Tuesday, July 23, 2024

New Techniques To Identify Ransomware Operators’ Dark Web Domains – Cisco Talos

Researchers from Cisco Talos have described techniques that help identify the dark web domains operated by ransomware groups, and have successfully applied them to uncover previously unknown infrastructure belonging to the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups.

These techniques exploit the operators’ own operational security failures: they match the actors’ publicly indexed SSL/TLS certificate serial numbers and page elements against what is seen on their hidden services.

Ransomware is one of the most common cyber threats, attacking both companies and private users. It works by encrypting the victim’s files, making them inaccessible unless the victim holds the decryption key.

Once executed on a system, ransomware encrypts the files and makes them inaccessible; because it uses strong encryption, recovering the affected systems without the decryption key is practically impossible.

Most ransomware operators rely on the dark web for their illegal activities, such as distribution, affiliate management and collecting payments from victims, using The Onion Router (Tor), which is the only way to reach dark web sites.

However, the threat actors’ improper use of Tor and their configuration mistakes can expose their activity to the public, to security researchers, or to law enforcement agencies.

Since dark web domains are not publicly indexed, the researchers employed the following techniques to identify the hidden infrastructure of ransomware operators such as the DarkAngels, Snatch, Quantum and Nokoyawa groups.

TLS Certificate Matching

In this method, the researchers identified the self-signed certificate associated with a dark web site and matched it against the indexed public web to find out whether the same certificate is also in use on the public internet.

This TLS certificate matching method was successfully applied to the DarkAngels ransomware group and uncovered both their dark web operations and their non-indexed Tor hidden service.

“Through which operators set up a countdown timer to the publication of victim data, as well as links for victims to use to enter a chat room with DarkAngels affiliates to discuss ransom payment negotiations.” Talos Researchers said.

In further analysis, the researchers extracted the serial number from the TLS certificate and matched it against Shodan, a search engine that catalogs TLS certificate information for internet-facing hosts.

“By leveraging Shodan’s index, we discover the same certificate the DarkAngels actors have created for themselves is also in use by a host in Singapore with the IP address 89.38.225[.]166. According to whois.ripe.net, this host belongs to M247 LTD Singapore (AS9009).” Talos Researchers said.

Favicon Matching

A favicon is the icon associated with a URL and displayed in the browser’s address bar; it serves as a visual branding badge for web properties.

In this case, similar to the previous method, the researchers searched the indexed public internet to see whether specific favicons seen on dark web sites also appear on the clear net.

This approach was successfully used against the Quantum ransomware gang to discover their dark web infrastructure hosted on the public internet.

“Quantum has been making the news lately for their high-speed ransomware campaigns, but they’re not immune to making basic operational security (OPSEC) failures. Much like every ransomware group, Quantum operates a hidden service blog on TOR on which they post stolen victim data.”

The researchers then retrieved the favicon file, stored in the web root as favicon.ico, from the Quantum blog’s Tor hidden service and calculated its hash value.

Finally, Shodan revealed that the hash matched an indexed favicon hash, yielding the clear web IP address 185.38.185[.]32, hosted in the Netherlands.
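The favicon hash used in that lookup follows a fixed convention: Shodan’s `http.favicon.hash` filter is the MurmurHash3 (x86, 32-bit) of the icon bytes after base64 encoding with MIME line wrapping. The following added example (not code from the article or from Talos) implements that computation in pure Python so a defender can check whether an icon served by their own infrastructure would be matchable; `SAMPLE_ICON` is a constructed stand-in for a real favicon.ico.

```python
import base64
import struct

MASK32 = 0xFFFFFFFF

def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Appleby's reference algorithm), returned as a
    signed 32-bit int, which is how the mmh3 library and Shodan report it."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks, little-endian
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = _rotl32((k * c1) & MASK32, 15)
        h ^= (k * c2) & MASK32
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                     # 0-3 trailing bytes
    if tail:
        k = 0
        for j in range(len(tail)):
            k ^= tail[j] << (8 * j)
        k = _rotl32((k * c1) & MASK32, 15)
        h ^= (k * c2) & MASK32
    h ^= len(data)                                # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon_bytes: bytes) -> int:
    """Hash a favicon the way Shodan's http.favicon.hash does: base64 with
    MIME line wrapping (base64.encodebytes), then MurmurHash3 of that text."""
    return murmur3_32(base64.encodebytes(icon_bytes))

def shodan_query(icon_bytes: bytes) -> str:
    """Search filter that would surface clear-web hosts serving this icon."""
    return f"http.favicon.hash:{favicon_hash(icon_bytes)}"

# Constructed stand-in for a favicon.ico pulled from a site you administer.
SAMPLE_ICON = bytes(range(256)) * 4

if __name__ == "__main__":
    print(murmur3_32(b"foo"))        # -156908512, the mmh3 reference value
    print(shodan_query(SAMPLE_ICON))
```

Feeding the resulting query to Shodan shows every indexed host serving the same icon, which is exactly the overlap that exposed the Quantum blog’s clear-web address.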


Catastrophic Opsec Failures

Poor configuration can produce catastrophic security errors that undo an operator’s anonymity: a ransomware operator who fails to set proper file permissions can create a glaring directory traversal vulnerability that leads straight to the ransomware administrator’s real location.

Using this method, the researchers traced the Nokoyawa ransomware group, which shares code similarities with the Karma ransomware operation.

“Like most ransomware groups, once they’ve breached a network and encrypted its contents, they drop a ransom note for the system administrators containing a web address for a TOR hidden service, and the victim can then go chat with the ransomware affiliates to try and negotiate for a decryption key.”

Each victim receives a unique identifier, specific to the company attacked, of the following form:


Through this chat, victims communicate with the affiliates and upload sample files, which the ransomware operators decrypt to prove that their key works.

In this case, the researchers took advantage of the affiliates’ catastrophic security mistakes and manipulated file paths to perform a directory traversal.

As a result, the researchers identified root user logins from two IP addresses, 5.230.29[.]12 and 176.119.0[.]195, which belong to GHOSTnet GmbH and Tyatkova Oksana Valerievna respectively.

“We find that most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany and Singapore) to host their ransomware operations sites. They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.” Researchers said.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.