
As ransomware attacks continue to evolve, cybercriminals are resorting to increasingly sophisticated techniques to bypass security measures and deliver their malicious payloads. One such strategy gaining traction is the use of dynamic URL-based distribution. By employing a single URL or a group of URLs to deliver hundreds of distinct ransomware variants, threat actors aim to evade hash-based blocking efforts and maximize their chances of successful infections. In this article, we delve into this emerging trend and its implications for cybersecurity.
Dynamic URL-Based Distribution Explained
Dynamic URL-based distribution is a technique wherein a single URL or a set of URLs consistently delivers ransomware with different SHA-256 hash values upon each visit. This constant change in the hash value for each delivered ransomware variant renders traditional hash-based blocking methods ineffective, as the ransomware samples are essentially unique in each instance.
The Impact of Dynamic URL-Based Distribution
- Evasion of Hash-Based Blocking: Hash-based blocking, a common mechanism used by security solutions, relies on maintaining a database of known malicious hashes. When a file’s hash matches a known malicious entry, it is blocked or flagged. However, dynamic URL-based distribution renders this method ineffective, as the ransomware delivered through these URLs generates unique hashes for each variant.
- Increased Infection Opportunities: The variability of the ransomware hashes ensures that even if a security solution successfully detects and blocks one variant, the next iteration remains undetected until it causes harm.
- Challenging Signature-Based Detection: With dynamic URL-based distribution, the ever-changing code of the ransomware impedes signature-based detection efforts, making it harder for cybersecurity solutions to identify and stop the threats in real-time.
Analyzing the STOP/DJVU Ransomware Campaign
The STOP/DJVU ransomware campaign serves as a vivid example of dynamic URL-based distribution in action. In this case, a single URL or group of URLs was found to be associated with more than 800 different ransomware samples. Each ransomware file carried a distinct SHA-256 hash value, making it highly challenging for security systems to preemptively block or detect them.
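The detection consequence of the behaviour described above, as an added example that is not from the original article: a hash blocklist only ever stops the one sample already known, while pivoting on the download source (URL or host) and counting the distinct hashes it serves exposes a loader that rebuilds its payload on every visit. The proxy log, the `.invalid` hostnames and the hashes are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

def fake_sha256(label):
    """Constructed placeholder hash for the sample data, not a real indicator."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed proxy log as (client_ip, url, sha256_of_download). Hosts use the
# reserved .invalid TLD. Each visit to the loader URLs returns a freshly built
# file with a new hash, mirroring the campaign behaviour described above.
LOADER_URLS = ["http://loader.invalid/dl/build.exe", "http://loader.invalid/dl/build2.exe"]
SAMPLE_LOG = [("10.0.0.%d" % i, LOADER_URLS[i % 2], fake_sha256("variant-%d" % i))
              for i in range(1, 9)]
# A benign installer that is the same file on every download.
SAMPLE_LOG += [("10.0.0.2%d" % i, "https://vendor.invalid/setup.exe", fake_sha256("setup-v1"))
               for i in range(3)]

# Hash blocklist seeded with the one sample an analyst has already seen.
HASH_BLOCKLIST = {fake_sha256("variant-1")}

def hash_block_hits(log, blocklist):
    """Downloads a hash blocklist stops: only the exact sample already known."""
    return [(ip, url) for ip, url, h in log if h in blocklist]

def distinct_hashes(log, key):
    """Distinct file hashes served per URL (key='url') or per host (key='host')."""
    seen = defaultdict(set)
    for _, url, h in log:
        seen[url if key == "url" else urlsplit(url).hostname].add(h)
    return seen

def polymorphic_sources(log, key="url", min_distinct=3):
    """Sources that served at least min_distinct different hashes. A static
    installer stays at one; a per-visit rebuilt payload climbs with every hit."""
    return sorted(k for k, hs in distinct_hashes(log, key).items() if len(hs) >= min_distinct)

if __name__ == "__main__":
    print("hash blocklist stopped:", hash_block_hits(SAMPLE_LOG, HASH_BLOCKLIST))
    print("polymorphic URLs:", polymorphic_sources(SAMPLE_LOG, "url"))
    print("polymorphic hosts:", polymorphic_sources(SAMPLE_LOG, "host"))
```

Run against real proxy or EDR download telemetry, the same per-source distinct-hash count is a cheap hunting query that does not depend on having seen any particular sample before.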
The following indicators of compromise are ones that IT professionals should tune their security solutions to detect and block:
Implications for Cybersecurity
The rise of dynamic URL-based distribution poses significant challenges for cybersecurity professionals and organizations seeking to defend against ransomware attacks. To enhance resilience against this evolving threat, the following strategies are recommended:
- Behavior-Based Analysis: Deploy behavior-based analysis tools capable of detecting ransomware based on its actions rather than relying solely on signatures or hashes.
- Real-Time Monitoring: Implement real-time monitoring to promptly detect suspicious activities and potential ransomware threats.
- Updated Threat Intelligence: Regularly update threat intelligence sources to stay informed about the latest ransomware campaigns and distribution techniques.
- User Awareness: Educate users about the risks associated with clicking on unknown or suspicious links, emphasizing the importance of vigilance.
- Multi-Layered Security: Employ a multi-layered security approach, combining endpoint protection, network monitoring, and advanced threat detection systems.
Dynamic URL-based distribution is a concerning trend in the realm of ransomware attacks, allowing threat actors to circumvent traditional security measures and deliver unique ransomware variants with each visit. As cybercriminals continuously refine their tactics, the cybersecurity community must adapt and employ innovative strategies to combat this persistent threat. Through proactive defense mechanisms and user awareness, organizations can bolster their resilience and reduce the risk of falling victim to these dynamic ransomware campaigns.
Original source: Teknologiia Team