VirusTotal Shares Data on Ransomware Activity

Google's online malware scanning service analyzed 80 million ransomware samples that were uploaded in the past year-and-a-half.

Ransomware note on a computer screen
JAM / Alamy Stock Photo

Attackers employed around 130 ransomware families in 2020 and the first half of 2021, with the GandCrab variant the most active, according to newly released data from VirusTotal's first-ever ransomware report.

VirusTotal, which is part of Google, studied some 80 million ransomware samples that had been uploaded to the online malware scanning platform over the past year-and-a-half. Next in line for the most active ransomware families were Babuk, Cerber, Matsnu, Congur, Locky, Teslacrypt, Rkor, and Reveon, according to Google's VirusTotal report findings.

Some 140 countries submitted samples, led by Israel and then South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran, and the UK.

Ransomware attacks have become a big priority in the US government lately as many high-profile companies (think: Colonial Pipeline) and healthcare organizations have been hit and suffered major operational disruption. Most recently, the US Department of Justice (DoJ) launched the National Cryptocurrency Enforcement Team to crack down on the illegal use of cryptocurrency, the anonymous payment conduit of choice by ransomware operators. It also announced the Civil Cyber-Fraud Initiative to ensure government contractors disclose their cybersecurity protocols and cyberattacks in order to protect agencies from supply chain-related cyberattacks.

Ransomware-as-a-Service
"We saw peaks of ransomware activity in the first two quarters of 2020, primarily due to the ransomware-as-a-service group GandCrab (though its prevalence decreased dramatically in the second half of the year)," said Vicente Diaz, threat intel strategist at Google's VirusTotal, in a blog post. "Another sizable peak occurred in July 2021, driven by the Babuk ransomware family – a ransomware operation launched at the beginning of 2021 that was behind the attack on the Washington DC Metropolitan Police Department."

Diaz noted that large ransomware campaigns come and go, but some 100 ransomware families constantly circulate in the wild. Attackers use botnets and remote access Trojans (RATs) to transport ransomware, often with new samples of ransomware. 

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights