From 80 million malware samples collected worldwide, it appears that more than 130 different so-called ransomware families are active. This is evident from an analysis of the 2020-2021 figures of cybersecurity initiative VirusTotal on behalf of search giant Google. The countries most affected during this period include Israel, South Korea, Vietnam, China and Singapore.
A ransomware family includes all ransomware, software that hijacks data for money , which are derived from a (often) known technical method. This method is then named after the group that developed it. The most common ransomware families, according to this analysis, are based on the GandCrab (78.5%), Babuk (7.61%) and Cerber (3.11%) ransomware.
The VirusTotal(PDF) research is based on submitted ransomware samples from 140 different countries. These countries have collectively submitted 80 million samples, of which over 1 million have been identified as ransomware by multiple sources.
The analysis shows that there are 130 ransomware families that vary in popularity. The more clusters active within a family, the wider the diversity of malware used based on this family (see image). Attackers also use a variety of techniques, such as botnet malware and Remote Access Trojans (RATs) to get the ransomware to their target.
The most common ransomware family is GandCrab (78.5%), followed closely by Babuk, Cerber, Matsnu, Wannacry, Congur, Locky, Teslacrypt, Rkor, and Reveon. More than 95% of the analyzed ransomware files targeted Windows, compared to just 2% for Android.
Ransomware-as-a-Service in action
The top two families are overrepresented because major attacks based on this ransomware took place during the measurement period. For example, there was a large peak of GandCrab attacks in the first half of 2020. The use of this family quickly declined after that. One reason for its widespread use is that GandCrab ransomware is sold as part of Ransomware-as-a-Service (RaaS) services. GandCrab is used in this way by many criminal groups in different ways and is, therefore, more often found during analysis.
VirusTotal’s analysis also shows that of the 140 countries, the following countries appear to be most affected by ransomware attacks: Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran, and the United Kingdom. Kingdom. Israel in particular stands out, with over 600% more samples submitted than usual.
Ransomware is a low-risk, high-reward strategy that can be used by both large and small groups of criminals. VirusTotal, therefore, believes that large, high-profile ransomware campaigns will regularly appear. At the same time, there is a constant stream of smaller attacks that rarely stall.
Catch up on more articles here
Follow us on Twitter here