I had the opportunity to visit with some European-based customers when I spoke at the RSA Unplugged conference in London just a few weeks ago. Many of the customers I met with were very interested in a deep dive into the types of threats we see in the region. I have written about the threat landscape in Europe and the European Union (EU) extensively over the years, including the articles below:
Ransomware is on the Rise, Especially in Europe
The Threat Landscape in the European Union at RSA Conference Europe 2013
European Union check-up: Locations with Lowest Infection Rates in the EU and What We Can Learn From Them
European Union Check-Up: Malicious Websites Hosted in the EU
European Union check-up: Romania still tops the list of most infected in the EU
Cyber-Threats in the European Union: First Half 2012
Cyber-Threats in the European Union
The Threat Landscape Shifts Significantly in the European Union – Part 1
The Threat Landscape Shifts Significantly in the European Union – Part 2
The Threat Landscape Shifts Significantly in the European Union – Part 3
I thought it was time to provide an updated view of the threat landscape in the region, based on the data in the newest volume of the Microsoft Security Intelligence Report, published just a few weeks ago.
First, let’s look at the encounter rate (ER) among locations in Europe where we have sufficient data. ER is the percentage of computers running Microsoft real-time security software that report detecting malware or unwanted software during a given period of time. The worldwide average ER in the fourth quarter of 2014 was 15.9%. The average ER for the countries/regions in the EU for which we have statistically significant data was 20.8% during the same period.
As Figure 2 illustrates, in the third quarter of 2014, Bulgaria, Italy, Romania, and France had the highest ERs in the region. In the fourth quarter, Bulgaria, Romania, Croatia and Latvia had the highest ERs in the EU. Bulgaria topped the list in both quarters as the location in the EU that encounters threats most often, with an ER of 26% in the third quarter and 23% in the final quarter of 2014.
Taking a closer look at what types of threats are being encountered most often in Bulgaria reveals higher than average levels of Trojans, Obfuscators & Injectors, Exploits, Backdoors and Browser Modifiers – as seen in Figure 3. Figure 4 shows the top threat families encountered in Bulgaria in the fourth quarter of 2014.
Figure 3: (left) malware categories encountered in Bulgaria in the last quarter of 2014 compared to the worldwide averages; (right) unwanted software categories encountered in Bulgaria and worldwide during the last quarter of 2014
Figure 4: Top threat families encountered in the last quarter of 2014 in Bulgaria
Some of the locations with relatively high ERs, like Romania and Bulgaria, are also among the locations with the highest malware infection rates (CCM) in the EU, as Figure 5 illustrates; these are systems that encountered malware and were successfully infected. The worldwide average infection rate in the fourth quarter of 2014 was 5.9 systems infected with malware for every 1,000 scanned by the Malicious Software Removal Tool (MSRT), or 0.59% of the 600 – 700 million systems the MSRT executes on each month. The average infection rate for the 28 countries/regions in the EU during the same period was a CCM of 5.65, or 0.57%.
Taking a closer look at Romania during this time period reveals some interesting insights. The infection rate there has consistently been significantly higher than the worldwide average and the vast majority of the 28 locations in the EU.
The top threat found infecting systems in Romania in the last quarter of 2014 was Win32/Sality. What makes this interesting is that Sality is a virus (an old-fashioned file infector). I have written before about why this seems remarkable: Are Viruses Making a Comeback?
Another noteworthy data point is that the number of systems in Romania consistently running up-to-date antimalware software (67.4% of systems) is lower than the worldwide average (74.3%). Additionally, the number of systems in Romania consistently not running real-time anti-virus software (26% of systems) is higher than the worldwide average (19.1%).
In the second part of this series on the threat landscape in the EU, I’ll examine the locations that have low encounter rates and low malware infection rates. Is there something we can learn from these countries/regions?
Chief Security Advisor
Worldwide Cybersecurity & Data Protection
CCM: Short for computers cleaned per mille (thousand). The number of computers cleaned for every 1,000 unique computers that run the MSRT. For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).