Front Page: Traficom
Front Page: Traficom
Go to Search

Malware detected by Traficom

These statistics demonstrate the number and duration of malware infections in computers connected to Finnish information networks. The source of the data is the Autoreporter service of the NCSC-FI at Traficom, which collects data on malicious network traffic detected on the internet. The data is published four times a year.

The Autoreporter service automatically collects data on malware and information security violations detected in Finnish networks and reports them to network administrators. The service has been in use since 2006 and it covers all Finnish network areas. The statistical data collected during several years can be used to examine the prevalence of malware in Finnish networks, for example.

When reading the graphs below, it is good to remember that one infected computer may cause several Autoreporter observations on consecutive days if the malware has not been removed from the computer.

The first graph contains the number of detected malware and malicious traffic per quarter from 2012 onwards. Some retroactive corrections were made to the statistics in November 2016. In 2013 and early 2014, the number of observations was exceptionally high as one telecommunications operator had technical difficulties in connecting IP address data involved the observations to internet connections. Once the operator repaired the monitoring IP addresses and contacted its customers in early 2014, the number of observations decreased rapidly.

The observations peaked again in October and November 2016 compared to the average level of 2015 and 2016. This was caused by Mirai malware, which spread fast in small network devices and smart devices (Internet of Things, or IoT devices) around the world, including Finland. The NCSC-FI started to coordinate filtering of network traffic, which controlled the spreading of Mirai significantly. However, Mirai was quickly followed by other similar malware. It seems that malware infecting smart devices and using such devices to spread are here to stay. They are still dominating the statistics.

The second figure presents the relative proportions between different types of malware and malicious traffic during the most recent quarter. 

March 2020 has seen a marked increase in instances of malware scanning the internet for vulnerable and inadequately protected systems. The shift has been spurred by the growth in remote work as a result of the coronavirus pandemic, which has, for example, exposed to the internet a large number of Windows remote desktop services previously protected by companies’ internal networks. Internet criminals have adapted to the exceptional circumstances and identified these as easy targets.

Malware that attacks smart devices connected to the internet (IoT), such as security cameras and recording devices, constitutes a substantial share of detected malicious software, with Qsnatch and Mirai topping the list.

The cyber criminal group Avalanche offers phishing and malware attacks to other criminals as a service. The group uses and spreads several malware families. While our Autoreporter service can't identify all Avalanche malware among network traffic, it is able to detect communication between contaminated computers and the group’s command-and-control servers. The group has targeted Finland to an exceptional extent during the first quarter of 2020.


The data sources have been modified since the launch of Autoreporter. New and reliable sources have been added, unreliable sources have been removed, or data provided by an old source have been filtered based on feedback from telecommunications operators. Since Autoreporter has been in operation for a rather long time, its observations are statistically sufficient for making above-mentioned conclusions, for example.

Further details: tilastot(a)