Blocklist

Ransomware Tracker offers various types of blocklists that allow you to block Ransomware botnet C&C traffic. The available Ransomware blocklists are documented below. The update interval is 5 minutes.

Combined Blocklists

If you don't want to implement a separate blocklist for each malware and blocklist type, you can use the combined blocklists below.

| Blocklist | Description | Datasets | FP Risk | Download |
|---|---|---|---|---|
| RW_DOMBL | Domain Blocklist | All *_DOMBL datasets except CW_C2_DOMBL, TC_C2_DOMBL (recommended) | Low | download |
| RW_URLBL | URL Blocklist | CW_C2_URLBL, TC_C2_URLBL, TC_DS_URLBL, LY_DS_URLBL (recommended) | Low | download |
| RW_IPBL | IP Blocklist | TC_PS_IPBL, LY_C2_IPBL, TL_C2_IPBL, TL_PS_IPBL, CB_PS_IPBL (recommended) | Medium | download |

The combined blocklists above are the recommended blocklists that should be used. They might not catch everything, but the false positive rate should be low. However, false positives are possible, especially with regard to RW_IPBL. IP addresses associated with Ransomware Payment Sites (*_PS_IPBL) or Locky botnet C&Cs (LY_C2_IPBL) stay listed on RW_IPBL for 30 days after their last appearance. This means that an IP address remains on RW_IPBL for another 30 days even after the threat has been eliminated (e.g. the VPS / server has been suspended by the hosting provider).
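An added example (not abuse.ch code) that applies the FP Risk column as policy: block on the Low-risk RW_DOMBL and RW_URLBL, only alert on the Medium-risk RW_IPBL, whose entries can outlive the threat by 30 days. The one-entry-per-line file format with `#` comments, the block/alert mapping, and all sample entries and events are assumptions constructed for illustration.

```python
# FP risk per combined list, as given in the table on this page.
FP_RISK = {"RW_DOMBL": "Low", "RW_URLBL": "Low", "RW_IPBL": "Medium"}
ACTION = {"Low": "block", "Medium": "alert"}  # assumed local policy, not from the page
RANK = {"allow": 0, "alert": 1, "block": 2}

def parse_blocklist(text):
    """Assumed file format: one entry per line, lines starting with '#' are comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def norm_url(url):
    """Drop the scheme and lowercase the host so list and log entries compare equal."""
    host, sep, path = url.split("://", 1)[-1].partition("/")
    return host.lower() + sep + path

def load(raw):
    """Parse the raw list bodies and normalise domain and URL entries."""
    lists = {name: parse_blocklist(text) for name, text in raw.items()}
    lists["RW_DOMBL"] = {d.lower().rstrip(".") for d in lists["RW_DOMBL"]}
    lists["RW_URLBL"] = {norm_url(u) for u in lists["RW_URLBL"]}
    return lists

def classify(event, lists):
    """Return (action, matched_lists); the strongest action among all hits wins."""
    probes = {"RW_DOMBL": event["host"].lower().rstrip("."),
              "RW_URLBL": norm_url(event["url"]),
              "RW_IPBL": event["ip"]}
    hits = sorted(name for name, value in probes.items() if value in lists[name])
    action = max((ACTION[FP_RISK[n]] for n in hits), key=RANK.get, default="allow")
    return action, hits

# Constructed sample lists and proxy events (reserved documentation names/addresses).
RAW = {
    "RW_DOMBL": "# constructed sample\nbad-c2.example\n",
    "RW_URLBL": "# constructed sample\nhttp://dropper.example/payload.exe\n",
    "RW_IPBL": "# constructed sample\n192.0.2.10\n",
}
EVENTS = [
    {"host": "bad-c2.example", "ip": "198.51.100.5", "url": "http://BAD-C2.example/gate"},
    {"host": "shared-host.example", "ip": "192.0.2.10", "url": "http://shared-host.example/"},
    {"host": "dropper.example", "ip": "192.0.2.10", "url": "http://dropper.example/payload.exe"},
    {"host": "intranet.example", "ip": "203.0.113.7", "url": "https://intranet.example/"},
]

def run():
    lists = load(RAW)
    return [classify(event, lists) for event in EVENTS]

if __name__ == "__main__":
    for event, result in zip(EVENTS, run()):
        print(event["host"], event["ip"], *result)
```

The second event is the case the paragraph above warns about: an unrelated host on an IP address that is still listed produces an alert for review rather than a block.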

Separated Blocklists

The table below provides separated blocklists for each malware and blocklist type. They allow you to be more specific in what you want to block (e.g. only a certain malware family or blocklist type).

| Blocklist | Malware | Scope | Blocklist Type | FP Risk | Download |
|---|---|---|---|---|---|
| CW_C2_URLBL | CryptoWall | C2 | URL Blocklist | Low | download |
| CW_C2_DOMBL | CryptoWall | C2 | Domain Blocklist | High | download |
| CW_PS_DOMBL | CryptoWall | Payment Sites | Domain Blocklist | Low | download |
| CW_PS_IPBL | CryptoWall | Payment Sites | IP Blocklist | Medium | download |
| TC_C2_URLBL | TeslaCrypt | C2 | URL Blocklist | Low | download |
| TC_C2_DOMBL | TeslaCrypt | C2 | Domain Blocklist | High | download |
| TC_PS_DOMBL | TeslaCrypt | Payment Sites | Domain Blocklist | Low | download |
| TC_PS_IPBL | TeslaCrypt | Payment Sites | IP Blocklist | Medium | download |
| TC_DS_URLBL | TeslaCrypt | Distribution Sites | URL Blocklist | Low | download |
| LY_C2_DOMBL | Locky | C2 | Domain Blocklist | Low | download |
| LY_C2_IPBL | Locky | C2 | IP Blocklist | Medium | download |
| LY_PS_DOMBL | Locky | Payment Sites | Domain Blocklist | Low | download |
| LY_PS_IPBL | Locky | Payment Sites | IP Blocklist | High | download |
| LY_DS_URLBL | Locky | Distribution Sites | URL Blocklist | Low | download |
| TL_C2_DOMBL | TorrentLocker | C2 | Domain Blocklist | Low | download |
| TL_C2_IPBL | TorrentLocker | C2 | IP Blocklist | Medium | download |
| TL_PS_DOMBL | TorrentLocker | Payment Sites | Domain Blocklist | Low | download |
| TL_PS_IPBL | TorrentLocker | Payment Sites | IP Blocklist | Medium | download |
| CB_PS_IPBL | Cerber | Payment Sites | IP Blocklist | Medium | n/a |
| CB_PS_DOMBL | Cerber | Payment Sites | Domain Blocklist | Low | n/a |

Terms Of Use

As for all abuse.ch projects, the use of the blocklists mentioned above is free for both commercial and non-commercial usage without any limitation. However, if you are a commercial vendor of security software/services and you would like to integrate data from Ransomware Tracker into your products / services, I would appreciate it if you could give me a short heads-up using the contact form.

abuse.ch is not responsible for any false positives caused by Ransomware Tracker, nor is abuse.ch liable for any harm that may be caused by the use of Ransomware Tracker. All data comes with absolutely no warranty and is provided on a best effort basis only.