Stripping Down the BlackSuit Ransomware Network Aided by DNS Data | WhoisXML API

Stripping Down the BlackSuit Ransomware Network Aided by DNS Data

Ransomware attacks are among the biggest threats organizations face, potentially costing them millions of dollars. One of the most recent campaigns involves the BlackSuit ransomware, a rebranded version of Royal ransomware. BlackSuit actors stole and exposed 1 million individuals’ full names, Social Security numbers (SSNs), birthdays, and insurance claim details.[1]

In response, the Cybersecurity and Infrastructure Security Agency (CISA) updated its BlackSuit ransomware advisory, which now includes 91 indicators of compromise (IoCs) comprising 14 domain names, five subdomains, and 72 IP addresses.[2]

Our researchers expanded the list of IoCs to uncover more potentially connected artifacts. Using WHOIS, IP, and DNS intelligence, our analysis led to the discovery of:

  • 112 email-connected domains
  • 10 additional IP addresses, five of which were found to be malicious
  • 21 IP-connected domains
  • 137 string-connected domains
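The three pivots named above (registrant email, shared IP address, shared string) can be reproduced offline against local WHOIS and passive DNS data. The block below is an added illustration, not WhoisXML API's code, and every seed IoC, WHOIS record, DNS record and reputation verdict in it is constructed placeholder data (documentation domains and RFC 5737 addresses), not an indicator from the CISA advisory.

```python
"""IoC expansion by WHOIS, IP and string pivots (constructed sample data)."""

# Constructed seed IoCs standing in for an advisory's domains and IPs.
SEED_DOMAINS = {"seed-one.example", "seed-two.example"}
SEED_IPS = {"192.0.2.10"}

# Constructed WHOIS lookup: domain -> registrant email (None when redacted).
WHOIS = {
    "seed-one.example": "registrant@mail.example",
    "seed-two.example": None,  # privacy-protected: no email pivot possible
    "email-pivot.example": "registrant@mail.example",
    "unrelated.example": "someone-else@mail.example",
}
# Constructed passive DNS: domain -> A records observed for it.
PDNS = {
    "seed-one.example": {"192.0.2.10", "198.51.100.7"},
    "seed-two.example": {"203.0.113.5"},
    "email-pivot.example": {"198.51.100.7"},
    "ip-pivot.example": {"203.0.113.5"},
    "unrelated.example": {"203.0.113.99"},
    "seed-one-login.example": {"203.0.113.99"},
}
# Constructed reputation feed: IPs already flagged as malicious elsewhere.
MALICIOUS_IPS = {"203.0.113.5"}
KNOWN_DOMAINS = set(WHOIS) | set(PDNS)


def reverse_whois(email):
    """Domains registered with the same email (the email-connected pivot)."""
    return {d for d, e in WHOIS.items() if e == email}


def reverse_ip(ip):
    """Domains that resolved to the same IP (the IP-connected pivot)."""
    return {d for d, ips in PDNS.items() if ip in ips}


def expand(seed_domains=SEED_DOMAINS, seed_ips=SEED_IPS, min_token=7):
    emails = {WHOIS.get(d) for d in seed_domains} - {None}
    email_connected = set().union(*(reverse_whois(e) for e in emails)) - seed_domains
    # New IPs: every address the seed domains resolved to that the seed list lacks.
    new_ips = set().union(*(PDNS.get(d, set()) for d in seed_domains)) - seed_ips
    ip_connected = set().union(*(reverse_ip(ip) for ip in seed_ips | new_ips)) - seed_domains
    # String pivot: reuse of a seed's label (min_token avoids short, noisy labels).
    tokens = {d.split(".")[0] for d in seed_domains if len(d.split(".")[0]) >= min_token}
    string_connected = {d for d in KNOWN_DOMAINS - seed_domains if any(t in d for t in tokens)}
    return {"email_connected": email_connected, "new_ips": new_ips,
            "malicious_new_ips": new_ips & MALICIOUS_IPS,
            "ip_connected": ip_connected, "string_connected": string_connected}
```

A domain can land in more than one category (here the email pivot and the IP pivot both surface the same domain), so deduplicate across categories before counting or blocking.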

Download a sample of the threat research materials now or contact sales to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

  • [1] https://www.bleepingcomputer.com/news/security/blacksuit-ransomware-stole-data-of-950-000-from-software-vendor/
  • [2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a