New Techniques To Identify Ransomware Operators’ Dark Web Domains – Cisco Talos

Researchers from Cisco Talos found techniques that help them to identify the dark web domains operating by the ransomware groups, and the techniques have been successfully implemented to identify the unknown infrastructure for the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups.

These techniques are used against ransomware operators’ security failure, and match the actor’s publically indexed SSL certificate serial number and page elements.

Ransomware is one of the most common cyber threats that attack both companies and private users. It works by encrypting the victim files, making them available to access unless they have the key.

Once executed in your system, ransomware encrypts your files and makes them inaccessible since It uses the most advanced forms of end-to-end encryption that’s almost impossible to recover the affected systems without a decryption key.

Mostly Ransomware operators are utilizing the dark web for their illegal activities such as distribution, affiliation, and collecting payment from victims with the help of Onion Router (TOR) which is the only medium to access the dark web sites.

But the Threat actor’s improper usage of TOR and makes configuration mistakes lead their activity to become public, security researchers, or law enforcement agencies.

Since the Dark web domains aren’t publically indexed, Researchers employed the following techniques to identify the ransomware operators’ such as DarkAngels, Snatch, Quantum, and Nokoyawa ransomware groups’ hidden infrastructures.

TLS Certificate Matching

In this method, researchers identified the self-signing certificate associated with the dark websites and matched it with indexed web to find whether it has any indication that used on the public internet.

This TLS certificate matching method has been successfully applied and found the Dark Angels ransomware groups’ Dark web operations and their non-indexed TOR hidden service.

“Through which operators set up a countdown timer to the publication of victim data, as well as links for victims to use to enter a chat room with DarkAngels affiliates to discuss ransom payment negotiations.” Talos Researchers said.

In the further analysis, researchers extract the serial number from the TLS certificate and matched them with the web crawlers Shodan which catalogs TLS certificate information.

“By leveraging Shodan’s index, we discover the same certificate the DarkAngels actors have created for themselves is also in use by a host in Singapore with the IP address 89.38.225[.]166. According to whois.ripe.net, this host belongs to M247 LTD Singapore (AS9009).” Talos Researchers said.

Favicon Matching

 Favicon is an icon that is associated with the URL displayed in the address bar and serves as a visual branding badge for web properties.

In this case, similar to the previous method, researchers index the public internet to see if specific favicons on the dark web appear on the clear net as well.

This approach has been successfully used to identify the Quantum ransomware gang to discover their dark web infrastructure hosted on the public internet. 

“Quantum has been making the news lately for their high-speed ransomware campaigns, but they’re not immune to making basic operational security (OPSEC) failures. Much like every ransomware group, Quantum operates a hidden service blog on TOR on which they post stolen victim data.”

Later moment researchers found the favicon file stored in the web root directory as favicon.ico from Quantum blog’s hidden service on TOR and they calculate the hash value.

Finally, Shodan reveals that the hash files matched the indexed favicon file hash and obtains the clear web IP address of 185.38.185[.]32 which is hosted in the Netherland.

Catastrophic Opsec Failures

Due to poor configuration make catastrophic security error that reveals their anonymity ransomware operator fails to establish proper file permissions, and creates a glaring directory traversal vulnerability which leads to finding the exact ransomware admin location.

With the help of this method, Researchers found the traces of Nokoyawa ransomware group that shares the code similarities with the Karma ransomware operation.

“Like most ransomware groups, once they’ve breached a network and encrypted its contents, they drop a ransom note for the system administrators containing a web address for a TOR hidden service, and the victim can then go chat with the ransomware affiliates to try and negotiate for a decryption key. “

Through which each victim gets a unique identifier as following that is unique to each company they attack:

http(:)//lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion/pay?id=qruytnwpfyfjozignatcmtblnhtcqgaa

By accessing this, victims communicate with affiliates to upload their files, and the ransomware operators will decrypt the sample to prove the validation that their key works for decryption.

In this care, researchers take advantage of the affiliate’s catastrophic security mistakes and tamper with the files for a directory traversal attack.

As a result, researchers successfully root user logins from two IP addresses  5.230.29[.]12 , 176.119.0[.]195 which belong to GHOSTnet GmbH and Tyatkova Oksana Valerievna respectively.

“We find that most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany and Singapore) to host their ransomware operations sites. They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.” Researchers said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.