VirusTotal releases its first ransomware activity report

At least 130 different ransomware families were active throughout 2020 and the first half of 2021, according to a VirusTotal report based on an analysis of more than 80 million ransomware samples uploaded to the service during that period.

Most of the samples were uploaded from Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran and the UK. As VirusTotal security engineer Vicente Diaz explained, a high number of uploads does not mean that these countries are the most attacked. For example, Israel's high ranking (the number of ransomware samples uploaded from the country increased by 600%) may be due to the fact that "many companies [in the country] are automating uploads" to the service.

The list of the most active ransomware families was led by GandCrab (78.5% of samples), mainly due to high activity from January to July 2020 (in the second half of the year, the group's activity decreased significantly). In second place was Babuk ransomware (7.61%), followed by Cerber (3.11%), Matsnu (2.63%), Wannacry (2.41%), Congur (1.52%), Locky (1.29%), Teslacrypt (1.12%), Rkor (1.11%) and Reveton (0.70%).

“Among the top 10 ransomware families, we see wannacry. Perhaps these are the remnants of old detections that are still relevant for some current ransomware families. However, we do not believe this is indicative of a new wave of wannacry attacks,” the report notes.

As for the most attacked systems, Windows leads this category: 95% of the detected samples were Windows executable files or DLL libraries. By comparison, the share of Android malware was only 2.09%. In addition, EvilQuest malware, which attacks Apple Macs, was discovered in mid-2020.

The report also notes that approximately 5% of the analyzed samples were related to exploits, mainly for privilege escalation or remote code execution vulnerabilities in Windows.

Almost all of the ten most active ransomware families were associated with other malware such as Emotet, Zbot, Dridex, Gozi or Danabot, as well as lateral movement tools (Mimikatz and Cobalt Strike) and dozens of remote access trojans (Phorpiex, Smokeloader, Nanocore, Ponystealer, etc.).

VirusTotal is a free Google-owned reputation and threat context service that helps analyze suspicious files, URLs, domains, and IP addresses to detect cyber threats.
