VirusTotal Shares Data on Ransomware Activity

Google's online malware scanning service analyzed 80 million ransomware samples that were uploaded in the past year-and-a-half.

Attackers employed around 130 ransomware families in 2020 and the first half of 2021, with the GandCrab variant the most active, according to newly released data from VirusTotal's first-ever ransomware report.

VirusTotal, which is part of Google, studied some 80 million ransomware samples that had been uploaded to the online malware scanning platform over the past year-and-a-half. Next in line for the most active ransomware families were Babuk, Cerber, Matsnu, Congur, Locky, Teslacrypt, Rkor, and Reveon, according to Google's VirusTotal report findings.

Some 140 countries submitted samples, led by Israel and then South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran, and the UK.

Ransomware attacks have become a big priority in the US government lately as many high-profile companies (think: Colonial Pipeline) and healthcare organizations have been hit and suffered major operational disruption. Most recently, the US Department of Justice (DoJ) launched the National Cryptocurrency Enforcement Team to crack down on the illegal use of cryptocurrency, the anonymous payment conduit of choice by ransomware operators. It also announced the Civil Cyber-Fraud Initiative to ensure government contractors disclose their cybersecurity protocols and cyberattacks in order to protect agencies from supply chain-related cyberattacks.

"We saw peaks of ransomware activity in the first two quarters of 2020, primarily due to the ransomware-as-a-service group GandCrab (though its prevalence decreased dramatically in the second half of the year)," said Vicente Diaz, threat intel strategist at Google's VirusTotal, in a blog post. "Another sizable peak occurred in July 2021, driven by the Babuk ransomware family – a ransomware operation launched at the beginning of 2021 that was behind the attack on the Washington DC Metropolitan Police Department."

Diaz noted that large ransomware campaigns come and go, but some 100 ransomware families constantly circulate in the wild. Attackers use botnets and remote access Trojans (RATs) to transport ransomware, often with new samples of ransomware. 

Editors' Choice
Elizabeth Montalbano, Contributor, Dark Reading
Nate Nelson, Contributing Writer, Dark Reading
Nate Nelson, Contributing Writer, Dark Reading