Welcome to VirusTotal’s first Ransomware Activity Report. This initiative is designed to help researchers, security practitioners and the general public better understand the nature of ransomware attacks by sharing VirusTotal’s visibility. One of the main challenges for defenders is understanding the whole picture. We all have a partial view at best and it has proved difficult to condense and analyze significant and rich data in a single place.
This is where VirusTotal comes in. We are in a unique position to provide comprehensive visibility. Over the last 16 years, we have processed more than 2 million files per day across 232 countries. VirusTotal also harnesses the continuous contribution of its community of users to provide relevant context. We use this crowdsourced intelligence to analyze relevant data, share an understanding of how attacks develop, and help inform how they might evolve in the future.
This report is the first step in what we hope will become an ongoing community effort to discover and share actionable information on malware trends.
Since 2020, users from more than 140 countries have submitted ransomware samples to VirusTotal.
During this time, at least 130 different ransomware families have been active.
Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran and the UK are the 10 most affected territories based on the number of submissions to VirusTotal.
Activity among the most widespread ransomware families comes and goes, but a baseline of activity from around 100 less popular ransomware families never stops.
According to our observations, in most cases attackers prepare fresh samples for their campaigns.
In July 2021 we observed a wave of a new variant of Babuk ransomware.