URLs have emerged as the leading method of delivering ransomware to victims, according to research from Palo Alto Networks’ Unit 42.
The research found that URL or web browsing has taken over from email attachments as the most widely used channel for distributing ransomware since 2021, with URLs accounting for over 77% of cases analysed by the company.
Third party apps are the next most common method, responsible for 8.2% of cases, followed by SMPT- (6.4%) and POP3- (4.2%) based email attachments.
Meanwhile the Lazy and Virlock ransomware families are dominating in terms of ransomware traffic, accounting for over 50% of ransomware observed during the last quarter of 2022.
During the quarter, Palo Alto detected over 27,000 unique URLs and hostnames hosting ransomware. Based on an analysis of 7000 random samples from the ransomware hosting URLs, Palo Alto estimates that more than 20% of malicious URLs remain active days or weeks after being detected.
The .com top level domain dominates in terms of compromised or malicious websites, but attackers are increasingly utilising country code top level domains including .ru (Russia) and .cn (China).
Palo Alto noted that since its inception in October, the Palo Alto Networks Advanced URL Filtering and DNS Security product releases have automatically blocked over 2000 sessions involving ransomware URLs daily. Over 49% of these are blocked from customers’ traffic before reaching their devices.