
VirusTotal has released its first ransomware activity report



The most active forms of ransomware were GandCrab, Babuk and Cerber.

At least 130 different ransomware families were active during 2020 and the first half of 2021, according to a VirusTotal report based on the analysis of more than 80 million ransomware samples uploaded to the service during that period.

The countries submitting the most samples were Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran and Great Britain. As VirusTotal security engineer Vicente Diaz explained, a high number of submissions does not mean that these countries are the most attacked. Israel's prominent position, for example (the number of ransomware samples submitted from the country rose by 600%), may simply reflect the fact that "many companies [in the country] automate uploads" to the service.

The list of most active ransomware families was headed by GandCrab (78.5% of samples), mainly because of heavy activity from January to July 2020 (in the second half of the year the family's activity dropped significantly). Babuk (7.61%) took second place, followed by Cerber (3.11%), Matsnu (2.63%), WannaCry (2.41%), Congur (1.52%), Locky (1.29%), TeslaCrypt (1.12%), Rkor (1.11%) and Reveton (0.70%).

"Among the top 10 ransomware families, we see the presence of wannacry. Perhaps these are remnants of old detections that are still relevant to some of the current ransomware families. However, we do not believe this is indicative of a new wave of wannacry attacks," the report says.

As for the most targeted platforms, Windows comes first: 95% of the detected samples were Windows executables or DLLs. Android samples accounted for only 2.09%. In addition, the EvilQuest malware targeting macOS was detected in mid-2020.

As noted, approximately 5% of the samples analyzed were associated with exploits, mainly for privilege escalation or remote code execution vulnerabilities in Windows.

Almost all of the ten most active ransomware families were found together with other malware such as Emotet, Zbot, Dridex, Gozi or Danabot, with tools used for lateral movement (Mimikatz and Cobalt Strike), and with dozens of remote access trojans and commodity loaders (Phorpiex, Smokeloader, Nanocore, Ponystealer and others).

VirusTotal is a free service, owned by Google, that provides information about the reputation and context of threats to help analyze suspicious files, URLs, domains and IP addresses to identify cyber threats.



CronRAT: Linux malware scheduled to launch on February 31



Malware masks its malicious activity by scheduling it to occur on a non-existent calendar day.

Researchers at Sansec Threat Research have discovered a new remote access trojan for Linux systems that uses a previously unseen stealth technique: the malware disguises its malicious activity by scheduling it to run on February 31st, a day that does not exist on the calendar.

The malware, dubbed CronRAT, can steal data from e-commerce sites on the server side, bypassing browser-based security controls. The researchers found RAT samples on several online retailers, including the largest store in an unspecified country.

A standout feature of CronRAT is its abuse of the Unix cron job scheduler: it hides its malicious payloads in crontab entries scheduled to run on February 31st. This not only lets the malware evade detection by security tools, but also gives it a foothold from which to run attack commands that can compromise Linux e-commerce servers.

Most online retailers deploy only browser-side protection, and attackers take advantage of the unprotected back-end server. Security professionals should consider the entire attack surface, Sansec Threat Research said.

"CronRAT adds a number of tasks to the crontab with an interesting date specification: 52 23 31 2 3. These lines are syntactically correct, but will generate a runtime error when executed. However, this will never happen, since their launch is scheduled for February 31," the experts explained.
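The practical check that follows from this is to audit crontabs for entries whose day-of-month/month combination can never occur. The Python script below is an added example written for this article; it is not code from Sansec or from the CronRAT analysis. The sample crontab it audits is constructed, and the paths in it are made up. Only the five time fields of each entry are parsed, so it works on user crontabs and, since it ignores everything after the fifth field, on /etc/crontab entries that carry a user column as well.

```python
import calendar

# Constructed sample crontab (not a real CronRAT dump). Line 4 mimics the
# "52 23 31 2 3" schedule Sansec describes; line 5 is another impossible date.
SAMPLE_CRONTAB = "\n".join([
    "SHELL=/bin/sh",
    "# nightly maintenance",
    "0 2 * * * /usr/bin/certbot renew",
    "52 23 31 2 3 /var/tmp/.cache/run 2>/dev/null",
    "30 4 30 2 * /usr/local/bin/backup.sh",
    "15 3 1-31 * * /usr/sbin/logrotate /etc/logrotate.conf",
    "@reboot /usr/local/bin/agent",
])


def expand_field(spec, lo, hi):
    """Expand one crontab field ('*', lists, ranges, steps) into a set of ints.

    Month/weekday names such as 'feb' or 'wed' are not handled and raise ValueError.
    """
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"value out of range in field {spec!r}")
        values.update(range(start, end + 1, step))
    return values


def days_in_month(month):
    # A leap year is used so that February 29 counts as a real date.
    return calendar.monthrange(2024, month)[1]


def never_fires(dom_spec, month_spec):
    """True if no day-of-month in dom_spec exists in any month of month_spec."""
    doms = expand_field(dom_spec, 1, 31)
    months = expand_field(month_spec, 1, 12)
    return not any(d <= days_in_month(m) for m in months for d in doms)


def audit_crontab(text):
    """Return (line_number, reason, line) for entries scheduled on impossible dates."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and @reboot-style entries (they have no date fields).
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split(None, 5)
        # Fewer than six fields means a VAR=value assignment or junk, not a job.
        if len(fields) < 6 or "=" in fields[0]:
            continue
        _minute, _hour, dom, month, dow, _command = fields
        try:
            if not never_fires(dom, month):
                continue
        except ValueError:
            findings.append((lineno, "unparseable schedule", line))
            continue
        reason = f"day-of-month {dom} never occurs in month {month}"
        # crontab(5): when both day-of-month and day-of-week are restricted,
        # Vixie cron runs the job when EITHER field matches, so a weekday
        # field can still make an "impossible" date fire.
        if not dow.startswith("*"):
            reason += f"; day-of-week {dow} is also set, so the entry may still run"
        findings.append((lineno, reason, line))
    return findings


if __name__ == "__main__":
    for lineno, reason, line in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {reason}\n    {line}")
```

On a live host, feed it the output of `crontab -l` for each user and the contents of /etc/cron.d. The day-of-week caveat in the code is worth keeping in mind: the crontab(5) man page states that when both the day-of-month and day-of-week fields are restricted, the job runs when either one matches, so an entry like `52 23 31 2 3` is suspicious regardless of whether it ever executes.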



Google has agreed with UK regulator on cookie changes



Google is committed to promoting competition in digital markets and protecting the interests of other businesses.

Google has promised to introduce additional restrictions on how data is used in its Chrome browser. The decision stems from the UK competition regulator's concerns about the tech giant's plan to end support for the third-party cookies that advertisers use to track consumers.

The Competition and Markets Authority (CMA) is examining Google's plan to phase out support for third-party cookies in Chrome, part of an initiative called the Privacy Sandbox that is developing a new set of open standards. With them, Google seeks to strike a balance between users' privacy and advertisers' desire to track their preferences.

The new standards are meant to let advertisers infer a user's interests without identifying them individually: broad interest categories, such as a music genre, would be available, while browsing history at the level of individual sites would not be exposed.

As Google notes, users want more privacy when browsing the web, including not being tracked across different sites. Other companies, however, have said that losing third-party cookies will limit their ability to collect the information used to personalize ads and make them more dependent on Google's own user data.

Google previously agreed not to implement the plan without CMA approval, and the changes agreed with the UK regulator will apply globally. Google has addressed some remaining issues, including a commitment to curtail access to IP addresses and clarify internal restrictions on the data it can use, the CMA said.



Researchers Accused Microsoft of Reducing Bug Bounty Amounts



In some cases, the tech giant has reduced the remuneration tenfold or 90%.

A number of security researchers have accused Microsoft of reducing the rewards it pays for reported vulnerabilities under its bug bounty program. In some cases, the tech giant has apparently cut the reward tenfold, or by 90%.

As recently as last year, researcher Marcus Hutchins, also known as MalwareTech, reported on Twitter that he had received only $1,000 from the company for a vulnerability he discovered, whereas the reward for such vulnerabilities had previously been $10,000.

Other researchers have posted similar complaints. For example, a Hyper-V security researcher using the alias rthhh17 recently reported that Microsoft valued his vulnerability, which can be exploited from a guest machine, at only $5,000.

The most recent example of a disgruntled researcher is Abdelhamid Naceri, who published proof-of-concept code for a then-unpatched Windows vulnerability in protest at Microsoft's reduced bounties.

The current bug bounty pricing was shown in the original article as a table, which is not reproduced here.
It is noteworthy that although rthhh17 received only $5,000 for his Hyper-V remote code execution vulnerability, Microsoft's website lists such vulnerabilities as eligible for awards of "up to $250,000". In other words, the payout was 2% of the advertised maximum.
