xCryptoPandax t1_j62m2ik wrote

That’s highly inaccurate, idk why that’s gotten so many upvotes.

Most malware uses sketchy top-level domains (e.g. .xyz, .makeup, .me, etc.), not to mention most ransomware gangs compromise legitimate sites and host malware on them in order to bypass new domain creation and add that level of legitimacy.

One indicator for a ransomware gang, which I think is actually this one, was official government sites of Texas after they themselves were victims of ransomware.

Source: I work Incident Response

2

JohnGillnitz t1_j62vyqs wrote

I'm not sure how what I said was any different from what you said. No matter if they use an IP address or domain, those C&C servers are still set at the time of deployment. One of the first things they do is phone home (or homes) and get an updated list of C&C servers. That still leaves them dependent on reaching a limited number of sites that can be shut down, effectively killing that variant of the malware.
Do you live in Corpus and drive a Tesla? We may have met.
Edit: The CISA notice with the deets: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

2
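Both commenters describe things a defender can look for in DNS logs: callbacks to C&C hosts fixed at deployment time, C&C on sketchy TLDs, and C&C hosted on compromised legitimate domains that a TLD filter would never flag. The following is an added example, not code from either commenter, that runs over a constructed query log and reports two signals per client/domain pair: a TLD from the list named in the thread, and regular beaconing (near-constant query interval) regardless of how reputable the domain looks. The log format, `SAMPLE_LOG` contents and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS query log (not real data): "epoch_seconds client_ip domain".
# 10.0.0.5 queries a legitimate-looking .net host every 60s (compromised-site case);
# 10.0.0.7 queries a .xyz host irregularly; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 updates.example-corp.net
1060 10.0.0.5 updates.example-corp.net
1120 10.0.0.5 updates.example-corp.net
1180 10.0.0.5 updates.example-corp.net
1240 10.0.0.5 updates.example-corp.net
1005 10.0.0.7 cdn.example-news.xyz
1300 10.0.0.7 cdn.example-news.xyz
1400 10.0.0.7 cdn.example-news.xyz
1010 10.0.0.9 mail.example-corp.net
"""

SUSPICIOUS_TLDS = {"xyz", "makeup", "me"}  # the TLDs named in the thread (assumed list)

def parse_log(text):
    """Yield (timestamp, client, domain) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, domain = parts
        events.append((int(ts), client, domain.lower().rstrip(".")))
    return events

def has_suspicious_tld(domain):
    return domain.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS

def beacon_score(timestamps, min_queries=4):
    """Coefficient of variation of inter-query gaps; near 0 means a fixed-interval beacon.
    Returns None when there are too few queries to judge."""
    if len(timestamps) < min_queries:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def analyse(text, cv_threshold=0.2):
    """Group queries per (client, domain) and return the pairs that trip either signal."""
    by_pair = defaultdict(list)
    for ts, client, domain in parse_log(text):
        by_pair[(client, domain)].append(ts)
    findings = []
    for (client, domain), stamps in by_pair.items():
        reasons = []
        if has_suspicious_tld(domain):
            reasons.append("suspicious_tld")
        cv = beacon_score(stamps)
        if cv is not None and cv <= cv_threshold:
            reasons.append("regular_beacon")
        if reasons:
            findings.append({"client": client, "domain": domain, "reasons": reasons})
    return findings
```

Regular beaconing also describes legitimate update checkers, so a `regular_beacon` hit is a triage lead, not a verdict; the value of the second signal is that it still fires on the compromised-legitimate-site case the thread points out.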