Malware (and ransomware) - very short statistics.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,894
  • Taken from Statista (the year 2021):
    Malware attacks ......: over 10 000 per minute
    Ransomware attacks: over 1 000 per minute
    So ransomware attacks are only about 10% of all malware attacks.
1662503688676.png


1662503824487.png




  • From the SonicWall mid-year 2022 Cyber Threat Report it follows that about 2/3 of all new malicious threats are non-EXE files.
1662506449669.png




Conclusion.
The best anti-ransomware protection is hardening MS Office (especially Excel). The chances of ransomware infection can decrease to about 1/100 compared to the infection by another malware type.
 
Last edited:

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
650
I wish I could see the source for these statistics because most malware reports are utterly misleading. E.g., it is very common for them to just take the usual sample streams (from sandbox systems, security vendors, from VT etc) and equate the number of samples with number of attacks. That means all of the malware that replicates themselves on sandbox systems are seen as different attacks (I would estimate that more than 50% of the samples are from just that because such malware creates thousands of new samples from one run).
That also means old malware that is very common to occur in such sample streams, is counted as recent attacks.

I think we should take this with a grain of salt.
If someone has a statista account and access to the source, it would be great to know.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,894
I wish I could see the source for these statistics because most malware reports are utterly misleading. E.g., it is very common for them to just take the usual sample streams (from sandbox systems, security vendors, from VT etc) and equate the number of samples with number of attacks. That means all of the malware that replicates themselves on sandbox systems are seen as different attacks (I would estimate that more than 50% of the samples are from just that because such malware creates thousands of new samples from one run).
That also means old malware that is very common to occur in such sample streams, is counted as recent attacks.

Yes, different sources can report different data. I am aware of this problem. From the known sources (Microsoft, Webroot) it follows that about 90% of samples are morphed.
But the conclusion from my post is probably independent of this issue, because it is a ratio of the attack numbers.
So, ransomware is probably about 10% of malware, and EXE files are about 30% of all malware files. Hardening MS Office can prevent most ransomware. Anyway, the exact numbers are not important.

One should realize that ransomware attacks are not so frequent (although still growing) and simple prevention can significantly decrease the chances of infection. Of course, this conclusion is not true for highly targeted attacks.
 
Last edited:

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
650
But the conclusion from my post is probably independent of this issue, because it is a ratio of the attack numbers.
No, it is not because the ratios are also skewed if you equate attacks with samples. Many attacks reuse samples. And many samples are never used to attack. The ratios if checking the samples only will be in high favor of self-replicating malware, especially old self-replicating malware that has almost no attack surface in the real world anymore.
 
  • Like
Reactions: upnorth

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,894
No, it is not because the ratios are also skewed if you equate attacks with samples.
I do not equate samples with attacks. I calculate ratios of attacks. When looking at the number of attacks, it is rather clear that they include morphed samples. The results can be skewed when the data presented by Statista is skewed.
Anyway, what is in your opinion the more precise percentage of ransomware attacks? I think that 10% (+- 5%) is reliable and rather conservative.
The open question is if this percentage is similar when we take into account only attacks on home users.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,894
Many attacks reuse samples.
Do you mean that exactly the same sample is reused or that the modified sample is reused?
According to Microsoft and Webroot, only a few percent of malware samples are reused (the same sample) in the attacks. About 90% of samples (+- 5% in some years) were unique to only one machine.:unsure:
If this statistic is generally true, it can be important for malware testing.
 
Last edited:

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
650
I do not equate samples with attacks. I calculate ratios of attacks.
I did not mean you as in you Andy Ful personally, I meant the statistics that you are basing your ratios from, where I am not sure where they come from.

Anyway, what is in your opinion the more precise percentage of ransomware attacks?
I have no precise numbers and I did not say the percentage is wrong (it could accidentally be correct). I said the methods that are used to create said statistics are in most cases wrong.

Do you mean that exactly the same sample is reused or that the modified sample is reused?
Exactly the same as in same hash.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,894
I did not mean you as in you Andy Ful personally, I meant the statistics that you are basing your ratios from, where I am not sure where they come from.
The source of the Statista data is the "Mid-Year Update to the 2022 SonicWall Cyber Threat Report".
The data is collected via SonicWall Capture Threat Network (real-world data):

1662597063847.png



I compared the data with the Microsoft report. The "attack" term used by SonicWall and Statista is very similar to the term "malware threat blocked by Microsoft Defender for Endpoint" (18265 blocked threats per 1 minute = 4.8 billion in 6 months).
https://www.microsoft.com/en-us/sec...sider/threat-intelligence/cyberthreat-minute/

So, the term "attack" means a threat detected/blocked via SonicWall Capture Threat Network.
Exactly the same as in same hash.
The 90% (+-5%) of unique samples is intriguing. It would mean that most samples are not reused at all, because they are replaced very quickly by other morphed samples.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top