All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from May 2020 to April 2021, inclusive.

Main figures

70% of Internet user computers in the EU experienced at least one Malware-class attack.

In the EU, Kaspersky solutions blocked 115,452,157 web attacks.

2,676,988 unique URLs were recognized as malicious by our Web Anti-Virus.

377,685 unique malicious objects were blocked by our Web Anti-Virus.

Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 79,315 users.

56,877 unique users in the EU were attacked by ransomware.

132,656 unique users in the EU were attacked by miners.

40% of users of Kaspersky solutions in the EU encountered at least one phishing attack.

86,584,675 phishing attempts were blocked by Kaspersky solutions in the EU.

Financial threats

The statistics include not only banking threats, but also malware for ATMs and payment terminals.

Number of users attacked by banking malware

During the reporting period, Kaspersky solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 79,315 users.

Number of EU users attacked by financial malware, May 2020 - April 2021

Threat geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware, for each EU country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all attacked users in that country.

Geography of banking malware attacks in the EU, May 2020 - April 2021

Top 10 EU countries by share of attacked users

| # | Country | %* |
|---|---|---|
| 1 | Cyprus | 1.3 |
| 2 | Bulgaria | 1.2 |
| 3 | Greece | 1.1 |
| 4 | Italy | 1.0 |
| 5 | Portugal | 1.0 |
| 6 | Croatia | 0.8 |
| 7 | Germany | 0.6 |
| 8 | Latvia | 0.6 |
| 9 | Poland | 0.6 |
| 10 | Romania | 0.6 |

* The share of unique users in the EU whose computers were targeted by financial malware in the total number of unique EU users attacked by all kinds of malware.

Top 10 financial malware families

| # | Name | %* |
|---|---|---|
| 1 | Zbot | 24.7 |
| 2 | Nymaim | 11.5 |
| 3 | Danabot | 9.9 |
| 4 | Emotet | 8.9 |
| 5 | CliptoShuffler | 7.7 |
| 6 | BitStealer | 5.6 |
| 7 | SpyEyes | 3.5 |
| 8 | Gozi | 3.4 |
| 9 | Dridex | 3.2 |
| 10 | Trickster | 1.9 |

* The share of unique users in the EU attacked by this malware in the total number of users attacked by financial malware.

Ransomware programs

During the reporting period, we identified more than 17,317 ransomware modifications and detected 25 new families. Note that we did not create a separate family for each new piece of ransomware. Most threats of this type were assigned the generic verdict, which we give to new and unknown samples.

Number of new ransomware modifications detected in the EU, May 2020 - April 2021

Number of users attacked by ransomware Trojans

During the reporting period, ransomware Trojans attacked 56,877 unique users, including 12,358 corporate users (excluding SMBs) and 2,274 users associated with small and medium-sized businesses.

Number of users in the EU attacked by ransomware Trojans, May 2020 - April 2021

Threat geography

Geography of attacks by ransomware Trojans in the EU, May 2020 - April 2021

Top 10 EU countries by share of attacked users

| # | Country | %* |
|---|---|---|
| 1 | Greece | 0.56 |
| 2 | Cyprus | 0.38 |
| 3 | Portugal | 0.36 |
| 4 | Bulgaria | 0.31 |
| 5 | Hungary | 0.29 |
| 6 | Italy | 0.29 |
| 7 | Latvia | 0.28 |
| 8 | Slovenia | 0.27 |
| 9 | Spain | 0.26 |
| 10 | Estonia | 0.23 |

* The share of unique users in the EU country whose computers were targeted by ransomware in the total number of unique users in that country attacked by all kinds of malware.

Top 10 most common families of ransomware Trojans

| # | Name | Verdict | %* |
|---|---|---|---|
| 1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 14.40 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Agent | 12.58 |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 10.80 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Generic | 5.94 |
| 5 | Stop | Trojan-Ransom.Win32.Stop | 3.87 |
| 6 | WannaCry | Trojan-Ransom.Win32.Wanna | 3.20 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.31 |
| 8 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.30 |
| 9 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.97 |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.85 |

* The share of unique Kaspersky users attacked by the given family of ransomware Trojans in the total number of users attacked by ransomware Trojans.

Miners

Number of users attacked by miners in the EU

During the reporting period, we detected attempts to install a miner on the computers of 132,656 unique users. Miners accounted for 0.53% of all attacks and 10.31% of all RiskTool-type programs.

Number of EU users attacked by miners, May 2020 - April 2021

During the reporting period, Kaspersky products detected Trojan.Win32.Miner.gen (generic verdict) more often than others; it accounted for 13.62% of all users attacked by miners. It was followed by Trojan.Win32.Miner.bbb (8.67%) and Trojan.JS.Miner.m (2.84%).

Threat geography

Geography of miner-related attacks in the EU, May 2020 - April 2021

Vulnerable applications used by cybercriminals

In 2020, most vulnerabilities were discovered by researchers before attackers could exploit them. Nonetheless, zero-day vulnerabilities still appeared, and Kaspersky found the following:

CVE-2020-1380, a use-after-free vulnerability in the Jscript9 component of Microsoft's Internet Explorer browser caused by insufficient checks during the generation of optimized JIT code. This vulnerability was most likely used by the APT group DarkHotel at the first stage of system compromise, after which the payload was delivered by an additional exploit that escalated privileges in the system;

CVE-2020-0986 in the GDI Print/Print Spooler component of Microsoft's Windows operating system, enabling manipulation of process memory for arbitrary code execution in the context of a system service process. Exploitation of this vulnerability gives attackers the ability to bypass sandboxes, for example, in the browser.

The first quarter of 2021 turned out to be rich not only in well-known vulnerabilities, but also in zero-day ones. In particular, both IT security specialists and cybercriminals showed great interest in the new Microsoft Exchange Server vulnerabilities:

CVE-2021-26855: a Server-Side Request Forgery vulnerability that allows an attacker to make a forged server request and execute arbitrary code (RCE);

CVE-2021-26857: insecure object deserialization by the Unified Messaging service, which can lead to arbitrary code execution on the server side;

CVE-2021-26858: allows an attacker to write data to server files, which can also lead to remote code execution;

CVE-2021-27065: similar to CVE-2021-26858, this vulnerability allows an authorized Microsoft Exchange user to write arbitrary code to system files.

These vulnerabilities were found in the wild and had been used by APT and ransomware groups.

One more constellation of vulnerabilities that appeared in the infosec sky was a trio of critical flaws in the popular SolarWinds Orion Platform: CVE-2021-25274, CVE-2021-25275 and CVE-2021-25276. Successful exploitation of any of them can cause infection of information systems where the platform is installed (largely enterprise and government PCs).

Distribution of exploits used in attacks by type of application attacked, May 2020 - April 2021

The rating of vulnerable applications is based on verdicts by Kaspersky products for blocked exploits used by cybercriminals both in network attacks and in vulnerable local apps, including on users' mobile devices.

Network attacks were the most common method of system penetration, and a significant portion of them consisted of brute-force attacks on various network services: RDP, Microsoft SQL Server, etc. In addition, the past year demonstrated that everything in the Windows operating system is cyclical, and that most of the detected vulnerabilities exist in the same services, for example, in the drivers of the SMB (SMBGhost, SMBBleed), DNS (SigRed) and ICMPv6 (BadNeighbor) network protocols. Two critical vulnerabilities (CVE-2020-0609, CVE-2020-0610) were found in the Remote Desktop Gateway service. An interesting vulnerability, dubbed Zerologon, was also discovered in the NetLogon service. In Q1 2021, researchers found three new vulnerabilities in Windows network stack code related to IPv4/IPv6 protocol processing: CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094. Lastly, although exploits for the EternalBlue and EternalRomance families are old, they are still used by attackers.

Attacks on macOS

Top 20 threats for macOS

| # | Verdict | %* |
|---|---|---|
| 1 | Monitor.OSX.HistGrabber.b | 14.50 |
| 2 | AdWare.OSX.Bnodlero.at | 12.04 |
| 3 | AdWare.OSX.Bnodlero.ay | 11.42 |
| 4 | AdWare.OSX.Bnodlero.ax | 10.56 |
| 5 | AdWare.OSX.Bnodlero.bg | 9.18 |
| 6 | Trojan-Downloader.OSX.Shlayer.a | 8.06 |
| 7 | AdWare.OSX.Pirrit.j | 6.23 |
| 8 | AdWare.OSX.Pirrit.ac | 6.05 |
| 9 | AdWare.OSX.Ketin.h | 5.30 |
| 10 | AdWare.OSX.Bnodlero.t | 4.94 |
| 11 | AdWare.OSX.Bnodlero.av | 4.82 |
| 12 | Trojan-Downloader.OSX.Agent.h | 4.48 |
| 13 | AdWare.OSX.Pirrit.o | 4.35 |
| 14 | AdWare.OSX.Cimpli.k | 3.75 |
| 15 | AdWare.OSX.Pirrit.gen | 3.75 |
| 16 | AdWare.OSX.Pirrit.aa | 3.58 |
| 17 | AdWare.OSX.Ketin.m | 3.22 |
| 18 | AdWare.OSX.Pirrit.q | 3.20 |
| 19 | AdWare.OSX.Ketin.l | 3.13 |
| 20 | AdWare.OSX.Spc.a | 2.87 |

* The share of unique users who encountered this threat in the total number of users of Kaspersky security solutions for macOS who were attacked.

Threat geography

Geography of attacked macOS users in the EU, May 2020 - April 2021

Top 10 EU countries by share of attacked macOS users

| # | Country | %* |
|---|---|---|
| 1 | France | 15.32 |
| 2 | Spain | 13.99 |
| 3 | Italy | 11.43 |
| 4 | Portugal | 9.75 |
| 5 | Greece | 9.59 |
| 6 | Germany | 9.41 |
| 7 | Hungary | 8.60 |
| 8 | Lithuania | 8.14 |
| 9 | Poland | 8.10 |
| 10 | Belgium | 7.94 |

* The share of unique users attacked in the total number of users of Kaspersky security solutions for macOS in the country.

IoT attacks

IoT threat statistics

During the reporting period, more than 80% of attacks on Kaspersky traps were carried out using the Telnet protocol.

| Protocol | Share |
|---|---|
| Telnet | 81.31% |
| SSH | 18.69% |

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, May 2020 - April 2021

As for the distribution of sessions, Telnet also dominates, accounting for three quarters of all working sessions.

| Protocol | Share |
|---|---|
| Telnet | 75.66% |
| SSH | 24.34% |

Distribution of cybercriminal working sessions with Kaspersky traps, May 2020 - April 2021

As a result, devices that carried out attacks using the Telnet protocol were selected to build the map of attackers' IP addresses.

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, May 2020 - April 2021

Top 10 countries by location of devices from which attacks were carried out

| # | Country | %* |
|---|---|---|
| 1 | Greece | 26.84 |
| 2 | Italy | 18.55 |
| 3 | Germany | 7.92 |
| 4 | Spain | 7.46 |
| 5 | Poland | 5.66 |
| 6 | France | 5.60 |
| 7 | Romania | 5.52 |
| 8 | Sweden | 4.52 |
| 9 | Netherlands | 3.65 |
| 10 | Hungary | 2.95 |

* The share of devices from which attacks were carried out in the given country in the total number of devices.

Malware loaded into honeypots

| # | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 42.57 |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 20.96 |
| 3 | Backdoor.Linux.Mirai.ba | 9.79 |
| 4 | Backdoor.Linux.Gafgyt.a | 5.42 |
| 5 | Backdoor.Linux.Gafgyt.a | 2.74 |
| 6 | Backdoor.Linux.Gafgyt.bj | 1.44 |
| 7 | Trojan-Downloader.Shell.Agent.p | 1.31 |
| 8 | Backdoor.Linux.Agent.bc | 1.20 |
| 9 | Backdoor.Linux.Mirai.cw | 1.15 |
| 10 | Backdoor.Linux.Mirai.cn | 0.82 |

* The share of the malware type in the total number of malicious programs downloaded to IoT devices following a successful attack.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose, and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of the specific IP address (GeoIP) is established.

Kaspersky solutions in the EU blocked 115,452,157 attacks launched from online resources around the globe. Moreover, 89.33% of these resources were located in just 10 countries.

Distribution of web attack sources by country, May 2020 - April 2021

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by EU users, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware. Overall, during the reporting period, adware and its components were registered on 89.60% of users' computers on which Web Anti-Virus was triggered.

Geography of malicious web-based attacks, May 2020 - April 2021

On average, 13.70% of Internet user computers in the EU experienced at least one Malware-class attack during the reporting period.

Top 10 EU countries where customers faced the greatest risk of online infection

| # | Country | %* |
|---|---|---|
| 1 | Latvia | 21.11 |
| 2 | Greece | 18.50 |
| 3 | Estonia | 17.52 |
| 4 | France | 16.81 |
| 5 | Bulgaria | 14.86 |
| 6 | Italy | 14.76 |
| 7 | Portugal | 14.44 |
| 8 | Lithuania | 14.21 |
| 9 | Hungary | 13.82 |
| 10 | Poland | 13.17 |

* The share of unique users targeted by Malware-class attacks in the total number of unique users of Kaspersky products in the country.

Top 20 malicious programs most actively used in online attacks

During the reporting period, Kaspersky's Web Anti-Virus detected 377,685 unique malicious objects (scripts, exploits, executable files, etc.), as well as 2,676,988 unique malicious URLs on which Web Anti-Virus was triggered. Based on the collected data, we identified the 20 most actively used malicious programs in online attacks on users' computers.

| # | Verdict* | %** |
|---|---|---|
| 1 | Blocked | 49.22 |
| 2 | Trojan.Script.Generic | 12.52 |
| 3 | Hoax.HTML.FraudLoad.m | 8.38 |
| 4 | Trojan.PDF.Badur.gen | 2.46 |
| 5 | Trojan.Script.Agent.dc | 2.16 |
| 6 | Trojan.Multi.Preqw.gen | 2.11 |
| 7 | Trojan-Downloader.Script.Generic | 1.99 |
| 8 | Trojan.Script.Miner.gen | 1.56 |
| 9 | Exploit.MSOffice.CVE-2017-11882.gen | 1.02 |
| 10 | Trojan-PSW.Script.Generic | 0.91 |
| 11 | DangerousObject.Multi.Generic | 0.74 |
| 12 | Trojan.BAT.Miner.gen | 0.74 |
| 13 | Trojan.MSOffice.SAgent.gen | 0.60 |
| 14 | Trojan.Script.SAgent.gen | 0.50 |
| 15 | Trojan-Downloader.MSOffice.SLoad.gen | 0.47 |
| 16 | Trojan-Downloader.Win32.Upatre.pef | 0.33 |
| 17 | Trojan-Downloader.JS.Inor.a | 0.30 |
| 18 | Trojan-Downloader.MSWord.Agent.btl | 0.30 |
| 19 | Hoax.Script.Dating.gen | 0.27 |
| 20 | Trojan-Downloader.JS.SLoad.gen | 0.27 |

* Excluded from the list are HackTool-type threats.

** The share of attacks by the given malicious program in the total number of Malware-class web attacks registered on the computers of unique users of Kaspersky products.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable storage media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.). These statistics additionally include objects detected on user computers after the first system scan by Kaspersky's Anti-Virus application.

This section analyzes statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or retrieved, as well as the results of scanning removable storage media.

Countries where customers faced the highest risk of local infection

For each country in the EU, we calculated how often users there encountered a File Anti-Virus triggering during the year. Included are detections of objects found on user computers or removable media connected to them (flash drives, camera/phone memory cards, external hard drives). These statistics reflect the level of personal computer infection in different countries.

Geography of local infections by malware, May 2020 - April 2021

During the reporting period, on average, at least one piece of malware was seen on 18.77% of computers, hard drives or removable media belonging to KSN customers in the EU.

Top 10 EU countries where consumers faced the greatest risk of local infection

| # | Country | %* |
|---|---|---|
| 1 | Greece | 32.60 |
| 2 | Bulgaria | 31.55 |
| 3 | Latvia | 31.38 |
| 4 | Estonia | 29.48 |
| 5 | Hungary | 27.88 |
| 6 | Lithuania | 27.11 |
| 7 | Portugal | 26.01 |
| 8 | Cyprus | 25.43 |
| 9 | Italy | 24.64 |
| 10 | Spain | 23.57 |

* The share of unique users on whose computers Malware-class local threats were blocked in the total number of unique users of Kaspersky products in the country.

Top 20 malicious objects detected on consumer computers

We identified the 20 most commonly detected threats on EU users' computers during the reporting period. Not included are Riskware-type programs and adware.

| # | Verdict* | %** |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 19.45 |
| 2 | Trojan.Multi.BroSubsc.gen | 18.53 |
| 3 | Trojan.Script.Generic | 8.29 |
| 4 | Trojan.Multi.GenAutorunReg.a | 7.08 |
| 5 | Trojan.Multi.Misslink.a | 6.75 |
| 6 | Hoax.Win32.DriverToolKit.b | 2.77 |
| 7 | Trojan.MSOffice.SAgent.gen | 2.63 |
| 8 | Exploit.Script.Generic | 2.25 |
| 9 | Trojan.Win32.SEPEH.gen | 2.00 |
| 10 | Trojan-Downloader.Script.Generic | 1.91 |
| 11 | Worm.Win32.WBVB | 1.53 |
| 12 | Hoax.Win32.Uniblue.gen | 1.33 |
| 13 | Trojan.Script.Agent.gen | 1.29 |
| 14 | Trojan-Dropper.Win32.Scrop.adwo | 1.17 |
| 15 | Trojan.Multi.GenAutorunTask.c | 1.16 |
| 16 | Trojan.Win32.Generic | 1.12 |
| 17 | Trojan.Multi.GenBadur.gen | 1.10 |
| 18 | Trojan.BAT.Miner.gen | 1.09 |
| 19 | Trojan.Multi.GenAutorunTask.b | 1.07 |
| 20 | Trojan.Multi.GenAutorunTaskFile.a | 1.05 |

* Excluded from the list are HackTool-type threats.

** The share of unique users on whose computers File Anti-Virus detected the given object in the total number of unique users of Kaspersky products whose Anti-Virus was triggered by malware.

Phishing in the EU

Phishing trends

Cloud phishing

We observed that the number of EU-targeted phishing resources on cloud platforms and hosting sites approximately doubled during the reporting period.

Cryptocurrency

The number of cryptocurrency-related phishing detections tripled. This category consists of fraudulent sites somehow linked to cryptocurrencies: in most cases, they are fake crypto exchanges that require users to invest funds to gain access to an account that allegedly already contains complimentary currency. In fact, users simply lose their own money if they try to buy access to such sites.

Another particularly interesting type of phishing we observed in the EU is a mixture of cryptocurrency and COVID-19 topics: fake websites offering COVID-19 vaccines for cryptocurrency.

Example of fake COVID-19 vaccine offer

Targeted extortion

In late August 2020, we detected some unusual extortion messages. In them, cybercriminals claimed to have planted TNT somewhere in the recipient's office, saying it would be detonated unless a ransom was paid or if police activity was observed near the building.

Whereas individuals are asked to cough up the equivalent of $500-1,000 in bitcoin (the maximum we saw was around $5,000), for corporations supposedly rigged with explosives the amount rises to approximately $20,000. The majority of the scam e-mails are written in German, but we observed English versions as well.

Microsoft Office spear phishing

The trend for harvesting Microsoft 365 credentials through spear phishing continues to evolve. Such phishing e-mails commonly contain a hyperlink to a fake website. Sure enough, once many people had absorbed that simple precaution, phishers began replacing the links with attached HTML files, the sole purpose of which is to automate redirection. Clicking on the HTML attachment opens it in a browser. As far as the phishing aspect goes, the file has just one line of code (javascript: window.location.href) with the phishing website address as a variable. It forces the browser to open the website in the same window.
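
A defensive heuristic for the redirect-only HTML attachments described above, as an added example that is not from the original report: it flags an attachment whose only real content is a script or meta refresh that navigates the window, and extracts the destination host for reputation or blocklist lookup. The sample attachments, the `.invalid` host names and the 200-character visible-text threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Navigation of the current window: location = x, location.href = x,
# location.replace(x), location.assign(x). "=(?!=)" skips comparisons.
REDIRECT_RE = re.compile(
    r"""\b(?:window\.|document\.|self\.|top\.)?location(?:\.href)?\s*
        (?:=(?!=)\s*|\.(?:replace|assign)\s*\(\s*)
        (?P<target>[^;)\n]+)""",
    re.VERBOSE,
)
# String literals bound to a name, so "location.href = u" can be resolved.
STRING_VAR_RE = re.compile(r"""(?:var|let|const)\s+(\w+)\s*=\s*(["'])(.*?)\2""")
META_URL_RE = re.compile(r"""url\s*=\s*['"]?([^'";]+)""", re.IGNORECASE)


class _Collector(HTMLParser):
    """Separates script source, visible text and meta-refresh targets."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts, self.visible, self.meta_refresh = [], [], []
        self._in_script = False
        self._skip = 0  # depth inside <style>/<title>, which is not body text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag in ("style", "title"):
            self._skip += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content") or "")
            if m:
                self.meta_refresh.append(m.group(1).strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag in ("style", "title"):
            self._skip = max(0, self._skip - 1)

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        elif not self._skip:
            self.visible.append(data)


def analyze_attachment(html_text, max_visible_chars=200):
    """Return redirect targets and whether the file is little else than a redirect."""
    c = _Collector()
    c.feed(html_text)
    c.close()
    script = "\n".join(c.scripts)
    variables = {name: value for name, _q, value in STRING_VAR_RE.findall(script)}
    targets = list(c.meta_refresh)
    for m in REDIRECT_RE.finditer(script):
        raw = m.group("target").strip()
        if raw and raw[0] in "\"'":
            targets.append(raw.strip("\"'"))       # literal URL
        elif raw in variables:
            targets.append(variables[raw])         # URL held in a variable
        elif raw:
            targets.append(raw)                    # unresolved expression, kept for the analyst
    hosts = sorted({urlparse(t).hostname for t in targets
                    if urlparse(t).scheme in ("http", "https") and urlparse(t).hostname})
    visible_chars = len(" ".join("".join(c.visible).split()))
    return {
        "targets": targets,
        "hosts": hosts,
        "visible_chars": visible_chars,
        "redirect_only": bool(targets) and visible_chars <= max_visible_chars,
    }


# Constructed sample: attachment that does nothing except send the browser elsewhere.
SAMPLE_REDIRECT = """<html><head><title>Voicemail</title></head><body>
<script>
var u = "https://login.example.invalid/o365";
window.location.href = u;
</script></body></html>"""

# Constructed sample: ordinary HTML attachment with content and no navigation.
SAMPLE_BENIGN = """<html><body><h1>Invoice 1001</h1>
<p>Thank you for your order. The total amount due is listed below.</p>
<script>document.title = "Invoice";</script></body></html>"""

if __name__ == "__main__":
    for name, sample in (("redirect", SAMPLE_REDIRECT), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_attachment(sample))
```

A mail gateway or triage script would run this over decoded `.htm`/`.html` attachments and pass any returned hosts to URL reputation checks; obfuscated scripts that build the address at run time leave an unresolved expression in `targets` for manual review.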

Phishing attempts

In total, 86,584,675 phishing attempts were blocked by Kaspersky solutions in the EU, representing 21.89% of all phishing attacks around the world during the reporting period.

EU share of phishing detections, April 2020 - April 2021

Threat geography

During the reporting period, approximately 13.4% of users of Kaspersky solutions in the EU encountered at least one phishing attack.

Geography of EU phishing, April 2020 - April 2021

Top 10 EU countries where consumers faced phishing attacks

| # | Country | %* |
|---|---|---|
| 1 | Portugal | 18.34 |
| 2 | France | 17.98 |
| 3 | Belgium | 15.10 |
| 4 | Greece | 14.98 |
| 5 | Hungary | 14.87 |
| 6 | Italy | 14.44 |
| 7 | Slovakia | 12.77 |
| 8 | Spain | 12.74 |
| 9 | Poland | 12.47 |
| 10 | Latvia | 12.26 |

* The share of unique users targeted by phishing attacks in the total number of unique users of Kaspersky products in the country.

Organizations under attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database.

Pandemic-related events affected the distribution of phishing attempts across the categories of targeted organizations. However, the largest categories remained unchanged, as they have for several years: in the EU during the reporting period, these were Global Internet portals (16.08%), Online storages (15.73%) and Payment systems (13.67%).

Share of phishing categories in the EU, April 2020 - April 2021

Top-level domain (TLD) usage

In the share of EU top-level domains (TLDs), we include all national TLDs belonging to EU member states. In the reporting period, this share amounted to 7.27%.

Distribution of phishing domains by top-level domain, April 2020 - April 2021

The share declined significantly (-3 p.p.) at the end of 2020, but in Q1 2021 we observed a slight increase to 5.26%.

Timeline of share of EU top-level domains, Q2 2020 - Q2 2021

The project leading to this report has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 883464.

Read more: securelist.com