ThreatSTOP Blog

ThreatSTOP releases new ransomware targets

Written by rcarterts | October 31, 2016

The ThreatSTOP Security Team has introduced a new list of ransomware targets. We highly recommend customers update their policies to include these targets for immediate increased protection from the growing number of ransomware attacks.

Ransomware has emerged as the “hot topic threat” of the security industry, and rightfully so. Ransomware, a malicious software type that holds your system and/or data ransom, has affected millions with an estimated cost of $1 billion in damages to date.

The profitability of ransomware has made it very attractive to attackers, and they are getting creative by developing a multitude of new ransomware variants that constantly keep us on our toes.

We at the ThreatSTOP Security Team are constantly working to identify new ransomware variants to update our protection and keep you safe. We have developed a list of new targets based on different ransomware family types to be incorporated into your policies.

The data for our ever-growing lists of ransomware targets is curated from data supplied by our friends at the abuse.ch ransomware tracker.

In this update, we have provided our customers with two types of targets:

  • Four synthetic targets that contain aggregated data about different ransomware families and are available in ThreatSTOP’s Standard mode.
  • Six original targets that each contain one ransomware family only and are available in ThreatSTOP’s Expert mode.
  • And just to remind you – back in March – we added two new targets that are manually curated by our team; they are available in ThreatSTOP’s Expert mode and are also included in the synthetic targets.
  • All of the above are available in the policy editor.

The new ransomware data includes the following families:

TeslaCrypt

TeslaCrypt started out infecting computer game files, and was later updated to become a very strong mainstream ransomware. The TeslaCrypt authors gave up the encryption keys in May 2016 so if a connection to one of its indicators appears in your reports, you will need to remove the infection from the afflicted machine. This can be done using publicly available decryption tools.

TeslaCrypt indicators are included in:

  • Original RPZ target – “TeslaCrypt Domains”
  • Synthetic RPZ targets – “Ransomware Domains From abuse.ch” and “Ransomware Domains”

CryptoWall

CryptoWall, which debuted in 2013, became the most prevalent ransomware variant after the fall of CryptoLocker in 2014, and remained the foremost ransomware variant in the world until mid-2016.

CryptoWall indicators are included in:

  • Original RPZ target – “CryptoWall Ransomware Domains”
  • Synthetic RPZ targets – “Ransomware Domains From abuse.ch” and “Ransomware Domains”

TorrentLocker

TorrentLocker, first observed in February 2014, is a ransomware variant distributed via targeted emails carrying malicious attachments or links.

TorrentLocker indicators are included in:

  • Original RPZ target – “TorrentLocker Domains”
  • Original IP target – “TorrentLocker IPs”
  • Synthetic RPZ targets – “Ransomware Domains From abuse.ch” and “Ransomware Domains”
  • Synthetic IP targets – “Ransomware IPs From abuse.ch” and “Ransomware IP Addresses”

Locky

Locky has become one of the most prevalent ransomware variants in 2016, and is mainly spread in vast spam email campaigns.

Locky indicators are included in:

  • Original RPZ target – “Locky Domains”
  • Original IP target – “Locky IPs”
  • Synthetic RPZ targets – “Ransomware Domains From abuse.ch” and “Ransomware Domains”
  • Synthetic IP targets – “Ransomware IPs From abuse.ch” and “Ransomware IP Addresses”

Please Note: We only block C&Cs and distribution sites for ransomware, and do not block the payment sites.
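To illustrate the C&C/distribution-only policy above, here is an added example (not ThreatSTOP code) that turns a feed in the style of the abuse.ch ransomware tracker into a domain RPZ target and an IP target, skipping payment-site rows. The feed layout, the threat labels and all hosts and addresses are constructed assumptions for the example.

```python
import csv
import io
import ipaddress

# Constructed sample in an abuse.ch-ransomware-tracker-like layout (assumed columns:
# Firstseen, Threat, Malware, Host, URL, Status, Registrar, IP address(es), ASN(s), Country).
SAMPLE_FEED = """\
# Firstseen,Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country
2016-10-30 08:00:00,C2,Locky,c2-example.test,http://c2-example.test/,online,,192.0.2.10|192.0.2.11,64496,ZZ
2016-10-30 09:00:00,Distribution Site,TeslaCrypt,dl-example.test,http://dl-example.test/x,online,,198.51.100.7,64496,ZZ
2016-10-30 10:00:00,Payment Site,CryptoWall,pay-example.test,http://pay-example.test/,online,,203.0.113.5,64496,ZZ
2016-10-30 11:00:00,C2,TorrentLocker,203.0.113.9,http://203.0.113.9/,online,,203.0.113.9,64496,ZZ
"""

# Only C&C and distribution infrastructure is blocked; payment sites are left alone.
BLOCKED_THREATS = {"C2", "Distribution Site"}


def parse_feed(text):
    """Yield (threat, family, host, ips) for every non-comment row of the feed."""
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    for row in rows:
        if len(row) < 8:
            continue  # malformed row, skip rather than guess
        ips = [ip for ip in row[7].split("|") if ip]
        yield row[1], row[2], row[3], ips


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_targets(text):
    """Return (rpz_records, ip_list): blocked domains as RPZ rules that answer
    NXDOMAIN (CNAME to '.'), plus the resolved IPs for an IP-firewall target."""
    domains, ips = set(), set()
    for threat, _family, host, addrs in parse_feed(text):
        if threat not in BLOCKED_THREATS:
            continue
        if is_ip(host):
            ips.add(host)  # a bare IP host belongs in the IP target, not the RPZ
        else:
            domains.add(host.lower().rstrip("."))
        ips.update(addrs)
    rpz = []
    for d in sorted(domains):
        rpz.append(f"{d} CNAME .")      # exact name
        rpz.append(f"*.{d} CNAME .")    # and every subdomain
    return rpz, sorted(ips, key=ipaddress.ip_address)
```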

All of our IP targets are available for both IP and DNS Firewall clients.

Our RPZ targets are only available to DNS Firewall customers – if you do not have a DNS Firewall, it’s time to upgrade. Contact us at 1-855-958-7867 or success@threatstop.com.