Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization as part of a ransomware attack. Blocking these communications can mitigate attacks, sometimes before they’re even started.
For example, one of the most impactful cyberattack trends today is human-operated ransomware attacks, which succeed through a combination of components, including leveraging C2 infrastructure. To gain initial access, human-operated ransomware attacks are often delivered via spear-phishing with malicious attachments that, once launched by the target, typically reach out to a C2 server to download instructions and run payloads. These payloads persist on the device and periodically reach out to a (usually) separate set of C2s, awaiting instructions and takeover by a human operator as part of ransomware-as-a-service.