Security experts have described the many steps ransomware perpetrators have attempted to conceal their online identities and the physical location of their web server infrastructure.
According to Cisco Talos analyst Paul Eubanks, “the majority of ransomware operators host their ransomware operations sites outside of their nation of origin, in places like Sweden, Germany, and Singapore.” When logging onto their ransomware web infrastructure to do remote administrative chores, “they employ VPS hop-points as a proxy to conceal their genuine location.”
To add another degree of secrecy to their unlawful activities, they often utilize the TOR network and DNS proxy registration services.
However, the cybersecurity company revealed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure connected with DarkAngels, Snatch, Quantum, and Nokoyawa ransomware groups. It did this by exploiting the operational security mistakes made by the threat actors as well as other techniques.
Talos reported that it was able to identify “public IP addresses hosting the same threat actor infrastructure as those on the dark web,” despite the fact that ransomware groups are known to use the dark web to conceal their illegal activities, which can include disclosing stolen data and negotiating payments with victims.
Matching threat actors’ [self-signed] TLS certificate serial numbers and page components with those indexed on the public internet was one of the techniques used to locate the public internet IPs, according to Eubanks.
A second technique used to find the adversaries’ clear web infrastructures, in addition to TLS certificate matching, was comparing the favicons of the darknet domains to those of the public internet using web crawlers like Shodan.
The website hosted on the TOR hidden service was discovered to harbor a directory traversal bug that allowed the researchers to access the “/var/log/auth.log” file used to capture user logins in the case of Nokoyawa, a new Windows ransomware strain that first appeared this year and shares significant code similarities with Karma.
The results show that in addition to the criminal actors’ leak sites being open to internet users, other infrastructure elements, such as server identification data, were also exposed, making it easy to discover the login credentials for controlling the ransomware servers.
The successful root user logins were further examined, and it was discovered that they came from two IP addresses: 220.127.116.11 and 18.104.22.168, the former of which is owned by hosting company GHOSTnet GmbH, which provides Virtual Private Server (VPS) services.
However, according to Eubanks, “176.119.0[.]195 belongs to AS58271, which is recorded under the name Tyatkova Oksana Valerievna.” It’s likely that the operator entered into a session with this web server straight from their actual location at 176.119.0[.]195 since they failed to utilize the German-based VPS for obfuscation.
LockBit updates its RaaS operation and introduces a bug bounty program.
The change occurred when the creators of the newly discovered Black Basta ransomware increased the scope of their assault by exploiting QakBot for initial access and lateral movement and the PrintNightmare vulnerability (CVE-2021-34527) for privileged file actions.
In addition, the LockBit ransomware gang launched its own Bug Bounty program this week, promising incentives ranging from $1,000 to $1,000,000 for finding security holes and “bright ideas” to enhance its software. The announcement for LockBit 3.0 included the slogan “Make Ransomware Great Again!”
According to Satnam Narang, senior staff research engineer at Tenable, “the launch of LockBit 3.0 with the establishment of a bug bounty program is a formal appeal to cybercriminals to help support the organization in its drive to stay at the top.”
Defensive measures, such as preventing security researchers and law enforcement from discovering bugs in its leak sites or ransomware, figuring out how members, such as the affiliate program boss, could be doxed, and discovering bugs in the messaging software the group uses for internal communications as well as the Tor network itself, are a key focus of the bug bounty program.
“The risk of being exposed or discovered indicates that law enforcement activities certainly pose a significant danger to organizations like LockBit. Last but not least, the organization intends to accept Zcash as payment, which is important since Zcash is more difficult to track than Bitcoin, making it more difficult for researchers to monitor the group’s behavior.