Using a mix of techniques, helped along by some operational mistakes by the operators themselves, researchers have uncovered previously unknown public-Internet infrastructure belonging to several ransomware groups, including DarkAngels, Snatch, Quantum, and Nokoyawa.
Ransomware groups for the most part hide their infrastructure behind Tor hidden services. The goal is to shield their activities from law enforcement and from security researchers looking to expose them. Many groups run their victim communication and payment sites this way, along with a blog/leak site on which they publish the names of victims and stolen data. Researchers at Cisco Talos used several techniques to correlate ransomware groups' hidden infrastructure with hosts visible on the public Internet, among them matching the TLS certificates presented by Tor hidden services against those presented by public sites. A certificate, especially a self-signed one, is a unique artifact: if an Internet-wide scanner such as Shodan has seen the same certificate on a public IP address, the hidden service and that host are very likely run by the same operator, or are the same machine.
“A big tenet of operating on the dark web is to maintain anonymity, so certificates providing identity attestation can actually help pinpoint the operator behind a website. It’s possible the ransomware group is using an SSL/TLS site on the dark web to give the impression to their victims they are operating in a secure environment and create a sense of legitimacy in their operation,” Paul Eubanks of Talos wrote in a post explaining the research Tuesday.
“We successfully applied this method to Dark Angels, a ransomware group that has been reported as a rebranding of the Babuk ransomware group. They operate much the same as other groups in that they have set up a blog website as a Tor hidden service with a countdown timer to the publication of victim data, as well as links for victims to use to enter a chat room with DarkAngels affiliates to discuss ransom payment negotiations.”
Using Shodan, the researchers found that the DarkAngels operators had reused the self-signed certificate from their hidden service on a public site hosted in Singapore. That public site carried the same content as the hidden one, and from it the researchers were also able to identify backend database details and a login portal used by the DarkAngels operators.
The Talos researchers used the same certificate-matching technique to uncover public infrastructure used by the Snatch ransomware group. A second method was matching the favicon served by a dark web site to one served by a public site. A favicon is the small icon file a browser displays next to a site's title, usually hosted on the site's own web server; Shodan records a hash of every favicon it encounters and makes it searchable (the http.favicon.hash filter), so a favicon pulled from a hidden service can be hashed and looked up across the public Internet. Searching Shodan for the favicon used by the Quantum ransomware group, Talos found a single public website serving the same file, which turned out to be the public version of the Quantum hidden site.
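The two correlation techniques above, certificate matching and favicon matching, come down to fingerprinting an artifact collected from the hidden service and looking for the same fingerprint on public hosts. The following is an added example written for this page, not Talos's tooling or code from the research post. It implements the SHA-256 certificate fingerprint over DER bytes and the favicon hash Shodan indexes (MurmurHash3 x86_32 over the MIME base64 encoding of the file, 76-character lines) and correlates a set of hidden services against a set of public hosts. It assumes the artifacts have already been fetched (over Tor for the hidden side, from a Shodan query or direct scan for the public side); the certificate bytes, favicon bytes, onion names and IP addresses are all constructed stand-ins.

```python
"""Correlate Tor hidden services with clearnet hosts via shared artifacts.

Added illustration, not Talos's tooling. All certificate and favicon bytes,
onion names and IPs below are constructed; nothing here is a real ransomware
artifact. Pure standard library so it runs offline.
"""
import base64
import hashlib
import struct

C1, C2 = 0xCC9E2D51, 0x1B873593
MASK = 0xFFFFFFFF


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK


def _fmix(h: int) -> int:
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int like mmh3.hash()."""
    h = seed & MASK
    n_blocks = len(data) // 4
    for (k,) in struct.iter_unpack("<I", data[: n_blocks * 4]):
        k = (_rotl((k * C1) & MASK, 15) * C2) & MASK
        h = (_rotl(h ^ k, 13) * 5 + 0xE6546B64) & MASK
    tail = data[n_blocks * 4 :]
    if tail:  # 1-3 trailing bytes are mixed little-endian into one word
        k = 0
        for i, b in enumerate(tail):
            k ^= b << (8 * i)
        h ^= (_rotl((k * C1) & MASK, 15) * C2) & MASK
    h = _fmix(h ^ len(data))
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(favicon: bytes) -> int:
    """Shodan's http.favicon.hash: mmh3 over base64 with 76-column line breaks."""
    return murmur3_32(base64.encodebytes(favicon))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


FINGERPRINTERS = (("cert", cert_fingerprint), ("favicon", favicon_hash))


def correlate(hidden: dict, public: dict) -> list:
    """Return (artifact kind, onion, public host) triples sharing a fingerprint.

    Both dicts map host -> {"cert": der_bytes, "favicon": bytes}; either key may
    be absent. A shared self-signed certificate is the strongest signal: nobody
    else can present that key pair, so it is the same operator or the same box.
    """
    index = {}
    for host, artifacts in public.items():
        for kind, fp in FINGERPRINTERS:
            if kind in artifacts:
                index.setdefault((kind, fp(artifacts[kind])), []).append(host)
    matches = []
    for onion, artifacts in hidden.items():
        for kind, fp in FINGERPRINTERS:
            if kind in artifacts:
                for host in index.get((kind, fp(artifacts[kind])), []):
                    matches.append((kind, onion, host))
    return matches


# Constructed stand-ins. In practice the hidden-side values come from a TLS
# handshake and an HTTP GET over Tor; the public side from a Shodan lookup.
LEAK_SITE_CERT = b"\x30\x82\x01\x00" + b"constructed self-signed leak-blog cert" * 3
LEAK_SITE_ICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(256)) * 2
CHAT_SITE_ICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(255, -1, -1)) * 2

HIDDEN_SERVICES = {
    "example-leak-blog.onion": {"cert": LEAK_SITE_CERT, "favicon": LEAK_SITE_ICON},
    "example-chat.onion": {"favicon": CHAT_SITE_ICON},
}
PUBLIC_HOSTS = {
    "203.0.113.10": {"cert": LEAK_SITE_CERT, "favicon": LEAK_SITE_ICON},
    "198.51.100.7": {"cert": b"\x30\x82unrelated cert", "favicon": CHAT_SITE_ICON},
    "192.0.2.44": {"favicon": b"\x00\x00\x01\x00unrelated icon"},
}


def run() -> list:
    return correlate(HIDDEN_SERVICES, PUBLIC_HOSTS)


if __name__ == "__main__":
    for kind, onion, host in run():
        print(f"{kind:8} {onion} <-> {host}")
```

The favicon hash is deliberately computed the way Shodan does it (hash of the base64 text, not of the raw bytes), so the value returned by `favicon_hash` can be pasted straight into a `http.favicon.hash:` query. A certificate match on a self-signed certificate is conclusive; a favicon match is only a lead, since many sites share stock icons, so a hit should be confirmed by comparing page content, as Talos did for Quantum.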
In the case of the Nokoyawa ransomware group, Talos took advantage of a directory traversal bug in the group's web server, requesting a path that walks up out of the web root and reads sensitive files from the underlying system.
“This command tells the web server to traverse up past the web root directory and fetch the system file /etc/passwd. Normally, this sensitive file is protected by user permission settings and access control lists, but because the ransomware operator has made an amateur data security mistake when configuring the web server, this actually succeeds. Worse yet, files which are typically only accessible by the root user of the system are also available via this directory traversal method, which means the web server is possibly running as the root user instead of a dedicated web-server user account. De-anonymization is then as simple as pulling /var/log/auth.log* and searching for the successful remote login connections,” Eubanks said in the post.
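The bug class Eubanks describes, as an added example that is neither Talos's code nor anything from the Nokoyawa site: a file resolver that makes the same mistake (joining the client-supplied path onto the web root and trusting the result) next to a hardened one that resolves the path first and refuses anything outside the web root. The web root, the index page and the stand-in /etc/passwd are constructed inside a temporary directory, so running it reads no real system files.

```python
"""Directory traversal: the naive resolver beside a hardened one.

Added illustration; not code from the Nokoyawa site or from Talos. The web
root, index page and stand-in /etc/passwd are constructed in a temporary
directory, so the demo never touches real system files.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_resolve(web_root: str, requested: str) -> str:
    """The mistake: join the client-supplied path onto the web root and trust
    the result. normpath collapses '..' lexically, so '../etc/passwd' simply
    walks above web_root; nothing checks where the path ended up."""
    return os.path.normpath(os.path.join(web_root, requested.lstrip("/")))


def hardened_resolve(web_root: str, requested: str) -> Optional[Path]:
    """Resolve symlinks and '..' first, then require the result to sit under
    the resolved web root. Returns None (serve a 403/404) for anything else."""
    root = Path(web_root).resolve()
    target = (root / requested.lstrip("/")).resolve()
    try:
        target.relative_to(root)
    except ValueError:  # the request escaped the web root
        return None
    return target


def build_demo_tree() -> str:
    """Constructed layout: <tmp>/www is the web root and <tmp>/etc/passwd stands
    in for the real system file (constructed contents). Returns the web root."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "www"))
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "www", "index.html"), "w") as fh:
        fh.write("<h1>leak blog</h1>")
    with open(os.path.join(base, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    return os.path.join(base, "www")


def demo() -> dict:
    """Send the same traversal request through both resolvers."""
    web_root = build_demo_tree()
    # One '..' is enough in this tree; real payloads stack several and often
    # URL-encode the dots and slashes to slip past naive filters.
    attack = "../etc/passwd"
    with open(naive_resolve(web_root, attack)) as fh:  # naive server reads it
        leaked = fh.read()
    legit = hardened_resolve(web_root, "index.html")
    return {
        "naive_reads_passwd": leaked.startswith("root:"),
        "hardened_blocks": hardened_resolve(web_root, attack) is None,
        "hardened_serves_index": legit is not None and legit.name == "index.html",
    }


if __name__ == "__main__":
    print(demo())
```

The second finding in the quote, that root-only files such as /var/log/auth.log were also readable, is a separate failure of least privilege: had the server run as a dedicated unprivileged account, the same traversal would have stopped at files that account could read, and the login records used for de-anonymization would have stayed out of reach.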
Ransomware groups frequently rebrand, swap affiliates, rebuild infrastructure, and change other parts of their operations in an effort to stay ahead of law enforcement and security researchers. But researchers and defenders are getting steadily better at finding cracks in the foundations of these groups and bringing some of their activities into the light.