|
On 9 March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added 98 indicators of compromise (IoCs) to their Conti ransomware alert page. WhoisXML API researchers examined these flagged domain names for recurring characteristics to uncover more artifacts. Among our findings are:
You may download a sample of the data related to Conti ransomware from our website.
A majority of the domain IoCs share the same lexical features in that they don’t seem to be English words and follow a succession of consonant-vowel patterns. Below are a few examples.
While all the domains CISA added had redacted WHOIS records, some registration details still stood out because they recur across the web properties. The bulk WHOIS lookup results highlight this, as shown partially by the screenshot below.
Most of the 98 domain IoCs had identical patterns in their WHOIS record details, including:
Each WHOIS detail may not be valuable when taken individually. But when analyzed together, they may add more context and help us uncover additional connected domains.
We uncovered hundreds of artifacts using the key recurring WHOIS details listed above as reverse WHOIS search strings. These additional domains were created between 1 March and 17 April 2022. Some domains that followed the IoCs’ lexical features include:
Some artifacts use strings related to popular companies and brands, including:
We also did an IP analysis of the domain IoCs by subjecting them to a bulk geolocation lookup to retrieve their IP resolutions. Only 29.6% of the domains resolved to IP addresses. Most of the IP addresses belonged to the 23.0.0.0—23.255.255.255 IP range assigned to Leaseweb USA, Inc.
Using the domain IoCs’ IP addresses as search terms, we found more than 300 additional domains via reverse IP/DNS lookups. While some of the domains may resolve to the same IP addresses coincidentally, a few also shared the same WHOIS characteristics as the domain IoCs. Aside from this similarity, some also had the same lexical feature, including:
Through WHOIS and IP connections, we found more than 500 additional domains that could be part of the Conti ransomware network. Some of these domains may be false positives, but we can’t discount the fact that a few have already figured in malicious activities. In particular, over a dozen artifacts are present in malware engine platforms.
Analyzing threats in the context of shared WHOIS and IP characteristics can help detect potentially malicious domains early—before threat actors can use them in campaigns. For instance, the additional domains we uncovered in this analysis can be fed into security systems for monitoring to alert security teams when they appear in the network.
If you are a threat researcher or cybersecurity professional interested in the Conti ransomware IoCs and artifacts presented in this study, please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign