Ransomware Tracker offers various types of blocklists that allow you to block Ransomware botnet C&C traffic. The available Ransomware blocklists are documented below. The update interval is 5 minutes.
If you don't want to implement a separate blocklist for each malware and blocklist type, you can use the combined blocklists below.
|RW_DOMBL||Domain Blocklist||All *_DOMBL datasets except CW_C2_DOMBL, TC_C2_DOMBL (recommended)|
|RW_URLBL||URL Blocklist||CW_C2_URLBL, TC_C2_URLBL, TC_DS_URLBL, LY_DS_URLBL (recommended)|
|RW_IPBL||IP Blocklist||TC_PS_IPBL, LY_C2_IPBL, TL_C2_IPBL, TL_PS_IPBL, CB_PS_IPBL (recommended)|
The combined blocklists above are the recommended blocklists. They might not catch everything, but the false positive rate should be low. However, false positives are possible, especially with regard to RW_IPBL. IP addresses associated with Ransomware Payment Sites (*_PS_IPBL) or Locky botnet C&Cs (LY_C2_IPBL) stay listed on RW_IPBL for 30 days after their last appearance. This means that an IP address stays listed on RW_IPBL for another 30 days even after the threat has been eliminated (e.g. the VPS / server has been suspended by the hosting provider).
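An added example (not abuse.ch code) of limiting the false-positive exposure described above before RW_IPBL reaches a firewall: each entry is validated, and addresses in internal or locally allowlisted ranges are held back for review instead of being blocked. The feed layout (`#` comment lines, one IPv4 address per line), the sample data, the allowlist and the function name are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the assumed feed layout ('#' comments, one IPv4 per line).
SAMPLE_FEED = """\
# RW_IPBL (constructed sample, documentation addresses only)
203.0.113.10
198.51.100.7
198.51.100.7
10.0.0.5
not-an-ip
192.0.2.44
"""

# Hypothetical allowlist: networks that must never be blocked (own hosting, partners).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Internal and special ranges, listed explicitly because ip.is_private would also
# match the documentation ranges used in the sample.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def filter_ipbl(feed_text, allowlist=ALLOWLIST):
    """Return (block, held): addresses to push, and (entry, reason) pairs to review."""
    block, held, seen = [], [], set()
    for raw in feed_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and duplicate entries.
        if not line or line.startswith("#") or line in seen:
            continue
        seen.add(line)
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            held.append((line, "malformed"))
            continue
        if any(ip in net for net in INTERNAL):
            held.append((line, "internal"))
        elif any(ip in net for net in allowlist):
            held.append((line, "allowlisted"))
        else:
            block.append(str(ip))
    return block, held


if __name__ == "__main__":
    block, held = filter_ipbl(SAMPLE_FEED)
    print("block:", block)
    print("held for review:", held)
```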
The table below provides separate blocklists for each malware and blocklist type. They allow you to be more specific in what you want to block (e.g. only a certain malware family or blocklist type).
|Blocklist||Malware||Scope||Blocklist Type||FP Risk||Download|
|CW_PS_DOMBL||CryptoWall||Payment Sites||Domain Blocklist|
|CW_PS_IPBL||CryptoWall||Payment Sites||IP Blocklist|
|TC_PS_DOMBL||TeslaCrypt||Payment Sites||Domain Blocklist|
|TC_PS_IPBL||TeslaCrypt||Payment Sites||IP Blocklist|
|TC_DS_URLBL||TeslaCrypt||Distribution Sites||URL Blocklist|
|LY_PS_DOMBL||Locky||Payment Sites||Domain Blocklist|
|LY_PS_IPBL||Locky||Payment Sites||IP Blocklist|
|LY_DS_URLBL||Locky||Distribution Sites||URL Blocklist|
|TL_PS_DOMBL||TorrentLocker||Payment Sites||Domain Blocklist|
|TL_PS_IPBL||TorrentLocker||Payment Sites||IP Blocklist|
|CB_PS_IPBL||Cerber||Payment Sites||IP Blocklist|
|CB_PS_DOMBL||Cerber||Payment Sites||Domain Blocklist|
As with all abuse.ch projects, the use of the blocklists mentioned above is free for both commercial and non-commercial usage without any limitation. However, if you are a commercial vendor of security software/services and you would like to integrate data from Ransomware Tracker into your products / services, I would appreciate it if you could give me a short heads up using the contact form.
abuse.ch is not responsible for any false positives caused by Ransomware Tracker, nor is abuse.ch liable for any harm that may be caused by the use of Ransomware Tracker. All data comes with absolutely no warranty and is provided on a best effort basis only.