<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="https://info.threatstop.com/hubfs/Sec%20Logo%20with%20tm%20(2).png" alt="Sec Logo with tm (2).png" width="320" style="width: 320px; display: block; margin-left: auto; margin-right: auto;">&nbsp;</p>
<p>ThreatSTOP Security Researchers have added three new target lists to our system. These targets leverage additional data from <a href="https://ransomwaretracker.abuse.ch/">the ransomware tracker</a> at&nbsp;<a href="http://abuse.ch/">abuse.ch</a>&nbsp;to protect against ransomware threats.<br> <br> The targets blocked based on&nbsp;<a href="https://abuse.ch/">abuse.ch</a>'s data are:</p>
<ul>
<li><strong>“Cerber IPs/Domains” - </strong>Better known by its previous name, <strong>Cerber</strong>, these lists block the <strong>CRBR</strong> ransomware. Despite the war on vowels, little has changed between <strong>Cerber</strong> and its recent rebranding.&nbsp;<a href="/magnitude-ek-whats-shakin"><strong>Magnitude</strong> <strong>EK</strong></a>&nbsp;is the primary dropper for <strong>CRBR</strong>. The ransomware itself uses strong encryption, and no key for decrypting files is publicly available. You can read more about this <a href="/crbr-encryptor-a-ransomware-by-any-other-name-would-encrypt-as-well">malware on our blog</a>.<br><br></li>
<li><strong>“Sage IPs/Domains”</strong>&nbsp;- These two lists block the <strong>Sage</strong> ransomware. <strong>Sage</strong>, an offline ransomware spread via phishing, encrypts target data with a variety of different keys. The encryption scheme is ChaCha20 (similar to the Salsa20 used by Petya) with a rotating key that generates a new master key for each file encrypted. <strong>Sage</strong> also shows signs of borrowing from <strong>CRBR</strong>, in that it uses Microsoft's text-to-speech service to play a voice message about the infection.<br><br></li>
<li><strong>“Paycrypt – IPs/Domains”</strong>&nbsp;- <strong>Paycrypt</strong>, also known as <strong>CryptoBot</strong>, uses JavaScript to encrypt the target computer. Once this happens, a ransom pop-up appears. A nifty bit of social engineering involved is the display of a Twitter account, which showed tweets from victims who paid the ransom. The account has not appeared in some time, and it is considered possible that Twitter banned it.</li>
</ul>
<p>If you have the “<strong>TS Curated – Ransomware – IPs/Domains</strong>” target in your policy, these new targets are automatically added to your policy.</p>
<p>Alternatively, if you choose not to use the curated targets provided by ThreatSTOP, you can enable the specific targets mentioned above or “<strong>Ransomware from abuse.ch – IPs/Domains</strong>” in your expert policy. (Note that you do not need to add these if you have the curated targets in your policies, as they are already part of them.)</p>
<p>&nbsp;</p>
<p>If you do not have a ThreatSTOP account, &nbsp;for a free trial.<br> <br> If you do have a ThreatSTOP account, instructions for adding targets to DNS or IP defense policies are available on the ThreatSTOP Documentation Hub. Or contact our &nbsp;team.</p></span>