Kaspersky Lab has published a report on threats to information security of industrial enterprises.

The value of Kaspersky Lab's business has declined over the past five years and is now less than $1 billion. The reason for this is low revenue growth and a well-established perception of the company in the global market, experts say.

The 2016 financial statements under international standards of Kaspersky Labs Limited, the head legal entity of the Kaspersky Lab group of companies, give the most recent valuation of the company's business to date (the document was published in early October 2017). It says that last year the company bought back 150,000 shares from one of its shareholders at a price of $15 per share. At the time of the transaction, the company's share capital was approximately 65.3 million shares. Based on this, the value of Kaspersky Lab as a whole was estimated at $979.4 million.

The revenue of the Kaspersky Lab group of companies at the end of 2016 amounted to $655.3 million, of which $643.8 million was received from the sale of licenses and $11.5 million from the lease of property. More than a third (36.5%) of revenue came from Europe, a fourth (24.3%) from the USA and Canada. In Russia and the CIS countries, Kaspersky Lab earned $86 million, or 13.3% of its revenue. EBITDA was $156 million, net profit - $90.6 million. At the same time, the company invests heavily in business development. Investments in development and research (R&D) amounted to $103.1 million, the group's advertising and marketing budget - $110 million.

Revenue and other indicators for 2016 do not yet reflect the scandal that erupted around Kaspersky Lab: in mid-July this year, the US government, whose products were approved for use by US government agencies. By mid-December 2017, all government agencies must stop using the Lab's antivirus products. The US authorities explained this decision by information security considerations. Democratic Senator Jeanne Shaheen said "Kaspersky Lab's relationship with the Kremlin" is "very alarming."

As of July 2017, 82.73% of the shares in Kaspersky Labs belonged to Eugene Kaspersky, founder and CEO of Kaspersky Lab; 9.67% to Alexey De-Monderik, another founder and corporate governance advisor; and 7.3% to Vadim Bogdanov (also a co-founder). The remaining 0.3% of the shares are distributed between two individuals and the Australian registrar Computershare. Based on the above estimate, the value of the stake held by the head of Kaspersky Lab could be at least $808 million.

In 2011-2012, Kaspersky Lab bought back its own shares from Natalia Kaspersky and the General Atlantic fund. At that time the price of an ordinary share of the company was $10.2 and of a preferred share $12 (the company no longer has preferred shares). Based on the amount of share capital at that time, the entire business of Kaspersky Lab was estimated at $1.03 billion. Thus, over five years, the company's value decreased.

Negative growth

The value of the business is not increasing, because Kaspersky Lab is no longer a startup whose revenue can grow by hundreds of percent annually, says Sergey Libin, an analyst at Raiffeisenbank. Over the past five years, the company's turnover has grown by an average of 2.2% annually. “Business valuation is based on future growth; in fact, it is the present value of future cash flows. If a company has modest growth rates and no breakthrough launches or significant new lines of business are expected, then its value will not change significantly over the years,” says Libin.

He also notes that Kaspersky Lab is valued lower than its competitors and peers in the market. “Based on its reporting, Kaspersky Lab's business is valued at 5.8 EBITDA, while the multiple of one of its main competitors, Symantec, is 10 EBITDA. The discount to Symantec is justified because the American company is public, has a larger market share and has a good position in the United States. Kaspersky Lab is a riskier asset: despite its work in the global market, it is closely associated with Russia and developing countries,” says Libin. For other Russian companies, for example Yandex, the multiple at which the company is valued is 16 EBITDA. “But this is not surprising: Yandex's revenue is growing by almost 30% a year,” he says.

According to the research company IDC, at the end of 2016 the volume of the global market for endpoint information security amounted to $9.5 billion. Symantec was its leader with a share of 24.7%. Intel was in second place (15.3%), followed by Trend Micro (10.1%), Kaspersky Lab (6.7%), Avast Software (5.7%), ESET (5.1%), Sophos Group (3%) and others.

There are several public companies among those listed. These are Symantec, whose market capitalization is $19.6 billion, Trend Micro ($7.5 billion) and Sophos Group ($3.8 billion). In 2011, Intel (total capitalization - $205.9 billion) bought antivirus software developer McAfee for $7.68 billion. At first, McAfee was renamed Intel Security, but in 2017 the company was spun out from Intel again and took back its name. At the same time, 51% of the company was sold to TPG for $4.2 billion. In 2015, the head of Avast Software valued the company at no less than $2 billion. In 2016, the company acquired its competitor AVG Technologies for $1.3 billion.

At the same time, Sergei Libin warns that since Kaspersky Lab is a non-public company, its shareholders who wish to sell their shares do not have many options: either a sale of shares to partners, or to the company itself. “The buyer in such a situation can dictate his own rules and set a price that is not the highest - in fact, this is a discount for the illiquidity of the securities,” notes Libin.

The representative of "Kaspersky Lab" Andrey Bulay declined to comment on the assessment of the company's business.

Experts note an increase in the number of attacks using malicious documents and the number of banking Trojans for mobile devices.

As follows from the report, in the third quarter of 2017 the number of users attacked by the mobile banking Trojan Asacub increased sharply. In July of this year, the number of victims of the Trojan almost tripled, amounting to about 29 thousand. The researchers also found a new modification of the Svpeng mobile Trojan capable of reading the text entered by the user, sending SMS messages and preventing its own removal.

The report also describes the expansion of the list of mobile applications attacked by the banking Trojan FakeToken. Earlier, the Trojan and its modifications covered mainly banking applications and some Google apps, such as the Google Play Store, with their own window; now their area of interest includes applications for calling a taxi, booking air tickets and booking hotel rooms. The main purpose of the Trojan is to collect the user's bank card data.

In addition, there is an increase in the activity of Trojans that steal users' money through subscriptions. These Trojans can visit sites that allow services to be paid for with funds from the user's mobile phone account. The malware can click buttons on these sites using special JS files, thus making payments for certain services without the user's knowledge.

The countries with the largest percentage of attacked mobile devices in the third quarter of 2017 were Iran (35.12%), Bangladesh (28.3%) and China (27.38%). Russia took 35th place, with a share of 8.68% of mobile threats. At the same time, Russia ranked first in the number of attacks by banking Trojans, with a share of 1.2%; Uzbekistan (0.4%) and Kazakhstan (0.36%) took second and third places.

Experts also noted an increase in the number of attacks using malicious documents. The number of combined documents, which contain both an exploit and a phishing message for the case where the built-in exploit does not work, has increased.

The report also speaks of a new wave of Crysis ransomware attacks in August this year.

In July 2017, the authors of the Petya ransomware published their master key, which can be used to decrypt the Salsa keys required to decrypt the MFT database and unlock access to systems affected by the Petya / Mischa and GoldenEye malware attacks. This happened shortly after the outbreak of the ExPetr ransomware, which used part of the code from GoldenEye. This move led researchers to believe that the authors of Petya / Mischa / GoldenEye were trying to distance themselves from ExPetr in this way. Although the number of attacks grew during the quarter, it remains below the rates in May and June, when two massive outbreaks, WannaCry and ExPetr, struck.

In terms of the number of ransomware infections, Myanmar ranks first (0.95%), Vietnam ranks second (0.92%) and Indonesia ranks third (0.69%). Russia, which ranked 10th in the second quarter, is now in 6th position (0.51%).

More details about the data of the report can be found.

Kaspersky Lab ICS CERT researchers analyzed vulnerabilities in the information systems of industrial enterprises for the second half of 2017 and published a detailed report, including comparative statistics for the two semesters.

Review Highlights

  • 55% of the vulnerabilities in automation systems are in the energy industry.
  • All the most dangerous vulnerabilities are characterized by authentication problems, remote code execution and ease of exploitation.
  • The most common types of flaws are buffer overflows and incorrect authentication.
  • Serious vulnerabilities were found in software platforms and network protocols that can be used to attack the automation systems of many industrial enterprises.
  • The number of vulnerabilities in IoT devices has grown, followed by an increase in the number of botnets.

Computers on industrial networks are unlikely to be the target of deliberate attacks by miners: specialists have no reliable confirmation of this. For the most part, systems pick up miners from the Internet and, four times less often, from removable media.

Botnet agent attacks were more frequent: 10.8% of all industrial automation systems were attacked.

Despite the predominantly random nature of the infections, two targeted attacks were registered in 2017 - Industroyer and Trisis / Triton. In addition, industrial organizations have been subjected to phishing attacks, the most famous of which involves the Formbook spyware, which exploits the CVE-2017-8759 vulnerability or uses macros.

Threat statistics

In the second half of 2017, 37.8% of industrial network computers protected by Kaspersky Lab products were attacked unsuccessfully. Statistics show a decline in malware activity by mid-summer.

Experts have traced the difference in attack statistics, distributed by industry, between the two semesters of 2017.

The main sources are the same - the Internet, removable media as well as email clients.

In the second half of 2017, 26.6% of attacks originated from malware belonging to the Trojan class.

Windows x86 remains the most popular target, although by the end of the year the number of attacks targeting JavaScript had increased markedly, pushing the platform to third place in the list. Researchers attribute this to the spread of phishing emails containing Trojan-Ransom.Win32.Locky.

Kaspersky Lab specialists have compiled a map showing the percentage of computers attacked in each country. The highest level is in Vietnam: 69.6%. Russia has risen from 21st place to 13th, with a figure of 46.8%.

The fewest attacks were registered in Israel (8.6%), Denmark (13.6%) and Great Britain (14.5%).

The researchers described the selection of data in the Methodology section.

In conclusion, the experts compiled lists of recommendations for industrial organizations, including measures to protect against accidental and targeted attacks, as well as against specific threats identified in the study.

If asked to summarize 2016 in one word, many people from different corners of the globe, especially from Europe and the United States, would choose the word “unpredictable”. At first glance, this fully applies to the cyber threats of 2016: huge botnets consisting of online devices that paralyzed a significant part of the Internet in October; ruthless hacking of popular sites, followed by a database leak; bank robberies through the SWIFT system, causing billions of dollars in damage to financial institutions; and many other threats. In reality, however, many of these incidents were predicted, sometimes years before they happened, by information security experts. Perhaps it would be best to describe them as "inevitable."

The main takeaway of 2016: ransomware continued its relentless march around the world - there were more new families, more modifications, more attacks and more victims. But there are also rays of hope, including a new collaborative initiative, No More Ransom. Kaspersky Lab declared the revolutionary development of ransomware the main theme of 2016. More detailed information about the development of this threat and the damage it caused can be found.

Other components of the cyber threat landscape - targeted cyber espionage attacks, theft of funds from financial institutions, hacktivist campaigns and vulnerable networks of connected devices - also played a role, making the year a hectic and even turbulent one.

Six things we only learned this year

1. That the scale and complexity of the underground economy is greater today than ever before: xDedic - the shadow market

In May, we discovered a large, active one. The xDedic platform made it possible to list and buy the credentials of compromised servers. About 70,000 compromised servers were offered for sale (according to information obtained later, their number could reach 176,000) installed in organizations around the world. In most cases, the legitimate owners had no idea that one of their servers, quietly humming in the server room or in the data center, had been taken over by intruders and passed from one cybercriminal to another.

xDedic is not the first underground trading floor, but it testifies to the growing complexity and sophistication of the economic ecosystem of the underground market.

“xDedic is a hacker's dream: simple, cheap and fast access to victims, opening up new opportunities both for ordinary cybercriminals and for those who take a more serious place in the cybercriminal world.”

2. That the largest theft of financial assets has nothing to do with the stock exchange: transfers through the SWIFT system

One of the most serious attacks in 2016 was carried out through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) interbank network. In February 2016, hackers used the SWIFT credentials of Bangladesh Central Bank employees to send fake transaction requests to the Federal Reserve Bank of New York in order to transfer millions of dollars to various bank accounts in Asia. The hackers managed to transfer $81 million to the Philippine bank Rizal Commercial Banking Corporation and another $20 million to Pan Asia Banking. The campaign was thwarted when the bank discovered a typo in one of the funds transfer requests. You can read more about this robbery. In the following months, other attacks on banks using SWIFT credentials became known.

3. That critical infrastructure is frighteningly vulnerable: BlackEnergy attacks

Although, strictly speaking, the BlackEnergy campaign was launched at the end of 2015, it deserves to be included in this list. The fact is that the full severity of the consequences of the BlackEnergy cyberattack for the energy industry of Ukraine became clear only at the beginning of 2016. The attack became unique in terms of the scale of harm, which included the shutdown of power distribution systems in Western Ukraine, the removal of software from infected computers, and a DDoS attack on the tech support services of the attacked companies. Kaspersky Lab has been involved in investigating BlackEnergy attacks since 2010. In particular, the company published an analysis of the mechanism used to penetrate computer systems. Our report published in 2016 can be found.

To help organizations that work with automated control systems (ACS) find possible weak spots and keep them safe, Kaspersky Lab experts conducted an investigation into the threats to ICS systems. Their findings are published in.

4. That targeted attacks can be based on a "no-template" approach: ProjectSauron's APT campaign

5. That the publication of significant amounts of data on the Web can be an effective tool of influence: ShadowBrokers and other database dumps

In 2016, several cybercriminal groups posted dumps of stolen databases online. Probably the most famous data breach was perpetrated by a group calling itself ShadowBrokers. On August 13, they went online with a statement that they had files belonging to the highest-order predator in the world of APT threats -. According to ours, there are significant similarities between the data posted on the Web by the ShadowBrokers group and the Equation Group malware. The originally published dump contained several unknown zero-day exploits. In the following months, new dumps appeared on the Web. The long-term implications of all this activity are unknown, but it is already clear that such data breaches have the potential to have a huge - and alarming - impact on public opinion and public debate.

In 2016, we also registered data leaks from beautifulpeople.com, Tumblr, the nulled.io hacker forum, Kiddicare, VK.com, the official DotA 2 forum, Yahoo, Brazzers, Weebly, and Tesco Bank. The attackers were driven by a variety of motives, from greed for profit to the desire to tarnish the reputation of specific individuals.

6. That the camera can be a fighter of the global cyber army: the insecure internet of things

Internet-connected devices and systems - from homes and cars to hospitals and smart cities - exist to make our lives safer and easier. However, many of them are designed and manufactured without particular attention to security, and are bought by people who have little understanding of why leaving the default security settings is a bad idea.

As the world now knows, all these millions of unsecured devices connected to the Internet are a great temptation for cybercriminals. In October, attackers used a botnet of more than half a million Internet-connected home devices to carry out a DDoS attack on Dyn, a company that provides DNS services to Twitter, Amazon, PayPal, Netflix and others. The world was shocked, but warnings about the inadequate security of IoT devices had been heard for a long time.

In pursuit of profit

In 2016, schemes to trick people into providing their personal information or installing malware that steals online banking account details remained popular and were successfully used by cyber thieves. Kaspersky Lab solutions blocked attempts to run such malware on 2,871,965 devices. The share of attacks targeting Android devices has more than quadrupled.

Some APT groups were also interested in financial gain rather than cyber espionage. For example, the group behind the campaign infiltrated the corporate networks of banks to automate the rollback of transactions carried out through ATMs. After that, gang members repeatedly used debit cards to steal funds from ATMs while leaving the card balance unchanged. This group is still active as of the end of 2016.

In June, Kaspersky Lab provided support to Russian law enforcement in the investigation of activity. The collaboration resulted in the arrest of 50 people suspected of repeatedly creating networks from infected computers and stealing more than $45 million from Russian banks and other financial and commercial organizations.

During the investigation, experts noticed that the remote administration program Ammyy Admin was installed on the computers of users attacked by Lurk. The researchers concluded that the Trojan was also downloaded to users' computers along with the legitimate Ammyy Admin software.
