New cybersecurity research shows that threat actors primarily used URLs for ransomware delivery. The findings come from an analysis of about 27,000 unique URLs, roughly 7,000 of which served as vectors that let threat actors bypass detection, takedowns, or website blocking.
Moreover, ransomware operators are adopting more sophisticated and dynamic strategies to spread their payloads efficiently.
URLs were the most-used vector for ransomware delivery last year.
Last year, threat actors' primary technique for ransomware delivery was web browsing, that is, URLs. This vector accounted for 76% of all ransomware attacks in 2022.
By contrast, email attachments were the dominant channel for delivering payloads in 2021, but their share dropped significantly to only 12% last year.
In the last quarter of 2022, the researchers also observed that the top 10 ransomware families used URLs as their distribution tactic. The ransomware families that most widely used URLs as vectors for their payloads were the Lazy and Virlock groups.
The ransomware operators registered 64% of the domains two or more years before using them for payload delivery. Additionally, about 855 second-level domains hosting ransomware did not abuse public hosting or sharing services or social media platforms.
By analysing passive DNS footprints, the researchers also found that these domains received an average of more than 215,000 visits over the last six months.
The researchers further noted threat actors using different URLs to store or deliver numerous malware strains. In some cases, multiple attackers used SmokeLoader and Raccoon Stealer during the initial stage of ransomware attacks. Spreading malicious strains across different hostnames is intended to evade URL-blocking services and to frustrate takedown attempts by security solutions.
Lastly, the threat actors use old domains with established DNS footprints to exploit user trust and avoid raising suspicions that would alert defences.
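The two infrastructure traits described above (delivery domains registered years before first use, and a single payload served from many hostnames) are the kind of thing a defender can measure from a URL feed joined with domain registration data. The following Python script is an added illustration of that triage, not code from the research or the article; its sighting records, domains, dates and payload labels are constructed, and it assumes registration dates are available from WHOIS/RDAP.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Sighting:
    """One observation of a URL serving a payload (fields assumed to come from
    a URL feed joined with WHOIS/RDAP registration data)."""
    url: str
    payload_id: str            # payload hash; constructed placeholder labels here
    domain_registered: date    # registration date of the registrable domain
    first_seen: date           # first date the URL was seen delivering the payload


# Constructed sample data for illustration only; domains, dates and payload
# labels are made up and do not refer to real infrastructure.
SIGHTINGS = [
    Sighting("https://cdn.example-old.com/update.exe", "PAYLOAD_A", date(2019, 3, 1), date(2022, 10, 5)),
    Sighting("http://files.fresh-domain.net/inv.zip", "PAYLOAD_A", date(2022, 9, 20), date(2022, 10, 1)),
    Sighting("https://mirror.example-old.com/update.exe", "PAYLOAD_A", date(2019, 3, 1), date(2022, 11, 2)),
    Sighting("https://dl.legacy-site.org/setup.exe", "PAYLOAD_B", date(2015, 6, 15), date(2022, 12, 1)),
    Sighting("https://static.another-legacy.org/doc.exe", "PAYLOAD_B", date(2020, 1, 10), date(2022, 8, 15)),
    Sighting("http://files.fresh-domain.net/stage2.bin", "PAYLOAD_C", date(2022, 9, 20), date(2022, 10, 3)),
]


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, without port or credentials."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"URL has no host: {url}")
    return host.lower()


def registrable_domain(host: str) -> str:
    """Second-level domain as 'name.tld'. This naive split is only valid for
    single-label public suffixes (.com, .net, .org); production code should
    consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def aged_domains(sightings, min_years: int = 2):
    """Domains whose earliest observed delivery came at least `min_years`
    after registration (the 'old domain' pattern described in the article)."""
    earliest = {}  # domain -> (first_seen, registered)
    for s in sightings:
        dom = registrable_domain(hostname(s.url))
        if dom not in earliest or s.first_seen < earliest[dom][0]:
            earliest[dom] = (s.first_seen, s.domain_registered)
    return sorted(
        dom for dom, (seen, reg) in earliest.items()
        if (seen - reg).days >= min_years * 365
    )


def share_aged_domains(sightings, min_years: int = 2) -> float:
    """Fraction of distinct delivery domains that were registered at least
    `min_years` before first use."""
    domains = {registrable_domain(hostname(s.url)) for s in sightings}
    if not domains:
        return 0.0
    return len(aged_domains(sightings, min_years)) / len(domains)


def hostnames_per_payload(sightings):
    """Map each payload to the sorted distinct hostnames that served it."""
    hosts = defaultdict(set)
    for s in sightings:
        hosts[s.payload_id].add(hostname(s.url))
    return {pid: sorted(h) for pid, h in hosts.items()}


def flag_multi_host_payloads(sightings, threshold: int = 2):
    """Payloads spread across `threshold` or more hostnames, which the article
    links to evasion of URL blocking and takedowns; returns payload -> host count."""
    return {
        pid: len(h)
        for pid, h in hostnames_per_payload(sightings).items()
        if len(h) >= threshold
    }


if __name__ == "__main__":
    print("aged domains:", aged_domains(SIGHTINGS))
    print("share aged:", share_aged_domains(SIGHTINGS))
    print("multi-host payloads:", flag_multi_host_payloads(SIGHTINGS))
```

On the constructed data, three of the four delivery domains were registered more than two years before first use, and two payloads are served from several hostnames. In practice the same two signals are useful in the opposite direction as well: a long-registered domain that suddenly starts serving executables is worth a closer look precisely because its age would otherwise earn it trust in reputation-based filtering.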
The surge in URL-delivered ransomware is a looming threat to cybersecurity. Ransomware attackers have constantly evolved their strategies to evade security solutions, which led them to web browsing and URLs as a delivery channel.
Users should adapt to these tactics by staying vigilant and aware: employing sophisticated security solutions, keeping regular backups, and conducting incident response to mitigate this growing threat in the cybercriminal ecosystem.