Researchers Share Techniques for Discovering Anonymous Ransomware Sites on the Dark Web
Cybersecurity researchers have detailed the various measures ransomware operators take to conceal their true identity online and the location where their web server infrastructure is hosted.
"Most ransomware operators use hosting service providers outside their country of origin (such as Sweden, Germany and Singapore) to host their ransomware operating sites," said Paul Eubanks, a Cisco Talos researcher. "When they connect to their ransomware network infrastructure for remote management tasks, they use a VPS as a proxy to hide their true location."
Also prominent is the use of the Tor network and DNS proxy registration services to provide an additional layer of anonymity for their illicit operations.
However, by taking advantage of the threat actors' operational security lapses and by applying other techniques, the cybersecurity firm disclosed last week that it was able to identify Tor hidden services hosted on public IP addresses, some of which were previously unknown infrastructure associated with the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups.
While ransomware groups are known to rely on the dark web to mask their illegal activities, from leaking stolen data to negotiating payments with victims, Talos revealed that it was able to identify "public IP addresses hosting the same threat actor infrastructure as those on the dark web."
"The method we use to identify public Internet IPs involves matching the threat actor's [self-signed] TLS certificate serial number and page elements to an index on the public Internet," Eubanks said.
In addition to TLS certificate matching, a second method used to discover an attacker's clearnet infrastructure is to use a web crawler such as Shodan to compare the favicons associated with dark web sites against those seen on the public Internet.
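The two pivots described above, certificate serial and favicon, as an added worked example in Python; this is not Talos's tooling. It implements the Shodan-style favicon hash (MurmurHash3 over the MIME base64 text of the icon) and matches an onion site's fingerprint against a constructed, in-memory stand-in for a public scan index, keeping the weaker single-pivot hits separate from the strong double match.

```python
import base64
def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as a signed int (the convention mmh3.hash uses)."""
    c1, c2, m = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    def mix(k):  # mixing of one little-endian 32-bit word
        k = k * c1 & m
        k = (k << 15 | k >> 17) & m
        return k * c2 & m
    h, n = seed & m, len(data) // 4
    for i in range(n):
        h ^= mix(int.from_bytes(data[4 * i:4 * i + 4], "little"))
        h = ((h << 13 | h >> 19) & m) * 5 + 0xE6546B64 & m
    if len(data) % 4:  # 1-3 trailing bytes are mixed without the block rotation
        h ^= mix(int.from_bytes(data[4 * n:], "little"))
    h ^= len(data)
    h = (h ^ h >> 16) * 0x85EBCA6B & m
    h = (h ^ h >> 13) * 0xC2B2AE35 & m
    h ^= h >> 16
    return h - (1 << 32) if h >> 31 else h

def favicon_hash(icon: bytes) -> int:
    """Shodan-style favicon hash: mmh3 of the MIME base64 text (76-char lines + newline)."""
    return murmur3_32(base64.encodebytes(icon))

def norm_serial(serial: str) -> str:
    """Certificate serials as bare lowercase hex, whatever the scan tool's formatting."""
    return serial.lower().replace(":", "").removeprefix("0x")

def match_clearnet(onion_serial: str, onion_icon: bytes, index: list) -> dict:
    """index holds (ip, cert_serial, favicon_bytes) records standing in for a public
    scan dataset. Both pivots agreeing is the strong signal; a favicon-only hit may be
    a shared default icon, a serial-only hit a cloned or reused certificate."""
    want = norm_serial(onion_serial), favicon_hash(onion_icon)
    out = {"both": [], "serial_only": [], "favicon_only": []}
    for ip, serial, icon in index:
        got = norm_serial(serial), favicon_hash(icon)
        if got == want:
            out["both"].append(ip)
        elif got[0] == want[0]:
            out["serial_only"].append(ip)
        elif got[1] == want[1]:
            out["favicon_only"].append(ip)
    return out

# Constructed sample data: documentation-range IPs, made-up serial and icon bytes.
ONION_SERIAL, ONION_ICON = "1A:2B:3C:4D", bytes(range(64)) * 3
CLEARNET_INDEX = [("203.0.113.10", "1a2b3c4d", ONION_ICON),      # cert and icon match
                  ("198.51.100.7", "0x1a2b3c4d", b"other"),      # same cert, other icon
                  ("192.0.2.5", "ffee", ONION_ICON)]             # icon only
```

Against real scan data the favicon hash is the value to query a search engine for, and the serial comparison is what confirms the candidate; neither pivot alone is attribution.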
In the case of Nokoyawa, a new Windows ransomware that emerged earlier this year and shares many code similarities with Karma, sites hosted on the Tor hidden service were found to have directory traversal vulnerabilities that allowed the researchers to access the "/var/log/auth.log" file, which records user logins.
The findings showed that not only could the criminals' site be accessed by any user on the Internet, but other infrastructure components, including identifying server data, were also exposed, effectively making it possible to obtain the login locations used to manage the ransomware server.
Further analysis of the successful root logins showed that they came from two IP addresses, 220.127.116.11 and 18.104.22.168, the former belonging to GHOSTnet GmbH, a hosting provider offering virtual private server (VPS) services.
"However, 22.214.171.124 belongs to AS58271, which is listed under the name Tyatkova Oksana Valerievna," Eubanks noted, adding that "operators may have forgotten to use the German-based VPS for obfuscation and logged into a session with that web server directly from its real IP of 126.96.36.199."
The findings come as the emerging Black Basta ransomware operators expand their attack arsenal by using QakBot for initial access and lateral movement and by exploiting the PrintNightmare vulnerability (CVE-2021-34527) for privileged file manipulation.
What's more, the LockBit ransomware gang announced the release of LockBit 3.0 last week with the tagline "Make Ransomware Great Again!" in addition to launching their own bug bounty program, which offers rewards of $10 million to $1 million for "brilliant ideas" to find security flaws and improve their software.
In a statement, Tenable Senior Research Engineer Satnam Narang said, "The release of LockBit 3.0 and the introduction of the Vulnerability Bounty Program is a formal invitation to cybercriminals to help assist the organization in its quest to stay ahead of the curve."
"A key focus of the Vulnerability Bounty Program is on defensive measures: preventing security researchers and law enforcement from finding vulnerabilities in its leaked sites or ransomware, identifying ways in which members, including the membership program, may be manned, and discovering vulnerabilities in the messaging software the organization uses for internal communications and in the Tor network itself."
"The threat of being manned or identified shows that law enforcement efforts are clearly a great concern for organizations such as LockBit. Finally, the organization is planning to offer Zcash as a payment method, which is important because Zcash is harder to track than Bitcoin, making it more difficult for researchers to monitor the organization's activities."
From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.