Searching for Nevada Ransomware Digital Crumbs in the DNS | WhoisXML API


Searching for Nevada Ransomware Digital Crumbs in the DNS

According to Resecurity researchers, threat actors are currently distributing Nevada ransomware on the Dark Web under the ransomware-as-a-service (RaaS) model [1]. The malware received several upgrades in January 2023 alone and continues to affect both Windows and Linux users.

Using a list of indicators of compromise (IoCs) from AlienVault OTX [2] as jump-off points, WhoisXML API searched for Nevada ransomware digital crumbs in the DNS.

Our deep dive into the threat revealed:

  • Eight additional IP addresses to which the domains identified as IoCs resolved
  • One unredacted registrant email address found in the historical WHOIS record of one of the domain IoCs
  • 70+ additional domains that shared that registrant email address, one of which turned out to be malicious
  • 1,100+ additional domains that shared IP hosts with some of the IoCs, one of which turned out to be a malware host
  • 2,000+ additional domains that contained the strings github., click., continue., repository., signup., and submit., three of which turned out to be malicious

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] Resecurity, "Nevada Ransomware: Waiting for the Next Dark Web Jackpot," https://www.resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot
  • [2] AlienVault OTX pulse, https://otx.alienvault.com/pulse/6408625672614e92a996a642