IT threat evolution Q3 2019. Statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network:

  • Kaspersky solutions blocked 989,432,403 attacks launched from online resources in 203 countries across the globe.
  • 560,025,316 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were blocked on the computers of 197,559 users.
  • Ransomware attacks were defeated on the computers of 229,643 unique users.
  • Our File Anti-Virus detected 230,051,054 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 870,617 malicious installation packages
    • 13,129 installation packages for mobile banking Trojans
    • 13,179 installation packages for mobile ransomware Trojans

Mobile threats

Quarterly highlights

In Q3 2019, we discovered an extremely unpleasant incident with the popular CamScanner app on Google Play. The new version of the app contained an ad library inside with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper’s task was to activate paid subscriptions, although it could deliver another payload if required.

Another interesting Trojan detected in Q3 2019 is Trojan.AndroidOS.Agent.vn. Its main function is to “like” Facebook posts when instructed by its handlers. Interestingly, to make the click, the Trojan attacks the Facebook mobile app on the infected device, literally forcing it to execute its command.

In the same quarter, we discovered new FinSpy spyware Trojans for iOS and Android. In the fresh versions, the focus is on snooping on correspondence in messaging apps. The iOS version requires a jailbreak to do its job, while the Android version is able to spy on the encrypted Threema app among others.

Mobile threat statistics

In Q3 2019, Kaspersky detected 870,617 malicious installation packages.

Number of detected malicious installation packages, Q4 2018 – Q3 2019 (download)

Whereas in previous quarters we observed a noticeable drop in the number of new installation packages, Q3’s figure was up by 117,067 packages compared to the previous quarter.

Distribution of detected mobile apps by type

Distribution of detected mobile apps by type, Q2 and Q3 2019 (download)

Among all the mobile threats detected in Q3 2019, the lion’s share went to potentially unsolicited RiskTool-class programs (32.1%), which experienced a fall of 9 p.p. against the previous quarter. The most frequently detected objects were in the RiskTool.AndroidOS families: Agent (33.07% of all detected threats in this class), RiskTool.AndroidOS.Wapron (16.43%), and RiskTool.AndroidOS.Smssend (10.51%).

Second place went to miscellaneous Trojans united under the Trojan class (21.68%), their share increased by 10 p.p. The distribution within the class was unchanged since the previous quarter, with the Trojan.AndroidOS.Hiddapp (32.5%), Trojan.AndroidOS.Agent (12.8%), and Trojan.AndroidOS.Piom (9.1% ) families remaining in the lead. Kaspersky’s machine-learning systems made a significant contribution to detecting threats: Trojans detected by this technology (the Trojan.AndroidOS.Boogr verdict) made up 28.7% — second place after Hiddapp.

In third place were Adware-class programs (19.89%), whose share rose by 1 p.p. in the reporting period. Most often, adware programs belonged to one of the following families: AdWare.AndroidOS.Ewind (20.73% of all threats in this class), AdWare.AndroidOS.Agent (20.36%), and AdWare.AndroidOS.MobiDash (14.27%).

Threats in the Trojan-Dropper class (10.44%) remained at the same level with insignificant (0.5 p.p.) growth. The vast majority of detected droppers belonged to the Trojan-Dropper.AndroidOS.Wapnor family (69.7%). A long way behind in second and third place, respectively, were Trojan-Dropper.AndroidOS.Wroba (14.58%) and Trojan-Dropper.AndroidOS.Agent (8.75%).

TOP 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs classified as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 48.71
2 Trojan.AndroidOS.Boogr.gsh 9.03
3 Trojan.AndroidOS.Hiddapp.ch 7.24
4 Trojan.AndroidOS.Hiddapp.cr 7.23
5 Trojan-Dropper.AndroidOS.Necro.n 6.87
6 DangerousObject.AndroidOS.GenericML 4.34
7 Trojan-Downloader.AndroidOS.Helper.a 1.99
8 Trojan-Banker.AndroidOS.Svpeng.ak 1.75
9 Trojan-Dropper.AndroidOS.Agent.ok 1.65
10 Trojan-Dropper.AndroidOS.Hqwar.gen 1.52
11 Trojan-Dropper.AndroidOS.Hqwar.bb 1.46
12 Trojan-Downloader.AndroidOS.Necro.b 1.45
13 Trojan-Dropper.AndroidOS.Lezok.p 1.44
14 Trojan.AndroidOS.Hiddapp.cf 1.41
15 Trojan.AndroidOS.Dvmap.a 1.27
16 Trojan.AndroidOS.Agent.rt 1.24
17 Trojan-Banker.AndroidOS.Asacub.snt 1.21
18 Trojan-Dropper.AndroidOS.Necro.q 1.19
19 Trojan-Dropper.AndroidOS.Necro.l 1.12
20 Trojan-SMS.AndroidOS.Prizmes.a 1.12

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked.

First place in our TOP 20 as ever went to DangerousObject.Multi.Generic (48.71%), the verdict we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and six places were claimed by Trojan.AndroidOS.Boogr.gsh (9.03%) and DangerousObject.AndroidOS.GenericML (4.34%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Third, fourth, and fourteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to covertly foist ads onto victims.

Fifth, twelfth, eighteenth, and nineteenth positions went to Trojan droppers of the Necro family. Although this family showed up on the radar last quarter, really serious activity was observed only in this reporting period.

Seventh place goes to Trojan-Downloader.AndroidOS.Helper.a (1.99%), which is what members of the Necro family usually extract from themselves. Helper.a is tasked with downloading arbitrary code from malicious servers and running it.

The eighth place was taken by the malware Trojan-Banker.AndroidOS.Svpeng.ak (1.75%), the main task of which is to steal online banking credentials and intercept two-factor authorization codes.

Ninth position went to Trojan-Dropper.AndroidOS.Agent.ok (1.65%), which is distributed under the guise of FlashPlayer or a Rapidshare client. Most commonly, it drops adware modules into the infected system.

Tenth and eleventh places went to members of the Trojan-Banker.AndroidOS.Hqwar family. The popularity of this dropper among cybercriminals continues to fall.

Geography of mobile threats

Geography of mobile malware infection attempts, Q3 2019 (download)

TOP 10 countries by share of users attacked by mobile malware

Country* %**
1 Iran 52.68
2 Bangladesh 30.94
3 India 28.75
4 Pakistan 28.13
5 Algeria 26.47
6 Indonesia 23.38
7 Nigeria 22.46
8 Tanzania 21.96
9 Saudi Arabia 20.05
10 Egypt 19.44

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile bankers as a percentage of all users of Kaspersky mobile solutions in the country.

In Q3’s TOP 10, Iran (52.68%) retained top spot by share of attacked users. Note that over the reporting period the country’s share almost doubled. Kaspersky users in Iran most often encountered the adware app AdWare.AndroidOS.Agent.fa (22.03% of the total number of mobile threats), adware installing Trojan.AndroidOS.Hiddapp.bn (14.68% ) and the potentially unwanted program RiskTool.AndroidOS.Dnotua.yfe (8.84%).

Bangladesh (30.94%) retained second place in the ranking. Users in this country most frequently encountered adware programs, including AdWare.AndroidOS.Agent.fс (27.58% of the total number of mobile threats) and AdWare.AndroidOS.HiddenAd.et (12.65%), as well as Trojan.AndroidOS.Hiddapp.cr (20.05%), which downloads adware programs.

India (28.75%) climbed to third place due to the same threats that were more active than others in Bangladesh: AdWare.AndroidOS.Agent.fс (36.19%), AdWare.AndroidOS.HiddenAd.et (17.17%) and Trojan.AndroidOS.Hiddapp.cr (22.05%).

Mobile banking Trojans

In the reporting period, we detected 13,129 installation packages for mobile banking Trojans, only 770 fewer than in Q2 2019.

The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Svpeng (40.59% of all detected banking Trojans), Trojan-Banker.AndroidOS. Agent (11.84%), and Trojan-Banker.AndroidOS.Faketoken (11.79%) families.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 – Q3 2019 (download)

TOP 10 mobile banking Trojans

Verdict %*
1 Trojan-Banker.AndroidOS.Svpeng.ak 16.85
2 Trojan-Banker.AndroidOS.Asacub.snt 11.61
3 Trojan-Banker.AndroidOS.Svpeng.q 8.97
4 Trojan-Banker.AndroidOS.Asacub.ce 8.07
5 Trojan-Banker.AndroidOS.Agent.ep 5.51
6 Trojan-Banker.AndroidOS.Asacub.a 5.27
7 Trojan-Banker.AndroidOS.Faketoken.q 5.26
8 Trojan-Banker.AndroidOS.Agent.eq 3.62
9 Trojan-Banker.AndroidOS.Faketoken.snt 2.91
10 Trojan-Banker.AndroidOS.Asacub.ar 2.81

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by banking threats.

The TOP 10 banking threats in Q3 2019 was headed by Trojans of the Trojan-Banker.AndroidOS.Svpeng family: Svpeng.ak (16.85%) took first place, and Svpeng.q (8.97%) third. This is not the first time we have detected amusing obfuscation in Trojans from Russian-speaking cybercriminals — this time the code of the malware Svpeng.ak featured the names of video games.

Snippets of decompiled code from Trojan-Banker.AndroidOS.Svpeng.ak

Second, fourth, sixth, and tenth positions in Q3 went to the Asacub Trojan family. Despite a decrease in activity, Asacub samples are still found on devices around the world.

Geography of mobile banking threats, Q3 2019 (download)

TOP 10 countries by share of users attacked by mobile banking Trojans:

Country* %**
1 Russia 0.30
2 South Africa 0.20
3 Kuwait 0.18
4 Tajikistan 0.13
5 Spain 0.12
6 Indonesia 0.12
7 China 0.11
8 Singapore 0.11
9 Armenia 0.10
10 Uzbekistan 0.10

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

In Q3 Russia moved up to first place (0.30%), which impacted the entire pattern of mobile bankers spread around the world. Users in Russia were most often targeted with Trojan-Banker.AndroidOS.Svpeng.ak (17.32% of all attempts to infect unique users with mobile financial malware). The same Trojan made it into the TOP 10 worldwide. It is a similar story with second and third places: Trojan-Banker.AndroidOS.Asacub.snt (11.86%) and Trojan-Banker.AndroidOS.Svpeng.q (9.20%).

South Africa fell to second place (0.20%), where for the second quarter in a row Trojan-Banker.AndroidOS.Agent.dx (89.80% of all mobile financial malware) was the most widespread threat.

Bronze went to Kuwait (0.21%), where, like in South Africa, Trojan-Banker.AndroidOS.Agent.dx (75%) was most often encountered.

Mobile ransomware Trojans

In Q3 2019, we detected 13,179 installation packages for mobile ransomware — 10,115 fewer than last quarter. We observed a similar drop in Q2, so since the start of the year the number of mobile ransomware Trojans has decreased almost threefold. The reason, as we see it, is the decline in activity of the group behind the Asacub Trojan.

Number of installation packages for mobile banking Trojans, Q3 2018 – Q3 2019 (download)

TOP 10 mobile ransomware Trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.aj 40.97
2 Trojan-Ransom.AndroidOS.Small.as 8.82
3 Trojan-Ransom.AndroidOS.Svpeng.ah 5.79
4 Trojan-Ransom.AndroidOS.Rkor.i 5.20
5 Trojan-Ransom.AndroidOS.Rkor.h 4.78
6 Trojan-Ransom.AndroidOS.Small.o 3.60
7 Trojan-Ransom.AndroidOS.Svpeng.ai 2.93
8 Trojan-Ransom.AndroidOS.Small.ce 2.93
9 Trojan-Ransom.AndroidOS.Fusob.h 2.72
10 Trojan-Ransom.AndroidOS.Small.cj 2.66

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans.

In Q3 2019, the leading positions among ransomware Trojans were retained by members of the Trojan-Ransom.AndroidOS.Svpeng family. Top spot, as in the previous quarter, was claimed by Svpeng.aj (40.97%), with Svpeng.ah (5.79%) in third.

Geography of mobile ransomware Trojans, Q3 2019 (download)

TOP 10 countries by share of users attacked by mobile ransomware Trojans:

Country* %**
1 US 1.12
2 Iran 0.25
3 Kazakhstan 0.25
4 Oman 0.09
5 Qatar 0.08
6 Saudi Arabia 0.06
7 Mexico 0.05
8 Pakistan 0.05
9 Kuwait 0.04
10 Indonesia 0.04

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

The leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.12%), Iran (0.25%), and Kazakhstan (0.25%)

Attacks on Apple macOS

Q3 saw a lull in the emergence of new threats. An exception was the distribution of a modified version of the Stockfolio investment app, which contained an encrypted reverse shell backdoor.

TOP 20 threats for macOS

Verdict %*
1 Trojan-Downloader.OSX.Shlayer.a 22.71
2 AdWare.OSX.Pirrit.j 14.43
3 AdWare.OSX.Pirrit.s 11.73
4 AdWare.OSX.Pirrit.p 10.43
5 AdWare.OSX.Pirrit.o 9.71
6 AdWare.OSX.Bnodlero.t 8.40
7 AdWare.OSX.Spc.a 7.32
8 AdWare.OSX.Cimpli.d 6.92
9 AdWare.OSX.MacSearch.a 4.88
10 Adware.OSX.Agent.d 4.71
11 AdWare.OSX.Ketin.c 4.63
12 AdWare.OSX.Ketin.b 4.10
13 Downloader.OSX.InstallCore.ab 4.01
14 AdWare.OSX.Cimpli.e 3.86
15 AdWare.OSX.Bnodlero.q 3.78
16 AdWare.OSX.Cimpli.f 3.76
17 AdWare.OSX.Bnodlero.x 3.49
18 AdWare.OSX.Mcp.a 3.26
19 AdWare.OSX.MacSearch.d 3.18
20 AdWare.OSX.Amc.a 3.15

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked.

Like last quarter, the adware Trojan Shlayer was the top threat for macOS. This malware in turn downloaded adware programs of the Pirrit family, as a result of which its members took the second to fifth positions in our ranking.

Threat geography

Country* %**
1 France 6.95
2 India 6.24
3 Spain 5.61
4 Italy 5.29
5 US 4.84
6 Russia 4.79
7 Brazil 4.75
8 Mexico 4.68
9 Canada 4.46
10 Australia 4.27

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

The geographical distribution of attacked users underwent some minor changes: India took silver with 6.24% of attacked users, while Spain came in third with 5.61%. France (6.95%) hung on to first position.

IoT attacks

IoT threat statistics

In Q3, the trend continued toward a decrease in the number of IP addresses of devices used to carry out attacks on Kaspersky Telnet honeypots. If in Q2 Telnet’s share was still significantly higher than that of SSH, in Q3 the figures were almost equal.

SSH 48.17%
Telnet 51.83%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2019

As for the number of sessions involving Kaspersky traps, we noted that in Q3 Telnet-based control was also deployed more often.

SSH 40.81%
Telnet 59.19%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2019

Telnet-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2019 (download)

TOP 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky traps

Country %*
1 China 13.78
2 Egypt 10.89
3 Brazil 8.56
4 Taiwan 8.33
5 US 4.71
6 Russia 4.35
7 Turkey 3.47
8 Vietnam 3.44
9 Greece 3.43
10 India 3.41

Last quarter’s leaders Egypt (10.89%), China (13.78%), and Brazil (8.56%) again made up the TOP 3, the only difference being that this time China took the first place.

Telnet-based attacks most often resulted in the download of a member of the notorious Mirai family.

TOP 10 malware downloaded to infected IoT devices via successful telnet-based attacks

Verdict %*
1 Backdoor.Linux.Mirai.b 38.08
2 Trojan-Downloader.Linux.NyaDrop.b 27.46
3 Backdoor.Linux.Mirai.ba 16.52
4 Backdoor.Linux.Gafgyt.bj 2.76
5 Backdoor.Linux.Mirai.au 2.21
6 Backdoor.Linux.Mirai.c 2.02
7 Backdoor.Linux.Mirai.h 1.81
8 Backdoor.Linux.Mirai.ad 1.66
9 Backdoor.Linux.Gafgyt.az 0.86
10 Backdoor.Linux.Mirai.a 0.80

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful Telnet-based attack.

SSH-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2019 (download)

TOP 10 countries by location of devices from which attacks were made on Kaspersky SSH traps

Country %*
1 Egypt 17.06
2 Vietnam 16.98
3 China 13.81
4 Brazil 7.37
5 Russia 6.71
6 Thailand 4.53
7 US 4.13
8 Azerbaijan 3.99
9 India 2.55
10 France 1.53

In Q3 2019, the largest number of attacks on Kaspersky traps using the SSH protocol came from Egypt (17.06%). Vietnam (16.98%) and China (13.81%) took second and third places, respectively.

Financial threats

Financial threat statistics

In Q3 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 197,559 users.

Number of unique users attacked by financial malware, Q3 2019 (download)

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q3 2019 (download)

TOP 10 countries by share of attacked users

Country* %**
1 Belarus 2.9
2 Uzbekistan 2.1
3 South Korea 1.9
4 Venezuela 1.8
5 Tajikistan 1.4
6 Afghanistan 1.3
7 China 1.2
8 Syria 1.2
9 Yemen 1.2
10 Sudan 1.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 banking malware families

Name Verdicts %*
1 Zbot Trojan.Win32.Zbot 26.7
2 Emotet Backdoor.Win32.Emotet 23.9
3 RTM Trojan-Banker.Win32.RTM 19.3
4 Nimnul Virus.Win32.Nimnul 6.6
5 Trickster Trojan.Win32.Trickster 5.8
6 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.4
7 Nymaim Trojan.Win32.Nymaim 3.6
8 SpyEye Trojan-Spy.Win32.SpyEye 3.4
9 Danabot Trojan-Banker.Win32.Danabot 3.3
10 Neurevt Trojan.Win32.Neurevt 1.8

** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

The TOP 3 in Q3 2019 had the same faces as last quarter, only in a different order: the RTM family (19.3%) dropped from first to third, shedding almost 13 p.p., allowing the other two — Zbot (26.7%) and Emotet (23.9%) — to climb up. Last quarter we noted a decline in the activity of Emotet servers, but in Q3 it came back on track, with Emotet’s share growing by more than 15 p.p.

Fourth and fifth places did not change at all — still occupied by Nimnul (6.6%) and Trickster (5.8%). Their scores rose insignificantly, less than 1 p.p. Of the new entries in our TOP 10, worth noting is the banker CliptoShuffler (5.4%), which stormed straight into sixth place.

Ransomware programs

Quarterly highlights

The number of ransomware attacks against government agencies, as well as organizations in the healthcare, education, and energy sectors, continues to rise. This trend we noted back in the previous quarter.

A new type of attack, one on network attached storages (NAS), is gaining ground. The infection scheme involves attackers scanning IP address ranges in search of NAS devices accessible via the Internet. Generally, only the web interface is accessible from the outside, protected by an authentication page; however, a number of devices have vulnerabilities in the firmware. This enables cybercriminals, by means of an exploit, to install on the device a Trojan that encrypts all data on NAS-connected media. This is a particularly dangerous attack, since in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock.

Wipers have also become a more frequent attack tool. Like ransomware, such programs rename files and make ransom demands. But these Trojans irreversibly ruin the file contents (replacing them with zeros or random bytes), so even if the victim pays up, the original files are lost.

The FBI published decryption keys for GandCrab (verdict Trojan-Ransom.Win32.GandCrypt) versions 4 and 5. The decryption was added to the latest RakhniDecryptor build.

Number of new modifications

In Q3 2019, we identified three new families of ransomware Trojans and discovered 13,138 new modifications of this malware.

Number of new ransomware modifications, Q3 2018 – Q3 2019 (download)

Number of users attacked by ransomware Trojans

In Q3 2019, Kaspersky products defeated ransomware attacks against 229,643 unique KSN users. This is slightly fewer than the previous quarter.

Number of unique users attacked by ransomware Trojans, Q3 2019 (download)

July saw the largest number of attacked users — 100,380, almost 20,000 more than in June. After that, however, this indicator fell sharply and did not stray far from the figure of 90,000 attacked users.

Attack geography

Geographical spread of countries by share of users attacked by ransomware Trojans, Q3 2019 (download)

TOP 10 countries attacked by ransomware Trojans

Country* % of users attacked by cryptors**
1 Bangladesh 6.39
2 Mozambique 2.96
3 Uzbekistan 2.26
4 Nepal 1.71
5 Ethiopia 1.29
6 Ghana 1.19
7 Afghanistan 1.12
8 Egypt 0.83
9 Palestine 0.80
10 Vietnam 0.79

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans

Name Verdicts % of attacked users*
1 WannaCry Trojan-Ransom.Win32.Wanna 20.96
2 (generic verdict) Trojan-Ransom.Win32.Phny 20.01
3 GandCrab Trojan-Ransom.Win32.GandCrypt 8.58
4 (generic verdict) Trojan-Ransom.Win32.Gen 8.36
5 (generic verdict) Trojan-Ransom.Win32.Encoder 6.56
6 (generic verdict) Trojan-Ransom.Win32.Crypren 5.08
7 Stop Trojan-Ransom.Win32.Stop 4.63
8 Rakhni Trojan-Ransom.Win32.Rakhni 3.97
9 (generic verdict) Trojan-Ransom.Win32.Crypmod 2.77
10 PolyRansom/VirLock Virus.Win32.PolyRansom
Trojan-Ransom.Win32. PolyRansom
2.50

* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.

Miners

Number of new modifications

In Q3 2019, Kaspersky solutions detected 11 753 new modifications of miners.

Number of new miner modifications, Q3 2019 (download)

Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 639,496 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q3 2019 (download)

The number of attacked users continued to decline in Q3, down to 282,334 in August. In September, this indicator began to grow — up to 297,394 — within touching distance of July’s figure.

Attack geography

Geographical spread of countries by share of users attacked by miners, Q3 2019 (download)

TOP 10 countries by share of users attacked by miners

Country* % of users attacked by miners**
1 Afghanistan 9.42
2 Ethiopia 7.29
3 Uzbekistan 4.99
4 Sri Lanka 4.62
5 Tanzania 4.35
6 Vietnam 3.72
7 Kazakhstan 3.66
8 Mozambique 3.44
9 Rwanda 2.55
10 Bolivia 2.43

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyber attacks

As before, in the statistics on the distribution of exploits used by cybercriminals, a huge share belongs to vulnerabilities in the Microsoft Office suite (73%). Most common of all, as in the previous quarter, were stack overflow errors (CVE-2017-11882, CVE-2018-0802) in the Equation Editor application, which was previously part of Microsoft Office. Other Microsoft Office vulnerabilities widely exploited this quarter were again CVE-2017-8570, CVE-2017-8759, and CVE-2017-0199.

Modern browsers are complex software products, which means that new vulnerabilities are constantly being discovered and used in attacks (13%). The most common target for cybercriminals is Microsoft Internet Explorer, vulnerabilities in which are often exploited in the wild. This quarter saw the discovery of the actively exploited zero-day vulnerability CVE-2019-1367, which causes memory corruption and allows remote code execution on the target system. The fact that Microsoft released an unscheduled patch for it points to how serious the situation was. Nor was Google Chrome problem-free this quarter, having received updates to fix a number of critical vulnerabilities (CVE-2019-13685, CVE-2019-13686, CVE-2019-13687, CVE-2019-13688), some of which allow intruders to circumvent all levels of browser protection and execute code in the system, bypassing the sandbox.

The majority of vulnerabilities aimed at privilege escalation inside the system stem from individual operating system services and popular apps. Privilege escalation vulnerabilities play a special role, as they are often utilized in malicious software to obtain persistence in the target system. Of note this quarter are the vulnerabilities CVE-2019-14743 and CVE-2019-15315, which allow compromising systems with the popular Steam client installed. A flaw in the Microsoft Windows Text Services Framework also warrants a mention. A Google researcher published a tool to demonstrate the problem (CtfTool), which allows processes to be run with system privileges, as well as changes to be made to the memory of other processes and arbitrary code to be executed in them.

Distribution of exploits used in attacks by type of application attacked, Q3 2019 (download)

Network attacks are still widespread. This quarter, as in previous ones, we registered numerous attempts to exploit vulnerabilities in the SMB protocol. This indicates that unprotected and not-updated systems are still at high risk of infection in attacks that deploy EternalBlue, EternalRomance, and other exploits. That said, a large share of malicious network traffic is made up of requests aimed at bruteforcing passwords in popular network services and servers, such as Remote Desktop Protocol and Microsoft SQL Server. RDP faced other problems too related to the detection of several vulnerabilities in this network protocol united under the common name DejaBlue (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226). Unlike the previously discovered CVE-2019-0708, these vulnerabilities affect not only old versions of operating systems, but new ones as well, such as Windows 10. As in the case of CVE-2019-0708, some DejaBlue vulnerabilities do not require authorization in the attacked system and allow to carry out malicious activity invisible to the user. Therefore, it is vital to promptly install the latest updates for both the operating system and antivirus solutions to reduce the risk of infection.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: TOP 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2019, Kaspersky solutions blocked 989,432,403 attacks launched from online resources located in 203 countries across the globe. 560,025,316 unique URLs triggered Web Anti-Virus components.

Distribution of web-based attack sources by country, Q3 2019 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Tunisia 23.26
2 Algeria 19.75
3 Albania 18.77
4 Réunion 16.46
5 Bangladesh 16.46
6 Venezuela 16.21
7 North Macedonia 15.33
8 France 15.09
9 Qatar 14.97
10 Martinique 14.84
11 Greece 14.59
12 Serbia 14.36
13 Syria 13.99
14 Bulgaria 13.88
15 Philippines 13.71
16 UAE 13.64
17 Djibouti 13.47
18 Morocco 13.35
19 Belarus 13.34
20 Saudi Arabia 13.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 10.97% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q3 2019 (download)

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2019, our File Anti-Virus detected 230,051,054 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Afghanistan 53.45
2 Tajikistan 48.43
3 Yemen 48.39
4 Uzbekistan 48.38
5 Turkmenistan 45.95
6 Myanmar 45.27
7 Ethiopia 44.18
8 Laos 43.24
9 Bangladesh 42.96
10 Mozambique 41.58
11 Syria 41.15
12 Vietnam 41.11
13 Iraq 41.09
14 Sudan 40.18
15 Kyrgyzstan 40.06
16 China 39.94
17 Rwanda 39.49
18 Venezuela 39.18
19 Malawi 38.81
20 Nepal 38.38

These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones and external hard drives.

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q3 2019 (download)

Overall, 21.1% of user computers globally faced at least one Malware-class local threat during Q3.

The figure for Russia was 24.24%.