Malware (and ransomware) - very short statistics.

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Forum Veteran
Dec 23, 2014
10,044
1
66,006
8,398
65
Poland
  • Taken from Statista (the year 2021):
    Malware attacks ......: over 10 000 per minute
    Ransomware attacks: over 1 000 per minute
    So ransomware attacks are only about 10% of all malware attacks.
1662503688676.png


1662503824487.png

www.statista.com

Topic: Malware

Find the most up-to-date statistics and facts on worldwide impact of malware
www.statista.com www.statista.com



  • From the SonicWall mid-year 2022 Cyber Threat Report it follows that about 2/3 of all new malicious threats are non-EXE files.
1662506449669.png




Conclusion.
The best anti-ransomware protection is hardening MS Office (especially Excel). The chances of ransomware infection can decrease to about 1/100 compared to the infection by another malware type.
 
Last edited:
  • Like
  • +Reputation
Reactions: SeriousHoax, EascapenMatrix, Venustus and 9 others
I wish I could see the source for these statistics because most malware reports are utterly misleading. E.g., it is very common for them to just take the usual sample streams (from sandbox systems, security vendors, from VT etc) and equate the number of samples with number of attacks. That means all of the malware that replicates themselves on sandbox systems are seen as different attacks (I would estimate that more than 50% of the samples are from just that because such malware creates thousands of new samples from one run).
That also means old malware that is very common to occur in such sample streams, is counted as recent attacks.

I think we should take this with a grain of salt.
If someone has a statista account and access to the source, it would be great to know.
 
  • Like
  • +Reputation
Reactions: EascapenMatrix, Venustus, Gandalf_The_Grey and 5 others
struppigel said:
I wish I could see the source for these statistics because most malware reports are utterly misleading. E.g., it is very common for them to just take the usual sample streams (from sandbox systems, security vendors, from VT etc) and equate the number of samples with number of attacks. That means all of the malware that replicates themselves on sandbox systems are seen as different attacks (I would estimate that more than 50% of the samples are from just that because such malware creates thousands of new samples from one run).
That also means old malware that is very common to occur in such sample streams, is counted as recent attacks.
Click to expand...

Yes, different sources can report different data. I am aware of this problem. From the known sources (Microsoft, Webroot) it follows that about 90% of samples are morphed.
But the conclusion from my post is probably independent of this issue, because it is a ratio of the attack numbers.
So, ransomware is probably about 10% of malware, and EXE files are about 30% of all malware files. Hardening MS Office can prevent most ransomware. Anyway, the exact numbers are not important.

One should realize that ransomware attacks are not so frequent (although still growing) and simple prevention can significantly decrease the chances of infection. Of course, this conclusion is not true for highly targeted attacks.
 
Last edited:
Andy Ful said:
But the conclusion from my post is probably independent of this issue, because it is a ratio of the attack numbers.
Click to expand...
No, it is not because the ratios are also skewed if you equate attacks with samples. Many attacks reuse samples. And many samples are never used to attack. The ratios if checking the samples only will be in high favor of self-replicating malware, especially old self-replicating malware that has almost no attack surface in the real world anymore.
 
  • Like
Reactions: upnorth
struppigel said:
No, it is not because the ratios are also skewed if you equate attacks with samples.
Click to expand...
I do not equate samples with attacks. I calculate ratios of attacks. When looking at the number of attacks, it is rather clear that they include morphed samples. The results can be skewed when the data presented by Statista is skewed.
Anyway, what is in your opinion the more precise percentage of ransomware attacks? I think that 10% (+- 5%) is reliable and rather conservative.
The open question is if this percentage is similar when we take into account only attacks on home users.
 
Last edited:
struppigel said:
Many attacks reuse samples.
Click to expand...
Do you mean that exactly the same sample is reused or that the modified sample is reused?
According to Microsoft and Webroot, only a few percent of malware samples are reused (the same sample) in the attacks. About 90% of samples (+- 5% in some years) were unique to only one machine.:unsure:
If this statistic is generally true, it can be important for malware testing.
 
Last edited:
Andy Ful said:
I do not equate samples with attacks. I calculate ratios of attacks.
Click to expand...
I did not mean you as in you Andy Ful personally, I meant the statistics that you are basing your ratios from, where I am not sure where they come from.

Andy Ful said:
Anyway, what is in your opinion the more precise percentage of ransomware attacks?
Click to expand...
I have no precise numbers and I did not say the percentage is wrong (it could accidentally be correct). I said the methods that are used to create said statistics are in most cases wrong.

Andy Ful said:
Do you mean that exactly the same sample is reused or that the modified sample is reused?
Click to expand...
Exactly the same as in same hash.
 
  • Like
Reactions: Andy Ful
struppigel said:
I did not mean you as in you Andy Ful personally, I meant the statistics that you are basing your ratios from, where I am not sure where they come from.
Click to expand...
The source of the Statista data is the "Mid-Year Update to the 2022 SonicWall Cyber Threat Report".
www.sonicwall.com

Mid-Year Update to the 2022 SonicWall Cyber Threat Report

Geopolitical forces are rapidly reshaping cyber frontlines — and some threat types are seeing triple-digit increases. To find out why, download the full report.
www.sonicwall.com www.sonicwall.com
The data is collected via SonicWall Capture Threat Network (real-world data):

1662597063847.png



I compared the data with the Microsoft report. The "attack" term used by SonicWall and Statista is very similar to the term "malware threat blocked by Microsoft Defender for Endpoint" (18265 blocked threats per 1 minute = 4.8 billion in 6 months).
https://www.microsoft.com/en-us/sec...sider/threat-intelligence/cyberthreat-minute/

So, the term "attack" means a threat detected/blocked via SonicWall Capture Threat Network.
struppigel said:
Exactly the same as in same hash.
Click to expand...
The 90% (+-5%) of unique samples is intriguing. It would mean that most samples are not reused at all, because they are replaced very quickly by other morphed samples.
 
  • Like
  • Thanks
Reactions: harlan4096 and struppigel

You may also like...