If you purchase via links on our site, we may receive affiliate commissions.

VirusTotal’s first Ransomware Activity Report: the stakes are getting higher

14 October 2021

Israel tops the affected country list with a 600% increase in ransomware attacks over the past 18 months.

Google has commissioned VirusTotal to analyze more than 80 million ransomware samples from 140 countries uploaded to the malware scanning service since January 2020. The report, titled Ransomware in a Global Context [PDF], reveals how threat actors deployed ransomware tools against their targets in 2020 and the first half of 2021.

When it comes to the geographical distribution of ransomware attacks, Israel is the most significant outlier among the affected countries, with close to a 600% increase in the number of ransomware sample submissions to VirusTotal in the past year and a half. The rest of the top 10 is followed by South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran and the UK

Top 10 countries affected by ransomware<br> — (Image source: VirusTotal)

While submissions of the GandCrab ransomware samples skyrocketed in the first quarter of 2020, the latest peak in ransomware activity has been observed in July 2021, with an unprecedented spread of the Babuk ransomware family, which was introduced at the start of 2021.

"GandCrab had an extraordinary peak in Q1 2020 which dramatically decreased afterwards. It is still active but at a different order of magnitude in terms of the number of fresh samples," states the report.

Ransomware samples - distribution<br> — (Image source: VirusTotal)

With a whopping 78.5% of scanned ransomware files, GandCrab was the top ransomware variant used by attackers in the past 18 months. GandCrab with followed by Babuk and Cerber, which accounted for 7.61% and 3.11% of submissions to VirusTotal.

“Having an extreme outlier such as GandCrab makes the rest of families almost invisible in the chart with the exception of the Babuk ransomware peak in July 2021,” said VirusTotal.

Perhaps unsurprisingly, the vast majority (95.28%) of ransomware files detected by VirusTotal were Windows-based executables or dynamic link libraries (DLLs), while 2.09% were Android-based.

In terms of distribution artifacts used by threat actors to spread ransomware, the now-defunct Emotet took the lion’s share of the blame, followed by Zbot and Dridex.

“Attackers are using a range of different approaches, including well-known botnet malware and other RATs,” notes VirusTotal.

Tips for an effective anti-ransomware strategy

Based on the findings of the report, VirusTotal provides the following recommendations for an effective anti-ransomware strategy:

Ensure the patching strategy prioritizes all SMB and Windows privilege escalation vulnerabilities.
Regularly monitor new waves of ransomware activity and make sure detection and mitigation techniques are in place.
Watch out for well-known distribution malware, such as botnets-related and RATs.
Implement internal monitoring to harden the use of scripting languages and lateral movement tools.
In case you fail to detect a ransomware attack, always implement cyber resilience and recovery strategies.