Through an extensive analysis of a random sample of 7,000 URLs out of 27,000 unique ones, Unit 42 has identified various techniques employed by ransomware gangs to evade detection, takedown, or blocking of malicious sites. In their pursuit of bypassing victims' defenses, threat actors are now turning to the use of URLs as a primary means of delivering ransomware. Furthermore, they are adopting more sophisticated and dynamic behaviors to distribute their ransomware effectively.
Serving stats
The primary method for delivering ransomware in 2022 was through URLs or web browsing, accounting for 76.5% of attacks.
In contrast, the previous year, email attachments (delivery via SMTP, POP3, and IMAP protocols) were the dominant channel, but their usage significantly decreased to only 12% in 2022.
In Q4 2022, the researchers observed the distribution of URLs in the top 10 ransomware families. Among these families, Lazy and Virlock ransomware, which have been circulating for years, accounted for more than 50% of the ransomware observed during that period.
Among the 855 second-level domains hosting ransomware, which were not involved in abusing public hosting, social media, or sharing services, 64% had been registered two or more years prior. By analyzing passive DNS footprints, the researchers found that these domains had been visited an average of 215,892 times in the last six months.
Why this matters
Researchers observed attackers using different URLs/hostnames to host or deliver different malware, including ransomware strains.
Raccoon Stealer and SmokeLoader were sometimes used during the initial steps of ransomware attacks. This tactic of delivering ransomware from different hostnames aims to evade URL-blocking services and prevent takedowns.
The use of long-lived domains with high DNS footprints indicates compromised benign domains, allowing attackers to exploit user trust and slip past defenses.
The bottom line
The rise of URL-delivered ransomware poses a significant threat to cybersecurity. With URLs and web browsing becoming the primary ransomware delivery method, attackers continually evolve their tactics to bypass defenses. Vigilance, user education, advanced security solutions, regular backups, and efficient incident response are crucial to mitigating this emerging threat.