IT threat evolution in Q2 2021. PC statistics

2021-08-12 10:00:12
AMR
securelist.com

CVSS3: 10 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Changed; Confidentiality, Integrity and Availability Impact: High)

CVSS2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C (Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete)

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2021:

  • Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.
  • Web antivirus recognized 675,832,360 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.
  • Ransomware attacks were defeated on the computers of 97,451 unique users.
  • Our file antivirus detected 68,294,298 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q2 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 119,252 unique users.

Chart: Number of unique users attacked by financial malware, Q2 2021

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.

Chart: Geography of financial malware attacks, Q2 2021

Top 10 countries by share of attacked users

| # | Country* | %** |
|---|---|---|
| 1 | Turkmenistan | 5.8 |
| 2 | Tajikistan | 5.0 |
| 3 | Afghanistan | 4.2 |
| 4 | Uzbekistan | 3.3 |
| 5 | Lithuania | 2.9 |
| 6 | Sudan | 2.8 |
| 7 | Paraguay | 2.5 |
| 8 | Zimbabwe | 1.6 |
| 9 | Costa Rica | 1.5 |
| 10 | Yemen | 1.5 |

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

In Q2, as per tradition, the most widespread family of bankers was ZeuS/Zbot (17.8%), though its share almost halved, falling by 13 p.p. Second place again went to the CliptoShuffler family (9.9%), whose share also fell, by 6 p.p. The Top 3 is rounded out by SpyEye (8.8%), which added 5 p.p. and climbed from eighth place. Note the disappearance of Emotet from the Top 10, which was predictable given the takedown of its infrastructure in the previous quarter.

Top 10 banking malware families

| # | Name | Verdict | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 17.8 |
| 2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.9 |
| 3 | SpyEye | Trojan-Spy.Win32.SpyEye | 8.8 |
| 4 | Trickster | Trojan.Win32.Trickster | 5.5 |
| 5 | RTM | Trojan-Banker.Win32.RTM | 3.8 |
| 6 | Danabot | Trojan-Banker.Win32.Danabot | 3.6 |
| 7 | Nimnul | Virus.Win32.Nimnul | 3.3 |
| 8 | Cridex | Backdoor.Win32.Cridex | 2.3 |
| 9 | Nymaim | Trojan.Win32.Nymaim | 1.9 |
| 10 | Neurevt | Trojan.Win32.Neurevt | 1.6 |

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly trends and highlights

Attack on Colonial Pipeline and closure of DarkSide

Ransomware attacks on large organizations continued in Q2. Perhaps the most notable event of the quarter was the attack by the DarkSide group on Colonial Pipeline, one of the largest fuel pipeline operators in the US. The incident led to fuel outages and a state of emergency in four states. The results of the investigation, which involved the FBI and several other US government agencies, were reported to US President Joe Biden.

For the cybercriminals, this sudden notoriety proved unwelcome. In their blog, DarkSide's creators heaped the blame on third-party operators. Another post was published stating that DarkSide's developers had lost access to part of their infrastructure and were shutting down the service and the affiliate program.

Another consequence of this high-profile incident was a new rule on the Russian-language forum XSS, where many developers of ransomware, including REvil (also known as Sodinokibi or Sodin), LockBit and Netwalker, advertise their affiliate programs. The new rule forbade the advertising and selling of any ransomware programs on the site. The administrators of other forums popular with cybercriminals took similar decisions.

Closure of Avaddon

Another family of targeted ransomware whose owners shut up shop in Q2 is Avaddon. At the same time as announcing the shutdown, the attackers provided Bleeping Computer with the decryption keys.

Clash with Clop

Ukrainian police raided and arrested members of the Clop group. Law enforcement agencies also deactivated part of the cybercriminals' infrastructure, which did not, however, stop the group's activities.

Attacks on NAS devices

In Q2, cybercriminals stepped up their attacks on network-attached storage (NAS) devices. A new family, Qlocker, appeared, which packs user files into a password-protected 7-Zip archive, while the familiar ech0raix and AgeLocker families gathered steam.

Number of new ransomware modifications

In Q2 2021, we detected 14 new ransomware families and 3,905 new modifications of this malware type.

Chart: Number of new ransomware modifications, Q2 2020 — Q2 2021

Number of users attacked by ransomware Trojans

In Q2 2021, Kaspersky products and technologies protected 97,451 users from ransomware attacks.

Chart: Number of unique users attacked by ransomware Trojans, Q2 2021

Geography of ransomware attacks

Chart: Geography of attacks by ransomware Trojans, Q2 2021

Top 10 countries attacked by ransomware Trojans

| # | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 1.85 |
| 2 | Ethiopia | 0.51 |
| 3 | China | 0.49 |
| 4 | Pakistan | 0.40 |
| 5 | Egypt | 0.38 |
| 6 | Indonesia | 0.36 |
| 7 | Afghanistan | 0.36 |
| 8 | Vietnam | 0.35 |
| 9 | Myanmar | 0.35 |
| 10 | Nepal | 0.33 |

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans

| # | Name | Verdict | %* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.66 |
| 2 | Stop | Trojan-Ransom.Win32.Stop | 19.70 |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.10 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.37 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.08 |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.87 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Agent | 5.19 |
| 8 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.39 |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.48 |
| 10 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.26 |

* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.

Miners

Number of new miner modifications

In Q2 2021, Kaspersky solutions detected 31,443 new modifications of miners.

Chart: Number of new miner modifications, Q2 2021

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 363,516 unique users of Kaspersky products worldwide. At the same time, the number of attacked users gradually decreased during the quarter; in other words, the downward trend in miner activity returned.

Chart: Number of unique users attacked by miners, Q2 2021

Geography of miner attacks

Chart: Geography of miner attacks, Q2 2021

Top 10 countries attacked by miners

| # | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 3.99 |
| 2 | Ethiopia | 2.66 |
| 3 | Rwanda | 2.19 |
| 4 | Uzbekistan | 1.61 |
| 5 | Mozambique | 1.40 |
| 6 | Sri Lanka | 1.35 |
| 7 | Vietnam | 1.33 |
| 8 | Kazakhstan | 1.31 |
| 9 | Azerbaijan | 1.21 |
| 10 | Tanzania | 1.19 |

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

Q2 2021 brought some minor changes to our statistics on exploits used by cybercriminals. In particular, the share of exploits for Microsoft Office dropped to 55.81% of the total number of threats of this type, while the share of exploits targeting popular browsers rose by roughly 3 p.p. to 29.13%.

Chart: Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2021

Microsoft Office exploits most often targeted the memory corruption vulnerability CVE-2018-0802 in the Equation Editor component: when the component processes an object in a specially crafted document, a buffer overflow occurs that lets an attacker execute arbitrary code. Also seen in Q2 was the similar, older vulnerability CVE-2017-11882, a stack buffer overflow in the same component. Lastly, we spotted attempts to exploit CVE-2017-8570, which, like other Microsoft Office bugs, permits arbitrary code execution in vulnerable versions of the software. Both Equation Editor bugs are old and fully patched; Microsoft removed Equation Editor 3.0 from Office in its January 2018 updates, so their continued appearance reflects unpatched machines, and a document that still embeds an Equation.3 object has little legitimate reason to do so.
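Because the Equation Editor bugs above ride inside an embedded OLE object, a cheap first-pass check on inbound documents is to look for the object itself. The following Python script is an added example written for this page, not Kaspersky's code or detection logic; it flags RTF and OLE2 documents that embed an Equation Editor 3.0 object. That is a triage signal, not proof of exploitation, since a legitimate document can embed an equation too. The RTF and CFB markers it uses are the documented ones; the sample documents and the `triage` function's name and result shape are this example's own.

```python
"""Triage check for Office documents that embed an Equation Editor 3.0 object.

Added example for this page, not Kaspersky's detection logic. Equation Editor objects are the
carrier for CVE-2017-11882 / CVE-2018-0802 exploits, so their presence in an inbound document
is a triage signal, not proof of exploitation (legitimate documents can embed equations).
Covered containers:
  * RTF: the object is declared as \\objclass Equation.3, or carried hex-encoded in \\objdata,
    where the OLE1 header holds the ANSI class name "Equation.3".
  * OLE2/CFB (.doc, .xls, .ppt): the object stream is named "Equation Native" and the name is
    stored as UTF-16LE in the directory.
All sample documents below are constructed.
"""
import re
from typing import Dict, List

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"               # OLE2 compound file signature
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")  # stream name as stored in CFB
EQUATION3_HEX = b"Equation.3".hex().encode("ascii")            # "4571756174696f6e2e33"

_RTF_OBJCLASS = re.compile(rb"\\objclass\s+Equation\.\d", re.IGNORECASE)
_RTF_OBJDATA = re.compile(rb"\\objdata\b([^{}]*)", re.IGNORECASE | re.DOTALL)


def scan_rtf(data: bytes) -> List[str]:
    hits = []
    if _RTF_OBJCLASS.search(data):
        hits.append("rtf:objclass Equation")
    for m in _RTF_OBJDATA.finditer(data):
        # attackers split and upper-case the hex; normalise before matching
        blob = re.sub(rb"\s+", b"", m.group(1)).lower()
        if EQUATION3_HEX in blob:
            hits.append("rtf:objdata Equation.3")
            break
    return hits


def scan_cfb(data: bytes) -> List[str]:
    return ["cfb:Equation Native stream"] if EQUATION_NATIVE_UTF16 in data else []


def triage(data: bytes) -> Dict[str, object]:
    if data.startswith(CFB_MAGIC):
        fmt, hits = "cfb", scan_cfb(data)
    elif data.lstrip().startswith(b"{\\rt"):
        # Word also opens files whose header is truncated to "{\rt", a common evasion
        fmt, hits = "rtf", scan_rtf(data)
    else:
        fmt, hits = "other", []
    return {"format": fmt, "equation_object": bool(hits), "indicators": hits}


# --- constructed samples ---------------------------------------------------------
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000" + EQUATION3_HEX + b"00}}}"
)
# no \objclass, header truncated, hex upper-cased and split across lines
SAMPLE_RTF_OBFUSCATED = (
    b"{\\rt{\\object\\objemb{\\*\\objdata\n0105000002000000\r\n"
    + EQUATION3_HEX.upper() + b"\n}}}"
)
SAMPLE_CFB = CFB_MAGIC + b"\x00" * 24 + EQUATION_NATIVE_UTF16 + b"\x00" * 8
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report}"

if __name__ == "__main__":
    for name, doc in [("rtf", SAMPLE_RTF), ("rtf-obf", SAMPLE_RTF_OBFUSCATED),
                      ("cfb", SAMPLE_CFB), ("benign", SAMPLE_BENIGN_RTF)]:
        print(name, triage(doc))
```

Feed `triage(open(path, "rb").read())` the attachments from a mail gateway or a sandbox queue; a hit only says "this document carries an Equation Editor object", which on a patched estate is still worth a second look because nothing legitimately produced after early 2018 should embed one. The CFB check is deliberately a raw byte search rather than a full compound-file parse, so it also catches the stream name inside malformed containers that a strict parser would reject.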

Q2 2021 was marked by the emergence of several dangerous vulnerabilities in various versions of the Microsoft Windows family, many of them observed in the wild. Kaspersky alone found three vulnerabilities used in targeted attacks:

  • CVE-2021-28310 — an out-of-bounds (OOB) write vulnerability in the Microsoft DWM Core library used in Desktop Window Manager. Due to insufficient checks in the data array code, an unprivileged user using the DirectComposition API can write their own data to the memory areas they control. As a result, the data of real objects is corrupted, which, in turn, can lead to the execution of arbitrary code;
  • CVE-2021-31955 — an information disclosure vulnerability that exposes information about kernel objects. Together with other exploits, it allows an intruder to attack a vulnerable system;
  • CVE-2021-31956 — a vulnerability in the ntfs.sys file system driver. It causes incorrect checking of transferred sizes, allowing an attacker to inflict a buffer overflow by manipulating parameters.

You can read more about these vulnerabilities and their exploitation in our articles PuzzleMaker attacks with Chrome zero-day exploit chain and Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild.

Other security researchers found a number of browser vulnerabilities, including:

  • CVE-2021-33742 — a bug in the Microsoft Trident browser engine (MSHTML) that allows writing data outside the memory of operable objects;
  • Three Google Chrome vulnerabilities found in the wild that exploit bugs in various browser components: CVE-2021-30551 — a data type confusion vulnerability in the V8 scripting engine; CVE-2021-30554 — a use-after-free vulnerability in the WebGL component; and CVE-2021-21220 — a heap corruption vulnerability;
  • Three vulnerabilities in the WebKit browser engine, now used mainly in Apple products (for example, the Safari browser), were also found in the wild: CVE-2021-30661 — a use-after-free vulnerability; CVE-2021-30665 — a memory corruption vulnerability; and CVE-2021-30663 — an integer overflow vulnerability.

All of these vulnerabilities allow a cybercriminal to attack a system unnoticed if the user opens a malicious site in an unpatched browser.

In Q2, two similar vulnerabilities were found (CVE-2021-31201 and CVE-2021-31199), exploiting integer overflow bugs in the Microsoft Windows Cryptographic Provider component. Using these vulnerabilities, an attacker could prepare a special signed document that would ultimately allow the execution of arbitrary code in the context of an application that uses the vulnerable library.

But the biggest talking point of the quarter was the critical vulnerabilities CVE-2021-1675 and CVE-2021-34527 in the Microsoft Windows Print Spooler, present in both server and client editions. Their discovery, together with a public proof of concept, caused a stir in both the expert community and the media, which dubbed one of the vulnerabilities PrintNightmare. Exploitation is quite trivial: the Print Spooler service is enabled by default in Windows, and the vulnerable functionality is reachable by authenticated but otherwise unprivileged users, including remote ones, who can invoke it over RPC. As a result, an attacker with low-level access can take over not only a local machine but also a domain controller, if these systems have not been updated or the available mitigations (disabling the Print Spooler service where it is not needed, or disabling inbound remote printing through Group Policy) have not been applied.

Among the network threats in Q2 2021, attempts to brute-force passwords for popular protocols and services (RDP, SSH, MSSQL, etc.) remain common. Attacks using EternalBlue, EternalRomance and similar exploits are still prevalent, although their share is gradually shrinking. New attacks include CVE-2021-31166, a vulnerability in the Microsoft Windows HTTP protocol stack (HTTP.sys) that causes a denial of service while web-server requests are processed. To gain control over target systems, attackers also use the previously found NetLogon vulnerability CVE-2020-1472 (Zerologon) and, for servers running Microsoft Exchange Server, the vulnerabilities discovered while researching targeted attacks by the HAFNIUM group (the ProxyLogon chain).
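The brute-force attempts mentioned above are easy to spot in authentication logs once failures are counted per source over a short window. The following Python detector is an added example for this page, not a Kaspersky tool; it parses OpenSSH syslog lines and MSSQL ERRORLOG "Login failed" lines and raises one alert per source and service when five failures land within 60 seconds. The threshold, the window, the syslog year and every log line are constructed assumptions; the two line formats are the ones the respective services actually write.

```python
"""Sliding-window brute-force detector for authentication logs.

Added example for this page, not a Kaspersky tool. Parses two common failed-login formats,
OpenSSH syslog lines and MSSQL ERRORLOG "Login failed" lines, and alerts when one source IP
accumulates THRESHOLD failures against one service within WINDOW_SECONDS. Threshold, window,
the syslog year and every log line below are constructed; lines are assumed to arrive in
time order, as they do when tailing a log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple, Optional, Set, Tuple

WINDOW_SECONDS = 60
THRESHOLD = 5
SYSLOG_YEAR = 2021  # syslog timestamps carry no year; assumption for the sample

_SSH = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
_MSSQL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)


class Failure(NamedTuple):
    ts: datetime
    service: str
    user: str
    ip: str


class Alert(NamedTuple):
    ip: str
    service: str
    failures: int      # failures inside the window when the alert fired
    first: datetime
    last: datetime
    users: int         # distinct usernames tried by this source (spraying indicator)


def parse_line(line: str) -> Optional[Failure]:
    m = _SSH.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return Failure(ts, "ssh", m["user"], m["ip"])
    m = _MSSQL.match(line)
    if m:
        return Failure(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "mssql", m["user"], m["ip"])
    return None  # successful logins and unrelated lines are ignored


def detect(lines: List[str]) -> List[Alert]:
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    users: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    alerted: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for f in filter(None, map(parse_line, lines)):
        key = (f.ip, f.service)
        q = windows[key]
        q.append(f.ts)
        users[key].add(f.user)
        # expire failures older than the window, measured from the newest event
        while (f.ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:   # one alert per source and service
            alerted.add(key)
            alerts.append(Alert(f.ip, f.service, len(q), q[0], f.ts, len(users[key])))
    return alerts


# constructed log lines: one SSH source hammering three usernames, one user typo,
# and an MSSQL source whose failures are spread too thinly to cross the threshold
_MSSQL_REASON = "Reason: Password did not match that for the login provided."
SAMPLE_LOG = [
    "Jun 12 10:00:01 host1 sshd[4242]: Failed password for root from 203.0.113.10 port 50001 ssh2",
    "Jun 12 10:00:03 host1 sshd[4243]: Failed password for invalid user admin from 203.0.113.10 port 50002 ssh2",
    "Jun 12 10:00:05 host1 sshd[4244]: Failed password for root from 203.0.113.10 port 50003 ssh2",
    "Jun 12 10:00:07 host1 sshd[4245]: Failed password for invalid user test from 203.0.113.10 port 50004 ssh2",
    "Jun 12 10:00:09 host1 sshd[4246]: Failed password for root from 203.0.113.10 port 50005 ssh2",
    "Jun 12 10:00:20 host1 sshd[4247]: Failed password for alice from 198.51.100.7 port 50100 ssh2",
    "Jun 12 10:00:22 host1 sshd[4248]: Accepted password for alice from 198.51.100.7 port 50100 ssh2",
    f"2021-06-12 10:01:00.12 Logon       Login failed for user 'sa'. {_MSSQL_REASON} [CLIENT: 203.0.113.10]",
    f"2021-06-12 10:01:01.33 Logon       Login failed for user 'sa'. {_MSSQL_REASON} [CLIENT: 203.0.113.10]",
    f"2021-06-12 10:01:02.40 Logon       Login failed for user 'sa'. {_MSSQL_REASON} [CLIENT: 203.0.113.10]",
    f"2021-06-12 10:03:30.01 Logon       Login failed for user 'sa'. {_MSSQL_REASON} [CLIENT: 203.0.113.10]",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.service} brute force from {a.ip}: {a.failures} failures, "
              f"{a.users} usernames, {a.first:%H:%M:%S}-{a.last:%H:%M:%S}")
```

On the sample, only the SSH source trips the detector (five failures in eight seconds across three usernames); the MSSQL failures from the same address never reach five inside any 60-second window, which is the case a naive per-day counter would miss in the other direction, flagging slow guessing that never exceeds a few attempts a minute. Tune the threshold per service: RDP and MSSQL lockout policies usually justify a lower one than SSH.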

Attacks on macOS

As for threats to the macOS platform, Q2 will be remembered primarily for the appearance of new samples of the XCSSET Trojan. Designed to steal data from browsers and other applications, the malware is notable for spreading by infecting projects in the Xcode development environment. The Trojan is a bash script packed with the SHC utility, which wraps the script in a native binary; this lets it get past macOS protections that do not block script execution. During execution, the SHC stub uses the RC4 algorithm to decrypt the payload, which in turn downloads additional modules.

Top 20 threats for macOS

| # | Verdict | %* |
|---|---|---|
| 1 | AdWare.OSX.Pirrit.j | 14.47 |
| 2 | AdWare.OSX.Pirrit.ac | 13.89 |
| 3 | AdWare.OSX.Pirrit.o | 10.21 |
| 4 | AdWare.OSX.Pirrit.ae | 7.96 |
| 5 | AdWare.OSX.Bnodlero.at | 7.94 |
| 6 | Monitor.OSX.HistGrabber.b | 7.82 |
| 7 | Trojan-Downloader.OSX.Shlayer.a | 7.69 |
| 8 | AdWare.OSX.Bnodlero.bg | 7.28 |
| 9 | AdWare.OSX.Pirrit.aa | 6.84 |
| 10 | AdWare.OSX.Pirrit.gen | 6.44 |
| 11 | AdWare.OSX.Cimpli.m | 5.53 |
| 12 | Trojan-Downloader.OSX.Agent.h | 5.50 |
| 13 | Backdoor.OSX.Agent.z | 4.64 |
| 14 | Trojan-Downloader.OSX.Lador.a | 3.92 |
| 15 | AdWare.OSX.Bnodlero.t | 3.64 |
| 16 | AdWare.OSX.Bnodlero.bc | 3.36 |
| 17 | AdWare.OSX.Ketin.h | 3.25 |
| 18 | AdWare.OSX.Bnodlero.ay | 3.08 |
| 19 | AdWare.OSX.Pirrit.q | 2.84 |
| 20 | AdWare.OSX.Pirrit.x | 2.56 |

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As in the previous quarter, a total of 15 of the Top 20 threats for macOS are adware programs. The Pirrit and Bnodlero families have traditionally stood out from the crowd, with the former accounting for two-thirds of the total number of threats.

Geography of threats for macOS

Chart: Geography of threats for macOS, Q2 2021

Top 10 countries by share of attacked users

| # | Country* | %** |
|---|---|---|
| 1 | India | 3.77 |
| 2 | France | 3.67 |
| 3 | Spain | 3.45 |
| 4 | Canada | 3.08 |
| 5 | Italy | 3.00 |
| 6 | Mexico | 2.88 |
| 7 | Brazil | 2.82 |
| 8 | USA | 2.69 |
| 9 | Australia | 2.53 |
| 10 | Great Britain | 2.33 |

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q2 2021, first place by share of attacked users went to India (3.77%), where adware applications from the Pirrit family were most frequently encountered. A comparable situation was observed in France (3.67%) and Spain (3.45%), which ranked second and third, respectively.

IoT attacks

IoT threat statistics

In Q2 2021, as before, most of the attacks on Kaspersky traps came via the Telnet protocol.

Telnet 70.55%
SSH 29.45%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q2 2021

The statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.

Telnet 63.06%
SSH 36.94%

Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2021

Top 10 threats delivered to IoT devices via Telnet

| # | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 30.25% |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 27.93% |
| 3 | Backdoor.Linux.Mirai.ba | 5.82% |
| 4 | Backdoor.Linux.Agent.bc | 5.10% |
| 5 | Backdoor.Linux.Gafgyt.a | 4.44% |
| 6 | Trojan-Downloader.Shell.Agent.p | 3.22% |
| 7 | RiskTool.Linux.BitCoinMiner.b | 2.90% |
| 8 | Backdoor.Linux.Gafgyt.bj | 2.47% |
| 9 | Backdoor.Linux.Mirai.cw | 2.52% |
| 10 | Backdoor.Linux.Mirai.ad | 2.28% |

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.
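The two Telnet/SSH splits above and the Top 10 of payloads delivered over Telnet are three different denominators over the same honeypot session data, which is why the first two disagree: a single source can open many sessions. The following Python code is an added example for this page, not Kaspersky's honeypot tooling; it computes all three from a constructed list of sessions and shows how one prolific source pushes the per-session share of a service above its per-IP share. The `Session` record, the function names and the sample addresses are this example's assumptions; the two verdict names are taken from the table.

```python
"""Three denominators over one set of honeypot sessions.

Added example for this page, not Kaspersky's honeypot tooling. The session records are
constructed: a few source addresses attacking Telnet and SSH on an IoT honeypot, some of
which fetched a payload after logging in.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Session(NamedTuple):
    src_ip: str
    service: str               # "telnet" or "ssh"
    delivered: Optional[str]   # verdict of the payload fetched after a successful login, or None


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 2) if whole else 0.0


def share_by_unique_ip(sessions: Iterable[Session]) -> Dict[str, float]:
    """Share of each service by distinct attacking IPs (an IP hitting both services counts in both)."""
    ips = defaultdict(set)
    for s in sessions:
        ips[s.service].add(s.src_ip)
    total = sum(len(v) for v in ips.values())
    return {svc: _pct(len(v), total) for svc, v in ips.items()}


def share_by_session(sessions: Iterable[Session]) -> Dict[str, float]:
    """Share of each service by number of sessions; prolific sources weigh more here."""
    counts = Counter(s.service for s in sessions)
    total = sum(counts.values())
    return {svc: _pct(n, total) for svc, n in counts.items()}


def delivered_threat_share(sessions: Iterable[Session], service: str = "telnet") -> Dict[str, float]:
    """Share of each verdict among payloads delivered after a successful attack on `service`."""
    counts = Counter(s.delivered for s in sessions if s.service == service and s.delivered)
    total = sum(counts.values())
    return {verdict: _pct(n, total) for verdict, n in counts.most_common()}


def top_sources(sessions: Iterable[Session], service: str, n: int = 3) -> List[Tuple[str, int]]:
    """Sources with the most sessions against `service`; explains gaps between the two shares."""
    return Counter(s.src_ip for s in sessions if s.service == service).most_common(n)


def _constructed_sessions() -> List[Session]:
    s: List[Session] = []
    # one prolific Telnet source: six sessions, three of them fetching Mirai
    s += [Session("203.0.113.1", "telnet", "Backdoor.Linux.Mirai.b" if i < 3 else None) for i in range(6)]
    s += [Session("203.0.113.2", "telnet", None)]
    s += [Session("203.0.113.3", "telnet", "Trojan-Downloader.Linux.NyaDrop.b")]
    # SSH: three distinct sources with one or two sessions each, plus the Telnet source again
    s += [Session("198.51.100.1", "ssh", None)] * 2
    s += [Session("198.51.100.2", "ssh", None), Session("198.51.100.3", "ssh", None)]
    s += [Session("203.0.113.1", "ssh", None)]
    return s


SAMPLE_SESSIONS = _constructed_sessions()

if __name__ == "__main__":
    print("by unique IP:", share_by_unique_ip(SAMPLE_SESSIONS))
    print("by session:  ", share_by_session(SAMPLE_SESSIONS))
    print("via telnet:  ", delivered_threat_share(SAMPLE_SESSIONS))
    print("top telnet sources:", top_sources(SAMPLE_SESSIONS, "telnet"))
```

On the sample, SSH leads by unique IPs (four addresses to Telnet's three) while Telnet leads by sessions (eight to five), entirely because 203.0.113.1 opened six Telnet sessions. When reading the report's figures, the per-IP split is the better measure of how many distinct attackers target a protocol; the per-session split better reflects load. The delivered-payload table has a third denominator again, successful sessions that fetched something, so its percentages are not comparable to either split.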

Detailed IoT threat statistics are published in our Q2 2021 DDoS report: https://securelist.com/ddos-attacks-in-q2-2021/103424/#attacks-on-iot-honeypots

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create such sites deliberately; web resources with user-created content (for example, forums) and hacked legitimate resources can also become infected.

Countries that serve as sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q2 2021, Kaspersky solutions blocked 1,686,025,551 attacks from online resources located across the globe. 675,832,360 unique URLs were recognized as malicious by Web Anti-Virus components.

Chart: Distribution of web-attack sources by country, Q2 2021

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| # | Country* | % of attacked users** |
|---|---|---|
| 1 | Belarus | 23.65 |
| 2 | Mauritania | 19.04 |
| 3 | Moldova | 18.88 |
| 4 | Ukraine | 18.37 |
| 5 | Kyrgyzstan | 17.53 |
| 6 | Algeria | 17.51 |
| 7 | Syria | 15.17 |
| 8 | Uzbekistan | 15.16 |
| 9 | Kazakhstan | 14.80 |
| 10 | Tajikistan | 14.70 |
| 11 | Russia | 14.54 |
| 12 | Yemen | 14.38 |
| 13 | Tunisia | 13.40 |
| 14 | Estonia | 13.36 |
| 15 | Latvia | 13.23 |
| 16 | Libya | 13.04 |
| 17 | Armenia | 12.95 |
| 18 | Morocco | 12.39 |
| 19 | Saudi Arabia | 12.16 |
| 20 | Macao | 11.67 |

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average during the quarter, 9.43% of Internet users' computers worldwide were subjected to at least one Malware-class web attack.

Chart: Geography of web-based malware attacks, Q2 2021

Local threats

In this section, we analyze statistical data obtained from the on-access scan (OAS) and on-demand scan (ODS) modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or on removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs inside complex installers, encrypted files, etc.).

In Q2 2021, our File Anti-Virus detected 68,294,298 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| # | Country* | % of attacked users** |
|---|---|---|
| 1 | Turkmenistan | 49.38 |
| 2 | Tajikistan | 48.11 |
| 3 | Afghanistan | 46.52 |
| 4 | Uzbekistan | 44.21 |
| 5 | Ethiopia | 43.69 |
| 6 | Yemen | 43.64 |
| 7 | Cuba | 38.71 |
| 8 | Myanmar | 36.12 |
| 9 | Syria | 35.87 |
| 10 | South Sudan | 35.22 |
| 11 | China | 35.14 |
| 12 | Kyrgyzstan | 34.91 |
| 13 | Bangladesh | 34.63 |
| 14 | Venezuela | 34.15 |
| 15 | Benin | 32.94 |
| 16 | Algeria | 32.83 |
| 17 | Iraq | 32.55 |
| 18 | Madagascar | 31.68 |
| 19 | Mauritania | 31.60 |
| 20 | Belarus | 31.38 |

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Chart: Geography of local infection attempts, Q2 2021

On average worldwide, Malware-class local threats were recorded on 15.56% of users' computers at least once during the quarter. Russia scored 17.52% in this rating.
