15 October 2021

VirusTotal releases its first ever ransomware activity report


At least 130 different ransomware families have been making the rounds in the wild since 2020, with Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran and the UK among the most affected territories, according to VirusTotal’s first ever ransomware activity report, based on an analysis of 80 million ransomware-related samples uploaded to the online malware scanning platform over the past year and a half.

According to Google's VirusTotal, the GandCrab ransomware-as-a-service (RaaS) group was the most active family in early 2020 (78.5%), followed by Babuk (7.61%), Cerber (3.11%), Matsnu (2.63%), Wannacry (2.41%), Congur (1.52%), Locky (1.29%), Teslacrypt (1.12%), Rkor (1.11%), and Reveton (0.70%).

“Among the top 10 ransomware families, we can see the presence of wannacry. This is probably a remnant of an old detection that still applies to some current ransomware families. However, we don’t believe this points to any new wave of wannacry attacks,” the report said.

The analysis revealed that the vast majority of ransomware files detected were designed to target Windows systems: 93.28% of the ransomware files were Windows executables or dynamic link libraries (DLLs). Meanwhile, 2% were Android-based, and around mid-2020 a number of samples targeting macOS, known as EvilQuest, were identified.

“Around 5 percent of the analyzed samples were associated with exploits, most commonly Windows elevation of privileges and SMB information disclosures and remote execution. Only two of the top 10 exploited vulnerabilities were disclosed in 2020, and none in 2021,” the report said.

To reach their targets, ransomware operators use a variety of approaches, including well-known botnet malware (Emotet, Zbot, Dridex, Gozi, Danabot) and remote access trojans (RATs) such as Phorpiex, Smokeloader, Nanocore, and Ponystealer.

“While big campaigns come and go, there is a constant baseline of ransomware activity that never stops,” the report concludes.
