A new report revealed that where once email was king when it came to infecting networks with ransomware, all the cool hackers are now turning to using URLs – web browsing, basically – to spread their malicious wares.
In fact, while email was the most prevalent vector for spreading ransomware in 2021, in 2022 it dropped to a distant second behind malicious URLs, with a mere 12 per cent of samples being spread via SMTP or POP3.
Malicious URLs were the entry vector for more than 77 per cent of infections, with the remainder – a shade over 8 per cent – coming from other sources and third-party apps.
The report – Ransomware Delivery URLs: Top Campaigns and Trends, from Palo Alto's Unit 42 threat research unit – also notes that while the Clop ransomware gang may be making headlines, its eponymous ransomware is a lowly eighth among the top 10 ransomware variants.
This is likely because some operators are now focusing more on data exfiltration, particularly via third-party vulnerabilities, than on their own software. The two top ransomware families, however, have been around for some time. Lazy and Virlock take the top two spots, accounting for over 50 per cent of the ransomware samples seen.
When it comes to the top-level domains used, .com is by far the most popular, along with other generic TLDs such as .net and .xyz. However, two country-code TLDs also make the top 10 cut, and – perhaps unsurprisingly – they are .ru and .cn, representing Russia and China respectively.
According to Palo Alto, this suggests “that these countries have less strict policies in place for registration of domains”.
The report also showed that threat actors are more than willing to take advantage of legitimate infrastructure. Social media sites, media sharing services, and hosting services are all popular with ransomware operators.
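The two findings above – the TLD mix of delivery URLs, and the abuse of legitimate services – change how a defender should act on a list of indicators: a throwaway .xyz or .ru domain can be blocked wholesale, but a file hosted on a major sharing platform can only be blocked by exact URL. The following is an added illustration, not code from the Unit 42 report or from Palo Alto; the sample URLs, the `LEGIT_SERVICES` allow-list and the function names are all constructed for the example and are not indicators from the report.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of ransomware delivery URLs for illustration only.
# None of these are indicators taken from the Unit 42 report.
SAMPLE_URLS = [
    "http://update-center.com/setup.exe",
    "https://cdn.example.net/files/invoice.zip",
    "http://free-download.xyz/pack.exe",
    "http://soft-arhiv.ru/load.php",
    "http://dl.example.cn/app.exe",
    "https://drive.google.com/uc?id=abc123",
    "https://cdn.discordapp.com/attachments/1/2/file.exe",
    "https://github.com/someuser/somerepo/releases/download/v1/tool.exe",
]

# Hypothetical allow-list of widely used legitimate services whose hostnames
# cannot simply be blocked at the perimeter. The report names categories
# (social media, media sharing, hosting services), not these domains.
LEGIT_SERVICES = {"drive.google.com", "cdn.discordapp.com", "github.com"}


def tld_of(url):
    """Return the lowercase top-level domain of a URL's host, or '' when the
    host is missing or is an IP literal (no dot to split on)."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def tld_distribution(urls):
    """Count delivery URLs per TLD, the same breakdown the report presents."""
    return Counter(tld_of(u) for u in urls)


def split_by_hosting(urls, legit=LEGIT_SERVICES):
    """Separate URLs on shared legitimate services (block the exact URL or
    path, then report the abuse to the provider) from URLs on
    attacker-controlled domains (block the whole domain)."""
    shared, dedicated = [], []
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        (shared if host in legit else dedicated).append(u)
    return shared, dedicated


if __name__ == "__main__":
    for tld, n in tld_distribution(SAMPLE_URLS).most_common():
        print(f".{tld}: {n}")
    shared, dedicated = split_by_hosting(SAMPLE_URLS)
    print("block by exact URL:", *shared, sep="\n  ")
    print("block by domain:", *dedicated, sep="\n  ")
```

Note that a hostname match against an allow-list is deliberately exact rather than suffix-based: matching on `endswith("github.com")` would let an attacker register `github.com.example` and have the URL treated as legitimate infrastructure.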