
VirusTotal Shares Analysis of 80 Million Ransomware Samples

At least 130 ransomware families were active in 2020 and in the first half of 2021, according to a recent data analysis from Google’s VirusTotal scanning service.

Analysis of more than 80 million potential ransomware-related samples submitted from 140 countries worldwide reveals that GandCrab has been the most active ransomware family hitting Windows systems since the beginning of 2020.

The analyzed samples were grouped into 30,000 clusters of malware, and GandCrab accounted for 6,000, followed by Cerber with nearly 5,000 clusters, and Congur, with roughly 2,500 clusters.

GandCrab remains the leader even when it comes to the number of different samples submitted to VirusTotal, accounting for 78.5% of them. Babuk, which emerged in early 2021 and was used in the attack on the Washington DC Metropolitan Police Department, came in second with 7.61 percent of the submitted samples.

Cerber (with 3.11 percent of the samples), Matsnu (2.63 percent), and WannaCry (2.41 percent) rounded out the top five. According to Google, WannaCry is likely present on the list because of “a remnant of an old detection that still applies to some current ransomware families,” and not due to a new wave of attacks.

Many of the big ransomware campaigns are short-lived, but roughly 100 ransomware families remain active at all times, according to the VirusTotal analysis.

Fresh samples are typically used for new campaigns, with botnets and remote access Trojans (RATs) used as delivery mechanisms. Attackers also use exploits for privilege escalation and for spreading their malware within internal networks.

The VirusTotal analysis also found that most ransomware continues to target Windows systems, as roughly 95 percent of the samples were Windows-based executables or dynamic link libraries (DLLs). Android ransomware accounted for 2 percent of the samples and Google also observed roughly 1 million EvilQuest ransomware samples targeting macOS machines.

In terms of geographical distribution, Israel appears to have been affected the most, with a 600 percent increase in sample submissions compared to the baseline, followed by South Korea and Vietnam, with approximately 150 percent each.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
