All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. The statistics in this report cover the period from May 2020 to April 2021, inclusive.
Main figures
- 70% of Internet user computers in the EU experienced at least one Malware-class attack.
- In the EU, Kaspersky solutions blocked 115,452,157 web attacks.
- 2,676,988 unique URLs were recognized as malicious by our Web Anti-Virus.
- 377,685 unique malicious objects were blocked by our Web Anti-Virus.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 79,315 users.
- 56,877 unique users in the EU were attacked by ransomware.
- 132,656 unique users in the EU were attacked by miners.
- 40% users of Kaspersky solutions in the EU encountered at least one phishing attack.
- 86,584,675 phishing attempts were blocked by Kaspersky solutions in the EU.
Financial threats
The statistics include not only banking threats, but malware for ATMs and payment terminals.
Number of users attacked by banking malware
During the reporting period, Kaspersky solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 79,315 users.
Number of EU users attacked by financial malware, May 2020 – April 2021 (download)
Threat geography
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware, for each EU country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all attacked users in that country.
Geography of banking malware attacks in the EU, May 2020 – April 2021 (download)
Top 10 EU countries by share of attacked users
Country | %* | |
1 | Cyprus | 1.3 |
2 | Bulgaria | 1.2 |
3 | Greece | 1.1 |
4 | Italy | 1.0 |
5 | Portugal | 1.0 |
6 | Croatia | 0.8 |
7 | Germany | 0.6 |
8 | Latvia | 0.6 |
9 | Poland | 0.6 |
10 | Romania | 0.6 |
* The share of unique users in the EU whose computers were targeted by financial malware in the total number of unique EU users attacked by all kinds of malware.
Top 10 financial malware families
Name | %* | |
1 | Zbot | 24.7 |
2 | Nymaim | 11.5 |
3 | Danabot | 9.9 |
4 | Emotet | 8.9 |
5 | CliptoShuffler | 7.7 |
6 | BitStealer | 5.6 |
7 | SpyEyes | 3.5 |
8 | Gozi | 3.4 |
9 | Dridex | 3.2 |
10 | Trickster | 1.9 |
* The share of unique users in the EU attacked by this malware in the total number of users attacked by financial malware.
Ransomware programs
During the reporting period, we identified more than 17,317 ransomware modifications and detected 25 new families. Note that we did not create a separate family for each new piece of ransomware. Most threats of this type were assigned the generic verdict, which we give to new and unknown samples.
Number of new ransomware modifications detected in the EU, May 2020 – April 2021 (download)
Number of users attacked by ransomware Trojans
During the reporting period, ransomware Trojans attacked 56,877 unique users, including 12,358 corporate users (excluding SMBs) and 2,274 users associated with small and medium-sized businesses.
Number of users in the EU attacked by ransomware Trojans, May 2020 – April 2021 (download)
Threat geography
Geography of attacks in the EU by ransomware Trojans, May 2020 – April 2021 (download)
Top 10 EU countries by share of attacked users
Country | %* | |
1 | Greece | 0.56 |
2 | Cyprus | 0.38 |
3 | Portugal | 0.36 |
4 | Bulgaria | 0.31 |
5 | Hungary | 0.29 |
6 | Italy | 0.29 |
7 | Latvia | 0.28 |
8 | Slovenia | 0.27 |
9 | Spain | 0.26 |
10 | Estonia | 0.23 |
* The share of unique users in the EU country whose computers were targeted by ransomware in the total number of unique users in that country attacked by all kinds of malware.
Top 10 most common families of ransomware Trojans
Name | Verdict | %* | |
1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 14.40 |
2 | (generic verdict) | Trojan-Ransom.Win32.Agent | 12.58 |
3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 10.80 |
4 | (generic verdict) | Trojan-Ransom.Win32.Generic | 5.94 |
5 | Stop | Trojan-Ransom.Win32.Stop | 3.87 |
6 | WannaCry | Trojan-Ransom.Win32.Wanna | 3.20 |
7 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.31 |
8 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.30 |
9 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.97 |
10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.85 |
* The share of unique Kaspersky users attacked by the given family of ransomware Trojans in the total number of users attacked by ransomware Trojans.
Miners
Number of users attacked by miners in the EU
During the reporting period, we detected attempts to install a miner on the computers of 132,656 unique users. Miners accounted for 0.53% of all attacks and 10.31% of all Risktool-type programs
Number of EU users attacked by miners, May 2020 – April 2021 (download)
During the reporting period, Kaspersky products detected Trojan.Win32.Miner.gen (generic verdict) more often than others, which accounted for 13.62% of all users attacked by miners. It was followed by Trojan.Win32.Miner.bbb (8.67%) and Trojan.JS.Miner.m (2.84%).
Threat geography
Geography of miner-related attacks in the EU, May 2020 – April 2021 (download)
Vulnerable applications used by cybercriminals
In 2020, most vulnerabilities were discovered by researchers before attackers could exploit them. However, there was no doing without zero-day vulnerabilities, of which Kaspersky found:
- CVE-2020-1380, a use-after-free vulnerability in the Jscript9 component of Microsoft’s Internet Explorer browser caused by insufficient checks during the generation of optimized JIT code. This vulnerability was most likely used by the APT group DarkHotel at the first stage of system compromise, after which the payload was delivered by an additional exploit that escalated privileges in the system;
- CVE-2020-0986 in the GDI Print/Print Spooler component of Microsoft’s Windows operating system, enabling manipulation of process memory for arbitrary code execution in the context of a system service process. Exploitation of this vulnerability gives attackers the ability to bypass sandboxes, for example, in the browser.
The first quarter of 2021 turned out to be rich not only in well-known vulnerabilities, but also in zero-day ones. In particular, both IT security specialists and cybercriminals showed great interest in the new Microsoft Exchange Server vulnerabilities:
- CVE-2021-26855 — a Service-Side Request Forgery vulnerability that allows an attacker to make a forged server request and execute arbitrary code (RCE);
- CVE-2021-26857 — insecure object deserialization by the Unified Messaging service, which can lead to arbitrary code execution on the server side;
- CVE-2021-26858 — allows an attacker to write data to server files, which can also lead to remote code execution;
- CVE-2021-27065 — similar to CVE-2021-26858, this vulnerability allow an authorized Microsoft Exchange user to write arbitrary code to system files.
These vulnerabilities were found in-the-wild and had been used by APT and ransomware groups.
One more constellation of vulnerabilities that appeared in the infosec sky was a threesome of critical bugs in the popular SolarWinds Orion Platform – CVE-2021-25274, CVE-2021-25275, CVE-2021-25276. Successful exploitation of any of them can cause infection of the system where the platform is installed (mostly, enterprise and government PCs).
Distribution of exploits used in attacks by type of application attacked, May 2020 – April 2021 (download)
The rating of vulnerable applications is based on verdicts by Kaspersky products for blocked exploits used by cybercriminals both in network attacks and in vulnerable local apps, including on users’ mobile devices.
Network attacks were the most common method of system penetration, and a significant portion of them is made up of brute-force attacks on various network services: RDP, Microsoft SQL Server, etc. In addition, the year gone by demonstrated that everything in the Windows operating system is cyclical, and that most of the detected vulnerabilities exist in the same services, for example, in the drivers of the SMB (SMBGhost, SMBBleed), DNS (SigRed) and ICMPv6 (BadNeighbor) network protocols. Two critical vulnerabilities (CVE-2020-0609, CVE-2020-0610) were found in the Remote Desktop Gateway service. An interesting vulnerability, dubbed Zerologon, was also discovered in the NetLogon service. In Q1 2021, researchers found three new vulnerabilities in Windows network stack code related to IPv4/IPv6 protocols processing — CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094. Lastly, despite the fact that exploits for the EternalBlue and EternalRomance families are old, they are still used by attackers.
Attacks on macOS
Top 20 threats for macOS
Verdict | %* | |
1 | Monitor.OSX.HistGrabber.b | 14.50 |
2 | AdWare.OSX.Bnodlero.at | 12.04 |
3 | AdWare.OSX.Bnodlero.ay | 11.42 |
4 | AdWare.OSX.Bnodlero.ax | 10.56 |
5 | AdWare.OSX.Bnodlero.bg | 9.18 |
6 | Trojan-Downloader.OSX.Shlayer.a | 8.06 |
7 | AdWare.OSX.Pirrit.j | 6.23 |
8 | AdWare.OSX.Pirrit.ac | 6.05 |
9 | AdWare.OSX.Ketin.h | 5.30 |
10 | AdWare.OSX.Bnodlero.t | 4.94 |
11 | AdWare.OSX.Bnodlero.av | 4.82 |
12 | Trojan-Downloader.OSX.Agent.h | 4.48 |
13 | AdWare.OSX.Pirrit.o | 4.35 |
14 | AdWare.OSX.Cimpli.k | 3.75 |
15 | AdWare.OSX.Pirrit.gen | 3.75 |
16 | AdWare.OSX.Pirrit.aa | 3.58 |
17 | AdWare.OSX.Ketin.m | 3.22 |
18 | AdWare.OSX.Pirrit.q | 3.20 |
19 | AdWare.OSX.Ketin.l | 3.13 |
20 | AdWare.OSX.Spc.a | 2.87 |
* The share of unique users who encountered this threat in the total number of users of Kaspersky security solutions for macOS who were attacked.
Threat geography
Geography of attacked macOS users in EU, May 2020 – April 2021 (download)
Top 10 EU countries by share of attacked macOS users
Country | %* | |
1 | France | 15.32 |
2 | Spain | 13.99 |
3 | Italy | 11.43 |
4 | Portugal | 9.75 |
5 | Greece | 9.59 |
6 | Germany | 9.41 |
7 | Hungary | 8.60 |
8 | Lithuania | 8.14 |
9 | Poland | 8.10 |
10 | Belgium | 7.94 |
* The share of unique users attacked in the total number of users of Kaspersky security solutions for macOS in the country.
IoT attacks
IoT threat statistics
During the reporting period, more than 80% of attacks on Kaspersky traps were carried out using the Telnet protocol.
Telnet | 81.31% |
SSH | 18.69% |
Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, May 2020 – April 2021
As for distribution of sessions, Telnet also prevails, accounting for three quarters of all working sessions.
Telnet | 75.66% |
SSH | 24.34% |
Distribution of cybercriminal working sessions with Kaspersky traps, May 2020 – April 2021
As a result, devices that carried out attacks using the Telnet protocol were selected to build the map of attackers’ IP addresses.
Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, May 2020 – April 2021 (download)
Top 10 countries by location of devices from which attacks were carried out
Country | %* | |
1 | Greece | 26.84 |
2 | Italy | 18.55 |
3 | Germany | 7.92 |
4 | Spain | 7.46 |
5 | Poland | 5.66 |
6 | France | 5.60 |
7 | Romania | 5.52 |
8 | Sweden | 4.52 |
9 | Netherlands | 3.65 |
10 | Hungary | 2.95 |
* The share of devices from which attacks were carried out in the given country in the total number of devices.
Malware loaded into honeypots
Verdict | %* | |
1 | Backdoor.Linux.Mirai.b | 42.57 |
2 | Trojan-Downloader.Linux.NyaDrop.b | 20.96 |
3 | Backdoor.Linux.Mirai.ba | 9.79 |
4 | Backdoor.Linux.Gafgyt.a | 5.42 |
5 | Backdoor.Linux.Gafgyt.a | 2.74 |
6 | Backdoor.Linux.Gafgyt.bj | 1.44 |
7 | Trojan-Downloader.Shell.Agent.p | 1.31 |
8 | Backdoor.Linux.Agent.bc | 1.20 |
9 | Backdoor.Linux.Mirai.cw | 1.15 |
10 | Backdoor.Linux.Mirai.cn | 0.82 |
* The share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack.
Attacks via web resources
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose, and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.
Countries that are sources of web-based attacks
The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of the specific IP address (GeoIP) is established.
Kaspersky solutions in the EU blocked 115,452,157 attacks launched from online resources across the globe. Moreover, 89.33% of these resources were located in just 10 countries.
Distribution of web attack sources by country, May 2020 – April 2021 (download)
Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by EU users, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.
This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware. Overall, during the reporting period, adware and its components were registered on 89.60% of users’ computers on which Web Anti-Virus was triggered.
Geography of malicious web-based attacks, May 2020 – April 2021 (download)
On average, 13.70% of Internet user computers in the EU experienced at least one Malware-class attack during the reporting period.
Top 10 EU countries where users faced the greatest risk of online infection
Country | %* | |
1 | Latvia | 21.11 |
2 | Greece | 18.50 |
3 | Estonia | 17.52 |
4 | France | 16.81 |
5 | Bulgaria | 14.86 |
6 | Italy | 14.76 |
7 | Portugal | 14.44 |
8 | Lithuania | 14.21 |
9 | Hungary | 13.82 |
10 | Poland | 13.17 |
* The share of unique users targeted by Malware-class attacks in the total number of unique users of Kaspersky products in the country.
Top 20 malicious programs most actively used in online attacks
During the reporting period, Kaspersky’s Web Anti-Virus detected 377,685 unique malicious objects (scripts, exploits, executable files, etc.), as well as 2,676,988 unique malicious URLs on which Web Anti-Virus was triggered. Based on the collected data, we identified the 20 most actively used malicious programs in online attacks on users’ computers.
Verdict* | %** | |
1 | Blocked | 49.22 |
2 | Trojan.Script.Generic | 12.52 |
3 | Hoax.HTML.FraudLoad.m | 8.38 |
4 | Trojan.PDF.Badur.gen | 2.46 |
5 | Trojan.Script.Agent.dc | 2.16 |
6 | Trojan.Multi.Preqw.gen | 2.11 |
7 | Trojan-Downloader.Script.Generic | 1.99 |
8 | Trojan.Script.Miner.gen | 1.56 |
9 | Exploit.MSOffice.CVE-2017-11882.gen | 1.02 |
10 | Trojan-PSW.Script.Generic | 0.91 |
11 | DangerousObject.Multi.Generic | 0.74 |
12 | Trojan.BAT.Miner.gen | 0.74 |
13 | Trojan.MSOffice.SAgent.gen | 0.60 |
14 | Trojan.Script.SAgent.gen | 0.50 |
15 | Trojan-Downloader.MSOffice.SLoad.gen | 0.47 |
16 | Trojan-Downloader.Win32.Upatre.pef | 0.33 |
17 | Trojan-Downloader.JS.Inor.a | 0.30 |
18 | Trojan-Downloader.MSWord.Agent.btl | 0.30 |
19 | Hoax.Script.Dating.gen | 0.27 |
20 | Trojan-Downloader.JS.SLoad.gen | 0.27 |
* Excluded from the list are HackTool-type threats.
** The share of attacks by the given malicious program in the total number of Malware-class web attacks registered on the computers of unique users of Kaspersky products.
Local threats
Statistics on local infections of user computers is an important indicator. They include objects that penetrated the target computer through infecting files or removable storage media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.). These statistics additionally include objects detected on user computers after the first system scan by Kaspersky’s Anti-Virus application.
This section analyzes statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, as well as the results of scanning removable storage media.
Countries where users faced the highest risk of local infection
For each country in the EU, we calculated how often users there encountered a File Anti-Virus triggering during the year. Included are detections of objects found on user computers or removable media connected to them (flash drives, camera/phone memory cards, external hard drives). These statistics reflect the level of personal computer infection in different countries.
Geography of local infections by malware, May 2020 – April 2021 (download)
During the reporting period, on average, at least one piece of malware was detected on 18.77% of computers, hard drives or removable media belonging to KSN users in the EU.
Top 10 EU countries where users faced the greatest risk of local infection
Country | %* | |
1 | Greece | 32.60 |
2 | Bulgaria | 31.55 |
3 | Latvia | 31.38 |
4 | Estonia | 29.48 |
5 | Hungary | 27.88 |
6 | Lithuania | 27.11 |
7 | Portugal | 26.01 |
8 | Cyprus | 25.43 |
9 | Italy | 24.64 |
10 | Spain | 23.57 |
* The share of unique users on whose computers Malware-class local threats were blocked in the total number of unique users of Kaspersky products in the country.
Top 20 malicious objects detected on user computers
We identified the 20 most commonly detected threats on EU users’ computers during the reporting period. Not included are Riskware-type programs and adware.
Verdict* | %** | |
1 | DangerousObject.Multi.Generic | 19.45 |
2 | Trojan.Multi.BroSubsc.gen | 18.53 |
3 | Trojan.Script.Generic | 8.29 |
4 | Trojan.Multi.GenAutorunReg.a | 7.08 |
5 | Trojan.Multi.Misslink.a | 6.75 |
6 | Hoax.Win32.DriverToolKit.b | 2.77 |
7 | Trojan.MSOffice.SAgent.gen | 2.63 |
8 | Exploit.Script.Generic | 2.25 |
9 | Trojan.Win32.SEPEH.gen | 2.00 |
10 | Trojan-Downloader.Script.Generic | 1.91 |
11 | Worm.Win32.WBVB | 1.53 |
12 | Hoax.Win32.Uniblue.gen | 1.33 |
13 | Trojan.Script.Agent.gen | 1.29 |
14 | Trojan-Dropper.Win32.Scrop.adwo | 1.17 |
15 | Trojan.Multi.GenAutorunTask.c | 1.16 |
16 | Trojan.Win32.Generic | 1.12 |
17 | Trojan.Multi.GenBadur.gen | 1.10 |
18 | Trojan.BAT.Miner.gen | 1.09 |
19 | Trojan.Multi.GenAutorunTask.b | 1.07 |
20 | Trojan.Multi.GenAutorunTaskFile.a | 1.05 |
* Excluded from the list are HackTool-type threats.
** The share of unique users on whose computers File Anti-Virus detected the given object in the total number of unique users of Kaspersky products whose Anti-Virus was triggered by malware.
Phishing in the EU
Phishing trends
-
Cloud phishing
We observed that the number of EU-targeted phishing resources on cloud platforms and hosting sites approximately doubled during the reporting period.
-
Cryptocurrency
The number of cryptocurrency-related phishing detections tripled. This category consists of fraudulent sites somehow linked to cryptocurrencies: in most cases, they are fake crypto exchanges that require users to invest money to gain access to an account that allegedly already contain complimentary currency. In fact, users just lose their own money if they try to buy access to such sites.
Another particularly interesting type of phishing we observed in the EU is a mixture of cryptocurrency and COVID-19 themes: fake sites offering COVID-19 vaccines for cryptocurrency.
Example of fake COVID-19 vaccine offer
-
Targeted extortion
In late August 2020, we saw some unusual extortion messages. In them, cybercriminals claimed to have planted TNT somewhere in the recipient’s office, saying it would be detonated unless a ransom was paid or if police activity was observed near the building.
Whereas individuals are asked to cough up the equivalent of $500–1,000 in bitcoin (the maximum we saw was around $5,000), for companies supposedly rigged with explosives the amount rises to roughly $20,000. The bulk of the scam e-mails are written in German, but we found English versions as well.
-
Microsoft Office spear phishing
The trend for harvesting Microsoft 365 credentials through spear phishing continues to evolve. Such phishing e-mails normally contain a hyperlink to a fake website. Sure enough, once many people had absorbed that simple precaution, phishers began replacing the links with attached HTML files, the sole purpose of which is to automate redirection. Clicking on the HTML attachment opens it in a browser. As far as the phishing aspect goes, the file has just one line of code (javascript: window.location.href) with the phishing website address as a variable. It forces the browser to open the website in the same window.
Phishing attacks
In total, 86,584,675 phishing attempts were blocked by Kaspersky solutions in the EU, representing 21.89% of all phishing attacks around the world during the reporting period.
EU share of phishing detections, April 2020 – April 2021 (download)
Threat geography
During the reporting period, approximately 13.4% users of Kaspersky solutions in the EU encountered at least one phishing attack.
Geography of EU phishing, April 2020 – April 2021 (download)
Top 10 EU countries where users faced phishing attacks
Country | %* | |
1 | Portugal | 18.34 |
2 | France | 17.98 |
3 | Belgium | 15.10 |
4 | Greece | 14.98 |
5 | Hungary | 14.87 |
6 | Italy | 14.44 |
7 | Slovakia | 12.77 |
8 | Spain | 12.74 |
9 | Poland | 12.47 |
10 | Latvia | 12.26 |
* The share of unique users targeted by phishing attacks in the total number of unique users of Kaspersky products in the country.
Organizations under attack
The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database.
Pandemic-related events affected the distribution of phishing attacks across the categories of targeted organizations. However, the largest categories remained unchanged as they have done for several years: in the EU during reporting period, these were Global Internet portals (16.08%), Online stores (15.73%) and Payment systems (13.67%).
Share of phishing categories in the EU, April 2020 – April 2021 (download)
Top-level domain (TLD) usage
In the share of EU top-level domains (TLDs), we include all national TLDs belonging to EU member states. In the reporting period, this share amounted to 7.27%.
Distribution of phishing domains by top-level domain, April 2020 – April 2021 (download)
The share decreased significantly (-3 p.p.) at the end of 2020, but in Q1 2021 we observed a slight increase to 5.26%.
Timeline of share of EU top-level domains, Q2 2020 – Q2 2021 (download)
The project leading to this report has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 883464. |