Malware (and ransomware) - very short statistics.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
  • Taken from Statista (the year 2021):
    Malware attacks: over 10 000 per minute
    Ransomware attacks: over 1 000 per minute
    So ransomware attacks are only about 10% of all malware attacks.
  • From the SonicWall mid-year 2022 Cyber Threat Report it follows that about 2/3 of all new malicious threats are non-EXE files.

Conclusion.
The best anti-ransomware protection is hardening MS Office (especially Excel). The chances of ransomware infection can decrease to about 1/100 compared to the infection by another malware type.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
I wish I could see the source for these statistics because most malware reports are utterly misleading. E.g., it is very common for them to just take the usual sample streams (from sandbox systems, security vendors, from VT, etc.) and equate the number of samples with the number of attacks. That means all of the malware that replicates itself on sandbox systems is seen as different attacks (I would estimate that more than 50% of the samples are from just that, because such malware creates thousands of new samples from one run).
That also means old malware that very commonly occurs in such sample streams is counted as recent attacks.

I think we should take this with a grain of salt.
If someone has a Statista account and access to the source, it would be great to know.
 

Andy Ful

> I wish I could see the source for these statistics because most malware reports are utterly misleading. E.g., it is very common for them to just take the usual sample streams (from sandbox systems, security vendors, from VT, etc.) and equate the number of samples with the number of attacks. That means all of the malware that replicates itself on sandbox systems is seen as different attacks (I would estimate that more than 50% of the samples are from just that, because such malware creates thousands of new samples from one run).
> That also means old malware that very commonly occurs in such sample streams is counted as recent attacks.

Yes, different sources can report different data. I am aware of this problem. From the known sources (Microsoft, Webroot) it follows that about 90% of samples are morphed.
But the conclusion from my post is probably independent of this issue, because it is a ratio of the attack numbers.
So, ransomware is probably about 10% of malware, and EXE files are about 30% of all malware files. Hardening MS Office can prevent most ransomware. Anyway, the exact numbers are not important.

One should realize that ransomware attacks are not so frequent (although still growing) and simple prevention can significantly decrease the chances of infection. Of course, this conclusion is not true for highly targeted attacks.
 

struppigel

> But the conclusion from my post is probably independent of this issue, because it is a ratio of the attack numbers.
No, it is not, because the ratios are also skewed if you equate attacks with samples. Many attacks reuse samples. And many samples are never used to attack. The ratios, if checking the samples only, will be in high favor of self-replicating malware, especially old self-replicating malware that has almost no attack surface in the real world anymore.
 

Andy Ful

> No, it is not, because the ratios are also skewed if you equate attacks with samples.
I do not equate samples with attacks. I calculate ratios of attacks. When looking at the number of attacks, it is rather clear that they include morphed samples. The results can be skewed when the data presented by Statista is skewed.
Anyway, what is in your opinion the more precise percentage of ransomware attacks? I think that 10% (+- 5%) is reliable and rather conservative.
The open question is if this percentage is similar when we take into account only attacks on home users.
 

Andy Ful

> Many attacks reuse samples.
Do you mean that exactly the same sample is reused or that the modified sample is reused?
According to Microsoft and Webroot, only a few percent of malware samples are reused (the same sample) in the attacks. About 90% of samples (+- 5% in some years) were unique to only one machine. :unsure:
If this statistic is generally true, it can be important for malware testing.
 

struppigel

> I do not equate samples with attacks. I calculate ratios of attacks.
I did not mean you as in you, Andy Ful, personally; I meant the statistics that you are basing your ratios on, where I am not sure where they come from.

> Anyway, what is in your opinion the more precise percentage of ransomware attacks?
I have no precise numbers and I did not say the percentage is wrong (it could accidentally be correct). I said the methods that are used to create said statistics are in most cases wrong.

> Do you mean that exactly the same sample is reused or that the modified sample is reused?
Exactly the same as in same hash.
 

Andy Ful

> I did not mean you as in you, Andy Ful, personally; I meant the statistics that you are basing your ratios on, where I am not sure where they come from.
The source of the Statista data is the "Mid-Year Update to the 2022 SonicWall Cyber Threat Report".
The data is collected via SonicWall Capture Threat Network (real-world data):


I compared the data with the Microsoft report. The "attack" term used by SonicWall and Statista is very similar to the term "malware threat blocked by Microsoft Defender for Endpoint" (18265 blocked threats per 1 minute = 4.8 billion in 6 months).
https://www.microsoft.com/en-us/sec...sider/threat-intelligence/cyberthreat-minute/

So, the term "attack" means a threat detected/blocked via SonicWall Capture Threat Network.
> Exactly the same as in same hash.
The 90% (+-5%) of unique samples is intriguing. It would mean that most samples are not reused at all, because they are replaced very quickly by other morphed samples.
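
The counting question argued in this thread, as an added example that is not from any participant or from the cited reports: the same detections give very different ransomware shares depending on whether one "attack" is a unique hash, a detection row, or one campaign on one machine. Every row, name and count below is constructed for illustration and says nothing about the real SonicWall, Statista or Microsoft figures.

```python
from collections import defaultdict

def build_events():
    """Constructed telemetry rows: (sample_hash, category, machine, campaign)."""
    events = []
    # One sandbox run of a self-replicating file infector: 40 new hashes, one machine.
    events += [(f"infector-{i:02d}", "other", "sandbox-1", "infector-A")
               for i in range(40)]
    # Ransomware campaign: 2 hashes, each seen unchanged on 5 different machines.
    events += [(f"ransom-{h}", "ransomware", f"pc-{h}-{m}", "ransom-B")
               for h in range(2) for m in range(5)]
    # Morphed downloader: a different hash on each of 10 machines.
    events += [(f"loader-{m:02d}", "other", f"home-{m}", "loader-C")
               for m in range(10)]
    return events

def ransomware_share(events, unit):
    """Share of ransomware when one 'attack' is defined as `unit`."""
    keyfn = {
        "sample": lambda i, e: e[0],            # one attack per unique hash
        "event": lambda i, e: i,                # one attack per detection row
        "incident": lambda i, e: (e[2], e[3]),  # one campaign on one machine
    }[unit]
    seen = defaultdict(set)
    for i, e in enumerate(events):
        seen[e[1]].add(keyfn(i, e))
    total = sum(len(keys) for keys in seen.values())
    return len(seen["ransomware"]) / total

def single_machine_fraction(events):
    """Fraction of hashes observed on exactly one machine."""
    machines = defaultdict(set)
    for sample_hash, _, machine, _ in events:
        machines[sample_hash].add(machine)
    return sum(len(ms) == 1 for ms in machines.values()) / len(machines)

if __name__ == "__main__":
    ev = build_events()
    for unit in ("sample", "event", "incident"):
        print(f"{unit:9s} ransomware share = {ransomware_share(ev, unit):.1%}")
    print(f"hashes seen on one machine only = {single_machine_fraction(ev):.1%}")
```

In this constructed feed, a high share of hashes seen on only one machine comes from both the morphed downloader and the single sandbox run of the file infector, so that metric alone does not separate the two cases.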
 
