The joy of running a Security Operations Centre (SOC) is that we see a lot of things before many others. We are on the front-line and are seeing things sometimes weeks earlier and defending our clients. Most days are the same - I come in every morning and it is the usual "Hey team. Anyone want a coffee? Anything interesting happen overnight?" Mostly, it is the usual; just a few things, nothing much going on. This last week, that response has changed to a bit of trepidation and it is all because of 216.239.36.21.
Over the last week, we have been seeing a lot more malicious traffic coming from this IP address. The worst part is, up until yesterday, some of the world's best GINs (Global Intelligence Networks, for those playing at home) were not picking this IP up as malicious. It seems to have all really kicked off on the 12th May and our research identified immediately that this IP address is, in fact, a Command and Control server that is launching a TON of ransomware at networks around the world.
We have identified this IP address attempting to infect half of our clients this week alone. It is only in the last 2 days that this IP address has popped up on the GINs. Fortunately, for those with our SOC, we identified this and blocked it before it could rain terror. We are doing more research, but we can see this IP is dropping some nasty malware including Kraken and some really nasty ransomware.
Yes, it is possible that the authors will just change the IP. That is totally fine - go for it! But we found it once, and we will do it again. For those of you that don't have our SOC (and you should), jump into your logs and see if there is any communication to 216.239.36.21. If there is, block it! Better yet, take immediate action and just block outbound comms to this IP and do a sweep for other Indicators of Compromise (IOCs). But expect the IP to change and make sure you get some layered tech in place with some 24x7x365 monitoring.
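One way to do that log check, as an added example that is not the post's or the SOC's own tooling: a small Python sweep over firewall log lines that reports which internal hosts talked to the IP above, how often, whether the connection was actually allowed, and when it was first and last seen. The log format, the host names and every sample line are constructed for the demonstration. It compares parsed addresses rather than substrings, so a neighbouring address such as 216.239.36.210 is not reported as a hit the way a plain text search for "216.239.36.21" would report it.

```python
"""Sweep firewall logs for connections to a known-bad IP.

Added example, not from the original post. The log format, host names
and all sample lines below are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass

# IOC named in the post; add further confirmed indicators to this set.
IOC_IPS = {"216.239.36.21"}

# Constructed sample lines in a generic key=value firewall syslog style.
# The fifth line targets 216.239.36.210, a different address, and must not match.
SAMPLE_LOG = """\
2019-05-12T08:14:02Z fw01 action=allow src=10.1.4.23 dst=216.239.36.21 dport=443 proto=tcp
2019-05-12T08:14:05Z fw01 action=allow src=10.1.4.23 dst=93.184.216.34 dport=80 proto=tcp
2019-05-12T09:02:11Z fw01 action=allow src=10.1.7.101 dst=216.239.36.21 dport=8080 proto=tcp
2019-05-13T11:47:30Z fw01 action=deny src=10.1.4.23 dst=216.239.36.21 dport=443 proto=tcp
2019-05-13T11:50:00Z fw01 action=allow src=10.1.9.5 dst=216.239.36.210 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


@dataclass
class Hit:
    """Summary of one internal host's contact with the IOC."""
    src: str
    first_seen: str
    last_seen: str
    count: int = 0
    allowed: int = 0  # connections the firewall let through, i.e. hosts to sweep first


def sweep(log_text, iocs=IOC_IPS):
    """Return {src_ip: Hit} for every internal host that contacted an IOC address."""
    bad = {ipaddress.ip_address(i) for i in iocs}
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real run should count these
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst not in bad:  # exact address comparison, not a substring match
            continue
        src = m["src"]
        h = hits.get(src)
        if h is None:
            h = hits[src] = Hit(src=src, first_seen=m["ts"], last_seen=m["ts"])
        h.count += 1
        # ISO-8601 timestamps in the same zone sort correctly as strings.
        h.first_seen = min(h.first_seen, m["ts"])
        h.last_seen = max(h.last_seen, m["ts"])
        if m["action"] == "allow":
            h.allowed += 1
    return hits


def block_rules(iocs=IOC_IPS):
    """Egress-deny rules for the IOCs, in iptables syntax as one common choice."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(iocs)]


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG).values():
        print(f"{h.src}: {h.count} connection(s), {h.allowed} allowed, "
              f"{h.first_seen} .. {h.last_seen}")
    print("\n".join(block_rules()))
```

Hosts with a non-zero `allowed` count are the ones to sweep for further IOCs first, since their traffic actually reached the address; denied attempts still show which machines are trying. Adjust `LINE_RE` to your own firewall or proxy export, and confirm the ownership of any address before applying a blanket egress block, because a shared hosting or CDN address can carry legitimate traffic alongside the malicious use.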