Google's VirusTotal reports that 95% of ransomware spotted targets Windows

Criminals follow the money, code flaws

Google's VirusTotal service has reported that 95 per cent of ransomware malware identified by its systems targets Windows.

VirusTotal, acquired by Google in 2012, operates a malware scanning service that can be used manually or via an API to analyse suspicious files. The team collected data between January 2020 and August this year to investigate how ransomware is evolving. VirusTotal receives over two million suspicious files per day from 232 countries, it said, placing it in a strong position to analyse the problem.

Over the period there were at least 130 different ransomware families, the report said, and change is constant. "It seems that in most cases attackers prepare fresh new samples for their campaigns," the report states.

Geographical distribution of ransomware samples identified

There were notable geographic distinctions, with Israel submitting by far the most ransomware samples, followed by South Korea, Vietnam and China. The UK is 10th. This does not necessarily mean that these territories were the most attacked, though. VirusTotal security engineer Vicente Diaz, in a video presentation, said that the high figures for Israel "could be related to many companies [there] automating their submission."

In other words, territories which are more diligent in submitting samples will show more positives, so a high figure may indicate better defences rather than more attacks, or perhaps both.

Getting their claws in

The top family of ransomware was one dubbed Grandcrab, accounting for 78.5 per cent of positive samples, largely thanks to a spike in activity between January and July 2020. In July 2021 there was another spike, this time for Babuk.

What systems are most attacked? 93.28 per cent of ransomware detected were Windows executables, and 2 per cent Windows DLLs, the report said. "This is not a surprise … most of this malware is meant for Windows Systems," said Diaz. Android accounts for just over 2 per cent of the files, and around mid-2020 a number of positive samples, called EvilQuest, were identified, targeting the Mac.

Ransomware file types: mostly Windows

In the presentation, Diaz also addressed the key question of building an effective anti-ransom strategy. Detect the well-known malware, he said, and ensure a patching strategy that prioritised privilege escalation issues such as SMB (Server Message Block, the Windows network file sharing protocol) vulnerabilities.

Scripting languages, he said, "are very easy droppers that the attackers can use," and are increasingly being taken advantage of, so he suggests hardening and restricting them where possible. Monitor new waves of ransomware, he said. Finally, and possibly most important, he advised implementing cyber resilience strategies, meaning, we surmise, well-protected backups and tested recovery strategies.

While this is sound advice, its implementation can be challenging. The Windows printing system, for example, has proven to be a source of privilege-escalation vulnerabilities, and although these can be mitigated, Microsoft has not fixed them completely, and some administrators have struggled to follow best practice without breaking functionality.

It's where the money is

Why is Windows so prominent? There are several factors, including massive market share and ubiquity, the value of the targets, and the fact that legacy code in Microsoft's operating system is hard to secure.

"Our Chrome OS cloud-first platform has had no reported ransomware attacks … on any business, education or consumer Chrome OS device," brags Google.

When Microsoft has tried to establish more locked-down editions of Windows though, such as Windows RT and Windows S, it has met resistance from users unable to run the software they need. Google with Chrome OS, and Apple with iOS, designed new operating systems with security in mind.

VirusTotal's report measures the malware it has detected, and not successful attacks. In general, malware submitted to VirusTotal has probably been unsuccessful, since it has been detected.

There are also other vectors of attack, such as phishing, or exploiting bugs and vulnerabilities in network appliances, the majority of which run Linux. The overall picture may not be quite as Windows-dominated as it first appears. That said, securing Microsoft's operating system looks set to remain a key challenge for the industry. ®
