VirusTotal’s Analysis of 80 Million Ransomware Samples Reveals the Current State of Cybersecurity Landscape


After analyzing around 80 million ransomware samples submitted by suspicious users across 140 countries since 2020, VirusTotal shared its first ransomware report. The report reveals that about 130 ransomware families were active during 2020 and the first half of 2021. Based on the analysis of daily submissions, the volume of attacks was highest during the first two quarters of 2020, when the Covid-19 pandemic was at its peak.

Israel is the most affected geography, with an almost 600% increase in submissions compared to the previous baselines. The most affected countries after Israel are South Korea, Vietnam, China, Singapore, and India.

Figure: Geographical distribution of ransomware-related submissions

Source: https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf

The peak in attacks is mostly attributed to the GandCrab family, which emerged as the most active family with around 78.5% of samples under its name. Another peak in activity, driven by the Babuk ransomware family, was seen during July 2021. Following GandCrab were Babuk, Cerber, Matsnu, and WannaCry with 7.61%, 3.11%, 2.63%, and 2.41%, respectively. Here’s a pie chart showing the top 10 most active

Figure: Top 10 ransomware families by number of different samples

Source: https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf

Although these 10 ransomware families topped the list, the report found a total of 130 different families active. Interestingly, while the bigger ransomware campaigns came and went, several smaller ones were constantly active throughout the analysis period.

The study also found that Windows remains the most targeted system as around 95% of the samples were Windows executables or dynamic link libraries (DLLs). Android was the second most targeted system with 2.09% Android-based samples.

Figure: Types of ransomware samples

Source: https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf

Although numerous ransomware attempts were made, only 5% of the samples were associated with exploits. This makes sense, as ransomware is usually deployed using social engineering or droppers.

Based on this 5% of samples, a few common artifacts used for malware distribution and lateral movement were identified. Topping the list of artifacts were Emotet, Zbot, Dridex, Gozi, and Danabot. Other artifacts identified were Mimikatz and Cobalt Strike; scripting languages such as AutoIt and PowerShell; and remote access Trojans (RATs), such as Phorpiex, Smokeloader, Nanocore, and Ponystealer.

Some other key findings from the report include:

  • Although a few big campaigns used some sort of existing samples, fresh samples are prepared by the attackers in most cases.
  • Besides a few spikes that come and go, there’s always a baseline activity by small campaigns.
  • Exploits were usually used only for privilege escalation and lateral movement within the network.
  • The attackers took a range of different and innovative approaches to penetrate systems.

Final Thoughts

Constantly rising ransomware activity hints that organizations worldwide are at risk of an attack. Hence, the report also highlights a few takeaways for building an effective anti-ransomware strategy.

  • Efficient malware-distribution detection systems
  • Patching strategy prioritization for Windows privilege escalation vulnerabilities
  • Increasing the strength and efficiency of scripting languages and lateral movement tools
  • Monitoring worldwide ransomware activities regularly and updating the security strategies accordingly
  • Always have resilience and recovery strategies in place in case the detection fails

You can seek assistance from a comprehensive cybersecurity service provider’s tools such as SharkStriker’s XDR to ensure top-notch detection, mitigation, prevention, and recovery. Such tools and services can help you monitor your IT infrastructure 24/7 and leverage machine-accelerated threat hunting for better resiliency.
