Web browsing is the primary entry vector for ransomware infections

The most widely used method for ransomware delivery in 2022 was via URL or web browsing (75.5%), Palo Alto Networks researchers have found.

In 2021, it was email attachments (i.e., delivery via SMTP, POP3, and IMAP protocols), but in 2022 that particular delivery channel was used only in 12% of attempts.

Ransomware delivery vectors in 2022 (Source: Palo Alto Networks)

“Ransomware binaries are often delivered from compromised websites, which should serve as a reminder for site administrators to maintain up-to-date web applications to minimize the impact of known vulnerabilities,” the researchers noted.

Third-party apps were the primary entry vector for ransomware infections in 8.2% of cases recorded by the company in 2022.

Attackers’ tricks for avoiding detection

Palo Alto Networks has been tracking and analyzing URLs and hostnames hosting ransomware. Based on a hefty, random sample (7,000 URLs out of 27,000 unique ones), they pinpointed a variety of tricks ransomware gangs use to prevent these sites from being identified, taken down or blocked.

The attackers have been spotted rotating different URLs/hostnames to host the same ransomware or using the same URL to deliver different ransomware. Some attackers do both of these things.

“The same ransomware can be delivered through multiple URLs, and the same URL can deliver multiple ransomware variants, or even other types of malware (e.g., wipers, stealers or loaders),” the researchers noted. Racoon Stealer and Smoke Loader are occasionally used as a first step of a ransomware attack.

Delivering ransomware binaries from different hostnames is likely employed to evade URL blocking services and to avoid takedown.

Ransomware gangs are also fond of using popular public hosting, social media and media-sharing services, as well as long-lived benign domains they’ve managed to compromise, for ransomware delivery.

“These URLs are likely to fall through the cracks of many existing URL blocking services due to the good reputation involved with these services,” the researchers explained.