IT threat evolution in Q1 2022. Non-mobile statistics


These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2022:

  • Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.
  • Web Anti-Virus recognized 313,164,030 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 107,848 unique users.
  • Ransomware attacks were defeated on the computers of 74,694 unique users.
  • Our File Anti-Virus detected 58,989,058 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q1 2022 Kaspersky solutions blocked the launch of at least one piece of malware designed to steal money from bank accounts on the computers of 107,848 unique users.

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

Ransomware programs

Law enforcement successes

  • Several members of the REvil ransomware crime group were arrested by Russian law enforcement in January. The Russian Federal Security Service (FSB) says it seized the following assets from the cybercriminals: “more than 426 million rubles ($5.6 million) including denominated in cryptocurrency; $600,000; 500,000 euros; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money.”
  • In February, a Canadian citizen was sentenced to 6 years and 8 months in prison for involvement in NetWalker ransomware attacks (also known as Mailto ransomware).
  • In January, Ukrainian police arrested a ransomware gang that delivered an unspecified strain of malware via e-mail. According to the statement released by the police, over fifty companies in the United States and Europe were attacked by the cybercriminals.

HermeticWiper, HermeticRansom, RURansom, etc.

In February, new malware was discovered that carried out attacks with the aim of destroying files. Two pieces of malware — a Trojan called HermeticWiper that destroys data and a cryptor called HermeticRansom — were both used in cyberattacks in Ukraine. That same February, Ukrainian systems were attacked by another Trojan called IsaacWiper, followed in March by a third Trojan called CaddyWiper. The apparent aim of this malware family was to render infected computers unusable, leaving no possibility of recovering files.

It was later discovered that HermeticRansom only superficially encrypts files, and files encrypted by this ransomware can be decrypted.

RURansom was discovered in March; it was created to encrypt files on computers in Russia. Analysis of the malicious code revealed that it was in fact developed to wipe data: RURansom generates keys for all of the victim’s encrypted files without storing them anywhere, so the files cannot be recovered even by the attackers.

Conti source-code leak

The ransomware group Conti had its source code leaked, along with its chat logs, which were made public. This happened shortly after the Conti group expressed support for the Russian government’s actions on its website. The true identity of the individual who leaked the data is currently unknown; according to different versions, it could have been a researcher or an insider in the group who disagrees with its position.

Whoever it may have been, leaked ransomware source code in the public domain will inevitably end up in the hands of other cybercriminals, as has already happened on more than one occasion with Hidden Tear and Babuk.

Attacks on NAS devices

Network-attached storage (NAS) devices continue to be targeted by ransomware attacks. A new wave of Qlocker Trojan infections on QNAP NAS devices occurred in January, following a brief lull that lasted a few months. A new form of ransomware infecting QNAP NAS devices, called DeadBolt, also appeared in January, and in February ASUSTOR devices became its new target.

Maze Decryptor

Master decryption keys for the Maze, Sekhmet and Egregor ransomware were made public in February. The keys turned out to be authentic, and we added support for decrypting files encrypted by these infamous forms of ransomware to our Rakhni Decryptor utility. The decryptor is available on the website of our No Ransom project and in the Decryption Tools section of the international No More Ransom project website.
