.OSX.Bnodlero.t | 4.08 |
| 11 | AdWare.OSX.Bnodlero.x | 3.74 |
| 12 | Hoax.OSX.SuperClean.gen | 3.71 |
| 13 | AdWare.OSX.Cimpli.h | 3.37 |
| 14 | AdWare.OSX.Pirrit.v | 3.30 |
| 15 | AdWare.OSX.Amc.c | 2.98 |
| 16 | AdWare.OSX.MacSearch.d | 2.85 |
| 17 | RiskTool.OSX.Cones.a | 2.84 |
| 18 | AdWare.OSX.Pirrit.s | 2.80 |
| 19 | AdWare.OSX.Ketin.d | 2.76 |
| 20 | AdWare.OSX.Bnodlero.aq | 2.70 |
* Percentage of individual users that are attacked by this malware from all users of Kaspersky security solutions for the macros that are attacked.
In the first. In the first quarter of 2020, the 20 main threats to the macro have not changed significantly. The advertising Trojan Shlayer.a (19.27%) still ranks first, followed by the items Shlayer downloads itself on the infected system, including many advertising applications of the Pirrit family.
It is interesting to note that the unwanted program Hoax.OSX.SuperClean.gen was on position 12 of the list. Like other programs such as Hoax, it is distributed under the guise of a system-cleaning program and immediately after installation scares the user away from problems that would have been found in the system, such as gigabytes of garbage on the hard disk.
Geography of threats
| Country* (in English) | %** | |
| 1 | Spain | 7.14 |
| 2 | France | 6.94 |
| 3 | Italy | 5.94 |
| 4 | Canada | 5.58 |
| 5 | UNITED STATES | 5.49 |
| 6 | Russia | 5.10 |
| 7 | India | 4.88 |
| 8 | Mexico | 4.78 |
| 9 | Brazil | 4.65 |
| 10 | Belgium | 4.65 |
* Excluded from the country rating with relatively few Kaspersky Security Solutions for Macros users (less than 5,000)
** Unique users who have experienced macro threats as a percentage of all Kaspersky Security Solutions for Macros users in the country.
As in previous quarters, Spain (7.14%), France (6.94%) and Italy (5.94%) were the leaders. The most important factor contributing to the number of discoveries in these countries were the well-known advertising applications of Trojans and Shlayer from the Pirrit family.
IoT attacks
IoT threat statistics
In the first. In the third quarter of 2020, the number of IP addresses trying to attack Kaspersky Telnet’s traps has increased significantly. They accounted for 81.1% of all IP addresses attacked, while SSH traps accounted for almost 19%.
Distribution of services attacked by the number of unique IP addresses of the devices that carried out the attack, 1. quarter of 2020.
The situation was similar to that of the monitoring meetings: Attackers have often checked infected traps via Telnet.
Dissemination of work sessions of cybercriminals with Kaspersky traps, 1. quarter 2020.
Telnet attacks
Geography of IP addresses of devices attacked by Kaspersky Telnet 1 Q1 2020 trap (download)
Top ten countries per location of the devices from which the Kaspersky booby trap attacks were carried out.
| Country* (in English) | % |
| China | 13.04 |
| Egypt | 11.65 |
| Brazil | 11.33 |
| Vietnam | 7.38 |
| Taiwan | 6.18 |
| Russia | 4.38 |
| Iran | 3.96 |
| India | 3.14 |
| Turkey | 3.00 |
| UNITED STATES | 2.57 |
China has been a leader in the number of attacking robots for several consecutive quarters: in the first quarter of 2009 the number of robots that attacked China in the third quarter of 2020 was 13.04%. As before, Egypt (11.65%) and Brazil (11.33%) follow.
Attacks against SSH
Geography of IP addresses of devices subject to Kaspersky SSH attacks Q1 2020 (download)
Top ten countries by location of the devices from which the Kaspersky SSH traps were attacked
| Country* (in English) | % |
| China | 14.87 |
| Vietnam | 11.58 |
| UNITED STATES | 7.03 |
| Egypt | 6.82 |
| Brazil | 5.79 |
| Russia | 4.66 |
| India | 4.16 |
| Germany | 3.64 |
| Thailand | 3.44 |
| France | 2.83 |
In the first. In the third quarter of 2020, China (14.87%), Vietnam (11.58%) and the United States (7.03%) were among the top three countries in terms of the number of unique IP addresses from which SSH trap attacks were launched.
Threats to honey jars
| Judgement | %* |
| Trojan Downloader.Linux.NyaDrop.b | 64.35 |
| Backdoor.Linux.Mirai.b | 16.75 |
| Backdoor.Linux.Mirai.ba | 6.47 |
| The back door. Linux.Gafgyt.a. | 4.36 |
| Backdoor.Linux.Gafgyt.bj | 1.30 |
| Trojan charger: Shell.Agent.p. | 0.68 |
| Backdoor.Linux.Mirai.c | 0.64 |
| Backdoor.Linux.Hajime.b | 0.46 |
| The back door. Linux.Mirai.h. | 0.40 |
| Backdoor.Linux.Gafgyt.av | 0.35 |
* Share of the type of malware in the total amount of malware downloaded after a successful attack on IoT devices.
In the first. In the third quarter of 2020, attackers usually downloaded a minimalistic trojan loader, NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family have traditionally prevailed: The members took four places in our top ten. This malware will continue to dominate the world of IoT threats for a long time to come, at least until a more advanced (and publicly available) DDoS bot emerges.
Financial threats
Financial threat statistics
In the first. In the third quarter of 2020, Kaspersky solutions blocked attempts to launch one or more types of malware to steal money from the bank accounts of 249,748 users’ computers.
Number of unique users that have been attacked by financial malware, Q1 2020 (download)
Geography of the attack
In order to assess and compare the risk of bank trojans and ATM and POS malware in different countries, we calculated for each country the percentage of Kaspersky product users facing this threat in the reporting period.
Geography of malware attacks in banks, Q1 2020 (download)
Top 10 countries by proportion of users attacked
| Country* (in English) | %** | |
| 1 | Uzbekistan | 10.5 |
| 2 | Tajikistan | 6.9 |
| 3 | Turkmenistan | 5.5 |
| 4 | Afghanistan | 5.1 |
| 5 | Yemen | 3.1 |
| 6 | Kazakhstan | 3.0 |
| 7 | Guatemala | 2.8 |
| 8 | Syria | 2.4 |
| 9 | Sudan | 2.1 |
| 10 | Kyrgyzstan | 2.1 |
* Exceptions are countries with relatively few users of Kaspersky products (less than 10,000).
** Percentage of individual users whose computers are affected by financial malware among all individual users of Kaspersky products in the country.
Top 10 malware families for banks
| Name | Reviews | %* | |
| 1 | Emotet | Backdoor.Win32.Emotet | 21.3 |
| 2 | Zbot | Trojan.Win32.Zbot | 20.8 |
| 3 | CliptoShuffler | Trojan banker.Win32.CliptoShuffler | 17.2 |
| 4 | RTM | Trojan banker.Win32.RTM | 12.3 |
| 5 | Zero | Virus.Win32.Nimnul | 3.6 |
| 6 | Griffins | Trojan.Win32.Trickster | 3.6 |
| 7 | Neuret | Trojan.Win32.Neurevt | 3.3 |
| 8 | The eye of the spy | Trojan spy.Win32.SpyEye | 2.3 |
| 9 | Danabot | Trojan banker.Win32.Danabot | 2.0 |
| 10 | Nymaim | Trojan.Win32.Nymaim | 1.9 |
** Percentage of users attacked by this malware family as a percentage of all users attacked by financial malware.
Repurchase programmes
Quarterly indicators
Attacks on municipal and community organisations and networks have not been facilitated. Given the profitability they represent for cybercriminals, there is no reason to continue this trend for several years.
More and more ransom programs are starting to complete the coding of the data theft. To date, this tactic has been adopted by Redemption Family distributors such as Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for the decryption (e.g. because the data have been restored from the backup), the attackers threaten to disclose the stolen confidential information. These threats are sometimes futile, but not always: The perpetrators of various blackmail programmes have set up sites that effectively publish data from victim organisations.
Number of new changes
In the first. In the third quarter of 2020, we discovered five new ransom families and 5,225 new modifications to these malicious programs.
Number of newly detected recall actions, Q1 2019 – Q1 2020 (download)
Number of users attacked by extortion Trojan horses
In the first. In the first quarter of 2020, Kaspersky’s products and technologies protected 178,922 users from redemption.
Number of unique users who have been attacked by free Trojan horses, Q1 2020 (download)
Geography of the attack
Geography of Trojan horse ransom, T1 2020 (download)
Top 10 countries attacked by rogue Trojans
| Country* (in English) | %** | |
| 1 | Bangladesh | 6.64 |
| 2 | Uzbekistan | 1.98 |
| 3 | Mozambique | 1.77 |
| 4 | Ethiopia | 1.67 |
| 5 | Nepal | 1.34 |
| 6 | Afghanistan | 1.31 |
| 7 | Egypt | 1.21 |
| 8 | Ghana | 0.83 |
| 9 | Azerbaijan | 0.81 |
| 10 | Serbia | 0.74 |
* Countries with relatively few Kaspersky users (less than 50,000) are excluded.
** Percentage of unique users whose computers have been attacked by blackmail trojans among all unique users of Kaspersky products in the country.
The 10 most common ransoms Trojan Family
| Name | Reviews | %* | |||
| 1 | WannaCry | Trojan ransom.Win32.Wanna | 19.03 | ||
| 2 | (common stop) | Trojan ransom.Win32.Gen | 16.71 | ||
| 3 | (common stop) | Trojan ransom.Win32.Phny | 16.22 | ||
| 4 | Gent-Krabbe | Trojan ransom.Win32.GandCrypt | 7.73 | ||
| 5 | Stop | Trojan ransom.Win32.Stop | 6.62 | ||
| 6 | (common stop) | Trojan ransom.Win32.encryptor | 4.28 | ||
| 7 | (common stop) | Trojan ransom.Win32.Crypren | 4.15 | ||
| 8 | PolyRance/Virl curl | Virus.Win32.PolyRansom,
Purchase of Trojan horses.Win32.PolyRansom |
2.96 | ||
| 9 | Crisis / Dharma | Trojan ransom.Win32.Crusis | 2.02 | ||
| 10 | (common stop) | Trojan ransom.Win32.generic | 1.56 | ||
* Number of Kaspersky users attacked for ransom by the Trojan family as a percentage of the total number of users attacked for ransom by Trojan horses.
Minors
Number of new changes
In the first. In the third quarter of 2020 Kaspersky Solutions discovered 192,036 new modifications by miners.
Number of new minor changes, Q1 2020 (download)
Number of users that have been attacked by minors
In the first quarter, we discovered underage attacks on the computers of 518,857 individual users of Kaspersky Lab products worldwide.
Number of individual users who have been attacked by minors, Q1 2020 (download)
Geography of the attack
Geography of mine attacks, Q1 2020 (download)
The 10 countries attacked by miners
| Country* (in English) | %** | |
| 1 | Afghanistan | 6.72 |
| 2 | Ethiopia | 4.90 |
| 3 | Tanzania | 3.26 |
| 4 | Sri Lanka | 3.22 |
| 5 | Uzbekistan | 3.10 |
| 6 | Rwanda | 2.56 |
| 7 | Vietnam | 2.54 |
| 8 | Kazakhstan | 2.45 |
| 9 | Mozambique | 1.96 |
| 10 | Pakistan | 1.67 |
* Countries with relatively few users of Kaspersky products (less than 50,000) are excluded.
** Individual users whose computers have been attacked by minors as a percentage of all individual users of Kaspersky products in the country.
Vulnerable applications used by cyber criminals inCyber attacks
We have already established that Microsoft Office’s vulnerabilities are the most common. The first quarter of 2020 was no exception: the share of exploits of these vulnerabilities increased to 74.83%. The most common vulnerability in Microsoft Office was CVE-2017-11882, related to a stack overflow error in the Comparison Editor section. The CVE-2017-8570, which is used to embed a malicious script in an OLE object within an Office document, is a heavyweight. A number of other vulnerabilities, such as CVE-2018-0802 and CVE-2017-8759, were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user’s system is infected.
Secondly, exploits for vulnerabilities in the web browser (11.06%). In the first quarter, attackers attacked several browsers, including Microsoft Internet Explorer, Google Chrome and Mozilla Firefox. In addition, some vulnerabilities in the APT attacks have been exploited, for example B. CVE-2020-0674, which relates to the incorrect handling of in-memory objects in the outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified CVE-2019-17026, a datatype displacement vulnerability in Mozilla Firefox’s JIT compiler, which also leads to code execution remotely. If an attack is successful, both browsers lead to a malware infection. The researchers also discovered a targeted attack on Google Chrome using the RCE CVE-2020-6418 vulnerability in the JavaScript engine; in addition, the dangerous RCE CVE-2020-0767 vulnerability was discovered in the part of the ChakraCore scripting engine used by Microsoft Edge. Despite the fact that modern browsers have their own protection mechanisms, cybercriminals are constantly finding ways to circumvent them, very often through chains of exploitation. It is therefore very important to always keep the operating system and software up-to-date.
Subdivision of explosive devices used in attacks by type of application under attack, Q1 2020 (download)
This quarter a wide range of critical vulnerabilities in operating systems and their components have been discovered.
- CVE-2020-0601 is a vulnerability that uses an error in the main cryptographic library of Windows, a certificate validation algorithm that uses elliptical curves. This vulnerability allows the use of false certificates recognised as legitimate by the system.
- CVE-2020-0729 is a Windows LNK file processing problem that allows remote code execution if the user opens a malicious shortcut.
- CVE-2020-0688 is the result of a standard configuration error in Microsoft Exchange Server, where the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data so that attackers can execute their code on the server side with system privileges.
Various network attacks on system services and network protocols are more popular than ever with attackers. We continue to seek to exploit SME vulnerabilities with EternalBlue, EternalRomance and similar exploitation kits. In the first. In the fourth quarter of 2020, a new CVE-2020-0796 (SMBGhost) vulnerability in the SMBv3 network protocol was discovered. It leads to remote code execution, so that an attacker does not even need to know the username/password combination (because the error occurs before the authentication phase), but it is only present in Windows 10. Remote Desktop Gateway has two critical vulnerabilities (CVE-2020-0609 and CVE-2020-0610) that allow an unauthorized user to remotely execute code on the target system. In addition, more attempts were made to find Remote Desktop Services and Microsoft SQL Server passwords using the SMB protocol.
Web traps
The statistics in this section are based on a web-based antivirus that protects users when downloading malicious objects from malicious/infected web pages. Malicious websites are specifically created by cybercriminals and can infect web resources with user-generated content (e.g. forums) and endanger legitimate sources.
Countries that are the source of attacks on the web: Top 10
The following statistics show the distribution of sources of Internet attacks blocked by Kaspersky products per country on user computers (exploit redirects websites, exploit and other malware sites, bot services, etc.). Each individual host can be the source of one or more attacks on the web.
To determine the geographical source of attacks on the web, domain names are mapped to their actual domain IP addresses and then the geographical location of a particular IP address (GEOIP) is determined.
In the first. In the third quarter of 2020, Kaspersky’s decisions defeated 726,536,269 Internet resource attacks in 203 countries. 442,039,230 unique URLs were detected as malicious components of a web antivirus.
Country breakdown of the sources of web traps, quarter 2020 (download)
Countries where users are most at risk of online infection
In order to assess the risk of online infection for users in different countries, we calculated for each country the percentage of Kaspersky users whose computers were equipped with web antivirus software during the quarter. The data obtained gives an idea of the aggressive environment in which computers operate in different countries.
This assessment only covers malware attacks classified as malware; it does not include web-based antivirus detection of potentially dangerous or unwanted programs such as RiskTool or Adware.
| Country* (in English) | % of users attacked** | |
| 1 | Bulgaria | 13.89 |
| 2 | Tunis | 13.63 |
| 3 | Algiers | 13.15 |
| 4 | Libya | 12.05 |
| 5 | Bangladesh | 9.79 |
| 6 | Greece | 9.66 |
| 7 | Latvia | 9.64 |
| 8 | Somalia | 9.20 |
| 9 | Philippines | 9.11 |
| 10 | Morocco | 9.10 |
| 11 | Albania | 9.09 |
| 12 | Taiwan, China Province | 9.04 |
| 13 | Mongolia | 9.02 |
| 14 | Nepal | 8.69 |
| 15 | Indonesia | 8.62 |
| 16 | Egypt | 8.61 |
| 17 | Georgia | 8.47 |
| 18 | France | 8.44 |
| 19 | Palestine | 8.34 |
| 20 | Qatar | 8.30 |
* Countries with relatively few Kaspersky users (less than 10,000) are excluded.
** Percentage of unique users affected by malware attacks from all unique users of Kaspersky products in the country.
These statistics are based on the detection rates returned by the Web Antivirus module and received from Kaspersky product users who have agreed to provide the statistics.
On average, 6.56% of Internet users’ computers worldwide have been attacked by at least one class of malware.
Geography of malicious internet attacks, Q1 2020 (download)
Local threats
In this section we analyze the statistical data obtained using the OA and OCP modules in Kaspersky products. Malicious programs that are detected directly on the user’s computer or on removable media attached to the computer (flash drives, camera memory cards, telephones, external hard drives) or that were originally introduced into the computer in an unknown form (e.g. programs in complex installation programs, encrypted files, etc.) are not considered malware.
In the first. In the first quarter of 2020, our antivirus registry registered 164,653,290 malicious and potentially unwanted items.
Countries where users were most at risk of local contamination
For each country, we calculated the percentage of Kaspersky product users on whose computer file antivirus was launched during the reference period. These statistics show the degree of pollution of personal computers in different countries.
Please note that this assessment only covers malware attacks classified as malware; it does not include file-based antivirus triggers in response to potentially dangerous or unwanted programs such as RiskTool or Adware.
| Country* (in English) | % of users attacked** | |
| 1 | Afghanistan | 52.20 |
| 2 | Tajikistan | 47.14 |
| 3 | Uzbekistan | 45.16 |
| 4 | Ethiopia | 45.06 |
| 5 | Myanmar | 43.14 |
| 6 | Bangladesh | 42.14 |
| 7 | Kyrgyzstan | 41.52 |
| 8 | Yemen | 40.88 |
| 9 | China | 40.67 |
| 10 | Benin | 40.21 |
| 11 | Mongolia | 39.58 |
| 12 | Algiers | 39.55 |
| 13 | Laos | 39.21 |
| 14 | Burkina Faso | 39.09 |
| 15 | Malawi | 38.42 |
| 16 | Sudan | 38.34 |
| 17 | Rwanda | 37.84 |
| 18 | Iraq | 37.82 |
| 19 | Vietnam | 37.42 |
| 20 | Mauritania | 37.26 |
* Countries with relatively few Kaspersky users (less than 10,000) are excluded.
** Unique users on whose computers local malware threats are blocked, as a percentage of all unique users of Kaspersky products in the country.
Geography of local infection testing, Q1 2020 (download)
In total, 19.16% of user computers worldwide faced at least one local malware class threat in the first quarter.latest malware threats 2020,2020 threat reports,advanced persistent threat statistics,ransomware trends 2020,malware trends 2020,threat report format,2019 internet security threat report pdf,cyber threat landscape 2018
