ESXiArgs Ransomware Campaign Targets VMware ESXi Vulnerability

Executive Summary

  • On February 3, European hosting providers and computer emergency response teams (CERTs) began warning of a widespread ransomware campaign exploiting CVE-2021-21974, a VMware ESXi vulnerability for which a patch has been available since February 2021.
  • Shortly after the warnings’ publication, SecurityScorecard developed an emergency informational signal to give customers visibility into potentially impacted servers. SecurityScorecard researchers also created a tool for hunting ESXiArgs using SecurityScorecard datasets, available here: https://lnkd.in/gXvytttW

  • The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team began an investigation into this new campaign in response to the advisories about it.

  • Our Attack Surface Intelligence (ASI) tool has revealed a population of servers that may be subject to this vulnerability, and our global network flow (netflow) analysis capability (available via professional services) has uncovered possible communication between target IP addresses and infrastructure involved in the exploitation of this vulnerability.

Background

On February 3, European hosting providers and computer emergency response teams (CERTs) began warning of a widespread ransomware campaign exploiting CVE-2021-21974, a VMware ESXi vulnerability for which a patch has been available since February 2021. In their initial warning regarding the vulnerability, French cloud service provider OVH linked this activity to the Nevada ransomware group, but subsequently retracted this attribution. The cybersecurity community has instead taken to tracking the campaign as ESXiArgs, as the ransomware involved creates a file with a .args extension once it encrypts a file.

Especially in light of OVH’s retraction, it bears noting that ESXiArgs is not the only ransomware campaign to target ESXi. Croatia’s CERT published a flowchart that specifically helps distinguish ESXiArgs activity from that of the aforementioned Nevada ransomware group, indicating that the Nevada group does indeed target ESXi services as well, but that this activity is distinct from ESXiArgs. Similarly, research circulated on February 5 noted that the Royal ransomware group had also begun targeting ESXi, and recent years have also seen the Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive ransomware groups targeting it.

SecurityScorecard’s Attack Surface Intelligence (ASI) tool reveals that ESXi is, in general, fairly widespread, detecting some version of it in use at 139,491 IP addresses worldwide.

Image 1: Attack Surface Intelligence (ASI) indicates a fairly wide geographic distribution of ESXi services.

Additionally, Attack Surface Intelligence (ASI) has identified ninety-two IP addresses attributed to previous ransomware victims where ESXi is also in use; this may reflect other ransomware groups’ targeting of these services prior to the announcement of the ESXiArgs campaign.

Image 2: Attack Surface Intelligence (ASI) indicates ESXi in use at IP addresses attributed to previous ransomware victims.

Findings: Possibly Affected Services

While other ransomware groups have previously exploited other ESXi vulnerabilities, Attack Surface Intelligence (ASI) has revealed that the three versions of ESXi that this specific vulnerability may affect (versions 6.5, 6.7, and 7.0) are in use at seven, eight, and fifty-eight IP addresses respectively.

Images 3-5: Attack Surface Intelligence (ASI) enabled researchers to narrow their investigation into ESXiArgs to potentially affected versions.

The STRIKE Team then used these Attack Surface Intelligence (ASI) results to identify IP addresses from which to collect a sample of traffic that may reflect ESXiArgs activity; given European CERTs’ particular concern with ESXiArgs, researchers selected the French, Italian, and British IP addresses where versions 7.0, 6.7, and 6.5 are in use, respectively, in hopes of identifying potential attempts by ransomware groups to target these services.

Findings: Netflow Analysis

STRIKE Team researchers leveraged SecurityScorecard’s exclusive access to global netflow data to analyze a month (January 3-February 3) of traffic involving the potentially affected IP addresses identified by Attack Surface Intelligence (ASI) (the four French IP addresses where ESXi 7.0 is in use, the Italian IP address where ESXi 6.7 is in use, and the British IP address where ESXi 6.5 is in use). They compared these three samples both to one another and to the samples from previous ransomware investigations. The latter comparison enabled researchers to identify possibly ransomware-linked IP addresses that communicated with these potential targets, while the former enabled researchers to narrow their focus further to those that may specifically have targeted vulnerable ESXi systems, as ESXi is a common trait of the target IP addresses.

The IP address that appears most likely to reflect an attempt by a ransomware group to exploit this vulnerability is 161.47.17[.]28; it not only appeared in all three of the ESXi traffic samples collected in response to the recent advisories, but also appeared in multiple previous STRIKE Team ransomware investigations.

Three IP addresses (143.198.7[.]33, 159.89.246[.]130, and 159.89.188[.]11) appeared in both the French and British IP addresses’ traffic samples while also appearing in previous ransomware victims’ traffic samples; two (41.94.22[.]2 and 131.108.156[.]113) appeared in both the Italian and French IP addresses’ traffic samples as well as previous ransomware victims’ traffic samples; and another two (134.213.193[.]62 and 103.235.46[.]191) appeared in both the Italian and British IP addresses’ traffic samples as well as previous ransomware victims’ traffic samples. These overlaps suggest that, of the IP addresses to appear in the possible targets’ traffic samples, these may be especially likely to have been involved in the ESXiArgs campaign. That said, without internal visibility into the target networks, STRIKE researchers cannot determine the specific activity this traffic represents with certainty.

In addition to the above, researchers identified 402 other IP addresses that the cybersecurity vendors who contribute to VirusTotal have linked to malicious activity, forty-six other IP addresses that appeared in previous ransomware investigations (but which VirusTotal does not detect), and five IP addresses that communicated with multiple potential target IP addresses but did not appear in previous ransomware investigations. While less likely to specifically be involved with the ESXiArgs campaign, these IP addresses may nonetheless be suspicious; they are available in the appendices below.
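The overlap comparison described in this section can be reproduced on an organization's own flow exports. The following is an added example, not SecurityScorecard's tooling: the function names, tier numbers, CSV layout, and all addresses (RFC 5737 documentation ranges) are constructed for illustration, and the VirusTotal reputation lookup is left out because it needs an external service.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records. "sample" names the group of possibly exposed ESXi
# hosts whose traffic was collected; "peer" is the remote address, defanged
# the way the report writes indicators. One row is deliberately malformed.
CONSTRUCTED_FLOWS = """\
sample,peer,bytes
FR-esxi-7.0,203.0.113[.]10,4812
IT-esxi-6.7,203.0.113[.]10,1290
GB-esxi-6.5,203.0.113[.]10,660
FR-esxi-7.0,203.0.113[.]20,300
GB-esxi-6.5,203.0.113[.]20,512
IT-esxi-6.7,198.51.100[.]7,2048
FR-esxi-7.0,198.51.100[.]8,90
GB-esxi-6.5,198.51.100[.]8,120
FR-esxi-7.0,198.51.100[.]9,75
FR-esxi-7.0,203.0.113[.]20,44
FR-esxi-7.0,not-an-ip,10
"""

# Constructed stand-in for peers recorded in earlier ransomware investigations.
CONSTRUCTED_PRIOR = {"203.0.113.10", "203.0.113.20", "198.51.100.7"}


def refang(indicator):
    """Turn a defanged indicator such as 203.0.113[.]10 back into an address."""
    return indicator.strip().replace("[.]", ".")


def defang(address):
    """Defang the last dot of an IPv4 address, as the report body does."""
    head, _, tail = address.rpartition(".")
    return f"{head}[.]{tail}"


def load_samples(flow_csv):
    """Return ({sample: set of peers}, [rejected peer strings])."""
    samples, rejected = defaultdict(set), []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            peer = ipaddress.ip_address(refang(row["peer"]))
        except ValueError:
            rejected.append(row["peer"])  # keep for review instead of crashing
            continue
        samples[row["sample"]].add(str(peer))  # set: repeat flows count once
    return dict(samples), rejected


def rank_peers(samples, prior):
    """Tier peers by cross-sample overlap and prior-investigation sightings."""
    seen_in = defaultdict(set)
    for name, peers in samples.items():
        for peer in peers:
            seen_in[peer].add(name)
    ranked = []
    for peer, names in seen_in.items():
        in_prior = peer in prior
        if in_prior and len(names) == len(samples):
            tier = 1  # every target sample plus a prior investigation
        elif in_prior and len(names) >= 2:
            tier = 2  # two or more target samples plus a prior investigation
        elif in_prior:
            tier = 3  # prior investigation only
        elif len(names) >= 2:
            tier = 4  # several targets, never seen in a prior investigation
        else:
            continue  # one sample, no prior sighting: ordinary background
        ranked.append((tier, peer, sorted(names)))

    def sort_key(entry):
        ip = ipaddress.ip_address(entry[1])
        return (entry[0], ip.version, int(ip))

    return sorted(ranked, key=sort_key)


if __name__ == "__main__":
    samples, rejected = load_samples(CONSTRUCTED_FLOWS)
    for tier, peer, names in rank_peers(samples, CONSTRUCTED_PRIOR):
        print(f"tier {tier}  {defang(peer):<18} seen in: {', '.join(names)}")
    print("rejected rows:", rejected)
```

As in the report, a high tier only marks a peer for closer review; the overlap alone does not show what the traffic was.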

Recommendations

  • Apply the relevant update to any still-unpatched servers as soon as possible. If, for some reason, you cannot apply the patch, deactivate OpenSLP services (or limit access to them to a list of trusted IP addresses).
  • Take the standard precautions against ransomware:
    • Maintain up-to-date backups of data threat actors may target for encryption;
    • Only expose services to the wider internet when necessary; and
    • Consistently monitor network traffic for any unexpected behavior.

Attack Surface Intelligence and Managed Threat Hunting with Cyber Risk Intelligence

In addition to the visibility offered by the new signal in our ratings platform, SecurityScorecard’s other tools and services can support organizations’ efforts to respond to and defend against these vulnerabilities and their exploitation. SecurityScorecard’s new Attack Surface Intelligence (ASI) solution gives you direct access to SecurityScorecard’s deep threat intelligence data through a global tab on the ratings platform and via API, all of which can contribute to improved visibility into internal and external resources, supporting the infrastructure management advised above.

Attack Surface Intelligence (ASI) analyzes billions of sources to provide deep threat intelligence and visibility into any IP, network, domain, or vendor’s attack surface risk, from a single pane of glass. This helps a variety of customers do more with the petabytes of data that form the basis of SecurityScorecard Ratings, including identifying all of an organization’s connected assets, exposing unknown threats, conducting investigations at scale, and prioritizing vendor remediation with actionable intelligence.

Attack Surface Intelligence (ASI) is built into SecurityScorecard’s ratings platform through an enhanced Portfolio view or Global search across all Internet assets, leaked credentials, and infections and metadata from the largest malware sinkhole in the world. Access Attack Surface Intelligence (ASI) today on the SecurityScorecard platform with 20 free search queries per month or request a demo on our website.

SecurityScorecard’s threat research and intelligence services could be the competitive advantage organizations need to stay ahead of fast-moving threat actors like those exploiting these new vulnerabilities. For more custom insights from our team with 100+ years of combined threat research and investigation experience, or more details on these findings, please contact us to discuss our Cyber Risk Intelligence as a Service (CRIaaS) offering. The above investigation can offer a trustworthy but preliminary view of our capabilities. Our team can continue diving into these details, especially with the ability to provide further support by working with on-site staff.

If you believe your organization to be under immediate threat from actors linked to ESXiArgs and other threats like it, SecurityScorecard also provides managed incident response and digital forensics teams as a professional service driven by a large group of former law enforcement and private sector experts with decades of experience in the space. For immediate support from our teams, please contact us.


Appendix: VirusTotal-Detected IP Addresses Communicating with Possible Targets


Appendix: IP Addresses From Previous Ransomware Investigations


Appendix: IP Addresses Communicating With Multiple Potential Target IP Addresses

  • 104[.]236[.]65[.]181
  • 68[.]183[.]136[.]212
  • 159[.]65[.]249[.]246
  • 134[.]122[.]88[.]171
  • 45[.]172[.]198[.]114