According to Resecurity researchers, threat actors are currently distributing Nevada ransomware on the Dark Web under the ransomware-as-a-service (RaaS) model [1]. The malware received several upgrades in January 2023 alone and targets both Windows and Linux systems.
Using a list of indicators of compromise (IoCs) from AlienVault OTX [2] as jump-off points, WhoisXML API searched DNS and WHOIS data for additional Nevada ransomware artifacts.
Our deep dive into the threat revealed:
- Eight additional IP addresses to which the domains identified as IoCs resolved
- One unredacted registrant email address from the historical WHOIS record of one of the domain IoCs
- 70+ additional domains that shared a registrant email address with one of the domain IoCs, one of which turned out to be malicious
- 1,100+ additional domains that shared IP hosts with some of the IoCs, one of which turned out to be a malware host
- 2,000+ additional domains that contained the strings github., click., continue., repository., signup., and submit., three of which turned out to be malicious
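The five expansions listed above are the standard pivots of DNS- and WHOIS-based IoC expansion: resolve the domain IoCs, pull unredacted registrant emails from their WHOIS history, reverse-WHOIS those emails, reverse-IP the resolved addresses, and search for domains sharing strings with the IoCs. The script below, an added example that is not WhoisXML API's code or tooling, runs those pivots over constructed passive DNS and WHOIS records; the domains, IP addresses, email address and thresholds in it are invented for illustration and are not Nevada ransomware indicators. It also carries the caveat the low hit rates above imply: an IP hosting hundreds of unrelated domains is shared hosting or a CDN, so its neighbours are skipped rather than reported.

```python
"""IoC expansion pivots of the kind summarised above: DNS resolution,
historical WHOIS, reverse WHOIS, reverse IP and domain-string search.

Added example, not WhoisXML API's code. Every record below is constructed
for illustration; none of the domains, IPs or emails are real indicators.
"""
from collections import defaultdict

# Constructed seed indicators standing in for the OTX pulse IoCs.
IOC_DOMAINS = {"ioc-one.example", "ioc-two.example"}
IOC_IPS = {"203.0.113.10"}

# Constructed passive DNS observations: (domain, resolved IPv4 address).
PASSIVE_DNS = [
    ("ioc-one.example", "203.0.113.10"),
    ("ioc-one.example", "203.0.113.11"),
    ("ioc-two.example", "198.51.100.7"),
    ("ioc-two.example", "192.0.2.5"),
    ("neighbor-a.example", "203.0.113.11"),
    ("neighbor-b.example", "198.51.100.7"),
    ("signup.portal.example", "198.51.100.7"),
    ("click.continue.example", "192.0.2.98"),
    ("github-login.example", "192.0.2.99"),   # no "github." substring
    # A busy shared host: hundreds of unrelated tenants on one address.
    *[(f"tenant-{i}.example", "192.0.2.5") for i in range(500)],
]

# Constructed historical WHOIS: domain -> registrant emails seen over time.
WHOIS_HISTORY = {
    "ioc-one.example": ["REDACTED FOR PRIVACY", "actor@mail.example"],
    "ioc-two.example": ["REDACTED FOR PRIVACY"],
    "neighbor-a.example": ["other@mail.example"],
    "sibling-c.example": ["actor@mail.example"],
    "sibling-d.example": ["actor@mail.example"],
}

# Strings the research searched for; the trailing dot anchors each to a label end.
SEARCH_STRINGS = ("github.", "click.", "continue.", "repository.", "signup.", "submit.")

# Assumed cut-off: an IP with this many domains is treated as shared hosting/CDN.
SHARED_HOST_THRESHOLD = 100
REDACTION_MARKERS = ("REDACTED", "PRIVACY", "PROXY")


def is_redacted(email):
    return any(marker in email.upper() for marker in REDACTION_MARKERS)


def additional_ips(ioc_domains, ioc_ips, pdns):
    """IPs the domain IoCs resolved to that are not already IP IoCs."""
    return {ip for domain, ip in pdns if domain in ioc_domains} - set(ioc_ips)


def registrant_emails(ioc_domains, whois):
    """Unredacted registrant emails from the IoCs' WHOIS history."""
    return {e for d in ioc_domains for e in whois.get(d, []) if not is_redacted(e)}


def reverse_whois(emails, whois, exclude):
    """Other domains whose WHOIS history shares one of the emails."""
    return {d for d, seen in whois.items()
            if d not in exclude and any(e in emails for e in seen)}


def reverse_ip(ips, pdns, exclude, threshold=SHARED_HOST_THRESHOLD):
    """Other domains co-hosted on the IPs; returns (domains, skipped_ips)."""
    by_ip = defaultdict(set)
    for domain, ip in pdns:
        by_ip[ip].add(domain)
    found, skipped = set(), set()
    for ip in ips:
        tenants = by_ip.get(ip, set()) - set(exclude)
        if len(tenants) >= threshold:   # shared host: neighbours are not evidence
            skipped.add(ip)
            continue
        found |= tenants
    return found, skipped


def string_pivot(strings, pdns, exclude):
    """Domains containing any of the search strings (plain substring match)."""
    domains = {d for d, _ in pdns} - set(exclude)
    return {d for d in domains if any(s in d for s in strings)}


def expand(ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS,
           pdns=PASSIVE_DNS, whois=WHOIS_HISTORY, strings=SEARCH_STRINGS):
    """Run all pivots from the seed IoCs. Everything returned is a candidate
    for vetting, not a new IoC: the research above found a handful of
    malicious domains among thousands of candidates."""
    ips = additional_ips(ioc_domains, ioc_ips, pdns)
    emails = registrant_emails(ioc_domains, whois)
    co_hosted, skipped = reverse_ip(ips | set(ioc_ips), pdns, ioc_domains)
    return {
        "additional_ips": ips,
        "registrant_emails": emails,
        "reverse_whois": reverse_whois(emails, whois, ioc_domains),
        "reverse_ip": co_hosted,
        "shared_hosts_skipped": skipped,
        "string_matches": string_pivot(strings, pdns, ioc_domains),
    }


if __name__ == "__main__":
    for pivot, hits in expand().items():
        print(f"{pivot}: {sorted(hits)}")
```

Each pivot excludes the seed IoCs themselves so the counts reflect genuinely new candidates, and the string search is a plain substring match on the full domain name, which is why `github-login.example` is not returned for `github.` while `signup.portal.example` is returned for `signup.`. In practice every set this returns still has to be vetted against malware and reputation sources before any of it becomes an indicator.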
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
—
- [1] https://www.resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot
- [2] https://otx.alienvault.com/pulse/6408625672614e92a996a642