According to a blog post published Tuesday, the three methods developed by Cisco Talos aim to expose the infrastructure behind dark web sites operated by ransomware groups.

According to the post, titled “De-anonymizing ransomware domains on the dark web,” these methods can increase visibility into dark web sites, which is normally difficult given the nature of hidden services.

Paul Eubanks, senior threat research engineer at Cisco Talos, writes that the approach has provided new insights into the infrastructure of the ransomware groups DarkAngels, Nokoyawa, Quantum and Snatch.

The first method is to correlate the serial number of a threat actor’s TLS certificate with certificates indexed on the clear web, or public internet. The second works the same way, except that it matches the browser favicon (the icon shown next to the site URL in the browser’s address bar) of a dark web site against the favicons of public websites.

The third technique takes advantage of “catastrophic security errors” and misconfigurations that undermine anonymity. For example, Eubanks explained that a directory traversal vulnerability existed because the Nokoyawa ransomware operators had not set proper file permissions.
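The first two methods described above reduce to one correlation: take a fingerprint from a hidden service (certificate serial number or favicon hash) and look for the same fingerprint in an index of the public internet. The Python below is an added example, not Talos’s tooling: the stdlib DER walk that pulls the serial out of a PEM certificate, the truncated stub certificates, the documentation-range IPs and the .onion name are all constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

def _read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial_hex(pem):
    """X.509 serialNumber as hex, stdlib only: Certificate -> tbsCertificate -> [0] version? -> INTEGER."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, p, _ = _read_tlv(der, 0)             # outer Certificate SEQUENCE
    _, p, _ = _read_tlv(der, p)             # tbsCertificate SEQUENCE
    tag, s, e = _read_tlv(der, p)
    if tag == 0xA0:                         # explicit [0] version is present; skip it
        tag, s, e = _read_tlv(der, e)
    if tag != 0x02: raise ValueError("serialNumber INTEGER not found")
    return der[s:e].hex()

def stub_cert_pem(serial):
    """Constructed, truncated stand-in for a certificate: only the fields up to serialNumber exist."""
    tlv = lambda tag, v: bytes([tag, len(v)]) + v          # short-form lengths suffice here
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial))
    b64 = base64.b64encode(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def correlate(hidden, clearnet):
    """Return (hidden_host, clearnet_host, kind) for each shared TLS serial or favicon hash."""
    index = defaultdict(list)
    for r in clearnet:
        for kind in ("serial", "favicon"):
            index[(kind, r[kind])].append(r["host"])
    return [(r["host"], h, kind)
            for r in hidden for kind in ("serial", "favicon")
            for h in index.get((kind, r[kind]), [])]

# Constructed sample inventories: documentation-range IPs and a made-up .onion name.
LEAK_CERT = stub_cert_pem(bytes.fromhex("1a2b3c4d5e6f"))
FAVICON = hashlib.sha256(b"\x00\x00\x01\x00constructed-favicon").hexdigest()
OTHER = hashlib.sha256(b"unrelated-favicon").hexdigest()
HIDDEN = [{"host": "example-leaksite.onion", "serial": cert_serial_hex(LEAK_CERT), "favicon": FAVICON}]
CLEARNET = [
    {"host": "203.0.113.10", "serial": cert_serial_hex(LEAK_CERT), "favicon": OTHER},
    {"host": "203.0.113.11", "serial": cert_serial_hex(stub_cert_pem(b"\x07")), "favicon": FAVICON},
    {"host": "203.0.113.12", "serial": cert_serial_hex(stub_cert_pem(b"\x09")), "favicon": OTHER},
]
```

The same join run over an organization’s own host inventory flags certificate or favicon reuse that quietly links hosts meant to be kept separate.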

In an email to SearchSecurity, Eubanks wrote: “[they] It does not apply to unmasking ransomware domains.”

In the case of the TLS certificate method, Eubanks explained in the post that ransomware sites are often used for identification purposes and therefore frequently do not use TLS certificates. However, threat actors may still deploy certificates on dark web sites to “give victims the impression that they are operating in a safe environment and justify their operations.”

In the case of DarkAngels (believed to be a rebranding of the Babuk ransomware group), Cisco Talos used the Shodan search engine to trace the TLS certificate used by the gang’s dark web leak site back to its hosting provider. Researchers eventually discovered a private key and an operator login portal. Snatch was more complicated, but researchers used the same method to trace its certificate back to a Swedish hosting provider.

Using the favicon matching method against an index of the public internet, researchers identified the hosting behind the Quantum ransomware gang’s dark web leak site and found other domains linked to the group.

SearchSecurity asked Eubanks why Cisco Talos decided to disclose these techniques, given that threat actors are likely to correct their mistakes. He said there was “always a balance” in choosing whether to share observations with other defenders.

“The call for judgment comes from the value to the defenders and the cost to the attackers of changing their behavior,” Eubanks said. “After all, defense is a team game, and in this case we decided that notifying the team would bring more benefits than we gave up. When trying to help defenders around the world, there are few easy decisions.”

Alexander Culafi is a Boston-based writer, journalist and podcaster.