Tracing the Footprint of Ransomware Attack IoCs | WhoisXML API

Threat Reports

From Counties to Banks: Tracing the Footprint of Ransomware Attack IoCs

On 11 September 2022, a U.S. country announced that it fell prey to a cyber attack. SecurityScorecard believes the Cryxos trojan may be involved and published an in-depth analysis,1 which included three IP addresses tagged as indicators of compromise (IoCs).

WhoisXML API researchers built on the report in a two-part investigation where we looked into the IoCs involved in the U.S. county attack and those connected to the Cryxos trojan. Our key findings include:

  • One of the IP addresses tagged as an IoC had one resolving domain whose WHOIS history led us to 4,400+ potential artifacts.
  • We found 390+ domains connected to the Cryxos IoCs, some of which were malicious and targeted banks.
  • We uncovered 1,400+ Chase Bank typosquatting properties, nearly half of which were malicious.

Get access to our findings and uncover more on your own. Download the report now.

  • [1]
Try our WhoisXML API for free
Get started