Home / Industry

Profiling a Massive Portfolio of Domains Involved in Ransomware Campaigns

Security researcher Dancho Danchev discovered a portfolio of domains and IP addresses used by known threat actors in ransomware campaigns. The said portfolio consists of 62,763 domain names and 810 IP addresses. We analyzed a sample of these malicious properties using TIP and found that:

  • Threat attribution and subsequent threat discovery can be made easier since 72.7% of the domains had unredacted WHOIS records.
  • DropCatch was the top registrar, while Team Internet AG was the leading ISP of the resolving properties.
  • About 36% of the domains were less than a year old and newly registered upon weaponization.
  • The U.S. was the top registrant country and IP geolocation.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Infrastructure Analysis

With the help of TIP, we studied a sample of the malicious domain portfolio consisting of 2,500 domains. We determined their WHOIS data redaction status, domain age, administrative details, and location to help the cybersecurity community understand the malicious infrastructure.

How Easily Can We Perform Threat Attribution?

Most of the domains had unredacted WHOIS records, with 72.7% of their registrant names publicly available.

Merely 6.6% of the domains had redacted WHOIS data, provided mainly by their registrars or WHOIS privacy services. About 20% of the fields were left blank, most of which pertained to .cn and .ir domains. That could mean the domains do not currently have active WHOIS records..

What Organizations Are Responsible for Domain Administration?

This analysis looked at two entity types—registrars and ISPs. The registrars are in charge of domain registration, while the ISPs oversee the IP addresses that are part of domain resolutions.

About 18% of the domains were registered through DropCatch, a domain registrar known for using an automated registration technique. Dynadot followed with a 12% share, while Tucows and the remaining top 10 registrars only accounted for less than 7% each. The rest of the domains, about 26%, were distributed across 227 other registrars.

About 54% of the sample had IP resolutions. Based on that, we determined that Team Internet AG was the top ISP, accounting for 10% of the resolutions. Amazon closely followed with a 9% share and Cloudflare with 8%. Liquid Web LLC, Google, and Abazarhaye Farsi Shabakeh (Persian Tools) Co., Ltd. accounted for 7% each. Sharktech, MOACK.Co.LTD, and Oath Holdings Inc., meanwhile, each accounted for 5% of the IP resolutions, while Trellian Pty. Limited for 3%. All in all, the top 10 ISPs accounted for 75% of the resolving resources. The remaining resolutions were distributed across 17 other ISPs.

How Old Are the Domains?

As of 15 February 2023, most of the domains (36%) were less than a year old. They were, therefore, newly or recently registered when used by the threat actors. These domains were created sometime in 2022 up to the first two weeks of February 2023. In fact, about 19% of them were just created this year.

The domains created from 2021 to early 2022 made up 17% of the portfolio, while 12% were between 2—3 years old. The older the domains got, the fewer they figured in the malicious domain portfolio, although 18% were more than five years old. This trend can be seen in the chart below.

Where Are the Domains Located?

We looked at two location types—the registrant countries and their IP geolocation. The U.S. topped both lists, accounting for 34% of the domain registrations and about 60% of the IP resolutions. The remaining top countries on both lists differed.

Estonia (10.8%), the Cayman Islands (9.4%), Romania (7%), China (5.4%), Japan (5.4%), the Czech Republic (1%), Canada (.5%), Turkey (.4%), and Russia (.4%) were the top registrant countries, following the U.S. The top 10 accounted for 97% of the domain registrations, with only 3% spread across 24 other countries.

On the other hand, the remaining top IP geolocation countries were Canada (9.51%), Australia (8.09%), China (7.9%), Iran (7.41%), the Netherlands (1.54%), France (1.42%), Russia (.86%), the British Virgin Islands (.8%), and Germany (.62%). The remaining 2.10% of the resolutions originated from 17 other countries.

The Anatomy of a Malicious Domain

Despite being connected to known threat actors, less than 1% of the sample was found malicious. That left a considerable portion of the domain portfolio unreported and possibly accessible.

Still, knowing the domain infrastructure of a malicious domain can help the cybersecurity community recognize potential threats. To demonstrate, we analyzed watchyfilmy[.]com using TIP. The screenshot below shows a snapshot of the results.

The table below lists some notable infrastructure findings and warnings gleaned from TIP.

CheckTIP Findings
Malware• The domain was flagged as a malware host.
• When accessed, the domain http://watchfilmy[.]com redirected to http://ww7[.]watchfilmy[.]com/.
Website content• The domain continued to host live content despite being tagged as malicious.
SSL• TIP warned that the domain’s SSL certificate was recently obtained, specifically on 7 February 2023.
• The domain also had SSL vulnerabilities and misconfigurations, such as using suboptimal cipher suites and lacking HTTPS protocol enforcement.
WHOIS• TIP detected that the domain was registered in an offshore country, specifically the Cayman Islands.
Real-time blackhole• The domain’s mail exchanger (MX) server had misconfigurations and was found on two blocklist sites, including Spamhaus.
Mail server• Email validation system Domain-based Message Authentication, Reporting, and Conformance (DMARC) is not configured.
Name server• The Start of Authority (SOA) record’s retry interval doesn’t follow best practices.

By tracing known threat actors and the domains they owned, we learned more about their favored infrastructure setup. We also know that most of the domains in the portfolio had unredacted WHOIS data, so threat attribution may lead to threat discovery, as we find more domains through proactive monitoring.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byDNIB.com


Sponsored byVerisign