xCryptoPandax t1_j62m2ik wrote on January 27, 2023 at 7:02 AM

Reply to comment by JohnGillnitz in FBI has seized website used by notorious ransomware gang by Bananaramas

That’s highly inaccurate, idk why that’s gotten so many upvotes.

Most malware use sketchy top level domains ex.) .xyz .makeup .me, etc not to mention most ransomware gangs compromise legitimate sites and host malware on them in order to bypass new domain creation and add that level of legitimacy.

One indicator for a ransomware gang which I think is actually this one was official government sites of Texas after they themselves were victim of ransomware.

Source: I work Incident Response

JohnGillnitz t1_j62vyqs wrote on January 27, 2023 at 9:13 AM

I'm not sure how what I said was any different from what you said. No matter if they use an IP address or domain, those C&C servers are still set at the time of deployment. One of the first things they do is phone home (or homes) and get an updated list of C&C servers. That still leaves them dependent on reaching a limited number of sites that can be shut down effectively killing the that variant of the malware.
Do you live in Corpus and drive a Tesla? We may have met.
Edit: The CISA notice with the deets: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

[deleted] t1_j63upmy wrote on January 27, 2023 at 3:03 PM

[removed]