Three techniques developed by Cisco Talos aim to expose the infrastructure of dark websites owned by ransomware operators, a blog post said on Tuesday.
According to the blog post, titled “De-Anonymizing Ransomware Domains on the Dark Web,” the methods are capable of providing additional visibility into dark websites – a task that is normally difficult due to the nature of hidden services.
Cisco Talos Senior Threat Research Engineer Paul Eubanks wrote in the post that the techniques provided new insights into the infrastructure of the DarkAngels, Nokoyawa, Quantum, and Snatch ransomware groups.
The first method matches the serial numbers of the attackers' TLS certificates against certificates indexed on the clear web, or public internet. The second works the same way but matches browser favicons (the icons displayed next to a site's URL in the browser's address bar) served by dark web sites against those indexed from public websites.
The third technique takes advantage of "catastrophic security errors" and misconfigurations that reduce anonymity. For example, Eubanks described how the operators of Nokoyawa ransomware failed to set proper file permissions, leaving a directory traversal vulnerability.
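The first two techniques come down to computing an identifier for an artifact the hidden service serves and looking it up in a clear-web index. The Python script below is added here as an illustration; it is not code from Cisco Talos, from the Shodan project, or from the article. It shows both pivots against constructed data: a favicon hashed the way Shodan indexes favicons (MurmurHash3 x86 32-bit, seed 0, over the output of base64.encodebytes(), implemented in pure Python so no mmh3 package is needed) and a certificate serial number read straight out of the DER structure and compared with how crawlers render it. The icon bytes, serial numbers, index entries and IP addresses are all made up.

```python
# Added example (not Cisco Talos code). Sample icons, serials and IPs are constructed.
import base64

MASK32 = 0xFFFFFFFF

def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32

def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 (reference algorithm), returned unsigned."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                       # body: 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
        h ^= k
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail, k = data[4 * nblocks:], 0                # 0-3 trailing bytes
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if tail:
        k ^= tail[0]
        h ^= (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
    h ^= len(data)
    h ^= h >> 16                                   # finalisation mix
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)

def shodan_favicon_hash(icon: bytes) -> int:
    """Shodan's http.favicon.hash: mmh3 of base64.encodebytes(icon), as signed int32."""
    h = murmurhash3_32(base64.encodebytes(icon))
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_matches(icon: bytes, clearweb_index: dict) -> list:
    """Hosts in a crawler index (host -> icon bytes) serving the same favicon."""
    target = shodan_favicon_hash(icon)
    return [host for host, ico in clearweb_index.items() if shodan_favicon_hash(ico) == target]

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short form and 1- or 2-byte long-form lengths."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _der_int(n: int) -> bytes:
    """DER INTEGER, with the 0x00 pad byte when the top bit is set."""
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_cert_skeleton(serial: int, with_version: bool = True) -> bytes:
    """Constructed Certificate: the TBS fields up to serialNumber are real, the rest
    are empty placeholders. Enough for a serial parser, not a valid certificate."""
    tbs = _der(0xA0, _der_int(2)) if with_version else b""   # [0] EXPLICIT version (v3)
    tbs += _der_int(serial) + _der(0x30, b"")                 # serialNumber, signature alg
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def _tlv(buf: bytes, off: int):
    """Tag and length at off -> (tag, value_start, value_end)."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first & 0x80:                               # long form: next n bytes hold the length
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    return tag, off, off + length

def der_serial(cert: bytes) -> str:
    """Serial of a DER X.509 certificate as lowercase hex without leading zeros."""
    tag, pos, _ = _tlv(cert, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(cert, pos)                  # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, start, end = _tlv(cert, pos)
    if tag == 0xA0:                                # optional [0] version precedes the serial
        tag, start, end = _tlv(cert, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return format(int.from_bytes(cert[start:end], "big", signed=True), "x")

def serial_matches(cert: bytes, clearweb_serials: dict) -> list:
    """Hosts in a crawler index (host -> serial as rendered, e.g. colon-separated hex)
    whose certificate serial equals the one in cert."""
    wanted = der_serial(cert)
    # normalise the index rendering: drop separators, case and leading zeros
    return [host for host, s in clearweb_serials.items()
            if s.replace(":", "").lower().lstrip("0") == wanted]

# Constructed sample data: made-up icon bytes, a made-up serial, documentation IPs.
LEAK_SITE_ICON = bytes.fromhex("00000100010010100000010020006804") + b"\x5a" * 40
CLEARWEB_FAVICONS = {
    "203.0.113.10": LEAK_SITE_ICON,                # same icon also served on the clear web
    "198.51.100.7": bytes.fromhex("00000100010010100000") + b"\x11" * 40,
}
LEAK_SITE_SERIAL = 0x0C2F8D1A4BE6E4A7F8E3B2D1
CLEARWEB_SERIALS = {
    "203.0.113.10": "0C:2F:8D:1A:4B:E6:E4:A7:F8:E3:B2:D1",
    "198.51.100.7": "7e:94:1c:00:aa:bb:cc:dd:ee:ff:01:02",
}

if __name__ == "__main__":
    cert = build_cert_skeleton(LEAK_SITE_SERIAL)
    print("favicon hash:", shodan_favicon_hash(LEAK_SITE_ICON),
          "matches:", favicon_matches(LEAK_SITE_ICON, CLEARWEB_FAVICONS))
    print("serial:", der_serial(cert), "matches:", serial_matches(cert, CLEARWEB_SERIALS))
```

Two caveats a practitioner would apply before treating a hit as attribution. A favicon hash only says two hosts serve the same icon, and stock icons (a web framework's default, a popular CMS theme) are shared by thousands of unrelated hosts, so a match on a generic icon means nothing. A serial number is only unique within one issuing CA, and a clear-web host may sit on a shared IP, so a serial hit should be confirmed by comparing the full certificate fingerprint and by checking that the clear-web host actually serves the same content as the hidden service.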
In an email to SearchSecurity, Eubanks wrote that “the techniques themselves are not new, but [they] have not been applied to unmask ransomware domains.”
For the TLS certificate method, Eubanks explained in the article that ransomware sites often do not use TLS certificates because they can be used for identification purposes. However, there are instances where threat actors may maintain a certificate on their dark website “to give their victims the impression that they are operating in a secure environment and create a sense of legitimacy in their operation.”
In the case of DarkAngels – believed to be a rebrand of the Babuk ransomware group – Cisco Talos used the Shodan search engine's crawler data to trace a TLS certificate used by the gang's dark web leak site back to its hosting provider. Researchers eventually discovered private keys and an operator login portal. Snatch was a more complicated case, but the researchers used the same method to trace the certificates back to a Swedish hosting provider.
The researchers used the favicon matching method against public internet indexes to trace the hosting of the Quantum ransomware gang's dark web leak site and found other domains associated with the group.
SearchSecurity asked Eubanks why Cisco Talos decided to disclose these techniques, given that threat actors would likely work to correct their mistakes. In response, he said there was "always a balance" in choosing to share findings with other defenders.
“The judgment comes from the value to the defender versus the cost to the attacker of changing behavior,” Eubanks said. “At the end of the day, defense is a team game, and in this case we decided that informing the team brought more benefits than what we had given up. When we try to help defenders globally, there are very few easy decisions.”
Alexander Culafi is a Boston-based writer, journalist, and podcaster.