IP addresses that have been observed sending ransomware-like traffic to port 445
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
payloads Add a list of payloads Nov 18, 2017
LICENSE Initial commit Nov 16, 2017
README.md Update README.md Sep 26, 2018
generate.sh Update IP set for 2018-24-01 00:00:01 Jan 23, 2018
ms-ds-violation-ips.ipset Update IP set for 2019-21-01 04:00:01 Jan 21, 2019


Microsoft DS Exploiting IP Addresses

This is a list of IP addresses that have been caught either doing stealth SYN scans or attacking port 445 of Windows machines. This behaviour, along with payloads that we've collected, coming from some of these IPs, match that of ransomware malware. The update frequency is currently set to 4 hours and will be completely automated from now on.

Importing and Using

This list contains a lot of IP adresses and is typically not suggested to import all of them because it could slow down your firewall.

Import to UFW

while read -r line; do
    ufw insert 1 deny from $line to any
done < <(grep "^[^#]" ms-ds-violation-ips.ipset)

Import to IPTables

This is similar to the UFW import, just change the command.

while read -r line; do
    iptables -A INPUT -s $line -j DROP
done < <(grep "^[^#]" ms-ds-violation-ips.ipset)


Where do these IPs come from?

From various places and people. There has been proof for all IPs added to the list.

Are you sure they are evil?

These IPs have been reported to scan servers/honepots specifically on port 445 and/or that have attempted to send malicious payloads on an open 445 port. There's no reason someone would try to do this other than being having malicious intent.

How do I report IPs?

Coming soon.

How long will these IPs stay on this list?

For a long time, but likely not more than a year.

I see my IP in that list, how do I get it off the list?

If you're asking yourself this question, it is likely that you are not a bad actor, thus IPs will be whitelisted based on proof that you (recently) obtained said IP address. However, the reputation of the organization that owns this IP address or space will greatly influence the decision. Regardles, open an issue and the request will be evaluated. If your IP is removed from this list and it later appears to have resumed malicious activity, then it'll remain on the list for a very long time.


This repository is licenced under the MIT License because threat intelligence should be completely open.