IOC for latest locky ransomware infection:
Locky Infection URL:
hxxp://konferencjaora[.]pl/w/523f.php
hxxp://autonikos[.]pl/w/6dty.php
hxxp://oxfordschoolkotputli[.]com/w/vait.php
hxxp://j3[.]rodolfogn[.]com/w/qn0b.php
hxxp://martinagebhardt[.]hu/w/uol4.php
Regex created for this php file is \/w\/[0-9a-z]{4}\.php.
Fake Dropbox landing page which serve locky ransomware:
hxxp://albion-cx22.co[.]uk/dropbox.html
hxxp://ambrogiauto[.]com/dropbox.html
hxxp://arthurdenniswilliams[.]com/dropbox.html
hxxp://autoecoleathena[.]com/dropbox.html
hxxp://autoecoleboisdesroches[.]com/dropbox.html
hxxp://autoecoledufrene[.]com/dropbox.html
hxxp://avtokhim[.]ru/dropbox.html
hxxp://bayimpex[.]be/dropbox.html
hxxp://binarycousins[.]com/dropbox.html
hxxp://charleskeener[.]com/dropbox.html
hxxp://campusvoltaire[.]com/dropbox.html
hxxp://dar-alataa[.]com/dropbox.html
hxxp://flooringforyou.co[.]uk/dropbox.html
hxxp://gestionale-orbit[.]it/dropbox.html
hxxp://griffithphoto[.]com/dropbox.html
hxxp://jakuboweb[.]com/dropbox.html
hxxp://jaysonmorrison[.]com/dropbox.html
hxxp://patrickreeves[.]com/dropbox.html
hxxp://potamitis[.]gr/dropbox.html
hxxp://tasgetiren[.]com/dropbox.html
hxxp://willemshoeck[.]nl/dropbox.html
It is advised to block these malicious url in the firewall, if you find any of these urls in your proxy logs or firewall that it is an indication of your system has been infected.
Post made by
newWorld researchers
Locky Infection URL:
hxxp://konferencjaora[.]pl/w/523f.php
hxxp://autonikos[.]pl/w/6dty.php
hxxp://oxfordschoolkotputli[.]com/w/vait.php
hxxp://j3[.]rodolfogn[.]com/w/qn0b.php
hxxp://martinagebhardt[.]hu/w/uol4.php
Regex created for this php file is \/w\/[0-9a-z]{4}\.php.
Fake Dropbox landing page which serve locky ransomware:
 |
| Fake Dropbox link in the mail |
hxxp://albion-cx22.co[.]uk/dropbox.html
hxxp://ambrogiauto[.]com/dropbox.html
hxxp://arthurdenniswilliams[.]com/dropbox.html
hxxp://autoecoleathena[.]com/dropbox.html
hxxp://autoecoleboisdesroches[.]com/dropbox.html
hxxp://autoecoledufrene[.]com/dropbox.html
hxxp://avtokhim[.]ru/dropbox.html
hxxp://bayimpex[.]be/dropbox.html
hxxp://binarycousins[.]com/dropbox.html
hxxp://charleskeener[.]com/dropbox.html
hxxp://campusvoltaire[.]com/dropbox.html
hxxp://dar-alataa[.]com/dropbox.html
hxxp://flooringforyou.co[.]uk/dropbox.html
hxxp://gestionale-orbit[.]it/dropbox.html
hxxp://griffithphoto[.]com/dropbox.html
hxxp://jakuboweb[.]com/dropbox.html
hxxp://jaysonmorrison[.]com/dropbox.html
hxxp://patrickreeves[.]com/dropbox.html
hxxp://potamitis[.]gr/dropbox.html
hxxp://tasgetiren[.]com/dropbox.html
hxxp://willemshoeck[.]nl/dropbox.html
 |
| Fake Dropbox landing page |
Post made by
newWorld researchers
No comments:
Post a Comment