this Teslacrypt attack, sharing infrastructure with some of the malicious domains in question. In addition to Teslacrypt, some of these are connected with PoSeidon, Pony and Gozi malware.
The analysis [csv] includes SURBL and Google ratings, ISP information and a recommended blocklist.
Partly or wholly malicious IPs:
188.8.131.52/26 (Duomenu Centras, UA)
184.108.40.206/24 (JSC Server, RU)
220.127.116.11/27 (New Wave NetConnect, US)
18.104.22.168/27 (Net3 Inc, US)
22.214.171.124/30 (OVH / Dmitry Shestakov, BZ)
126.96.36.199/20 (PE Ivanov Vitaliy Sergeevich, UA)
188.8.131.52 (Fornex Hosting, NL)
184.108.40.206/28 (CloudSol LLC, Russia)
I've blocked traffic to 220.127.116.11/20 for two years with no ill effects; it seems to be a particularly bad network. There may be a few legitimate sites hosted in these ranges; they would mostly be Russian, so if you don't usually visit Russian websites then the collateral damage might be acceptable.