Have you ever wondered at the scale of activity in the cyber underground or what goes on down there? It’s fair to say it’s a little short of a feeding frenzy, with everyone from lone hackers honing their skills to organised crime groups launching mass phishing campaigns, and every shade of cyber miscreant in between. Within this context, a recent report from VirusTotal revealed just how alarmingly widespread ransomware activity is. If you had any doubts about the need for cyber security, the findings from this report will put you straight.

VirusTotal is a free service for the security community. It analyses suspicious files and URLs and shares them with antivirus vendors and security companies to help them improve their services and products. To give you a sense of the scale of its operations, each day it analyses approximately 150,000 ransomware samples, which are submitted by security researchers, suspicious computer users, IT departments and so on from around the world.

80 million ransomware samples in 18 months

Recently it reported on more than 80 million ransomware samples that were uploaded to its service in the past 18 months. It received ransomware submissions from 140 different countries and discovered at least 130 different ransomware families had been active since January 2020.

The report revealed:
  • The GandCrab ransomware-as-a-service operation was the most commonly seen family of ransomware based on the number of samples delivered. This illustrates how a large number of cyber criminals without high-level skills are hiring ransomware from its creators to launch attacks.
  • Another prominent ransomware family is Babuk, a ransomware operation that was launched at the beginning of 2021 and was behind an attack on the Washington DC Metropolitan Police Department.
  • There is also a baseline of activity of around 100 not-so-popular ransomware families that never stops. That is, these attacks are essentially going on 24/7.

Interestingly, based on VirusTotal’s analysis, only 5% of the samples examined contained exploits. An exploit is code that takes advantage of a vulnerability in software that attackers have discovered.
  • By far, most ransomware attacks are deployed using social engineering, that is, phishing emails and droppers, which are small programs designed to install malware.
  • A phishing email, for instance, may contain an attachment marked as ‘invoice’ in order to lure someone into downloading and opening it.
  • If the attachment is opened, the dropper ‘drops’ the ransomware code into the system. In essence, it unpacks the ransomware components and installs them quietly in the background.
  • This dropper activity doesn’t damage the system as such; rather, it sets up the ransomware to do its work. Droppers are not used exclusively for ransomware; they also load other types of malware such as banking trojans, keystroke loggers and spyware.

BullGuard customers are lucky in the sense they are protected by some of the best internet security available. For instance, BullGuard consists of layers of security, each with its own security role, which taken together provide seriously robust layered defences.
  • Dynamic machine learning is one component of BullGuard protection. Based on algorithms and statistical models, it analyses and draws inferences from patterns in data.
  • It analyses huge amounts of data, detects trends, and provides deep insight that identifies anomalies in code suggestive of malware, and then makes decisions based on these findings.
  • When it identifies potentially malicious code, BullGuard software is automatically updated so the threats are blocked before any harm is done.

Despite millions of ransomware samples circulating in the cyber underground, BullGuard is more than equal to the task of identifying and nullifying them. The important thing is BullGuard never stands still; our protection is always evolving to detect and head off future threats as they emerge, whether these are new strains of ransomware or other types of malware.