
A Look at Recent Attacks on K-12 Distance Learning Providers Using Domain Intelligence

As early as December of last year, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) received reports of several cyber attacks targeting K-12 distance learning institutions. Investigations revealed a number of threats putting not only the institutions but their students at risk of ransomware infection, data theft, and learning disruption.

Threat actors are known for targeting insufficiently protected networks, which, unfortunately, often describes educational institutions. Microsoft Security Intelligence, in fact, ranks the education sector as the industry most affected by cyberthreats in the last 30 days.

This post looks at some of the ransomware variants used in the attacks. Ransomware is one of the greatest threats to the education sector.

Ransomware: The Bane of the K-12 Institution Targets

The threat actors behind the recent spate of cyber attacks used four malware variants to get to their targets, two of which (i.e., Cerber and Kovter) are ransomware.


Cerber is known for its sophisticated detection evasion tactics aided by machine learning (ML) algorithms, allowing it to encrypt files in offline mode. It ranked fourth in the top 10 malware as of July 2020, according to the Center for Internet Security (CIS).

Confirmed Malicious Cerber Domains

We obtained the following list of confirmed malicious domains related to Cerber from VirusTotal:

  • btc[.]blockr[.]io
  • p27dokhpz2n7nvgr[.]1hpvzl[.]top
  • hjhqmbxyinislkkt[.]1j9r76[.]top
  • cs11[.]wpc[.]v0cdn[.]net

The attackers also used the potentially hijacked subdomain a767[.]dscg3[.]akamai[.]net, which uses a legitimate root domain, possibly as an added precautionary measure against blocking.

We ran the domains through Subdomains Lookup and discovered close to 30 additional subdomains that could figure in similar attacks. Examples include two[.]blockr[.]io and cs1[.]adn[.]v0cdn[.]net.

K-12 distance learning institutions may also benefit from monitoring typosquatting domains that could be related to Cerber or ransomware and malware attacks in general.

We downloaded the typosquatting data feed for the whole month of December 2020 and found domains such as xingkongyx147[.]top and its 31 variations, which were bulk-registered on 1 December 2020. Those appear to use randomly generated numbers, a characteristic that two Cerber-connected domains (i.e., p27dokhpz2n7nvgr[.]1hpvzl[.]top and hjhqmbxyinislkkt[.]1j9r76[.]top) share. Note, however, that this characteristic is not unique to Cerber. Many malware families use domain generation algorithms (DGAs) to come up with diverse URLs for their hosts.
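One way to surface this kind of bulk registration in a newly-registered-domain feed is to group names that differ only in their digits and share a registration date. This is an added example, not WhoisXML API's code; the feed row shape, the `min_size` threshold and the `constructedname` placeholder stem are assumptions.

```python
import re
from collections import defaultdict

def bulk_clusters(rows, min_size=5):
    """Group (domain, registration_date) rows that differ only in their digits.

    Returns {(stem, tld, date): [domains]} for groups of at least min_size names.
    """
    groups = defaultdict(set)
    for domain, reg_date in rows:
        name, _, tld = domain.strip().lower().rpartition(".")
        stem = re.sub(r"\d+", "#", name)   # xingkongyx147 -> xingkongyx#
        if "#" in stem:                     # only names that carry a number
            groups[(stem, tld, reg_date)].add(f"{name}.{tld}")
    return {key: sorted(names) for key, names in groups.items()
            if len(names) >= min_size}

# Constructed feed rows; "constructedname" is a placeholder stem, not an IoC.
FEED = [(f"constructedname{n}.top", "2020-12-01") for n in range(100, 132)]
FEED += [
    ("constructedname500.top", "2020-12-09"),  # same stem, different day
    ("library2020.org", "2020-12-01"),          # lone name with digits
    ("mathclub.net", "2020-12-01"),             # no digits at all
]

if __name__ == "__main__":
    for (stem, tld, day), names in bulk_clusters(FEED).items():
        print(f"{day} {stem}.{tld}: {len(names)} names")
```

Stem grouping catches numbered variations of one name; labels that are random throughout, like the two Cerber hosts above, each produce a unique stem and need a different heuristic.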


Kovter started out as police ransomware but has evolved into a fileless click-fraud malware or downloader that evades detection and consequent blocking by hiding in registry keys. Some variants can have backdoor capabilities, letting operators know exactly what goes on in infected systems. It ranked ninth in the CIS top 10 malware in July 2020.

Confirmed Malicious Kovter Domains

We applied the same technique for this malware and obtained the confirmed malicious domain www[.]yixun[.]com. A subdomain lookup for it turned up 12 potentially harmful links that organizations may want to consider avoiding to prevent Kovter infection. Examples include ecclogin[.]yixun[.]com, campus[.]yixun[.]com, and total[.]yixun[.]com.

Like Cerber, Kovter also used potentially hijacked subdomains that fall under a legitimate root domain, particularly dc[.]services[.]visualstudio[.]com.
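The potentially hijacked subdomains noted for both Cerber and Kovter sit under legitimate roots, so a DNS log check has to match them by full host name while still surfacing sibling subdomains of the confirmed malicious hosts. The sketch below is an added example, not code from this post; the log format, the log lines and the block/review/no-match verdicts are assumptions.

```python
def refang(indicator: str) -> str:
    """Turn a defanged indicator (a[.]b) into a lowercase hostname."""
    return indicator.strip().replace("[.]", ".").rstrip(".").lower()

# Hosts the post lists as confirmed malicious (Cerber, then Kovter).
CONFIRMED = {refang(d) for d in (
    "btc[.]blockr[.]io", "p27dokhpz2n7nvgr[.]1hpvzl[.]top",
    "hjhqmbxyinislkkt[.]1j9r76[.]top", "cs11[.]wpc[.]v0cdn[.]net",
    "www[.]yixun[.]com")}
# Potentially hijacked hosts under legitimate roots: match the full name only,
# never the root, or all of akamai.net / visualstudio.com would be flagged.
EXACT_ONLY = {refang(d) for d in (
    "a767[.]dscg3[.]akamai[.]net", "dc[.]services[.]visualstudio[.]com")}
# Roots of the confirmed hosts; sibling subdomains get a "review" verdict.
# Assumption: last two labels = registrable domain (true for these names;
# use the Public Suffix List for general input).
WATCH_ROOTS = {".".join(h.split(".")[-2:]) for h in CONFIRMED}

def classify(qname: str) -> str:
    host = refang(qname)
    if host in CONFIRMED or host in EXACT_ONLY:
        return "block"
    if any(host == r or host.endswith("." + r) for r in WATCH_ROOTS):
        return "review"
    return "no-match"

# Constructed DNS query log: timestamp, client IP, record type, query name.
SAMPLE_LOG = """\
2020-12-14T09:01:02Z 10.0.4.21 A btc.blockr.io.
2020-12-14T09:01:05Z 10.0.4.21 A two.blockr.io.
2020-12-14T09:02:11Z 10.0.7.3 A a767.dscg3.akamai.net.
2020-12-14T09:02:40Z 10.0.7.3 A other.services.visualstudio.com.
2020-12-14T09:03:00Z 10.0.9.8 A campus.yixun.com.
2020-12-14T09:03:09Z 10.0.9.8 A notblockr.io.
"""

def scan(log: str):
    """Return (client, query name, verdict) for every line that matched."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        verdict = classify(fields[3])
        if verdict != "no-match":
            hits.append((fields[1], refang(fields[3]), verdict))
    return hits
```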

As this post showed, domain intelligence feeds make it possible to dig deeper into known ransomware distribution domains affecting K-12 distance learning providers and other organizations, notably to gather a list of potentially harmful subdomains and bulk-registered domains.

If you’re a security researcher or solution provider interested in knowing more about the threats currently targeting the education industry, contact us for more information about the IoCs and artifacts found in this piece.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
