Ransomware gangs are now a dime a dozen, but victims rarely deal with a gang's core members directly. They are far more likely to be communicating with what the cybersecurity community has dubbed "ransomware affiliates," the operators who run the intrusions and earn as much as 75% of the ransom payment.
Among his other OSINT findings, Dancho Danchev recently identified three email addresses—one Gmail and two Yahoo! addresses—confirmed to belong to ransomware affiliates, along with 21 domains that figured in some of their campaigns.
The Threat Intelligence Platform (TIP) research team used these as jump-off points to search WHOIS and DNS records for connected domains and IP addresses that could be part of the ransomware affiliates' infrastructure. Our indicator of compromise (IoC) expansion analysis found:
• 90 additional domains registered with the three email addresses, 16 of them still hosting live content and three flagged as malicious
• 22 unique IP addresses to which the 111 seed and email-connected domains resolved, six of them flagged as malicious
• 3,955 further domains hosted on those IP addresses, 38 of them flagged as malicious
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Danchev’s OSINT analysis led to the discovery of three email addresses and 21 domains tied to confirmed ransomware affiliates listed in the table below.
IoCs uncovered from OSINT analysis

| Email Addresses | Domains |
|---|---|
| xbo[REDACTED]@gmail[.]com | badfail[.]info |
| jamesnolaxbo[REDACTED]@yahoo[.]com | watchabag[.]com |
| buyxbo[REDACTED]@yahoo[.]com | exchanger-cash[.]com |
| | sunrisekidsindia[.]com |
| | sqeets[.]com |
| | irancybp[.]ir |
| | ecotokens[.]su |
| | wheelipedia[.]com |
| | truongquocvi[.]info |
| | truongquocvi[.]com |
| | giwebsolutions[.]in |
| | vietonl[.]net |
| | softfilemanage[.]com |
| | a6tdn[.]com |
| | decode-india[.]com |
| | agendas-personalizadas[.]com |
| | elitemenu[.]xyz |
| | lixiongchen[.]com |
| | shelbysdatenight[.]com |
| | gotocosplay[.]com |
| | angiesensei[.]com |
First, we ran reverse WHOIS searches for every domain whose registration records listed one of the three email addresses identified as IoCs. That led to the discovery of 90 domains, 16 of which still hosted live content. One of these stood out based on its screenshot: driverslicensepsd[.]net.
Driverslicensepsd[.]net, despite not being flagged as malicious, hosted a site that seemingly let users create their own licenses for use in various countries.
In addition, since the domains were registered by ransomware affiliates, they could be involved in other cybercriminal activities, notably phishing: many of their names contain strings that suggest a target user base or a known brand. The user bases implied by the names include customers of small businesses, couriers, utilities, and security providers; cryptocurrency investors; news readers; property buyers; students and their parents; charity donors; and job seekers. The following table lists sample domains that are not tagged malicious themselves but whose names point at each user base.
Target User Base | Sample Domain |
---|---|
Small business customer | cakesandmore[.]ng |
Courier customer | spfreightcourier[.]com |
Utilities provider customer | aeonwaterservices[.]com |
Security provider customer | probatesecuritycompany[.]com |
Cryptocurrency investor | bitcointradinginvestment[.]com |
News reader | aloftnews[.]com |
Property buyer | adonaiprosperity[.]com[.]ng |
Student/Parent | al-awwalschools[.]com |
Charity donor | cencod[.]org |
Job seeker | gmrecruitments[.]com |
Global brands commonly impersonated by phishers also appeared as strings in some of the email-connected domains, notably HSBC, Citibank, and PayPal. A TIP bulk malware check of the email-connected domains revealed that three were flagged as malicious, including hsbcgrouponline[.]com, which poses as an HSBC-owned domain.
The 111 domains (the 21 IoCs plus the 90 email-connected properties) resolved to 22 unique IP addresses. Eight of them were dedicated hosts while the remaining 14 were shared. A majority of the IP addresses (16, to be exact) geolocated to the U.S., while the remaining six were scattered across five other countries, as shown in the chart below.
According to TIP malware checks, six of the IP hosts were malicious, including 198[.]38[.]82[.]77, 198[.]251[.]89[.]144, and 167[.]114[.]64[.]93.
TIP reports for the IP hosts allowed us to collate a list of 3,955 connected domains. Like the email-connected domains, these properties could figure in malicious campaigns targeting the same sets of users, as the examples in the table below show. Because 14 of the 22 hosts are shared, however, many co-hosted domains belong to unrelated tenants, so this list is a lead for reputation scoring rather than a blocklist.
Target User Base | Sample Domain |
---|---|
Small business customer | anchorcreditunb[.]com |
Courier customer | americaexpresscourier[.]com |
Utilities provider customer | adcelectric[.]com[.]ng |
Security provider customer | centerasecurity[.]dk |
Cryptocurrency investor | cryptocoin24x7[.]com |
News reader | dailyaftabnews[.]com |
Property buyer | 19gopropertysolutions[.]co[.]uk |
Student/Parent | aguleschools[.]com |
Charity donor | andtopcharityfoundation[.]org |
Job seeker | cunardcareers[.]uk[.]com |
A bulk malware check for the IP-connected domains showed that 38 of them were malicious. Specifically, 37 were malware hosts while one was flagged for spamming. Despite their involvement in cyber attacks, however, 15 of the malicious domains continued to host live content.
Of these malicious domains, three could be especially dangerous to visitors—alliedcreditunib[.]com, alliedtrustbo[.]com, and anchorcreditunb[.]com—as they look like legitimate banking sites even though extensive web searches turned up no proof that such institutions exist. Organizations with similar names do exist (Allied Federal Credit Union, Allied Trust, and Anchor Bank, respectively), but none of them bore a distinctive resemblance to the brands used in the malicious domains.
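The pivot chain described above, from registrant-email reverse WHOIS through DNS resolution to reverse-IP expansion and brand/target keyword triage, as an added offline example. This is not the TIP team's tooling: the lookup tables are constructed stand-ins for real reverse-WHOIS, DNS, reverse-IP and malware-feed queries, and the email addresses, IP addresses and the `.example` domains are hypothetical placeholders (the other domain names are taken from the tables in this post).

```python
"""Added example: offline IoC-expansion pivot chain modelled on the workflow in
this post. Not the TIP team's code; every table below is a constructed stand-in."""
from collections import defaultdict


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('hsbc[.]com', '198[.]38[.]82[.]77') back into a usable string."""
    return ioc.replace("[.]", ".")


# --- Constructed stand-in data (hypothetical emails/IPs; not from the report) ---
REVERSE_WHOIS = {  # registrant email -> domains registered with it (reverse-WHOIS stand-in)
    "affiliate@example.com": ["driverslicensepsd.net", "hsbcgrouponline.com", "cakesandmore.ng"],
    "affiliate2@example.net": ["spfreightcourier.com", "legit-bakery.example"],
}
DNS_A = {  # domain -> current A record (forward DNS stand-in)
    "badfail.info": "198.51.100.10", "watchabag.com": "198.51.100.10",
    "driverslicensepsd.net": "203.0.113.5", "hsbcgrouponline.com": "203.0.113.5",
    "cakesandmore.ng": "198.51.100.20", "spfreightcourier.com": "198.51.100.20",
    "legit-bakery.example": "198.51.100.20",
}
REVERSE_IP = {  # IP -> every domain observed resolving to it (reverse-IP stand-in)
    "198.51.100.10": ["badfail.info", "watchabag.com"],
    "203.0.113.5": ["driverslicensepsd.net", "hsbcgrouponline.com", "alliedtrustbo.com"],
    "198.51.100.20": ["cakesandmore.ng", "spfreightcourier.com", "legit-bakery.example",
                      "bitcointradinginvestment.com", "unrelated-blog.example"],
}
MALICIOUS = {"hsbcgrouponline.com", "alliedtrustbo.com", "203.0.113.5"}  # malware-feed stand-in

BRANDS = ("hsbc", "citibank", "paypal")
TARGET_KEYWORDS = {  # user base -> name fragments that suggest a lure aimed at it
    "Courier customer": ("courier", "freight", "express"),
    "Cryptocurrency investor": ("bitcoin", "crypto", "coin"),
    "Banking customer": ("bank", "credit", "trust"),
}


def expand_by_registrant(emails):
    """Reverse-WHOIS pivot: every domain registered with one of the seed emails."""
    found = set()
    for email in emails:
        found.update(REVERSE_WHOIS.get(refang(email), []))
    return found


def resolve(domains):
    """Forward DNS: domain -> IP, skipping domains with no current A record."""
    return {d: DNS_A[d] for d in domains if d in DNS_A}


def classify_hosts(ips, pivot_domains):
    """Assumption used here: an IP is 'dedicated' when every domain it hosts is already
    in our pivot set, and 'shared' when it also serves domains we have not tied to the actor."""
    dedicated, shared = set(), set()
    for ip in ips:
        others = set(REVERSE_IP.get(ip, [])) - pivot_domains
        (shared if others else dedicated).add(ip)
    return dedicated, shared


def expand_by_ip(ips):
    """Reverse-IP pivot: all domains co-hosted on the given IPs."""
    found = set()
    for ip in ips:
        found.update(REVERSE_IP.get(ip, []))
    return found


def keyword_hits(domains, table):
    """Label -> domains whose name contains one of the label's fragments.
    Plain substring matching is a triage heuristic and will produce false positives."""
    hits = defaultdict(set)
    for d in domains:
        for label, frags in table.items():
            if any(f in d for f in frags):
                hits[label].add(d)
    return {k: sorted(v) for k, v in hits.items()}


def run_expansion(seed_emails, seed_domains):
    """Full chain: seeds -> email-connected -> IPs -> co-hosted domains -> reputation/keyword triage."""
    seeds = {refang(d) for d in seed_domains}
    email_connected = expand_by_registrant(seed_emails)
    first_ring = seeds | email_connected                  # domains tied to the actor by WHOIS
    ips = set(resolve(first_ring).values())
    dedicated, shared = classify_hosts(ips, first_ring)
    ip_connected = expand_by_ip(ips) - first_ring         # includes unrelated tenants of shared hosts
    return {
        "email_connected": sorted(email_connected),
        "ips": sorted(ips),
        "dedicated_ips": sorted(dedicated),
        "shared_ips": sorted(shared),
        "ip_connected": sorted(ip_connected),
        "malicious": sorted((first_ring | ip_connected | ips) & MALICIOUS),
        "brand_lookalikes": keyword_hits(first_ring | ip_connected, {b: (b,) for b in BRANDS}),
        "likely_targets": keyword_hits(ip_connected, TARGET_KEYWORDS),
    }


if __name__ == "__main__":
    summary = run_expansion(["affiliate@example[.]com", "affiliate2@example[.]net"],
                            ["badfail[.]info", "watchabag[.]com"])
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Note how the constructed data reproduces the caveat from the shared-host pivot: `unrelated-blog.example` lands in `ip_connected` only because it shares 198.51.100.20 with the actor's domains, so the reverse-IP ring should feed a reputation check (here the `MALICIOUS` lookup) rather than be blocked wholesale, while the dedicated host 198.51.100.10 is a much stronger signal. The brand and target-keyword matches are substring heuristics for prioritizing review, not proof of impersonation.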
Despite the huge financial gains ransomware affiliates can already get their hands on, many of them may be involved in other cybercriminal activities, notably phishing. Our IoC expansion analysis showed that parts of their infrastructure, comprising 4,006 connected domains and IP addresses, could be doing more than ransomware distribution.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.