Home / Industry

Gauging the Scale of an Active Ransomware Gang’s Infrastructure

Ransomware gangs are now a dime a dozen. But in reality, victims rarely engage directly with their members. They are, in fact, more likely communicating with what the cybersecurity community has dubbed “ransomware affiliates” who earn as much as 75% of the ransom payment.

Among his other OSINT findings, Dancho Danchev recently identified three email addresses—one Gmail and two Yahoo! addresses—confirmed to belong to ransomware affiliates, along with 21 domains that figured in some of their campaigns.

The Threat Intelligence Platform (TIP) research team used these as jump-off points to scour the DNS for connected domains and IP addresses that could be part of the ransomware affiliates’ infrastructure. Our indicator of compromise (IoC) expansion analysis found:

  • 90 domains that were registered using the email addresses identified as IoCs, three of which turned out to be malicious
  • 22 IP addresses the email-connected and other domains identified as IoCs resolved to, six of which were confirmed to be malware hosts
  • 3,955 domains that shared the IoCs’ IP hosts, 38 of which have already figured in malware and spam campaigns

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know So Far

Danchev’s OSINT analysis led to the discovery of three email addresses and 21 domains tied to confirmed ransomware affiliates listed in the table below.

IoCs UNCOVERED FROM OSINT ANALYSIS
Email AddressesDomains
• xbo[REDACTED]@gmail[.]com
• jamesnolaxbo[REDACTED]@yahoo[.]com
• buyxbo[REDACTED]@yahoo[.]com
• badfail[.]info
• watchabag[.]com
• exchanger-cash[.]com
• sunrisekidsindia[.]com
• sqeets[.]com
• irancybp[.]ir
• ecotokens[.]su
• wheelipedia[.]com
• truongquocvi[.]info
• truongquocvi[.]com
• giwebsolutions[.]in
• vietonl[.]net
• softfilemanage[.]com
• a6tdn[.]com
• decode-india[.]com
• agendas-personalizadas[.]com
• elitemenu[.]xyz
• lixiongchen[.]com
• shelbysdatenight[.]com
• gotocosplay[.]com
• angiesensei[.]com

What Our Analysis Found

First, we scoured the DNS for all domains that indicated they were registered using the three email addresses identified as IoCs. That led to the discovery of 90 domains, 16 of which continued to host live content. Of these properties, one proved to be the most interesting—driverslicensepsd[.]net—based on its screenshot.

Driverslicensepsd[.]net, despite not being flagged as malicious, hosted a site that seemingly let users create their own licenses for use in various countries.

In addition, since the domains were registered by ransomware affiliates, they could be involved in other cybercriminal activities, notably phishing targeting known brands whose names appeared as strings. Potential targets include small business, courier, and utilities and security providers’ customers; cryptocurrency investors; news readers; property buyers; students and their parents; charity donors; and job seekers. Sample domains not tagged malicious per se but likely targeted each user base are listed in the following table.

Target User BaseSample Domain
Small business customercakesandmore[.]ng
Courier customerspfreightcourier[.]com
Utilities provider customeraeonwaterservices[.]com
Security provider customerprobatesecuritycompany[.]com
Cryptocurrency investorbitcointradinginvestment[.]com
News readeraloftnews[.]com
Property buyeradonaiprosperity[.]com[.]ng
Student/Parental-awwalschools[.]com
Charity donorcencod[.]org
Job seekergmrecruitments[.]com

Global brands commonly targeted by phishers also appeared as strings in some of the email-connected domains, notably HSBC, Citibank, and PayPal. A TIP bulk malware check for the email-connected domains also revealed that three were confirmed to be malicious, including the supposed HSBC-owned domain hsbcgrouponline[.]com.

The 111 domains (21 identified as IoCs and 90 email-connected properties) resolved to 22 unique IP hosts. Eight of them were dedicated hosts while the remaining 14 were shared. A majority of the IP addresses (16 to be exact) traced their origins to the U.S., while the remaining six were scattered across five other countries as shown in the chart below.

According to TIP malware checks, six of the IP hosts were malicious, including 198[.]38[.]82[.]77, 198[.]251[.]89[.]144, and 167[.]114[.]64[.]93.

TIP reports for the IP hosts allowed us to collate a list of 3,955 connected domains. Like the IP-connected domains, these properties could also figure in malicious campaigns targeting the same sets of users as evidenced by the examples listed in the table below.

Target User BaseSample Domain
Small business customeranchorcreditunb[.]com
Courier customeramericaexpresscourier[.]com
Utilities provider customeradcelectric[.]com[.]ng
Security provider customercenterasecurity[.]dk
Cryptocurrency investorcryptocoin24x7[.]com
News readerdailyaftabnews[.]com
Property buyer19gopropertysolutions[.]co[.]uk
Student/Parentaguleschools[.]com
Charity donorandtopcharityfoundation[.]org
Job seekercunardcareers[.]uk[.]com

A bulk malware check for the IP-connected domains showed that 38 of them were malicious. Specifically, 37 were malware hosts while one was flagged for spamming. Despite their involvement in cyber attacks, however, 15 of the malicious domains continued to host live content.

Of these malicious domains, three could be especially dangerous to visitors—alliedcreditunib[.]com, alliedtrustbo[.]com, and anchorcreditunb[.]com—as they seem to be legitimate-looking banking sites despite the absence of proof that such institutions exist based on intensive web searches. While we found organizations bearing similar names (Allied Federal Credit Union, Allied Trust, and Anchor Bank, respectively), none of them showed distinctive similarities with the brands used in the malicious domains.

What It Could All Mean

Despite the huge financial gains ransomware affiliates can already get their hands on, many of them may be involved in other cybercriminal activities, notably phishing. Our IoC expansion analysis showed that parts of their infrastructure, comprising 4,006 connected domains and IP addresses, could be doing more than ransomware distribution.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC