Analysis of 80 million ransomware samples reveals a world under attack

Google has released a report that takes a closer look at the more than 80 million ransomware samples uploaded to its VirusTotal service in the last year and a half.

Each day, approximately 150,000 ransomware samples were analyzed by the free VirusTotal service after being submitted by users who suspected a file was malicious; the samples are shared with the security community to improve threat intelligence and antivirus products.

VirusTotal’s first Ransomware activity report reveals that it received ransomware submissions from 140 different countries around the world and discovered that at least 130 different ransomware families had been active since January 2020.

In an in-depth analysis of a small, curated, and representative set of about one million double-checked ransomware samples, VirusTotal determined that the GandCrab ransomware-as-a-service operation tops the chart of the most common ransomware families by number of samples submitted, mainly thanks to a surge in activity in early 2020:

“GandCrab had an extraordinary peak in Q1 2020, which fell dramatically afterwards. It is still active, but of a different order of magnitude in terms of the number of fresh samples.”

In second place is Babuk, which had a peak in submissions in July 2021:

“Another significant highlight took place in July 2021, run by the Babuk ransomware family – a ransomware operation launched in early 2021, which was behind the attack on the Washington DC Metropolitan Police Department.”

Of course, it is important to look beyond the largest ransomware families that can grab the headlines. In addition to the top ten ransomware groups, VirusTotal reports that “there is a line of activity of about 100 not-so-popular ransomware families that never stop.”

But what may surprise some people is the finding that ransomware typically does not rely on exploits to breach an organization’s defenses. According to the report, only 5% of the samples examined contained exploits.

“We think it makes sense, as ransomware samples are usually deployed using social engineering and/or droppers (small programs designed to install malware). In terms of ransomware distribution, attackers seem to need no exploits other than to escalate privileges and for malware that spreads within internal networks.”

Either way, organizations would do well not to be lax in keeping their IT systems patched against the latest vulnerabilities.

In addition, Tripwire recommends that companies raise awareness of the threat among their staff and take steps to strengthen their security against ransomware attacks.


Editor’s note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect Tripwire, Inc.