About 2% were Android-based, while one set, known as EvilQuest, targeted OSX, according to the study, titled Ransomware Activity Report. It took into account samples submitted all the way back to January 2020.
Vicente Diaz of VirusTotal said in a short blog post accompanying the 14-page study that of the 140 countries which submitted ransomware samples, Israel was far and away an outlier, with the highest number of submissions and a nearly 600% rise in submissions compared to its baseline.
Percentage increase from baseline.
"Israel was followed by South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran and the UK as the most affected territories based on the number of submissions to VirusTotal," Diaz said.
The following four conclusions were reached:
- First, while big campaigns come and go, there is a constant baseline of ransomware activity that never stops.
- Second, attackers are using a range of different approaches, including well-known botnet malware and other remote access trojans.
- Third, in terms of ransomware distribution, attackers don’t appear to need exploits other than for privilege escalation and for malware spreading within internal networks.
- Finally, Windows accounts for 95% of the ransomware targets, compared to 2% for Android.
"Activity among the most spread ransomware families comes and goes, but there is a baseline of activity of around 100 not-so-popular ransomware families that never stops," the report said.
Number of ransomware clusters identified grouped by family.
"According to our observations, it seems that in most cases attackers prepare fresh new samples for their campaigns. In July 2021 we observed a wave of the new variant of Babuk ransomware.
"GandCrab was the most active family in early 2020, before its prevalence decreased dramatically in the second half of the year."
The study identified at least 130 different ransomware families. "Identification was not a trivial exercise given the different naming conventions used by the security industry," it said.
"For example, the set of samples we selected for our analysis can be grouped into more than 30,000 different clusters based on similarity. Clusters are sets of malware grouped together because they look similar."
GandCrab was the top ransomware family by a very big margin among the samples analysed.
Top 10 ransomware families by number of different samples. All screenshots courtesy VirusTotal.