In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 24.4%.
Compared to the first quarter of 2023, the percentage decreased by 1.3 pp.
Building automation has historically led the surveyed industries in terms of the percentage of ICS computers on which malicious objects were blocked.
In the first quarter of 2024, the percentage of ICS machines that blocked malicious objects decreased across all industries.
In the first quarter of 2024, Kaspersky’s protection solutions blocked malware from 10,865 different families belonging to various categories on industrial automation systems.
Compared to the previous quarter, the most significant increase in the percentage of ICS computers on which malicious objects of a given category were blocked in the first quarter of 2024 was for AutoCAD malware: it grew by 1.16 times.
The internet, email clients, and removable storage devices remain the primary sources of threats to computers in an organization’s operational technology infrastructure. Note that the sources of blocked threats cannot be reliably identified in all cases.
In the first quarter of 2024, the percentage of ICS computers on which threats from various sources were blocked decreased for every major source.
Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 32.4% in Africa to 11.5% in Northern Europe.
The two regions with the highest percentage of attacked ICS computers, Africa and Southeast Asia, saw their percentages increase from the previous quarter.
Malicious objects that are used for initial infection of computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.
By cybercriminals’ logic, these malicious objects can spread easily. As a result, they are blocked by security solutions more often than everything else. This is also reflected in our statistics.
Globally and in almost all regions, denylisted internet resources and malicious scripts and phishing pages occupy first place in the rankings of malware categories by percentage of ICS computers on which this malware is blocked.
The sources of most malicious objects used for initial infection are the internet and email. The leading regions by percentage of ICS computers on which threats from these sources were blocked are the following:
Internet threats
Email threats
The leading regions by percentage of ICS computers on which denylisted internet resources were blocked were:
The leading regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were:
The leading regions by percentage of ICS computers on which malicious documents were blocked were:
Malicious objects used for initial infection of computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers.
Among the miners designed to run on Windows, some of the most common are those distributed by attackers in the form of NSIS installer files with legitimate software.
As a rule, the higher the percentage of ICS computers on which initial infection malware is blocked, the higher the percentage of next-stage malware.
The three leading regions by percentage of ICS computers on which spyware was blocked were as follows:
Spyware ranks no higher than third place in the threat category rankings by percentage of ICS computers on which it was blocked in almost every region except for:
The leading regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked were:
Miners in the form of Windows executable files are seventh in the global rankings of threat categories by percentage of ICS computers on which they were blocked.
We should note that during Q1 2024, the percentage of ICS computers on which miners in the form of Windows executable files were blocked increased in all regions except for Russia and Central Asia.
The leading regions by percentage of ICS computers on which browser-based web miners were blocked were:
In the regional rankings of threat categories by percentage of ICS computers on which they were blocked, web miners ended up in fifth place in the following regions:
Globally, this threat ranked eighth.
In Q1 2024, the percentage of ICS computers on which browser-based web miners were blocked increased in all regions except for Russia and Central Asia.
The regions with the highest percentage of ICS computers on which ransomware was blocked were:
Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.
To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.
In three regions, the percentage of ICS computers on which threats were blocked when connecting removable media was higher than the percentage of ICS computers on which mail threats were blocked, although it was lower in all other regions:
The leading regions by percentage of ICS computers on which worms were blocked were:
Globally, worms are in sixth place in the threat category ranking by percentage of ICS computers on which they were blocked. In similar regional rankings, worms are in fourth place in four regions:
Two of these regions led by percentage of ICS computers on which threats were blocked when connecting removable media:
The leading regions by percentage of ICS computers on which viruses were blocked were:
In Southeast Asia, viruses are in first place (!) in the threat category rankings by percentage of ICS computers on which they were blocked.
Note that two of the three top regions are also leaders by percentage of ICS computers on which network folder threats were blocked.
AutoCAD malware can spread in a variety of ways, so it falls into a separate category.
The same regions that lead in the virus rankings are also the leaders by percentage of ICS computers on which AutoCAD malware was blocked:
Normally, AutoCAD malware is a minor threat that usually comes last in the malware category rankings by percentage of ICS computers on which it is blocked. In Southeast Asia in Q1 2024, this category was fifth.
The full global and regional reports have been published on the Kaspersky ICS CERT website.