Sec Logo with tm (2).png 

ThreatSTOP Security Researchers have added three new target lists to our system. These targets leverage additional data from the ransomware tracker at to secure against ransomware threats.

The targets blocked based on's data are:

  • “Cerber IPs/Domains” - Better known by its previous name, Cerber, these lists block the CRBR ransomware. Despite the war on vowels, little has changed between Cerber and its recent rebranding. Magnitude EK is the primary dropper for CRBR. The ransomware itself uses a strong encryption with no established key available. You can read more about this malware on our blog.

  • “Sage IPs/Domains” - These two lists block the Sage ransomware. Sage, an offline ransom spread via phishing, encrypts target data with a variety of different keys. The encryption scheme is ChaCha20 (Similar to Salsa20 used by Petya) with a rotating key generating a new master key for each file encrypted. Sage also shows signs of borrowing from CRBR, in that it uses Microsoft's text-to-speech service to play a voice message about the infection.

  • “Paycrypt – IPs/Domains” - Paycrypt, also known as CryptoBot uses JavaScript to encrypt the target computer. Once this happens a ransom pop-up appears. A nifty bit of social engineering involved is the display of a Twitter account. This account displayed tweets from victims who paid the ransom. This has not appeared in some time, and it's considered possible Twitter banned the account.

If you have the “TS Curated – Ransomware – IPs/Domains” in your policy you automatically have these new targets added to your policy.

Alternatively, you could choose to enable the specific targets mentioned above or “Ransomware from – IPs/Domains” in your expert policy if you choose not to use the curated targets provided by ThreatSTOP (Note, that you do not need to add these if you have the curated targets in your policies as these are part of them).


If you do not have a ThreatSTOP account, Sign up for a free trial.

If you do have a ThreatSTOP account, instructions to add targets to a DNS or IP defense policies are available on the ThreatSTOP Documentation Hub. Or contact our Support team.