Resecurity threat researchers discovered a new ransomware they’ve dubbed “Nevada” being sold on the RAMP underground community. Their analysis of the malware showed it underwent several upgrades in January 2023 alone. Primarily distributed to non-English-speaking threat actors via the ransomware-as-a-service (RaaS) model in the Dark Web, Nevada ransomware has been plaguing both Windows and Linux computer users.
Using a list of indicators of compromise (IoCs) comprising seven IP addresses and 13 domains from AlienVault OTX, WhoisXML API searched for Nevada ransomware digital crumbs in the DNS. The following table shows the original IoC list.
| IP ADDRESSES | DOMAINS |
|---|---|
| 1[.]23[.]82[.]72 | 2fgithub[.]com |
| 106[.]177[.]224[.]34 | click[.]compare |
| 138[.]112[.]25[.]25 | click[.]contact |
| 2[.]12[.]51[.]56 | click[.]discover |
| 21[.]15[.]46[.]55 | click[.]open |
| 35[.]3[.]46[.]245 | click[.]org |
| 36[.]75[.]75[.]75 | click[.]talk |
| | click[.]zero |
| | continue[.]email |
| | github[.]co |
| | repository[.]click |
| | signup[.]team |
| | submit[.]org |
Our deep dive led to the discovery of:
- Eight IP addresses to which the domain IoCs resolved but that weren't part of the original IoC list
- 1,178 domains that shared IP hosts with the IoCs, one of which turned out to be malicious
- 79 domains that shared a registrant email address with one of the domain IoCs, one of which was a malware host
- 2,098 domains containing the same strings as the domain IoCs, three of which turned out to be malicious
A sample of the additional artifacts obtained from our analysis is available for download from our website.
DNS lookups for the 13 domain IoCs uncovered eight IP addresses that aren't part of the original IoC list. Reverse IP lookups for these eight and for the seven IP addresses already identified as IoCs (15 in total) showed that four were dedicated hosts, four were shared hosts, and seven had no reverse resolution at all.
The reverse IP lookups also yielded 1,178 more domains. Only one of them, gkneutomotive[.]com, turned out to be malicious. Its registration has since been suspended, as the screenshot below shows, which suggests its registrar has already been made aware of its nature.
Next, a bulk IP geolocation lookup for the 15 IP addresses revealed they were scattered across seven countries. Nine of the IP addresses were geolocated in the U.S. while one each pointed to France, Germany, India, Indonesia, Japan, and the Netherlands.
Subjecting the 13 domain IoCs to a bulk WHOIS lookup, meanwhile, showed they were created between February 1996 and August 2022. Only six of them had publicly visible registrant countries: four were registered in the U.S. and the remaining two in Iceland. All of the IoCs' WHOIS records were also privacy-protected or redacted. Note that redaction on its own is weak evidence, since it has been the default at most registrars since the GDPR took effect in 2018; it is more useful as a reason to pivot on historical records than as a signal of malice.
A closer look at the historical WHOIS records of the two oldest domains, click[.]org (created in 1996) and submit[.]org (created in 1998), both registered before WHOIS redaction became widespread, turned up an unredacted registrant email address in submit[.]org's WHOIS record dated 15 May 2018.
A reverse WHOIS search for this registrant email address gave us 79 additional domains. One of them—dcchosting1[.]ws—turned out to be a malware host. It is unreachable as of this writing.
To ease domain monitoring for security teams, we sought to identify the TLD extensions the connected domains used. For that, we utilized the IP-connected domains as our sample. Our analysis revealed that .com led the pack, accounting for 46% of the total domain volume, followed by .net (12%); .de (6%); .org (4%); .is and .xyz (3% each); .fr, .quest, and .co (2% each); and .uk (1%). The remaining 17% was spread across 108 other TLDs. Take a look at the domain distribution by TLD chart below.
We also noticed the Nevada ransomware threat actors’ use of the following strings in their domains:
Our Domains & Subdomains Discovery searches for domains containing these strings uncovered 2,098 additional domains, three of which turned out to be malicious. These dangerous web properties were click[.]hn, github[.]cam, and signup[.]quest.
Note that although github[.]cam uses the GitHub logo and name, it shares no WHOIS record details with the legitimate domain github[.]com. As such, it is more likely a cybersquatting site designed to take advantage of GitHub's popularity.
In fact, among the 495 domains containing the string "github," only 106 could be publicly attributed to GitHub based on their registrant organization, GitHub, Inc.
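The pivots walked through above (forward DNS of the domain IoCs, dedicated/shared host classification from reverse IP lookups, TLD distribution of the connected domains, string-based domain discovery and registrant-organization attribution) as an added Python example; this is not WhoisXML API's code. The seed indicators are a subset of the article's IoC list, but every DNS, reverse-IP and WHOIS result in the script is constructed so that it runs offline, and the function and variable names are my own.

```python
"""IoC expansion pivots over an embedded data set (added example, not the article's code)."""
import re
from collections import Counter

# Seeds: a subset of the article's IoC list, kept defanged as published.
SEED_DOMAIN_IOCS = ["click[.]org", "github[.]co", "signup[.]team", "2fgithub[.]com"]
SEED_IP_IOCS = ["1[.]23[.]82[.]72", "35[.]3[.]46[.]245"]

# Constructed lookup results so the script runs offline; a real run would fill these
# from a resolver (A records), a passive-DNS/reverse-IP source and a WHOIS API.
FORWARD_DNS = {
    "click.org": ["203.0.113.10"],
    "github.co": ["203.0.113.10", "198.51.100.7"],
    "signup.team": [],                  # no A record
    "2fgithub.com": ["35.3.46.245"],    # resolves to an IP already on the IoC list
}
REVERSE_IP = {
    "203.0.113.10": ["click.org", "github.co", "shop-example.de", "cheap-login.xyz",
                     "news-example.com", "mail-example.com", "files-example.de"],
    "198.51.100.7": ["github.co"],
    "35.3.46.245": [],
    "1.23.82.72": ["signup-now.com"],
}
WHOIS_ORG = {"github.com": "GitHub, Inc.", "docs.github.com": "GitHub, Inc.",
             "github.cam": "REDACTED FOR PRIVACY"}


def refang(indicator):
    """'a[.]b' -> 'a.b' so the indicator can be looked up; defang() is the inverse."""
    return indicator.replace("[.]", ".")


def defang(indicator):
    return indicator.replace(".", "[.]")


def expand_ips(domain_iocs, ip_iocs, forward):
    """Forward-resolve the domain IoCs; return (known IoC IPs, IPs not already on the list)."""
    known = {refang(ip) for ip in ip_iocs}
    seen = {ip for d in domain_iocs for ip in forward.get(refang(d), [])}
    return known, seen - known


def classify_hosts(ips, reverse):
    """Dedicated: one domain on the IP; shared: more than one; none: no reverse resolution."""
    buckets = {"dedicated": [], "shared": [], "none": []}
    for ip in sorted(ips):
        n = len(reverse.get(ip, []))
        buckets["none" if n == 0 else "dedicated" if n == 1 else "shared"].append(ip)
    return buckets


def connected_domains(ips, reverse, domain_iocs):
    """Domains co-hosted on the IPs, minus the seed domains themselves."""
    seeds = {refang(d) for d in domain_iocs}
    return sorted({d for ip in ips for d in reverse.get(ip, [])} - seeds)


def tld_distribution(domains, top=3):
    """Percent share by last label (so 'co.uk' counts as 'uk', as in the article);
    TLDs outside the top N are bucketed as 'other'."""
    counts = Counter(d.rsplit(".", 1)[-1] for d in domains)
    total = sum(counts.values()) or 1
    dist = {tld: round(100 * c / total) for tld, c in counts.most_common(top)}
    dist["other"] = max(0, 100 - sum(dist.values()))
    return dist


def string_pivot(candidates, strings):
    """Domains whose labels left of the TLD contain any seed string (click, github, signup...)."""
    pat = re.compile("|".join(re.escape(s) for s in strings), re.IGNORECASE)
    return sorted(d for d in candidates if pat.search(d.rsplit(".", 1)[0]))


def brand_check(domains, whois_org, org="GitHub, Inc."):
    """Split brand-bearing domains into those whose registrant org is the brand owner and the rest."""
    attributed = [d for d in domains if whois_org.get(d) == org]
    return attributed, [d for d in domains if d not in attributed]


if __name__ == "__main__":
    known, new = expand_ips(SEED_DOMAIN_IOCS, SEED_IP_IOCS, FORWARD_DNS)
    extra = connected_domains(known | new, REVERSE_IP, SEED_DOMAIN_IOCS)
    print("new IPs:", sorted(defang(ip) for ip in new))
    print("hosts:", classify_hosts(known | new, REVERSE_IP))
    print("connected domains:", extra, "TLDs:", tld_distribution(extra, top=2))
    hits = string_pivot(["click.hn", "github.cam", "signup.quest", "github.com", "clickbank.net",
                         "example.org", "docs.github.com"], ["click", "github", "signup"])
    print("string hits:", hits)
    print("GitHub attribution (attributed, unattributed):",
          brand_check([d for d in hits if "github" in d], WHOIS_ORG))
```

The functions run unchanged over real lookup output: swap the three dictionaries for results from a resolver, a passive-DNS source and a WHOIS API, keeping refanged strings as keys. Two caveats carry over from the article's own findings: the TLD count uses the last label only, so second-level registries such as .co.uk are folded into their parent, and the attribution check is only as good as the registrant organization field, which is redacted for most domains.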
Our search for Nevada ransomware digital crumbs in the DNS through an IoC expansion analysis uncovered more than 3,000 possibly connected domains and eight IP hosts that haven't been publicized as IoCs.
This study also led to the discovery of five malicious domains that may not be part of any publicly accessible IoC list to date. We were also able to identify the most-abused TLDs that could aid in prioritizing web properties for threat monitoring and consequent blocking.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.