IT threat evolution Q3 2019. Statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
Quarterly figures
According to Kaspersky Security Network:
Kaspersky solutions blocked 989,432,403 attacks launched from online resources in 203 countries across the globe.
560,025,316 unique URLs were recognized as malicious by Web Anti-Virus components.
Attempted infections by malware designed to steal money via online access to bank accounts were blocked on the computers of 197,559 users.
Ransomware attacks were defeated on the computers of 229,643 unique users.
Our File Anti-Virus detected 230,051,054 unique malicious and potentially unwanted objects.
Kaspersky products for mobile devices detected:
870,617 malicious installation packages
13,129 installation packages for mobile banking Trojans
13,179 installation packages for mobile ransomware Trojans

Mobile threats
Quarterly highlights
In Q3 2019, we discovered an extremely unpleasant incident with the popular CamScanner app on Google Play. The new version of the app contained an ad library inside with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper’s task was to activate paid subscriptions, although it could deliver another payload if required.

Another interesting Trojan detected in Q3 2019 is Trojan.AndroidOS.Agent.vn. Its main function is to “like” Facebook posts when instructed by its handlers. Interestingly, to make the click, the Trojan attacks the Facebook mobile app on the infected device, literally forcing it to execute its command.
In the same quarter, we discovered new FinSpy spyware Trojans for iOS and Android. In the fresh versions, the focus is on snooping on correspondence in messaging apps. The iOS version requires a jailbreak to do its job, while the Android version is able to spy on the encrypted Threema app among others.
Mobile threat statistics
In Q3 2019, Kaspersky detected 870,617 malicious installation packages.

Number of detected malicious installation packages, Q4 2018 – Q3 2019
Whereas in previous quarters we observed a noticeable drop in the number of new installation packages, Q3’s figure was up by 117,067 packages compared to the previous quarter.
Distribution of detected mobile apps by type

Distribution of detected mobile apps by type, Q2 and Q3 2019
Among all the mobile threats detected in Q3 2019, the lion’s share went to potentially unsolicited RiskTool-class programs (32.1%), which experienced a fall of 9 p.p. against the previous quarter. The most frequently detected objects belonged to the following families: RiskTool.AndroidOS.Agent (33.07% of all detected threats in this class), RiskTool.AndroidOS.Wapron (16.43%), and RiskTool.AndroidOS.Smssend (10.51%).
Second place went to miscellaneous Trojans united under the Trojan class (21.68%), whose share increased by 10 p.p. The distribution within the class was unchanged since the previous quarter, with the Trojan.AndroidOS.Hiddapp (32.5%), Trojan.AndroidOS.Agent (12.8%), and Trojan.AndroidOS.Piom (9.1%) families remaining in the lead. Kaspersky’s machine-learning systems made a significant contribution to detecting threats: Trojans detected by this technology (the Trojan.AndroidOS.Boogr verdict) made up 28.7%, second place after Hiddapp.
In third place were Adware-class programs (19.89%), whose share rose by 1 p.p. in the reporting period. Most often, adware programs belonged to one of the following families: AdWare.AndroidOS.Ewind (20.73% of all threats in this class), AdWare.AndroidOS.Agent (20.36%), and AdWare.AndroidOS.MobiDash (14.27%).
Threats in the Trojan-Dropper class (10.44%) remained at the same level with insignificant (0.5 p.p.) growth. The vast majority of detected droppers belonged to the Trojan-Dropper.AndroidOS.Wapnor family (69.7%). A long way behind in second and third place, respectively, were Trojan-Dropper.AndroidOS.Wroba (14.58%) and Trojan-Dropper.AndroidOS.Agent (8.75%).
TOP 20 mobile malware programs
Note that this malware rating does not include potentially dangerous or unwanted programs classified as RiskTool or adware.

|   | Verdict | %* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 48.71 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 9.03 |
| 3 | Trojan.AndroidOS.Hiddapp.ch | 7.24 |
| 4 | Trojan.AndroidOS.Hiddapp.cr | 7.23 |
| 5 | Trojan-Dropper.AndroidOS.Necro.n | 6.87 |
| 6 | DangerousObject.AndroidOS.GenericML | 4.34 |
| 7 | Trojan-Downloader.AndroidOS.Helper.a | 1.99 |
| 8 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.75 |
| 9 | Trojan-Dropper.AndroidOS.Agent.ok | 1.65 |
| 10 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.52 |
| 11 | Trojan-Dropper.AndroidOS.Hqwar.bb | 1.46 |
| 12 | Trojan-Downloader.AndroidOS.Necro.b | 1.45 |
| 13 | Trojan-Dropper.AndroidOS.Lezok.p | 1.44 |
| 14 | Trojan.AndroidOS.Hiddapp.cf | 1.41 |
| 15 | Trojan.AndroidOS.Dvmap.a | 1.27 |
| 16 | Trojan.AndroidOS.Agent.rt | 1.24 |
| 17 | Trojan-Banker.AndroidOS.Asacub.snt | 1.21 |
| 18 | Trojan-Dropper.AndroidOS.Necro.q | 1.19 |
| 19 | Trojan-Dropper.AndroidOS.Necro.l | 1.12 |
| 20 | Trojan-SMS.AndroidOS.Prizmes.a | 1.12 |
* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked.
First place in our TOP 20 as ever went to DangerousObject.Multi.Generic (48.71%), the verdict we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.
Second and sixth places were claimed by Trojan.AndroidOS.Boogr.gsh (9.03%) and DangerousObject.AndroidOS.GenericML (4.34%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.
Third, fourth, and fourteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to covertly foist ads onto victims.
Fifth, twelfth, eighteenth, and nineteenth positions went to Trojan droppers of the Necro family. Although this family showed up on the radar last quarter, really serious activity was observed only in this reporting period.
Seventh place goes to Trojan-Downloader.AndroidOS.Helper.a (1.99%), which is what members of the Necro family usually extract from themselves. Helper.a is tasked with downloading arbitrary code from malicious servers and running it.
The eighth place was taken by the malware Trojan-Banker.AndroidOS.Svpeng.ak (1.75%), the main task of which is to steal online banking credentials and intercept two-factor authorization codes.
Ninth position went to Trojan-Dropper.AndroidOS.Agent.ok (1.65%), which is distributed under the guise of FlashPlayer or a Rapidshare client. Most commonly, it drops adware modules into the infected system.
Tenth and eleventh places went to members of the Trojan-Banker.AndroidOS.Hqwar family. The popularity of this dropper among cybercriminals continues to fall.
Geography of mobile threats

Geography of mobile malware infection attempts, Q3 2019
TOP 10 countries by share of users attacked by mobile malware

|   | Country* | %** |
|---|---|---|
| 1 | Iran | 52.68 |
| 2 | Bangladesh | 30.94 |
| 3 | India | 28.75 |
| 4 | Pakistan | 28.13 |
| 5 | Algeria | 26.47 |
| 6 | Indonesia | 23.38 |
| 7 | Nigeria | 22.46 |
| 8 | Tanzania | 21.96 |
| 9 | Saudi Arabia | 20.05 |
| 10 | Egypt | 19.44 |

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile bankers as a percentage of all users of Kaspersky mobile solutions in the country.
In Q3’s TOP 10, Iran (52.68%) retained top spot by share of attacked users. Note that over the reporting period the country’s share almost doubled. Kaspersky users in Iran most often encountered the adware app AdWare.AndroidOS.Agent.fa (22.03% of the total number of mobile threats), the adware-installing Trojan.AndroidOS.Hiddapp.bn (14.68%), and the potentially unwanted program RiskTool.AndroidOS.Dnotua.yfe (8.84%).
Bangladesh (30.94%) retained second place in the ranking. Users in this country most frequently encountered adware programs, including AdWare.AndroidOS.Agent.fc (27.58% of the total number of mobile threats) and AdWare.AndroidOS.HiddenAd.et (12.65%), as well as Trojan.AndroidOS.Hiddapp.cr (20.05%), which downloads adware programs.
India (28.75%) climbed to third place due to the same threats that were more active than others in Bangladesh: AdWare.AndroidOS.Agent.fc (36.19%), AdWare.AndroidOS.HiddenAd.et (17.17%), and Trojan.AndroidOS.Hiddapp.cr (22.05%).
Mobile banking Trojans
In the reporting period, we detected 13,129 installation packages for mobile banking Trojans, only 770 fewer than in Q2 2019.
The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Svpeng (40.59% of all detected banking Trojans), Trojan-Banker.AndroidOS.Agent (11.84%), and Trojan-Banker.AndroidOS.Faketoken (11.79%) families.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 – Q3 2019
TOP 10 mobile banking Trojans

|   | Verdict | %* |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Svpeng.ak | 16.85 |
| 2 | Trojan-Banker.AndroidOS.Asacub.snt | 11.61 |
| 3 | Trojan-Banker.AndroidOS.Svpeng.q | 8.97 |
| 4 | Trojan-Banker.AndroidOS.Asacub.ce | 8.07 |
| 5 | Trojan-Banker.AndroidOS.Agent.ep | 5.51 |
| 6 | Trojan-Banker.AndroidOS.Asacub.a | 5.27 |
| 7 | Trojan-Banker.AndroidOS.Faketoken.q | 5.26 |
| 8 | Trojan-Banker.AndroidOS.Agent.eq | 3.62 |
| 9 | Trojan-Banker.AndroidOS.Faketoken.snt | 2.91 |
| 10 | Trojan-Banker.AndroidOS.Asacub.ar | 2.81 |
* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by banking threats.
The TOP 10 banking threats in Q3 2019 was headed by Trojans of the Trojan-Banker.AndroidOS.Svpeng family: Svpeng.ak (16.85%) took first place, and Svpeng.q (8.97%) third. This is not the first time we have detected amusing obfuscation in Trojans from Russian-speaking cybercriminals — this time the code of the malware Svpeng.ak featured the names of video games.
Snippets of decompiled code from Trojan-Banker.AndroidOS.Svpeng.ak
Second, fourth, sixth, and tenth positions in Q3 went to the Asacub Trojan family. Despite a decrease in activity, Asacub samples are still found on devices around the world.

Geography of mobile banking threats, Q3 2019
TOP 10 countries by share of users attacked by mobile banking Trojans:

|   | Country* | %** |
|---|---|---|
| 1 | Russia | 0.30 |
| 2 | South Africa | 0.20 |
| 3 | Kuwait | 0.18 |
| 4 | Tajikistan | 0.13 |
| 5 | Spain | 0.12 |
| 6 | Indonesia | 0.12 |
| 7 | China | 0.11 |
| 8 | Singapore | 0.11 |
| 9 | Armenia | 0.10 |
| 10 | Uzbekistan | 0.10 |

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country.
In Q3 Russia moved up to first place (0.30%), which affected the overall picture of how mobile bankers spread around the world. Users in Russia were most often targeted with Trojan-Banker.AndroidOS.Svpeng.ak (17.32% of all attempts to infect unique users with mobile financial malware). The same Trojan made it into the TOP 10 worldwide. It is a similar story with second and third places: Trojan-Banker.AndroidOS.Asacub.snt (11.86%) and Trojan-Banker.AndroidOS.Svpeng.q (9.20%).
South Africa fell to second place (0.20%), where for the second quarter in a row Trojan-Banker.AndroidOS.Agent.dx (89.80% of all mobile financial malware) was the most widespread threat.
Bronze went to Kuwait (0.21%), where, like in South Africa, Trojan-Banker.AndroidOS.Agent.dx (75%) was most often encountered.
Mobile ransomware Trojans
In Q3 2019, we detected 13,179 installation packages for mobile ransomware — 10,115 fewer than last quarter. We observed a similar drop in Q2, so since the start of the year the number of mobile ransomware Trojans has decreased almost threefold. The reason, as we see it, is the decline in activity of the group behind the Asacub Trojan.

Number of installation packages for mobile banking Trojans, Q3 2018 – Q3 2019
TOP 10 mobile ransomware Trojans

|   | Verdict | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 40.97 |
| 2 | Trojan-Ransom.AndroidOS.Small.as | 8.82 |
| 3 | Trojan-Ransom.AndroidOS.Svpeng.ah | 5.79 |
| 4 | Trojan-Ransom.AndroidOS.Rkor.i | 5.20 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.h | 4.78 |
| 6 | Trojan-Ransom.AndroidOS.Small.o | 3.60 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.ai | 2.93 |
| 8 | Trojan-Ransom.AndroidOS.Small.ce | 2.93 |
| 9 | Trojan-Ransom.AndroidOS.Fusob.h | 2.72 |
| 10 | Trojan-Ransom.AndroidOS.Small.cj | 2.66 |
* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans.
In Q3 2019, the leading positions among ransomware Trojans were retained by members of the Trojan-Ransom.AndroidOS.Svpeng family. Top spot, as in the previous quarter, was claimed by Svpeng.aj (40.97%), with Svpeng.ah (5.79%) in third.

Geography of mobile ransomware Trojans, Q3 2019
TOP 10 countries by share of users attacked by mobile ransomware Trojans:

|   | Country* | %** |
|---|---|---|
| 1 | US | 1.12 |
| 2 | Iran | 0.25 |
| 3 | Kazakhstan | 0.25 |
| 4 | Oman | 0.09 |
| 5 | Qatar | 0.08 |
| 6 | Saudi Arabia | 0.06 |
| 7 | Mexico | 0.05 |
| 8 | Pakistan | 0.05 |
| 9 | Kuwait | 0.04 |
| 10 | Indonesia | 0.04 |

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country.
The leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.12%), Iran (0.25%), and Kazakhstan (0.25%).
Attacks on Apple macOS
Q3 saw a lull in the emergence of new threats. An exception was the distribution of a modified version of the Stockfolio investment app, which contained an encrypted reverse shell backdoor.
TOP 20 threats for macOS

|   | Verdict | %* |
|---|---|---|
| 1 | Trojan-Downloader.OSX.Shlayer.a | 22.71 |
| 2 | AdWare.OSX.Pirrit.j | 14.43 |
| 3 | AdWare.OSX.Pirrit.s | 11.73 |
| 4 | AdWare.OSX.Pirrit.p | 10.43 |
| 5 | AdWare.OSX.Pirrit.o | 9.71 |
| 6 | AdWare.OSX.Bnodlero.t | 8.40 |
| 7 | AdWare.OSX.Spc.a | 7.32 |
| 8 | AdWare.OSX.Cimpli.d | 6.92 |
| 9 | AdWare.OSX.MacSearch.a | 4.88 |
| 10 | AdWare.OSX.Agent.d | 4.71 |
| 11 | AdWare.OSX.Ketin.c | 4.63 |
| 12 | AdWare.OSX.Ketin.b | 4.10 |
| 13 | Downloader.OSX.InstallCore.ab | 4.01 |
| 14 | AdWare.OSX.Cimpli.e | 3.86 |
| 15 | AdWare.OSX.Bnodlero.q | 3.78 |
| 16 | AdWare.OSX.Cimpli.f | 3.76 |
| 17 | AdWare.OSX.Bnodlero.x | 3.49 |
| 18 | AdWare.OSX.Mcp.a | 3.26 |
| 19 | AdWare.OSX.MacSearch.d | 3.18 |
| 20 | AdWare.OSX.Amc.a | 3.15 |
* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked.
Like last quarter, the adware Trojan Shlayer was the top threat for macOS. This malware in turn downloaded adware programs of the Pirrit family, as a result of which its members took the second to fifth positions in our ranking.
Threat geography

|   | Country* | %** |
|---|---|---|
| 1 | France | 6.95 |
| 2 | India | 6.24 |
| 3 | Spain | 5.61 |
| 4 | Italy | 5.29 |
| 5 | US | 4.84 |
| 6 | Russia | 4.79 |
| 7 | Brazil | 4.75 |
| 8 | Mexico | 4.68 |
| 9 | Canada | 4.46 |
| 10 | Australia | 4.27 |

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.
The geographical distribution of attacked users underwent some minor changes: India took silver with 6.24% of attacked users, while Spain came in third with 5.61%. France (6.95%) hung on to first position.
IoT attacks
IoT threat statistics
In Q3, the trend continued toward a decrease in the number of IP addresses of devices used to carry out attacks on Kaspersky Telnet honeypots. If in Q2 Telnet’s share was still significantly higher than that of SSH, in Q3 the figures were almost equal.
SSH: 48.17%
Telnet: 51.83%
Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2019
As for the number of sessions involving Kaspersky traps, we noted that in Q3 Telnet-based control was also deployed more often.
SSH: 40.81%
Telnet: 59.19%
Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2019
Telnet-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2019
TOP 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky traps

|   | Country | %* |
|---|---|---|
| 1 | China | 13.78 |
| 2 | Egypt | 10.89 |
| 3 | Brazil | 8.56 |
| 4 | Taiwan | 8.33 |
| 5 | US | 4.71 |
| 6 | Russia | 4.35 |
| 7 | Turkey | 3.47 |
| 8 | Vietnam | 3.44 |
| 9 | Greece | 3.43 |
| 10 | India | 3.41 |

Last quarter’s leaders Egypt (10.89%), China (13.78%), and Brazil (8.56%) again made up the TOP 3, the only difference being that this time China took first place.
Telnet-based attacks most often resulted in the download of a member of the notorious Mirai family.
TOP 10 malware downloaded to infected IoT devices via successful telnet-based attacks

|   | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 38.08 |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 27.46 |
| 3 | Backdoor.Linux.Mirai.ba | 16.52 |
| 4 | Backdoor.Linux.Gafgyt.bj | 2.76 |
| 5 | Backdoor.Linux.Mirai.au | 2.21 |
| 6 | Backdoor.Linux.Mirai.c | 2.02 |
| 7 | Backdoor.Linux.Mirai.h | 1.81 |
| 8 | Backdoor.Linux.Mirai.ad | 1.66 |
| 9 | Backdoor.Linux.Gafgyt.az | 0.86 |
| 10 | Backdoor.Linux.Mirai.a | 0.80 |
* Share of malware type in the total amount of malware downloaded to IoT devices following a successful Telnet-based attack.
SSH-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2019
TOP 10 countries by location of devices from which attacks were made on Kaspersky SSH traps

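|   | Country | %* |
|---|---|---|
| 1 | Egypt | 17.06 |
| 2 | Vietnam | 16.98 |
| 3 | China | 13.81 |
| 4 | Brazil | 7.37 |
| 5 | Russia | 6.71 |
| 6 | Thailand | 4.53 |
| 7 | US | 4.13 |
| 8 | Azerbaijan | 3.99 |
| 9 | India | 2.55 |
| 10 | France | 1.53 |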
In Q3 2019, the largest number of attacks on Kaspersky traps using the SSH protocol came from Egypt (17.06%). Vietnam (16.98%) and China (13.81%) took second and third places, respectively.
Financial threats
Financial threat statistics
In Q3 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 197,559 users.

Number of unique users attacked by financial malware, Q3 2019
Attack geography
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q3 2019
TOP 10 countries by share of attacked users

|   | Country* | %** |
|---|---|---|
| 1 | Belarus | 2.9 |
| 2 | Uzbekistan | 2.1 |
| 3 | South Korea | 1.9 |
| 4 | Venezuela | 1.8 |
| 5 | Tajikistan | 1.4 |
| 6 | Afghanistan | 1.3 |
| 7 | China | 1.2 |
| 8 | Syria | 1.2 |
| 9 | Yemen | 1.2 |
| 10 | Sudan | 1.1 |

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country.
TOP 10 banking malware families

|   | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 26.7 |
| 2 | Emotet | Backdoor.Win32.Emotet | 23.9 |
| 3 | RTM | Trojan-Banker.Win32.RTM | 19.3 |
| 4 | Nimnul | Virus.Win32.Nimnul | 6.6 |
| 5 | Trickster | Trojan.Win32.Trickster | 5.8 |
| 6 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.4 |
| 7 | Nymaim | Trojan.Win32.Nymaim | 3.6 |
| 8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.4 |
| 9 | Danabot | Trojan-Banker.Win32.Danabot | 3.3 |
| 10 | Neurevt | Trojan.Win32.Neurevt | 1.8 |

* Unique users attacked by this malware as a percentage of all users attacked by financial malware.
The TOP 3 in Q3 2019 had the same faces as last quarter, only in a different order: the RTM family (19.3%) dropped from first to third, shedding almost 13 p.p., allowing the other two — Zbot (26.7%) and Emotet (23.9%) — to climb up. Last quarter we noted a decline in the activity of Emotet servers, but in Q3 it came back on track, with Emotet’s share growing by more than 15 p.p.
Fourth and fifth places did not change at all — still occupied by Nimnul (6.6%) and Trickster (5.8%). Their scores rose insignificantly, less than 1 p.p. Of the new entries in our TOP 10, worth noting is the banker CliptoShuffler (5.4%), which stormed straight into sixth place.
Ransomware programs
Quarterly highlights
The number of ransomware attacks against government agencies, as well as organizations in the healthcare, education, and energy sectors, continues to rise. We noted this trend back in the previous quarter.
A new type of attack, one on network-attached storage (NAS) devices, is gaining ground. The infection scheme involves attackers scanning IP address ranges in search of NAS devices accessible via the Internet. Generally, only the web interface is accessible from the outside, protected by an authentication page; however, a number of devices have vulnerabilities in the firmware. This enables cybercriminals, by means of an exploit, to install on the device a Trojan that encrypts all data on NAS-connected media. This is a particularly dangerous attack, since in many cases the NAS is used to store backups. Such devices are generally perceived by their owners as a reliable means of storage, so the mere possibility of an infection can come as a shock.
Wipers have also become a more frequent attack tool. Like ransomware, such programs rename files and make ransom demands. But these Trojans irreversibly ruin the file contents (replacing them with zeros or random bytes), so even if the victim pays up, the original files are lost.
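A triage check for the wiper behaviour described above, as an added example that is not part of the original report: it samples the head, middle and tail of a renamed file and separates content that is plainly overwritten (zeros or a constant byte) from content that is only high-entropy. The window size, the entropy threshold and the sample buffers are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

WINDOW = 4096        # bytes sampled per region (assumed value)
HIGH_ENTROPY = 7.5   # bits per byte; assumed threshold, random data is about 7.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_window(data: bytes) -> str:
    """Label one sampled region of a file."""
    if not data:
        return "empty"
    if len(set(data)) == 1:
        return "zero-fill" if data[0] == 0 else "constant-fill"
    return "high-entropy" if shannon_entropy(data) >= HIGH_ENTROPY else "structured"


def sample_windows(data: bytes) -> list:
    """Head, middle and tail, because overwriting or encryption may be partial."""
    if len(data) <= WINDOW:
        return [data]
    mid = (len(data) - WINDOW) // 2
    return [data[:WINDOW], data[mid:mid + WINDOW], data[-WINDOW:]]


def triage(data: bytes) -> str:
    """Return 'overwritten', 'ambiguous' or 'readable' for one file's content."""
    kinds = {classify_window(w) for w in sample_windows(data)}
    if kinds <= {"zero-fill", "constant-fill", "empty"}:
        # Nothing of the original remains in any sample (or the file was
        # truncated): no decryption key can bring this content back.
        return "overwritten"
    if "high-entropy" in kinds:
        # Encrypted, overwritten with random bytes, or simply compressed data:
        # entropy alone cannot tell these apart, so keep the file for analysis.
        return "ambiguous"
    return "readable"


def triage_all(files: dict) -> dict:
    """Map each file name to its triage result."""
    return {name: triage(content) for name, content in files.items()}


# Constructed sample buffers standing in for files found after an incident.
_rng = random.Random(2019)
_text = b"Q3 invoices, ledgers and meeting notes.\n" * 500
SAMPLES = {
    "ledger.xlsx.locked": bytes(20000),                                     # zeros
    "notes.txt.locked": bytes(_rng.getrandbits(8) for _ in range(20000)),   # random
    "backup.tar.locked": bytes(_rng.getrandbits(8) for _ in range(WINDOW)) + _text,
    "report.txt": _text,                                                    # untouched
}

if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        print(f"{name}: {result}")
```

Files reported as overwritten are the ones for which paying would recover nothing; ambiguous files need a sample-specific analysis before any conclusion is drawn.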
The FBI published decryption keys for GandCrab (verdict Trojan-Ransom.Win32.GandCrypt) versions 4 and 5. The decryption was added to the latest RakhniDecryptor build.
Number of new modifications
In Q3 2019, we identified three new families of ransomware Trojans and discovered 13,138 new modifications of this malware.

Number of new ransomware modifications, Q3 2018 – Q3 2019
Number of users attacked by ransomware Trojans
In Q3 2019, Kaspersky products defeated ransomware attacks against 229,643 unique KSN users. This is slightly fewer than in the previous quarter.

Number of unique users attacked by ransomware Trojans, Q3 2019
July saw the largest number of attacked users — 100,380, almost 20,000 more than in June. After that, however, this indicator fell sharply and did not stray far from the figure of 90,000 attacked users.
Attack geography

Geographical spread of countries by share of users attacked by ransomware Trojans, Q3 2019
TOP 10 countries attacked by ransomware Trojans

|   | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Bangladesh | 6.39 |
| 2 | Mozambique | 2.96 |
| 3 | Uzbekistan | 2.26 |
| 4 | Nepal | 1.71 |
| 5 | Ethiopia | 1.29 |
| 6 | Ghana | 1.19 |
| 7 | Afghanistan | 1.12 |
| 8 | Egypt | 0.83 |
| 9 | Palestine | 0.80 |
| 10 | Vietnam | 0.79 |

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.
TOP 10 most common families of ransomware Trojans

|   | Name | Verdicts | % of attacked users* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.96 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 20.01 |
| 3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 8.58 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 8.36 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 6.56 |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 5.08 |
| 7 | Stop | Trojan-Ransom.Win32.Stop | 4.63 |
| 8 | Rakhni | Trojan-Ransom.Win32.Rakhni | 3.97 |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.77 |
| 10 | PolyRansom/VirLock | Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom | 2.50 |

* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.
Miners
Number of new modifications
In Q3 2019, Kaspersky solutions detected 11,753 new modifications of miners.

Number of new miner modifications, Q3 2019
Number of users attacked by miners
In Q3, we detected attacks using miners on the computers of 639,496 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q3 2019
The number of attacked users continued to decline in Q3, down to 282,334 in August. In September, this indicator began to grow — up to 297,394 — within touching distance of July’s figure.
Attack geography

Geographical spread of countries by share of users attacked by miners, Q3 2019
TOP 10 countries by share of users attacked by miners

|   | Country* | % of users attacked by miners** |
|---|---|---|
| 1 | Afghanistan | 9.42 |
| 2 | Ethiopia | 7.29 |
| 3 | Uzbekistan | 4.99 |
| 4 | Sri Lanka | 4.62 |
| 5 | Tanzania | 4.35 |
| 6 | Vietnam | 3.72 |
| 7 | Kazakhstan | 3.66 |
| 8 | Mozambique | 3.44 |
| 9 | Rwanda | 2.55 |
| 10 | Bolivia | 2.43 |

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.
Vulnerable applications used by cybercriminals during cyber attacks
As before, in the statistics on the distribution of exploits used by cybercriminals, a huge share belongs to vulnerabilities in the Microsoft Office suite (73%). Most common of all, as in the previous quarter, were stack overflow errors (CVE-2017-11882, CVE-2018-0802) in the Equation Editor application, which was previously part of Microsoft Office. Other Microsoft Office vulnerabilities widely exploited this quarter were again CVE-2017-8570, CVE-2017-8759, and CVE-2017-0199.
Modern browsers are complex software products, which means that new vulnerabilities are constantly being discovered and used in attacks (13%). The most common target for cybercriminals is Microsoft Internet Explorer, vulnerabilities in which are often exploited in the wild. This quarter saw the discovery of the actively exploited zero-day vulnerability CVE-2019-1367, which causes memory corruption and allows remote code execution on the target system. The fact that Microsoft released an unscheduled patch for it points to how serious the situation was. Nor was Google Chrome problem-free this quarter, having received updates to fix a number of critical vulnerabilities (CVE-2019-13685, CVE-2019-13686, CVE-2019-13687, CVE-2019-13688), some of which allow intruders to circumvent all levels of browser protection and execute code in the system, bypassing the sandbox.
The majority of vulnerabilities aimed at privilege escalation inside the system stem from individual operating system services and popular apps. Privilege escalation vulnerabilities play a special role, as they are often utilized in malicious software to obtain persistence in the target system. Of note this quarter are the vulnerabilities CVE-2019-14743 and CVE-2019-15315, which allow compromising systems with the popular Steam client installed. A flaw in the Microsoft Windows Text Services Framework also warrants a mention. A Google researcher published a tool to demonstrate the problem (CtfTool), which allows processes to be run with system privileges, as well as changes to be made to the memory of other processes and arbitrary code to be executed in them.

Distribution of exploits used in attacks by type of application attacked, Q3 2019
Network attacks are still widespread. This quarter, as in previous ones, we registered numerous attempts to exploit vulnerabilities in the SMB protocol. This indicates that unprotected and unpatched systems are still at high risk of infection in attacks that deploy EternalBlue, EternalRomance, and other exploits. That said, a large share of malicious network traffic is made up of requests aimed at brute-forcing passwords in popular network services and servers, such as Remote Desktop Protocol and Microsoft SQL Server. RDP faced other problems too: several vulnerabilities were detected in this network protocol, united under the common name DejaBlue (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226). Unlike the previously discovered CVE-2019-0708, these vulnerabilities affect not only old versions of operating systems, but new ones as well, such as Windows 10. As in the case of CVE-2019-0708, some DejaBlue vulnerabilities do not require authorization in the attacked system and allow malicious activity to be carried out unnoticed by the user. Therefore, it is vital to promptly install the latest updates for both the operating system and antivirus solutions to reduce the risk of infection.
Attacks via web resources
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.
Countries that are sources of web-based attacks: TOP 10
The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q3 2019, Kaspersky solutions blocked 989,432,403 attacks launched from online resources located in 203 countries across the globe. 560,025,316 unique URLs triggered Web Anti-Virus components.

Distribution of web-based attack sources by country, Q3 2019
Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.
This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

|   | Country* | % of attacked users** |
|---|---|---|
| 1 | Tunisia | 23.26 |
| 2 | Algeria | 19.75 |
| 3 | Albania | 18.77 |
| 4 | Réunion | 16.46 |
| 5 | Bangladesh | 16.46 |
| 6 | Venezuela | 16.21 |
| 7 | North Macedonia | 15.33 |
| 8 | France | 15.09 |
| 9 | Qatar | 14.97 |
| 10 | Martinique | 14.84 |
| 11 | Greece | 14.59 |
| 12 | Serbia | 14.36 |
| 13 | Syria | 13.99 |
| 14 | Bulgaria | 13.88 |
| 15 | Philippines | 13.71 |
| 16 | UAE | 13.64 |
| 17 | Djibouti | 13.47 |
| 18 | Morocco | 13.35 |
| 19 | Belarus | 13.34 |
| 20 | Saudi Arabia | 13.30 |

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.
These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.
On average, 10.97% of Internet user computers worldwide experienced at least one Malware-class attack.
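The per-country rating method described in this section (unique attacked users as a share of all product users in the country, Malware-class verdicts only, small countries excluded), worked through as an added example that is not Kaspersky's own code. The verdict names are taken from this report's tables; the country codes, user IDs, user counts and the event tuple layout are constructed assumptions.

```python
from collections import defaultdict

# Verdict classes the report's ratings leave out (potentially unwanted programs).
# Assumption: only the two classes the report names are excluded here.
EXCLUDED_CLASSES = {"risktool", "adware"}


def verdict_class(verdict: str) -> str:
    """'Trojan-Dropper.AndroidOS.Necro.n' -> 'trojan-dropper'."""
    return verdict.split(".", 1)[0].strip().lower()


def country_risk(events, installed_base, min_users=10_000, malware_only=True, top=10):
    """Rank countries by percentage of users with at least one detection.

    events         -- iterable of (user_id, country, verdict) tuples
    installed_base -- {country: number of all product users in that country}
    min_users      -- countries with fewer users are left out of the rating
    malware_only   -- drop RiskTool/AdWare detections, as the report does
    """
    attacked = defaultdict(set)
    for user_id, country, verdict in events:
        if malware_only and verdict_class(verdict) in EXCLUDED_CLASSES:
            continue
        attacked[country].add(user_id)  # a set counts each user once
    rating = [
        (country, round(100.0 * len(attacked[country]) / total, 2))
        for country, total in installed_base.items()
        if total >= min_users
    ]
    rating.sort(key=lambda row: (-row[1], row[0]))
    return rating[:top]


# Constructed telemetry: placeholder countries AA, BB and CC.
INSTALLED_BASE = {"AA": 20_000, "BB": 50_000, "CC": 900}
EVENTS = (
    [(f"aa-{i}", "AA", "Trojan.Win32.Zbot") for i in range(3000)]
    # The same 500 users are hit a second time: they must not be counted twice.
    + [(f"aa-{i}", "AA", "Backdoor.Win32.Emotet") for i in range(500)]
    # 2,000 further users saw adware only: outside the Malware class.
    + [(f"aa-{i}", "AA", "AdWare.OSX.Pirrit.j") for i in range(3000, 5000)]
    + [(f"bb-{i}", "BB", "Trojan-Banker.Win32.RTM") for i in range(4000)]
    + [(f"bb-{i}", "BB", "RiskTool.AndroidOS.Dnotua.yfe") for i in range(4000, 9000)]
    # CC has a very high share but too few users to be rated.
    + [(f"cc-{i}", "CC", "Virus.Win32.Nimnul") for i in range(800)]
)

if __name__ == "__main__":
    print("report method:       ", country_risk(EVENTS, INSTALLED_BASE))
    print("incl. RiskTool/adware:", country_risk(EVENTS, INSTALLED_BASE, malware_only=False))
    print("no user threshold:    ", country_risk(EVENTS, INSTALLED_BASE, min_users=0))
```

Comparing the three calls shows how much the class filter and the user threshold move the ranking, which matters when these percentages are set against figures from a source that counts detections instead of unique users.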

Geography of malicious web-based attacks, Q3 2019
Local threats
Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q3 2019, our File Anti-Virus detected 230,051,054 malicious and potentially unwanted objects.
Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.
Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

|   | Country* | % of attacked users** |
|---|---|---|
| 1 | Afghanistan | 53.45 |
| 2 | Tajikistan | 48.43 |
| 3 | Yemen | 48.39 |
| 4 | Uzbekistan | 48.38 |
| 5 | Turkmenistan | 45.95 |
| 6 | Myanmar | 45.27 |
| 7 | Ethiopia | 44.18 |
| 8 | Laos | 43.24 |
| 9 | Bangladesh | 42.96 |
| 10 | Mozambique | 41.58 |
| 11 | Syria | 41.15 |
| 12 | Vietnam | 41.11 |
| 13 | Iraq | 41.09 |
| 14 | Sudan | 40.18 |
| 15 | Kyrgyzstan | 40.06 |
| 16 | China | 39.94 |
| 17 | Rwanda | 39.49 |
| 18 | Venezuela | 39.18 |
| 19 | Malawi | 38.81 |
| 20 | Nepal | 38.38 |

These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones and external hard drives.
* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q3 2019
Overall, 21.1% of user computers globally faced at least one Malware-class local threat during Q3.
The figure for Russia was 24.24%.




