A security researcher has shown how basic security oversights in the web infrastructure run by ransomware gangs helped thwart extortion attempts against six organizations, sparing them from significant ransom payouts.
Two organizations were given the decryption keys needed to recover their data without paying the ransom demanded, while four cryptocurrency firms were warned in time to prevent the ransomware group from encrypting their data, a rare win for the targets of such attacks.
Vangelis Stykas, a security researcher and the chief technology officer at Atropos.ai, set out to identify and map the command-and-control servers and data-leak sites of more than a hundred ransomware and data-extortion groups. His goal was to find vulnerabilities that would reveal information about these criminal groups and their victims.
Speaking to TechCrunch prior to his presentation at the Black Hat security conference in Las Vegas, Stykas revealed his discovery of several basic security lapses in the ransomware groups’ web panels. These flaws were significant enough to interfere with their clandestine operations.
Ransomware groups typically host their sites on the dark web, reachable only through the Tor network, which hides the location of the servers used in attacks and of the systems that store stolen data.
Stykas, however, was able to exploit mistakes and vulnerabilities in the gangs' leak sites, the platforms used to pressure victims by threatening to publish their stolen data. These slip-ups let him access information about the operations without logging in, and in some instances revealed the IP addresses of the servers hosting the leak sites, pointing to where they are physically located.
Among the flaws he found: the Everest ransomware group had left the default password in place on its back-end SQL database and exposed its file directories, and exposed API endpoints revealed the active targets of the BlackCat ransomware group.
Stykas also used an insecure direct object reference (IDOR) bug to read through all of the chat messages of a Mallox ransomware admin, turning up two decryption keys in the process, which he then passed to the affected companies.
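The bug class named above, as an added example that is not from the original page, from Stykas' research, or from any ransomware panel: a chat lookup that checks only that the caller is logged in (the IDOR), beside the same lookup with an object-level ownership check. The in-memory chat store, the account names and the key strings are constructed for the illustration, and whether the real panel required any login for this endpoint is not stated on the page.

```python
"""Insecure direct object reference (IDOR) on a chat endpoint, and the fix.

Added illustration, not code from the Mallox panel or from Stykas' research.
The chat store, account names and key strings below are constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Chat:
    chat_id: int
    owner: str          # panel account the chat belongs to
    messages: tuple     # message bodies


# Constructed sample store with sequential ids, as in a typical panel backend.
CHATS = {
    1: Chat(1, "admin_a", ("victim 1 wants proof of decryption", "key: KEY-AAAA-1111")),
    2: Chat(2, "admin_b", ("negotiating with victim 2", "key: KEY-BBBB-2222")),
    3: Chat(3, "admin_b", ("victim 3 paid, sending decryptor",)),
    4: Chat(4, "admin_c", ("victim 4 not responding",)),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_chat_vulnerable(session_user, chat_id):
    """Authenticated but not authorized: any logged-in account can read any chat by id."""
    if session_user is None:
        raise Forbidden("login required")
    chat = CHATS.get(chat_id)
    if chat is None:
        raise NotFound(chat_id)
    return chat


def get_chat_fixed(session_user, chat_id):
    """Object-level authorization: the chat must belong to the session account."""
    if session_user is None:
        raise Forbidden("login required")
    chat = CHATS.get(chat_id)
    # Same response for a missing chat and a foreign one, so the id space
    # cannot be mapped by telling 404 apart from 403.
    if chat is None or chat.owner != session_user:
        raise NotFound(chat_id)
    return chat


def enumerate_chats(handler, session_user, id_range):
    """What an attacker does with an IDOR: walk the id space with one low-value session."""
    leaked = {}
    for cid in id_range:
        try:
            leaked[cid] = handler(session_user, cid)
        except (Forbidden, NotFound):
            continue
    return leaked


def find_keys(chats):
    """Pull anything that looks like a decryption key out of the harvested chats."""
    keys = []
    for chat in chats.values():
        for msg in chat.messages:
            if msg.startswith("key: "):
                keys.append(msg[len("key: "):])
    return keys


def issue_chat_id():
    """Defense in depth: unguessable ids make blind enumeration impractical.
    The ownership check in get_chat_fixed is still the actual fix."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    attacker = "admin_a"   # a single low-value account on the panel
    loot = enumerate_chats(get_chat_vulnerable, attacker, range(1, 10))
    print("vulnerable handler leaked chats:", sorted(loot))   # [1, 2, 3, 4]
    print("keys recovered:", find_keys(loot))                  # ['KEY-AAAA-1111', 'KEY-BBBB-2222']
    loot = enumerate_chats(get_chat_fixed, attacker, range(1, 10))
    print("fixed handler leaked chats:", sorted(loot))         # [1]
```

The point of the pair is that authentication alone is not authorization: the vulnerable handler answers any id for any session, so one account plus a loop over small integers yields every chat and every key in them. The fixed handler ties each object to its owner and collapses "not yours" and "does not exist" into one response; random ids are worth adding on top, but only as a second layer.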
Stykas shared that among the beneficiaries were two small businesses and four cryptocurrency organizations, including two considered to be unicorns, startups valued at over $1 billion. He opted not to disclose their identities but did not discount the possibility of doing so in the future.
The U.S. government and the FBI advise ransomware victims not to pay, so that criminals do not profit from their attacks, but that advice leaves victims with few options when they need their data back to keep operating.
Law enforcement has had some success infiltrating ransomware groups and seizing their decryption keys, though results have been mixed; each such seizure cuts into the criminals' profits.
The research shows that ransomware gangs are exposed to the same basic security failures that plague large organizations, which suggests a possible route for law enforcement to go after operators who sit beyond its jurisdictional reach.
Compiled by Techarena.au.