Since 2020, at least 130 different ransomware families have been active

Pierluigi Paganini October 14, 2021

The popular Google’s VirusTotal scanning service has published an interesting analysis of more than 80 Million ransomware samples.

VirusTotal has published its first ransomware activity report based on the analysis of more than 80 million samples that have been uploaded from 140 countries worldwide. Since 2020, at least 130 different ransomware families have been active.

The countries with the highest number of submissions to VirusTotal were Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran and the UK.

The analysis of the temporal distribution of ransomware-related submissions revealed a sequence of peaks in the first two quarters of 2020.

Most of the samples targeting Windows systems submitted to the scanning service since the beginning of 2020 belongs to the GandCrab family.

The researchers grouped the samples by 30,000 clusters of malware, and GandCrab accounted for 6,000 clusters, followed by Cerber with approximately 5,000 clusters.

The following graph shows the top 10 families by number of different samples:

ransomware analysis VirusTotal

It is interesting to note that a relatively young threat like the Babuk ransomware, which appeared on the threat landscape in early 2021,  was in second with 7.61 percent of the submitted samples.  

The analysis revealed that 95 percent of ransomware files detected were Windows-based executables or dynamic link libraries (DLLs), only 2 percent were Android-based threat.

Experts also analyzed the use of artifacts in the kill chain associated with different families, dividing them into those components used to distribute ransomware and those used for lateral movement. The former group was lead by Emotet and Zbot, the latter group by Mimikatz and Cobaltstrike.

Below are key findings of the report:

  • First, while big campaigns come and go, there is a constant baseline of ransomware activity that never stops.
  • Second, attackers are using a range of different approaches, including well-known botnet malware and other RATs.
  • Third, in terms of ransomware distribution attackers don’t appear to need exploits other than for privilege escalation and for malware spreading within internal networks.
  • Finally, as noted earlier, Windows accounts for 95 percent of the ransomware targets, compared to 2 percent for Android.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VirusTotal)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment