BlackCat Hacks Reddit Again, Take a Look at What the DNS Revealed
The BlackCat ransomware gang first trailed their sights on Reddit last February.1 They were able to steal user data by phishing an employee. They weren’t done, though, as they again hacked the sharing platform’s network, managing to lock employees out of their systems and threatening to leak the stolen data should the company fail to pay the ransom.
A total of 13 IP addresses were identified as indicators of compromise (IoCs) related to the ransomware.2
To uncover yet-unidentified connected artifacts as part of our ultimate goal—to make the Internet safer and more transparent—WhoisXML API trooped to the DNS and found:
- Three domains that shared two dedicated IP addresses identified as IoCs as hosts
- 437 domains containing the string office365logs, off365, or office365 akin to a closely related IP-connected artifact, 53 of which have been classified as malicious based on a bulk malware check
- 20 domains containing the string rbcbank akin to another closely related IP-connected artifact, two of which have been found malicious based on a bulk malware check
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
-  https://www.reversinglabs.com/blog/the-week-in-security-blackcat-threatening-to-leak-reddits-data-more-attacks-on-npm-packages
-  https://www.ic3.gov/Media/News/2022/220420.pdf