Anna Ohori

Anna is a university student majoring in Information Science. She is an alumna of the Security Camp National Convention 2024 (Threat Analysis Class) and previously served as a tutor for the program. Her research primarily focuses on the empirical analysis of attack tools and attacker decision-making, supported by hands-on verification. She is currently an intern at Powder Keg Technologies, where she works on technologies for evaluating detection by EPP/EDR products and online detection/evasion services.

Is VirusTotal Really an Attacker’s Ally? — An Empirical Analysis of VT vs. Local EDR and What the Sample-Sharing Ecosystem Reveals About Detection Blind Spots and Opportunities for Attackers

VirusTotal (VT) is widely used by defenders to analyze and evaluate suspicious files through its 70+ scanning engines and sample-sharing ecosystem. At the same time, it has long been assumed that attackers avoid VT because uploaded samples may be shared. However, an analysis of internal chat logs from the Black Basta ransomware group, leaked in 2025, reveals a more complex reality. While internal discussions warned against uploading samples to VT, the logs also show that “undetected on VT” was used as a factor in deciding whether to proceed with an attack. Why do attackers continue to use VT despite being aware of the risks of sample sharing? This talk examines that question through empirical data.

In this session, I present an analysis of the Black Basta logs alongside a chronological observation of custom samples incorporating evasion techniques across VT and local EPP/EDR environments for seven major security products. This analysis highlights cases in which detection coverage remains uneven even long after upload, and shows that the relationship between being “undetected on VT” and being “undetected in local endpoint environments” varies significantly across vendors.

Furthermore, I propose two new metrics to quantify this discrepancy: VDG (Vendor Detection Gap) and SSR (Safety-side Rate). I discuss how attackers may strategically use VT based on these characteristics, and how defenders should assess the reliability of VT results. The presentation will also include a live demo of “VDG-Tracker,” a continuous observation tool designed to help practitioners interpret VT data more effectively.