A new report revealed that where once email was king when it came to infecting networks with ransomware, all the cool hackers are now turning to using URLs – web browsing, basically – to spread their malicious wares.
In fact, while email was the most prevalent vector for spreading ransomware in 2021, in 2022 it dropped to a distant second behind malicious URLs, with a mere 12 per cent of samples being spread via SMTP or POP3.
URLs are now the entry vector for more than 77 per cent of infections, with the remainder being other sources and third-party apps, which makes for a shade over 8 per cent of infections.
The report – Ransomware Delivery URLs: Top Campaigns and Trends, from Palo Alto’s Unit 42 threat research unit – also notes that while the Clop ransomware gang may be making headlines, its eponymous ransomware is a lowly eighth among the top 10 ransomware variants.
This is likely because some operators are now focusing more on data exfiltration, particularly via third-party vulnerabilities, than on their own software. The two top ransomware suites, however, have been around for some time. The Lazy and Virlock ransomware take out the top two spots, with over 50 per cent of the ransomware action.
When it comes to the most popular top-level domains that are used, .com is by far the most popular, along with the rest of the generic domains, such as .net and .xyz. However, two country-level domains also make the top 10 cut, and – perhaps unsurprisingly – they are .ru and .cn, representing Russia and China, respectively.
According to Palo Alto, this suggests “that these countries have less strict policies in place for registration of domains”.
The report also showed that threat actors are more than willing to take advantage of legitimate infrastructure. Social media sites, media sharing services, and hosting services are all popular with ransomware operators.
“We observed that 64 per cent (547) of these domains were registered two or more years earlier and, according to passive DNS footprints, these domains were visited on average 215,892 times in the last six months,” Unit 42 said in its report.
“Long-lived domains coupled with consistently high DNS footprints indicate that these were compromised benign domains. Attackers take advantage of the trust in these websites to slip through people’s defences.”
According to Unit 42, many of the compromised URLs remain active well after detection. In fact, 20 per cent of those compromised remain active for weeks after the fact.
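The heuristic Unit 42 describes above (a domain registered two or more years before it turned up in a campaign, carrying a consistently high passive-DNS footprint, is more likely a compromised legitimate site than attacker-built infrastructure) is the kind of rule a defender can encode in a URL-triage step. The following is an added example, not code from the report or from Palo Alto; the two-year age threshold and the .ru/.cn watch list come from the report, while the visit-count cut-off, the field names and the sample records are constructed assumptions.

```python
"""Triage ransomware-delivery domains by registration age and passive-DNS footprint.

Added example, not code from the Unit 42 report. It encodes the report's stated
heuristic: old, busy domains are probably compromised benign sites; young, quiet
domains are probably attacker-registered. Thresholds other than the two-year age
(and the .ru/.cn watch list) are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date

AGE_THRESHOLD_YEARS = 2          # from the report: "two or more years earlier"
HIGH_FOOTPRINT_VISITS = 10_000   # assumed cut-off for a "high" six-month footprint
WATCHED_TLDS = {"ru", "cn"}      # ccTLDs the report singles out in its top 10


@dataclass
class DomainRecord:
    domain: str
    registered: date            # WHOIS creation date
    first_seen_malicious: date  # when the URL first appeared in a campaign
    visits_6m: int              # passive-DNS resolutions over the trailing six months


def tld(domain: str) -> str:
    return domain.rsplit(".", 1)[-1].lower()


def age_years(rec: DomainRecord) -> float:
    """Domain age at the moment it was first seen serving ransomware."""
    return (rec.first_seen_malicious - rec.registered).days / 365.25


def classify(rec: DomainRecord) -> str:
    """Return 'compromised-benign', 'attacker-registered' or 'indeterminate'.

    The distinction matters for response: a compromised benign site is better
    handled by blocking the specific URL and notifying the owner, whereas an
    attacker-registered domain can be blocked wholesale.
    """
    old = age_years(rec) >= AGE_THRESHOLD_YEARS
    busy = rec.visits_6m >= HIGH_FOOTPRINT_VISITS
    if old and busy:
        return "compromised-benign"
    if not old and not busy:
        return "attacker-registered"
    return "indeterminate"


def triage(records):
    """Per-domain summary plus the share (per cent) judged compromised-benign."""
    rows = []
    for rec in records:
        rows.append({
            "domain": rec.domain,
            "age_years": round(age_years(rec), 1),
            "visits_6m": rec.visits_6m,
            "tld_watch": tld(rec.domain) in WATCHED_TLDS,
            "class": classify(rec),
        })
    compromised = sum(r["class"] == "compromised-benign" for r in rows)
    share = round(100 * compromised / len(rows)) if rows else 0
    return rows, share


# Constructed sample records; the domains are placeholders, not real indicators.
SAMPLE = [
    DomainRecord("example-news-site.com", date(2015, 3, 10), date(2022, 6, 1), 240_000),
    DomainRecord("freshly-made-host.xyz", date(2022, 4, 20), date(2022, 5, 2), 35),
    DomainRecord("old-but-quiet.ru", date(2018, 1, 15), date(2022, 3, 1), 120),
    DomainRecord("busy-new.cn", date(2022, 1, 10), date(2022, 7, 15), 50_000),
]

if __name__ == "__main__":
    rows, share = triage(SAMPLE)
    for row in rows:
        print(row)
    print(f"{share}% of sample domains look like compromised benign sites")
```

The "indeterminate" bucket is deliberate: an old but quiet domain may be parked infrastructure bought for its age, and a young but busy one may be a freshly registered file-sharing or hosting service, so both deserve analyst review rather than an automatic verdict.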
“As ransomware operators continue to probe victims’ defences using a revolving set of tactics,” Unit 42’s researchers conclude, “these threats require a defence-in-depth strategy where both binaries and URLs are analysed to proactively detect ransomware to keep networks secure.”