
Security Bugs in Ransomware Leak Sites Helped Save Six Companies From Paying Huge Ransoms

A security researcher says six companies have been saved from paying potentially large ransom demands, thanks in part to previously unseen security flaws found in the web infrastructure used by the same ransomware gangs.

Two companies received decryption keys to decipher their data without having to pay a ransom to cybercriminals, and four hacked cryptocurrency firms were alerted before the ransomware gang could begin encrypting their files, marking rare victories for the organizations that were targeted.

Vangelis Stykas, a security researcher and technical director at Atropos.ai, started a research project to identify the command and control servers behind over 100 ransomware and extortion groups and their data leak sites. The goal was to identify flaws that could be used to expose information about the gangs themselves, including their victims.

Stykas told TechCrunch ahead of his keynote address at the Black Hat security conference in Las Vegas on Thursday that he had found several simple vulnerabilities in web dashboards used by at least three ransomware groups, enough to compromise the internal workings of their operations.

Ransomware gangs typically hide their identities and operations on the dark web, hosting their sites as Tor onion services reachable only through the Tor browser, which makes it difficult to identify where the servers that run the attacks and store the stolen data are physically located.

But coding errors and security bugs in the leak sites, which ransomware gangs use to extort their victims by publishing stolen files, let Stykas peer inside without logging in and extract information about each operation. In some cases the bugs exposed the IP addresses of the servers hosting the leak sites, which could be used to locate them in the real world.

The bugs included the Everest ransomware gang using a default password for its backend SQL databases and exposing its file directories, and exposed API endpoints that revealed the targets of the BlackCat ransomware gang while its attacks were still in progress.

Stykas said he also used a bug known as an IDOR (insecure direct object reference), in which a web application returns a record for whatever identifier the caller supplies without checking that the caller is allowed to see it, to read all of the chat messages of a Mallox ransomware administrator. Those messages contained two decryption keys, which Stykas then shared with the affected companies.
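To make the IDOR class of bug concrete, the following is an added example, not code from the Mallox panel or from Stykas's research: a minimal chat-message lookup with the flaw beside a fixed version, plus the enumeration loop an attacker would run against it. The user names, message IDs and message bodies are constructed sample data.

```python
# Added illustration of an insecure direct object reference (IDOR) in a chat
# message endpoint, plus the fixed version. Constructed example; not code from
# any ransomware panel or from the research described in the article.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str   # the only user allowed to read this message
    body: str


# Constructed sample data: several users' chats in one table, keyed by a
# sequential integer ID. Sequential IDs are what make the bug trivially
# exploitable: the attacker just counts upward.
MESSAGES = {
    1: Message(1, "admin", "victim A decryption key: example-key-1"),
    2: Message(2, "affiliate7", "payment arrived"),
    3: Message(3, "admin", "victim B decryption key: example-key-2"),
}


class Forbidden(Exception):
    pass


def get_message_vulnerable(current_user: str, msg_id: int) -> str:
    """Looks the message up by ID only. The caller's identity is never
    compared with the record's owner, so any authenticated user who can
    guess or enumerate IDs reads everyone else's messages (the IDOR)."""
    return MESSAGES[msg_id].body


def get_message_fixed(current_user: str, msg_id: int) -> str:
    """Same lookup, but ownership is checked before anything is returned.
    A missing record and a record owned by someone else raise the same
    error, so the endpoint does not even confirm which IDs exist."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != current_user:
        raise Forbidden(f"message {msg_id} not accessible to {current_user}")
    return msg.body


def enumerate_messages(fetch, current_user: str, max_id: int = 10) -> list[str]:
    """Simulates the attacker's loop: walk the ID space with one
    low-privilege account and keep whatever the endpoint hands back."""
    leaked = []
    for msg_id in range(1, max_id + 1):
        try:
            leaked.append(fetch(current_user, msg_id))
        except (KeyError, Forbidden):
            continue
    return leaked


if __name__ == "__main__":
    # With the vulnerable endpoint the low-privilege account reads all three
    # messages, including the admin's keys; with the fix it sees only its own.
    print("vulnerable:", enumerate_messages(get_message_vulnerable, "affiliate7"))
    print("fixed:     ", enumerate_messages(get_message_fixed, "affiliate7"))
```

The fix is the ownership comparison, not hiding the IDs: switching to random identifiers alone would only slow enumeration, while a server-side check on every object access closes the bug regardless of how the ID was obtained.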

The researcher told TechCrunch that two of the victims were small businesses and the other four were cryptocurrency companies, two of which are considered unicorns (startups with valuations above $1 billion), though he declined to name the companies.

He added that none of the companies he reported had made the security incidents public and he did not rule out revealing the names of the companies in the future.

The FBI and other government authorities have long advised ransomware victims not to pay hackers’ ransoms, to prevent bad actors from profiting from their cyberattacks. But the advice offers little recourse for companies that need to regain access to their data or are unable to operate their businesses.

Law enforcement has had mixed results compromising ransomware gangs to seize their stores of decryption keys and cut off the criminals' illicit revenue.

The research shows that ransomware gangs are prone to many of the same basic security mistakes as large enterprises, offering law enforcement a potential avenue against criminal hackers who operate well outside its jurisdiction.

Written by Anika Begay
