Category Archives: Monitoring & Reporting

Introducing: Ransomware Tracker

Two years have passed since I published my last project, SSLBL. The past years have been very busy, so I couldn’t find any time for neither expansion of existing projects nor coming up with any new ones. However, in the past months I’ve seen so many people becoming victims of Ransomware, which motivated me to spend my time for a new project. Today I’m happy to announce my newest project, introducing: Ransomware Tracker.

Ransomware Tracker
The purpose of Ransomware Tracker is:

  • Providing an overview on internet infrastructure used by cybercriminals for their Ransomware operations
  • Providing hosting- and internet service providers (ISPs), law enforcement agencies (LEA) and national CERTs/CSIRTs intel on such infrastructure within their consticuency
  • Offering blocklists for internet users, enterprises and antivirus vendors and security solution providers
  • Giving internet users and enterprises a brief overview on Ransomware mitigation strategies

At the moment, Ransomware Tracker tracks the following Ransomware families:

  • CryptoWall
  • TeslaCrypt
  • TorrentLocker
  • PadCrypt
  • Locky
  • CTB-Locker

More Ransomware families will be added to Ransomware Tracker in the future.
As for all of my tracking projects, Ransomware Tracker needs as much data as possible. New submissions for Ransomware Tracker are warmly welcome. You can send new additions to (remove all letters in uppercase). Malware binaries that you suspect to be associated with a certain Ransomware family can be send to (remove all letters in uppercase) for analysis.

I also want to thank Shadowserver for donating a hosting plan for Ransomware Tracker. In addition, I would like to thank My Online Security, and Dynamoo for their blogging efforts about new malware campaigns.

Introducing: SSL Blacklist (SSLBL)

In the past year, there was a lot of discussion about Secure Sockets Layer (SSL). More service providers and internet users started using SSL for access to various services. But not only regular internet users and internet services have been using SSL encryption more. Cybercriminals also rely on SSL more often in order to bypass IDS / IPS based detection mechanisms and content scanners.

A while ago I started to play a bit with an open source intrusion detection / prevent system (IDS / IPS) called Suricata, which is being developed and maintained by the Open Information Security Foundation (OISF). A cool feature that Suricata comes with is an SSL/TLS module which is able to fingerprint SSL/TLS certificates. Since some malware families switched from plain HTTP to HTTPS recently, I decided to maintain and publish a collection of SHA1 fingerprint associated with bad SSL certificates.

Introducing: SSL Blacklist (SSLBL)

The goal of SSLBL is to provide a list of bad SHA1 fingerprints of SSL certificates that are associated with malware and botnet activities. Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format (see SSLBL for more information). SSLBL helps you in detecting potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock. Happy malware hunting!

Follow on Twitter: