DNS Deep Diving into 2025’s Up and Coming Ransomware Families | WhoisXML API

Ransomware attacks are expected to continue plaguing individual users and organizations worldwide because they work. As of 2024, victims were asked to pay an average of US$2.5 million per incident.[1]

A report named 10 of the most active ransomware families in 2024,[2] which WhoisXML API decided to further investigate. We obtained lists of indicators of compromise (IoCs) for RansomHub,[3] LockBit 3.0,[4] Play,[5] Akira,[6] Hunters,[7] Medusa,[8] BlackBasta,[9] Qilin,[10] BianLian,[11] and INC. Ransom[12] (aka Lynx).[13]

We expanded a list of 120 IoCs comprising 48 domains and 72 IP addresses to uncover connected artifacts and found:

  • 944 email-connected domains, 27 of which turned out to be malicious
  • 48 additional IP addresses, 34 of which already figured in malicious campaigns
  • 201 IP-connected domains, two of which were already associated with threats
  • 1,192 string-connected domains, three of which have already been weaponized for attacks

Download a sample of the threat research materials now or contact sales to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

  • [1] https://www.huntress.com/ransomware-guide/cost-of-ransomware-attacks
  • [2] https://thehackernews.com/2025/03/the-new-ransomware-groups-shaking-up.html
  • [3] https://otx.alienvault.com/pulse/672ca9e4874fcbee26d0b631
  • [4] https://otx.alienvault.com/pulse/66618d7f95d9672a3604cfc6
  • [5] https://otx.alienvault.com/pulse/6726025258edd3e34410bec5
  • [6] https://otx.alienvault.com/pulse/6788b4daa6fb8eeb5e2eccc3
  • [7] https://otx.alienvault.com/pulse/670cc6978575debca12b4f29
  • [8] https://otx.alienvault.com/pulse/67508be45f644e4ae2a878d2
  • [9] https://otx.alienvault.com/pulse/67bdd8f7ef4e2e3e43204f78
  • [10] https://otx.alienvault.com/pulse/667e56a74b3d793fc644ece2
  • [11] https://otx.alienvault.com/pulse/646f226ab22ea2afcec4db3f
  • [12] https://otx.alienvault.com/pulse/67c18eaab1926a43cfc1b88c
  • [13] https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/