{"id":7221,"date":"2021-10-27T15:58:29","date_gmt":"2021-10-27T22:58:29","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7221"},"modified":"2024-08-07T12:30:07","modified_gmt":"2024-08-07T19:30:07","slug":"new-global-ransomware-report-from-virustotal-google-but-read-the-fine-print","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/new-global-ransomware-report-from-virustotal-google-but-read-the-fine-print\/","title":{"rendered":"New Global Ransomware Report from VirusTotal & Google (But Read the Fine Print!)"},"content":{"rendered":"

Google recently asked one of its portfolio companies, VirusTotal, to sift through global ransomware data collected from the samples submitted to their portal over the last few years to uncover data points and trends that traditional threat reports simply don\u2019t reveal.\u00a0 While there is some interesting information to be gained from this report, we should start with a warning:<\/p>\n

The \u201cRansomware in a Global Context<\/a>\u201d report from VirusTotal is based on samples submitted to VirusTotal by analysts and other security professionals.\u00a0 But \u2018submissions\u2019 do not equate to detections, infections, investigations, or even breaches.\u00a0 In many ways, this is a \u2018usage\u2019 report of VirusTotal services and not a threat report.<\/p>\n

Keep a few things in mind, and you\u2019ll do fine<\/h3>\n

With that said, this blog is not intended to disparage the report.\u00a0 In fact, many of the report\u2019s findings are truly interesting and may guide security teams in both general and specific areas.\u00a0 But in a world with so many threat reports it is easy to develop an automated response about how to interpret certain kinds of charts and tables.\u00a0 For example, look at this chart from the report labeled as \u201cGeographic distribution of ransomware-related submissions\u201d.<\/p>\n

\"\"<\/p>\n

A magazine article based on this chart claimed that \u201cIsrael has submitted the largest amount of ransomware samples since the start of 2020.\u201d\u00a0 But that is not what this chart is showing. This is about which countries have \u2018increased\u2019 their use of VirusTotal the most since 2020.\u00a0 It is measuring a delta, not total usage.\u00a0 So, if I was working for VirusTotal, this would tell me I could reduce my marketing budget in Israel because VirusTotal is already growing strong there. But it tells me little about ransomware activity or what I can do to improve my security.<\/p>\n

Readers note:\u00a0 This is the last chart I plan to include here.\u00a0 If I post all the pretty pictures here, you\u2019ll miss some of the context I\u2019m unable to include due to time, space, and typing endurance limitations. So read the full report<\/a>.<\/p>\n

Death, Disaster, and Drama Rule!<\/h3>\n

It is apparent from figure 1 in the report that about half of all the ransomware submissions over this 21 month period took place in the first 6 months of 2020.\u00a0 This means recent data is diluted and the report has little to offer about how ransomware has changed recently.\u00a0 But the early 2020 spike aligned with the start of the global pandemic when cyber criminals were creating many COVID-19 themed attacks using both old and new techniques and methods.\u00a0 SecOps were erring on the side of caution due to work-from-home and other shifts in business processes, resulting in submissions of anything suspicious. So it would make sense that VirusTotal would see many more submissions than usual.<\/p>\n

And this underscores the role of \u201cdeath, disaster, and drama\u201d in driving threat actor activity.\u00a0 Global or regional events around these themes are big drivers for cybercriminals who have an attack ready to go and are just waiting for the right opportunity.\u00a0 They want a theme that will cause stress in victims where they are proven to be more susceptible to social engineering.\u00a0 For example, about 10 years ago a Tsunami hit Japan<\/a> with devastating consequences which cyber criminals used to attack both victims and those trying to help. This approach worked so well that, a few years ago, one cybercriminal group faked a tsunami<\/a> in an effort to target Japanese citizens.\u00a0 And there are plenty of other examples of attacks using the death of a celebrity, drama around anything raging in social media, and so on.<\/p>\n

Watch the news because it might just tip you off to a new wave of threats.<\/p>\n

Exploits are not as common as you think<\/h3>\n

The VirusTotal report says only 5% of the submitted samples contained an exploit, or code designed to take advantage of an application or system vulnerability. While it is generally understood that social engineering remains the most successful tool for bypassing security, this 5% number appears deceivingly low.\u00a0 This is because the VirusTotal data includes a lot of known threats (see figure 5 in the report), and there is no sample breakdown into \u2018successful\u2019 and \u2018unsuccessful\u2019.\u00a0 So we must look at other threat reports where many security vendors conclude that \u2018exploits\u2019 are a common element of successful ransomware attacks.\u00a0 So, while 5% of overall samples may involve an exploit, it is more likely that more than 5% of \u2018successful\u2019 ransomware samples involved exploits.<\/p>\n

Regardless of how bad the problem may be, there are plenty of options to consider to address exploits.\u00a0 And, while security professionals know that you cannot simply match up a threat category with a security solution category, here are a few thoughts to keep in mind as you consider how your current defenses address this area of risk.\u00a0<\/p>\n