Members of the Cisco Talos Threat Intelligence team have developed 3 techniques to identify ransomware operators' websites hosted on the dark web and their respective IP addresses. This has given them the ability to uncover previously unknown and hidden infrastructure of the DarkAngels, Snatch, Quantum, & Nokoyawa ransomware groups.
The public IPs were identified, and matched to the respective threat actors, by way of the TLS certificate serial number and page elements that are indexed on the public internet. Security flaws in the ransomware groups' own infrastructure were also exploited.
Unmasking the infrastructure that ransomware groups use on the dark web allows providers to cut down on illegal activity on their infrastructure, improves tracking of threat actors, assists possible law enforcement investigations, and/or slows down the ransomware groups' operations, as they would need to make operational alterations.
The Infrastructure Landscape of Ransomware Groups
Ransomware groups usually keep their activities to the dark web in order to mask their illegal activities.
The sites that leak sensitive information, and the communication channels that go with them, are only accessible via The Onion Router (TOR) network. Each site has a specific URL that one can only obtain via direct disclosure. This limits access by other ransomware groups, by victims, and by security researchers who track and discover the sites.
When used properly, the TOR network provides a decent cloak of anonymity. If the threat actors make configuration errors, their activities can wind up in public and attract unwanted attention from security researchers and law enforcement. Ransomware operators try to avoid such attention at all costs and will go to great lengths to keep their operations anonymous.
In a number of cases the Talos team were able to identify public IP addresses that host the same infrastructure as the dark web sites. This makes the leak sites and other components of a threat actor's infrastructure accessible to anyone on the public internet.
With the anonymity that the TOR network gives removed, hosting providers can take proactive action against these threat actors and the illegal activities that would otherwise occur on their networks. As a result of the changes made by hosting providers, we also get to witness how the threat actors adapt once they know they have been discovered.
Search engines do not directly index services that are anonymized by the TOR network. The Talos team have used a number of methods to unmask threat actors and their infrastructure.
The first approach is to identify the threat groups' self-signed TLS certificates and their specific favicons. Both the certificates and the favicons are tied to the group's dark web site; because the clear web is indexed, the same certificate or favicon can be searched for there to see whether it is also in use on the public internet.
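The matching step described above, as an added example that is not Talos's own tooling: a Shodan-style favicon fingerprint (MurmurHash3 of the base64-encoded icon) is computed for the hidden service and compared, together with the TLS certificate serial, against clear-web scan records. The icon bytes, IP addresses (RFC 5737 documentation ranges) and serial numbers are constructed placeholders, and the serials are assumed to have been extracted from the certificates already.

```python
import base64

def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF

def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 x86_32, the function behind the Shodan favicon hash."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h, n = seed & 0xFFFFFFFF, len(data)
    for i in range(0, n - n % 4, 4):                 # full 4-byte blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = _rotl32((k * c1) & 0xFFFFFFFF, 15)
        h ^= (k * c2) & 0xFFFFFFFF
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & 0xFFFFFFFF
    tail = data[n - n % 4:]                          # 1-3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = _rotl32((k * c1) & 0xFFFFFFFF, 15)
        h ^= (k * c2) & 0xFFFFFFFF
    h ^= n                                           # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & 0xFFFFFFFF
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & 0xFFFFFFFF
    return h ^ (h >> 16)

def favicon_hash(icon: bytes) -> int:
    """Signed 32-bit mmh3 over the base64 text with line breaks, as scan engines index it."""
    h = murmurhash3_32(base64.encodebytes(icon))
    return h - (1 << 32) if h & 0x80000000 else h

def correlate(onion: dict, scan_records: list) -> list:
    """Clear-web hosts that share the hidden service's favicon hash and/or cert serial."""
    hits = []
    for rec in scan_records:
        reasons = []
        if rec.get("favicon_hash") == onion["favicon_hash"]:
            reasons.append("favicon")
        if rec.get("cert_serial") == onion["cert_serial"]:
            reasons.append("tls_serial")
        if reasons:
            hits.append((rec["ip"], reasons))
    return hits

# Constructed sample data: a fake icon and placeholder scan records, not real indicators.
ICON = bytes(range(64)) * 3
ONION_SITE = {"favicon_hash": favicon_hash(ICON), "cert_serial": "00:de:ad:be:ef:01"}
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "favicon_hash": favicon_hash(ICON), "cert_serial": "00:de:ad:be:ef:01"},
    {"ip": "192.0.2.20", "favicon_hash": favicon_hash(b"other"), "cert_serial": "00:11:22:33"},
    {"ip": "198.51.100.5", "favicon_hash": None, "cert_serial": "00:de:ad:be:ef:01"},
]
if __name__ == "__main__":
    for ip, why in correlate(ONION_SITE, SCAN_RECORDS):
        print(ip, "matched on", ", ".join(why))
```

A hit on the serial alone is the stronger signal, since a self-signed serial is random per key while a favicon can be copied; treating a favicon-only hit as a lead to confirm rather than an attribution avoids false positives.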
The Talos team also uncovered a number of instances where the threat actors exposed sensitive server data. This allowed the Talos team to obtain specific login locations that threat actors use to administer their ransomware servers.
With these methods, the Talos team have exposed the infrastructure used by DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups.
In upcoming articles we will look at the techniques used to uncover these groups' infrastructure.