The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.
In Q2 2024:
In April 2024, a criminal who developed a packer that was allegedly used by the Conti and Lockbit groups to evade antivirus detection was arrested in Kyiv. According to Dutch police, the arrested individual was directly involved in at least one attack using the Conti ransomware in 2021. The criminal has already been charged.
In May, a member of the REvil group, arrested back in October 2021, was sentenced to 13 years in prison and ordered to pay $16 million. The cybercriminal was involved in over 2,500 REvil attacks, resulting in more than $700 million in total damages.
In June, the FBI announced that it had obtained over 7,000 decryption keys for files encrypted by Lockbit ransomware attacks. The Bureau encourages victims to contact the Internet Crime Complaint Center (IC3) at ic3.gov.
According to the UK’s National Crime Agency (NCA) and the US Department of Justice, the Lockbit group amassed up to $1 billion in its attacks from June 2022 to February 2024.
The CVE-2024-26169 privilege escalation vulnerability, patched by Microsoft in March 2024, was likely exploited in attacks by the Black Basta group. Some evidence suggests that at the time of the exploitation, this vulnerability was still unpatched, making it a zero-day vulnerability.
In June 2024, a massive TellYouThePass ransomware attack was launched, exploiting the CVE-2024-4577 vulnerability in PHP. This attack targeted Windows servers with certain PHP configurations, including those with the default XAMPP stack. The attackers scanned public IP address ranges and automatically infected vulnerable servers, demanding 0.1 BTC as ransom. Although this is a relatively small amount, the scale of the attacks could have yielded substantial profits. In recent years, this method has not been used as frequently due to its cost for attackers, who instead prefer targeted attacks with the hands-on involvement of operators. However, in this case, the attackers employed the time-tested approach.
Here are the most active ransomware groups based on the number of victims added to their DLSs (data leak sites). In Q2 2024, the Play group was the most active, publishing data on 12% of all new ransomware victims. Cactus came in second (7.74%), followed by RansomHub (7.50%).
The percentage of victims of a particular group (according to its DLS) among victims of all groups published on all DLSs examined during the reporting period
In Q2 2024, we discovered five new ransomware families and 4,456 new ransomware variants.
Number of new ransomware modifications, Q2 2023 – Q2 2024
In Q2 2024, Kaspersky solutions protected 85,819 unique users from ransomware Trojans.
Number of unique users attacked by ransomware Trojans, Q2 2024
# | Country/territory* | % of users attacked by ransomware** |
1 | Pakistan | 0.84% |
2 | South Korea | 0.72% |
3 | Bangladesh | 0.54% |
4 | China | 0.53% |
5 | Iran | 0.52% |
6 | Libya | 0.51% |
7 | Tajikistan | 0.50% |
8 | Mozambique | 0.49% |
9 | Angola | 0.41% |
10 | Rwanda | 0.40% |
*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by ransomware Trojans out of all unique Kaspersky product users in that country or territory.
# | Name | Verdicts* | Share of attacked users** |
1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 22.12% |
2 | WannaCry | Trojan-Ransom.Win32.Wanna | 9.51% |
3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 6.94% |
4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 5.42% |
5 | Lockbit | Trojan-Ransom.Win32.Lockbit | 4.71% |
6 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.88% |
7 | PolyRansom/VirLock | Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom | 2.80% |
8 | (generic verdict) | Trojan-Ransom.Win32.Phny | 2.61% |
9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.58% |
10 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 2.11% |
*Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
**Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.
In Q2 2024, Kaspersky products detected 36,380 new miner variants.
Number of new miner modifications, Q2 2024
In Q2 2024, we detected attacks using miners on 339,850 unique Kaspersky users worldwide.
Number of unique users attacked by miners, Q2 2024
# | Country/territory* | % of users attacked by miners** |
1 | Tajikistan | 2.40% |
2 | Venezuela | 1.90% |
3 | Kazakhstan | 1.63% |
4 | Ethiopia | 1.58% |
5 | Kyrgyzstan | 1.49% |
6 | Belarus | 1.48% |
7 | Uzbekistan | 1.36% |
8 | Ukraine | 1.05% |
9 | Panama | 1.03% |
10 | Mozambique | 1.01% |
*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by miners out of all unique Kaspersky product users in that country or territory.
In Q2 2024, numerous samples of the spyware Trojan-PSW.OSX.Amos (also known as Cuckoo) were found. This spyware is notable for requesting an administrator password through osascript, displaying a phishing window. Attackers regularly update and repackage this Trojan to avoid detection.
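One way to hunt for this password prompt in process telemetry, as an added example that is not part of the original report: it flags osascript invocations that show a masked-input dialog. The event format, the sample command lines and the assumption that the prompt is built with AppleScript's `display dialog ... with hidden answer` are constructed for illustration; the report does not give the command line.

```python
import os
import re
import shlex

# Constructed process-execution events (parent process, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("Installer", """osascript -e 'display dialog "Enter your password to continue" default answer "" with hidden answer'"""),
    ("BackupTool", """osascript -e 'display notification "Backup finished" with title "Backup"'"""),
    ("Setup", """osascript -e 'display dialog "Continue with install?" buttons {"No", "Yes"}'"""),
    ("zsh", """/usr/bin/grep "hidden answer" notes.txt"""),
    ("Helper", """/usr/bin/osascript -e 'display dialog "Enter PIN" default answer "" with hidden answer'"""),
    # Truncated telemetry: the closing quote of the script is missing.
    ("Updater", """/usr/bin/osascript -e 'display dialog "Admin password required" default answer "" with hidden answer"""),
]

DIALOG = re.compile(r"\bdisplay\s+dialog\b", re.I)
HIDDEN = re.compile(r"\bhidden\s+answer\b", re.I)   # masked text field (assumed indicator)
CRED = re.compile(r"\b(pass(word|code|phrase)?|administrator|admin)\b", re.I)


def inline_script(cmdline):
    """Return the AppleScript passed with -e if the process is osascript, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to the raw tail of the line
        head, _, tail = cmdline.strip().partition(" ")
        return tail if os.path.basename(head) == "osascript" else None
    if not argv or os.path.basename(argv[0]) != "osascript":
        return None
    return "\n".join(argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e")


def classify(cmdline):
    """'high' for a masked dialog that mentions credentials, 'medium' for any masked dialog."""
    script = inline_script(cmdline)
    if script is None or not (DIALOG.search(script) and HIDDEN.search(script)):
        return None
    return "high" if CRED.search(script) else "medium"


def flag_events(events):
    """Return (index, parent, severity) for every suspicious event."""
    hits = []
    for idx, (parent, cmdline) in enumerate(events):
        severity = classify(cmdline)
        if severity:
            hits.append((idx, parent, severity))
    return hits
```

The parent process is carried through to the result because a masked dialog spawned by a freshly installed or unsigned application deserves more attention than one spawned by a known management tool.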
New versions of the LightRiver/LightSpy spyware were also discovered. This Trojan downloads modules with spyware and backdoor functionality from the server. For example, the modules record the screen or audio, steal browser history, and execute arbitrary console commands.
The percentage of users who encountered a certain malware out of all attacked users of Kaspersky solutions for macOS
The leading active threat continues to be a Trojan capable of downloading adware or other malicious applications. Other common threats include adware and fake “system optimizers” that demand money to “fix” nonexistent issues.
Country/territory | Q1 2024* | Q2 2024* |
Spain | 1.27% | 1.14% |
Mexico | 0.88% | 1.09% |
Hong Kong | 0.73% | 0.97% |
France | 0.93% | 0.93% |
United States | 0.81% | 0.89% |
Italy | 1.11% | 0.87% |
United Kingdom | 0.75% | 0.85% |
India | 0.56% | 0.70% |
Germany | 0.77% | 0.59% |
Brazil | 0.66% | 0.57% |
*Percentage of unique users encountering macOS threats out of all unique Kaspersky product users in that country or territory.
There has been a slight increase of 0.1–0.2 p.p. in the share of attacked users in Mexico, Hong Kong, the United Kingdom, and India. Conversely, we see a slight decline in Spain, Italy, and Germany.
In the second quarter of 2024, the distribution of protocols used by devices attacking Kaspersky honeypots was as follows:
Distribution of attacked services by the number of unique IP addresses of the devices carrying out the attacks, Q1–Q2 2024
The share of attacks using the Telnet protocol continued to grow, reaching 98%.
Distribution of cybercriminal sessions with Kaspersky honeypots, Q1–Q2 2024
Share of a specific threat downloaded to an infected device as a result of a successful attack, out of the total number of downloaded threats
For SSH protocol attacks, the share of attacks from China and India increased, while activity from South Korea slightly declined.
SSH | Q1 2024 | Q2 2024 |
China | 20.58% | 23.37% |
United States | 12.15% | 12.26% |
South Korea | 9.59% | 6.84% |
Singapore | 6.87% | 6.95% |
Germany | 4.97% | 4.13% |
India | 4.52% | 5.24% |
Hong Kong | 3.25% | 3.10% |
Russian Federation | 2.84% | 2.33% |
Brazil | 2.36% | 2.73% |
Japan | 2.36% | 1.92% |
Telnet attacks from China returned to 2023 levels, while the share from India grew.
Telnet | Q1 2024 | Q2 2024 |
China | 41.51% | 30.24% |
India | 17.47% | 22.68% |
Japan | 4.89% | 3.64% |
Brazil | 3.78% | 4.48% |
Russian Federation | 3.12% | 3.85% |
Thailand | 2.95% | 2.37% |
Taiwan | 2.73% | 2.64% |
South Korea | 2.53% | 2.46% |
United States | 2.20% | 2.66% |
Argentina | 1.36% | 1.76% |
The statistics in this section are based on the work of the web antivirus, which protects users at the moment malicious objects are downloaded from a malicious or infected webpage. Cybercriminals intentionally create malicious pages. Web resources with user-created content (such as forums), as well as compromised legitimate sites, can also be infected.
The following statistics show the distribution of countries and territories that were the sources of internet attacks on users’ computers blocked by Kaspersky products (webpages with redirects to exploits, sites with exploits and other malware, botnet control centers, and so on). Any unique host could be the source of one or more web-based attacks.
To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q2 2024, Kaspersky solutions blocked 664,046,455 attacks launched from online resources across the globe. A total of 113,535,455 unique URLs that triggered the web antivirus were recorded.
Distribution of web attack sources by country and territory (Q2 2024)
To assess the risk of malware infection through the internet faced by users’ computers in different countries and territories, we calculated the share of Kaspersky product users who encountered web antivirus detections during the reporting period for each country and territory. This data indicates the aggressiveness of the environment in which computers operate.
The following statistics are based on the detection verdicts of the web antivirus module, provided by Kaspersky product users who consented to share statistical data.
It’s important to note that only attacks involving malicious objects of the Malware class are included in this ranking. Web antivirus detections for potentially dangerous and unwanted programs, such as RiskTool and adware, were not counted.
# | Country/territory* | % of attacked users** |
1 | Moldova | 11.3635 |
2 | Greece | 10.8560 |
3 | Qatar | 10.4018 |
4 | Belarus | 9.8162 |
5 | Argentina | 9.5380 |
6 | Bulgaria | 9.4714 |
7 | South Africa | 9.4128 |
8 | Sri Lanka | 9.1585 |
9 | Kyrgyzstan | 8.8852 |
10 | Lithuania | 8.6847 |
11 | Tunisia | 8.6739 |
12 | Albania | 8.6586 |
13 | North Macedonia | 8.6463 |
14 | Bosnia & Herzegovina | 8.6291 |
15 | Botswana | 8.6254 |
16 | UAE | 8.5993 |
17 | Germany | 8.5887 |
18 | Slovenia | 8.5851 |
19 | Egypt | 8.5582 |
20 | Canada | 8.4985 |
*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users subjected to web attacks by malicious objects of the Malware class out of all unique Kaspersky product users in that country or territory.
On average during the quarter, 7.38% of internet users’ computers worldwide were subjected to at least one Malware-category web attack.
Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The following statistics are based on detection verdicts from the OAS (on-access scan, scanning when accessing a file) and ODS (on-demand scan, scanning launched by a user) antivirus modules, provided by Kaspersky product users who agreed to share statistical data. These statistics take into account malware found directly on users’ computers or on removable media connected to computers, such as flash drives, camera memory cards, phones, and external hard drives.
In the second quarter of 2024, our file antivirus detected 27,394,168 malicious and potentially unwanted objects.
For each country and territory, we calculated the percentage of Kaspersky users on whose computers file antivirus was triggered during the reporting period. This data reflects the level of infection of personal computers across different countries and territories worldwide.
Note that only attacks involving malicious objects of the Malware class are included in this ranking. Detections of potentially dangerous or unwanted programs such as RiskTool and adware were not counted.
# | Country/territory* | % of attacked users** |
1 | Turkmenistan | 44.2517 |
2 | Afghanistan | 39.4972 |
3 | Cuba | 38.3242 |
4 | Yemen | 38.2295 |
5 | Tajikistan | 37.5013 |
6 | Uzbekistan | 32.7085 |
7 | Syria | 31.5546 |
8 | Burundi | 30.5511 |
9 | Bangladesh | 28.3616 |
10 | South Sudan | 28.3293 |
11 | Tanzania | 28.0949 |
12 | Cameroon | 28.0254 |
13 | Niger | 27.9138 |
14 | Algeria | 27.8984 |
15 | Benin | 27.6164 |
16 | Myanmar | 26.6960 |
17 | Venezuela | 26.6944 |
18 | Iran | 26.5071 |
19 | Vietnam | 26.3409 |
20 | Congo | 26.3160 |
*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users on whose computers local Malware-class threats were blocked, out of all unique Kaspersky product users in that country or territory.
On average, 14.2% of users’ computers worldwide encountered at least one local Malware-class threat during the second quarter.
The figure for Russia was 15.68%.