this Teslacrypt attack, sharing infrastructure with some of the malicious domains in question. In addition to Teslacrypt, some of these are connected with PoSeidon, Pony and Gozi malware.
The analysis [csv] includes SURBL and Google ratings, ISP information and a recommended blocklist.
Partly or wholly malicious IPs:
18.104.22.168/26 (Duomenu Centras, UA)
22.214.171.124/24 (JSC Server, RU)
126.96.36.199/27 (New Wave NetConnect, US)
188.8.131.52/27 (Net3 Inc, US)
184.108.40.206/30 (OVH / Dmitry Shestakov, BZ)
220.127.116.11/20 (PE Ivanov Vitaliy Sergeevich, UA)
18.104.22.168 (Fornex Hosting, NL)
22.214.171.124/28 (CloudSol LLC, Russia)
I've blocked traffic to 126.96.36.199/20 for two years with no ill-effects, it seems to be a particularly bad network. There may be a few legitimate sites hosted in these ranges, they would mostly be Russian.. so if you don't usually visit Russian websites then the collateral damage might be acceptable.