Tracking An Effective Ransomware Campaign – Part 2
Posted on October 26th, 2021
Since our last post at the end of August 2021, we have continued to track an effective ransomware group and they have been busy! We are tracking over 120 domains correlated to this threat group. They have been busy in October registering over 20 new domains in the last two weeks.
The following new domains have been linked to this threat group:
|
academyads.com |
emerictech.com |
newseo.org |
troncaselink.com |
|
accountsupdate.org |
escondidoseo.com |
novadigitalgroup.com |
turbojax.com |
|
acronicssolutions.org |
gessertmedia.com |
ogsbd.com |
uniselect.org |
|
appinternet.net |
get4tech.com |
perscitech.org |
unrigusa.com |
|
av-sat.net |
go-instant.com |
phpjoblist.com |
updatedlinux.com |
|
bdeduinfo.com |
herosoft.org |
radardefence.com |
updater-panel.com |
|
bestupdate.net |
hsncsoft.com |
rdadev.com |
us-time.org |
|
cbdallas.org |
ifftools.com |
rootmailer.com |
us-time.us |
|
cloud-dock.net |
introwebsites.com |
router-manager.net |
vpn-updates.net |
|
cnetdownloader.net |
ircontent.com |
rq-technologies.com |
wget-upd.com |
|
codegemba.com |
iweb-tech.com |
shopyscripts.com |
wiredobserver.com |
|
codessional.com |
jetkm.com |
slot-download.com |
wmi-technologies.com |
|
competitionsites.com |
metasportsystems.com |
smlsystem.com |
wotsafe.org |
|
crmdevnet.com |
mkvdb.com |
sourangroup.com |
zacstech.com |
|
database-updater.com |
msbackupservice.org |
tebo-tech.com |
zeoplan.com |
|
datasecuritytoday.com |
mysafexpress.com |
tmdiagnostics.com |
zoncat.com |
|
devpda.com |
new-release.net |
top-enter.com |
zorandev.com |
As you can see above, they continue to follow technology-related domain schemes. Each domain is hosted on a VPS with similar ports, protocols and services. During our analysis, we identified the actors running “Metasploit 4.20.0 – Update 2021083001” – a recent and likely cracked version of Metasploit.
This threat group is very active and has better tradecraft than other threat groups. The actors utilize non-standard ports, recently expired domains, employ trusted Let’s Encrypt certificates and do not reuse infrastructure to blend in with legitimate traffic that is not easily searchable. By proactively identifying their infrastructure we are able to prevent this threat and others like them from compromising our customers.
If you are in need of incident response support or ways to defend against this and other threats, please contact us at https://breakpoint-labs.com/.
