Happy Sunday dear readers and please don your Sherlock Cap to help suss out this mystery. I regularly track newly-registered ransomware-themed domain names to see if there are any interesting patterns and I might have one.
Since the beginning of June, there have been three seemingly related domains registered:
June 15th - ransomware-recovery-method-916663[.]zone
June 13th - ransomware-recovery-method-75138236[.]today
June 5th - ransomware-recovery-method-377612[.]world
The [.]world and [.]zone domain names were registered through enom, while the [.]today domain was registered through GoDaddy. None of the domains have subdomains, as far as I can tell, and all are currently parked.
None of them register as being malicious on any of the usual sites.
But, this feels shady. And so much of what we do in intelligence analysis starts with your Spidey Sense tingling. Of course, as any good analyst will tell you, sometimes your Spidey Sense is wrong and it just sends you down a path that leads to nowhere.
For now, I am going to keep my eyes out for these domains, and any new domains that match the pattern, to see if anything changes. If anything does change I will update you all.
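To keep watching for new registrations that follow this naming pattern, here is an added example (mine, not the author's): it refangs each feed entry, matches the observed `ransomware-recovery-method-<digits>.<tld>` shape, and tallies hits by registrar and TLD. The "date,domain,registrar" feed format and the decoy entries are constructed for illustration; the three matching domains are the ones listed above.

```python
import re
from collections import Counter

# Naming pattern observed in the post: ransomware-recovery-method-<digits>.<tld>
PATTERN = re.compile(r"^ransomware-recovery-method-(?P<suffix>\d+)\.(?P<tld>[a-z]{2,})$")

# Constructed sample of a newly-registered-domain feed ("date,domain,registrar" per line).
# The first three entries are the domains from the post; the rest are decoys.
SAMPLE_FEED = """\
# date,domain,registrar
June 5th,ransomware-recovery-method-377612[.]world,enom
June 13th,ransomware-recovery-method-75138236[.]today,GoDaddy
June 15th,ransomware-recovery-method-916663[.]zone,enom
June 15th,ransomware-recovery-method[.]net,enom
June 16th,RANSOMWARE-RECOVERY-METHOD-42[.]shop,Namecheap
June 16th,my-ransomware-recovery-method-1[.]zone,enom
"""

def refang(domain):
    """Normalise defanged notation ('[.]', '(.)') and case so the regex can match."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")

def defang(domain):
    """Defang a domain again before it goes into a report or a ticket."""
    return domain.replace(".", "[.]")

def find_matches(feed_text):
    """Return one record per feed line whose domain fits the pattern, in feed order."""
    hits = []
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue  # malformed line; a real feed parser would log this
        date, raw_domain, registrar = parts
        match = PATTERN.match(refang(raw_domain))
        if match:
            hits.append({"date": date, "domain": defang(match.group(0)),
                         "suffix": match["suffix"], "tld": match["tld"],
                         "registrar": registrar})
    return hits

def summarise(hits):
    """Count matches per registrar and per TLD to show how the cluster spreads."""
    return {"registrar": Counter(h["registrar"] for h in hits),
            "tld": Counter(h["tld"] for h in hits)}

if __name__ == "__main__":
    found = find_matches(SAMPLE_FEED)
    for h in found:
        print(f"{h['date']:>10}  {h['domain']:<44} suffix={h['suffix']:<9} {h['registrar']}")
    print(summarise(found))
```

The two decoys (no numeric suffix, and a prefix in front of the pattern) are deliberately excluded so the tally reflects only the exact naming shape; loosen the regex if you want to catch look-alikes as well.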