Analysis of 80 million ransomware samples reveals a world under attack

Google has released a report taking a close look at the more than 80 million ransomware samples uploaded to its VirusTotal service in the last year and a half.

Each day, approximately 150,000 ransomware samples were analysed by the free VirusTotal service after being submitted by suspicious computer users, and shared with the security community to enhance their threat intelligence and improve anti-virus products.

VirusTotal’s first Ransomware Activity Report reveals that it received ransomware submissions from 140 different countries around the world, and discovered at least 130 different ransomware families had been active since January 2020.

During deeper analysis of a smaller, curated and representative set of around one million double-checked ransomware samples, VirusTotal determined that the Gandcrab ransomware-as-a-service operation rules the chart for the most commonly seen family of ransomware by number of samples delivered, thanks largely to a surge in activity in early 2020:

“GandCrab had an extraordinary peak in Q1 2020 which dramatically decreased afterwards. It is still active but at a different order of magnitude in terms of the number of fresh samples”

In runner-up position lies Babuk, which had a peak in submissions in July 2021:

“Another sizable peak occurred in July 2021, driven by the Babuk ransomware family – a ransomware operation launched at the beginning of 2021 that was behind the attack on the Washington DC Metropolitan Police Department.”

Of course, it’s important to look beyond the biggest ransomware families which may grab the headlines. Beyond the top ten ransomware groups, VirusTotal reports that “there is a baseline of activity of around 100 not-so-popular ransomware families that never stops.”

But what may surprise some people is the finding that typically ransomware does not take advantage of exploits to breach an organisation’s defences. According to the report, only 5% of the samples examined contained exploits.

“We believe this makes sense given that ransomware samples are usually deployed using social engineering and/or by droppers (small programs designed to install malware). In terms of ransomware distribution attackers don’t appear to need exploits other than for privilege escalation and for malware spreading within internal networks.”

Regardless, organisations would be wise not to be lax about keeping their IT systems patched against the latest vulnerabilities.

In addition, Tripwire recommends that companies raise awareness of the threat amongst their staff, and take measures to harden the security of their business against ransomware attacks.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.