At least 130 ransomware families were active in 2020 and in the first half of 2021, according to a recent data analysis from Google’s VirusTotal scanning service.
Analysis of more than 80 million potential ransomware-related samples submitted from 140 countries worldwide reveals that GandCrab has been the most active ransomware family hitting Windows systems since the beginning of 2020.
The analyzed samples were grouped by 30,000 clusters of malware, and GandCrab accounted for 6,000, followed by Cerber with nearly 5,000 clusters, and Congur, with roughly 2,500 clusters.
GandCrab remains the leader even when it comes to the number of different samples submitted to VirusTotal, accounting for 78.5% of them. Babuk, which emerged in early 2021 and was used in the attack on Washington DC Metropolitan Police Department, came in second with 7.61 percent of the submitted samples.
Cerber (with 3.11 percent of the samples), Matsnu (2.63 percent), and WannaCry (2.41 percent) rounded up top five. According to Google, WannaCry is likely present on the list because of “a remnant of an old detection that still applies to some current ransomware families,” and not due to a new wave of attacks.
[ Related: Understanding the Cryptocurrency-Ransomware Connection ]
Many of the big ransomware campaigns are short lived, but there’s a constant activity of roughly 100 ransomware families that continues at all times, according to the VirusTotal analysis.
Fresh samples are typically used for new campaigns, with botnets and remote access Trojans (RATs) used as delivery mechanisms. Attackers also use exploits for privilege escalation and for spreading their malware within internal networks.
The VirusTotal analysis also found that most ransomware continues to target Windows systems, as roughly 95 percent of the samples were Windows-based executables or dynamic link libraries (DLLs). Android ransomware accounted for 2 percent of the samples and Google also observed roughly 1 million EvilQuest ransomware samples targeting macOS machines.
In terms of geographical distribution, Israel appears to have been affected the most, with a 600 percent increase in sample submissions compared to the baseline, followed by South Korea and Vietnam, with approximately 150 percent each.
Related: Ransomware Risk Assessment Service Aims to Deflect Attacks
Related: Understanding the Cryptocurrency-Ransomware Connection

More from Ionut Arghire
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- GitLab Security Update Patches Critical Vulnerability
- Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
