Evolving Ransomware Tactics: Dynamic URL-Based Distribution

As ransomware attacks continue to evolve, cybercriminals are resorting to increasingly sophisticated techniques to bypass security measures and deliver their malicious payloads. One such strategy gaining traction is the use of dynamic URL-based distribution. By employing a single URL or a group of URLs to deliver hundreds of distinct ransomware variants, threat actors aim to evade hash-based blocking efforts and maximize their chances of successful infections. In this article, we delve into this emerging trend and its implications for cybersecurity.

Dynamic URL-Based Distribution Explained

Dynamic URL-based distribution is a technique in which a single URL or a set of URLs delivers a ransomware binary with a different SHA-256 hash on each visit. Because every delivered sample is effectively unique, traditional hash-based blocking has nothing stable to match against and becomes ineffective.

The Impact of Dynamic URL-Based Distribution

  • Evasion of Hash-Based Blocking: Hash-based blocking, a common mechanism used by security solutions, relies on maintaining a database of known malicious hashes. When a file's hash matches a known malicious entry, it is blocked or flagged. Dynamic URL-based distribution renders this method ineffective, as the ransomware delivered through these URLs carries a unique hash for each variant.
  • Increased Infection Opportunities: The variability of the ransomware hashes ensures that even if a security solution successfully detects and blocks one variant, the next iteration remains undetected until it causes harm.
  • Challenging Signature-Based Detection: With dynamic URL-based distribution, the ever-changing code of the ransomware impedes signature-based detection efforts, making it harder for cybersecurity solutions to identify and stop the threats in real time.

Analyzing the STOP/DJVU Ransomware Campaign

The STOP/DJVU ransomware campaign serves as a vivid example of dynamic URL-based distribution in action. In this case, a single URL or group of URLs was found to be associated with more than 800 different ransomware samples. Each ransomware file carried a distinct SHA-256 hash value, making it highly challenging for security systems to preemptively block or detect them.
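To make the evasion concrete from the defender's side, the following added example (not code from the article or the Teknologiia Team) simulates a URL that serves a re-packed binary on every visit and checks each download against three indicator layers: a SHA-256 blocklist, an exact-URL blocklist and a domain blocklist. The domain and URL values are taken from the indicator list in this article; the per-visit payloads are constructed stand-in bytes, and the assumption is that the hash feed only ever contains the first sample a responder analysed.

```python
import hashlib
from urllib.parse import urlsplit

# Indicator rows in the article's "Indicator type / Indicator" layout.
# Domain and URL values come from the article's indicator list; no hash rows are
# included here because, for this campaign, hashes are learned one sample at a time.
INDICATOR_ROWS = [
    ("domain", "zerit.top"),
    ("domain", "uaery.top"),
    ("URL", "http://zerit.top/dl/build.exe"),
    ("URL", "http://zerit.top/dl/build2.exe"),
    ("URL", "http://uaery.top/dl/build2.exe"),
]


def variant_payload(visit):
    """Constructed stand-in for the re-packed binary the server returns on each visit."""
    return b"constructed-stand-in-binary-visit-" + str(visit).encode()


def load_indicators(rows):
    """Group indicator rows into lookup sets keyed by indicator type."""
    ind = {"domain": set(), "url": set(), "sha256": set()}
    for itype, value in rows:
        if itype == "domain":
            ind["domain"].add(value.lower())
        elif itype == "URL":
            ind["url"].add(value)
        elif itype == "FileHash-SHA256":
            ind["sha256"].add(value.lower())
    return ind


def classify_download(url, payload, ind):
    """Evaluate one download against the hash, URL and domain layers of the blocklist."""
    digest = hashlib.sha256(payload).hexdigest()
    host = (urlsplit(url).hostname or "").lower()
    # Match the listed domain itself and any of its subdomains.
    domain_hit = any(host == d or host.endswith("." + d) for d in ind["domain"])
    return {
        "sha256": digest,
        "hash_match": digest in ind["sha256"],
        "url_match": url in ind["url"],
        "domain_match": domain_hit,
    }


def should_block(verdict):
    """Block when any layer matches; for this campaign the hash layer alone is not enough."""
    return verdict["hash_match"] or verdict["url_match"] or verdict["domain_match"]


def simulate_campaign(url, visits):
    """Download `url` `visits` times; the hash feed knows only the first sample."""
    ind = load_indicators(INDICATOR_ROWS)
    # Assumption: a responder analysed visit 0 and pushed its hash to the feed.
    ind["sha256"].add(hashlib.sha256(variant_payload(0)).hexdigest())
    return [classify_download(url, variant_payload(i), ind) for i in range(visits)]


if __name__ == "__main__":
    for i, v in enumerate(simulate_campaign("http://zerit.top/dl/build2.exe", 3)):
        print(f"visit {i}: sha256={v['sha256'][:16]}... hash={v['hash_match']} "
              f"url={v['url_match']} domain={v['domain_match']} block={should_block(v)}")
```

Run as a script, the hash layer catches only visit 0; visits 1 and 2 produce new digests and slip past it, while the URL and domain layers block all three. The domain layer also covers paths the feed has never seen on a listed host, which is why the article's indicator list pairs domains with the specific download URLs.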

The indicators of compromise that IT professionals should tune their security solutions to detect and block:

Indicator type     Indicator
domain             zerit.top
domain             veterinary-surgeons.net
domain             ugll.org
domain             uaery.top
domain             spaceris.com
domain             rgyui.top
domain             privacy-tools-for-you-780.com
domain             privacy-tools-for-you-453.com
domain             oddsium.com
domain             miiwes.top
domain             host-coin-data-1.com
domain             ex3mall.com
domain             data-host-file-16.com
domain             coin-coin-coin-2.com
domain             clicktoevent.com
domain             bihsy.com
URL                https://privacy-tools-for-you-780.com/downloads/toolspab3.exe
URL                https://privacy-tools-for-you-453.com/downloads/toolspab4.exe
URL                https://host-coin-data-1.com/downloads/toolspab1.exe
URL                https://data-host-file-16.com/downloads/toolspab2.exe
URL                https://coin-coin-coin-2.com/downloads/toolspab4.exe
URL                https://coin-coin-coin-2.com/downloads/toolspab2.exe
URL                http://zerit.top/dl/buildz.exe
URL                http://zerit.top/dl/build2.exe
URL                http://zerit.top/dl/build.exe
URL                http://veterinary-surgeons.net/g76dbf?grpvldcmq=pnstptslwh
URL                http://ugll.org/files/1/build3.exe
URL                http://uaery.top/dl/buildz.exe
URL                http://uaery.top/dl/build2.exe
URL                http://uaery.top/dl/build.exe
URL                http://spaceris.com/files/1/build3.exe
URL                http://s30.stazeni.ua.rs/download/p1rcwy69oe09csyefqj4j9fmhmx1hamq
URL                http://s25.stazeni.ua.rs/download/ill2a7r2hsyufadaluvhv71xuuhubneg
URL                http://s24.stazeni.ua.rs/download/5pg08rc9pxvy743ncrn30d2zylf2l12a
URL                http://s20.stazeni.ua.rs/download/z2guqagslno4pb06hnpuy1ocf7wstfxf
URL                http://rgyui.top/dl/buildz.exe
URL                http://rgyui.top/dl/build2.exe
URL                http://rgyui.top/dl/build.exe
URL                http://oddsium.com/g76dbf
URL                http://miiwes.top/dl/buildz.exe
URL                http://ex3mall.com/files/1/build3.exe
URL                http://clicktoevent.com/g76dbf?lrebib=kvqqhaohs
URL                http://bihsy.com/files/1/build3.exe
FileHash-SHA256    ff6d6f616687fac25a1d77e52024838239e9a3bbb7b79559b0439a968ac384fe
FileHash-SHA256    d05a67845680af53a1efe0d852aa7ab85ad97e76cc8aaa62b1aad70288665026
FileHash-SHA256    ba8533bd8118ec6881e25e4af2e2101996b4a9aef3f1f1931423bff03da0ace5
FileHash-SHA256    9921cc50e6272053814c7fe2ab5ae566a9deaebc9c0412c8b518313eee65d9d9
FileHash-SHA256    8a56cecfe36b7c105401fd246f8f3ba97bdc4d1db776eaa4991fcedf8aaaaa52
FileHash-SHA256    87102e5614509da4c59b134861130708f239b68d1e062d08d1e71464c8041326
FileHash-SHA256    647b12dd3809b62d8b051ec643a1c5d26c32ec3397266c76e6f58e3894e39c4b

Implications for Cybersecurity

The rise of dynamic URL-based distribution poses significant challenges for cybersecurity professionals and organizations seeking to defend against ransomware attacks. To enhance resilience against this evolving threat, the following strategies are recommended:

  1. Behavior-Based Analysis: Deploy behavior-based analysis tools capable of detecting ransomware based on its actions rather than relying solely on signatures or hashes.
  2. Real-Time Monitoring: Implement real-time monitoring to promptly detect suspicious activities and potential ransomware threats.
  3. Updated Threat Intelligence: Regularly update threat intelligence sources to stay informed about the latest ransomware campaigns and distribution techniques.
  4. User Awareness: Educate users about the risks associated with clicking on unknown or suspicious links, emphasizing the importance of vigilance.
  5. Multi-Layered Security: Employ a multi-layered security approach, combining endpoint protection, network monitoring, and advanced threat detection systems.

Dynamic URL-based distribution is a concerning trend in the realm of ransomware attacks, allowing threat actors to circumvent traditional security measures and deliver unique ransomware variants with each visit. As cybercriminals continuously refine their tactics, the cybersecurity community must adapt and employ innovative strategies to combat this persistent threat. Through proactive defense mechanisms and user awareness, organizations can bolster their resilience and reduce the risk of falling victim to these dynamic ransomware campaigns.

Original source: Teknologiia Team
