15 October 2021

VirusTotal releases its first ever ransomware activity report


At least 130 different ransomware families have been making rounds in the wild since 2020, with Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran and the UK among the most affected territories, according to VirusTotal's first ever ransomware activity report, based on an analysis of 80 million ransomware-related samples uploaded to the online malware scanning platform over the past year and a half.

According to Google's VirusTotal, the GandCrab ransomware-as-a-service (RaaS) group was the most active family in early 2020 (78.5%), followed by Babuk (7.61%), Cerber (3.11%), Matsnu (2.63%), Wannacry (2.41%), Congur (1.52%), Locky (1.29%), Teslacrypt (1.12%), Rkor (1.11%), and Reveton (0.70%).

“Among the top 10 ransomware families, we can see the presence of wannacry. This is probably a remnant of an old detection that still applies to some current ransomware families. However, we don’t believe this points to any new wave of wannacry attacks,” the report said.

The analysis revealed that the vast majority of ransomware files detected were designed to target Windows systems: 93.28% of ransomware files were Windows executables or dynamic link libraries (DLLs). Meanwhile, 2% were Android-based, and around mid-2020 a number of positive samples, called EvilQuest, were identified targeting macOS.

“Around 5 percent of the analyzed samples were associated with exploits, most commonly Windows elevation of privileges and SMB information disclosures and remote execution. Only two of the top 10 exploited vulnerabilities were disclosed in 2020, and none in 2021,” the report said.

To reach their goal, ransomware operators use a variety of approaches, including well-known botnet malware (Emotet, Zbot, Dridex, Gozi, Danabot) and remote access trojans (RATs) such as Phorpiex, Smokeloader, Nanocore, and Ponystealer.

“While big campaigns come and go, there is a constant baseline of ransomware activity that never stops,” the report concludes.
