Ransomware leak site security breaches saved six companies from paying hefty ransoms

Six companies were spared potentially large ransom payments, a security researcher said, thanks in part to emerging security holes in the web infrastructure used by the ransomware gangs themselves.

Two companies received decryption keys that allowed them to decrypt their data without having to pay ransom to the cybercriminals. In addition, four hacked crypto companies were warned before the ransomware gang could encrypt their files, resulting in rare successes for the intended victim organizations.

Vangelis Stykas, a security researcher and chief technology officer at Atropos.ai, embarked on a research project to identify the command and control servers behind more than 100 ransomware and extortion-focused groups and their data breach sites. The goal was to identify flaws that could be used to expose information about the gangs themselves, including their victims.

Stykas told TechCrunch ahead of his talk at the Black Hat security conference in Las Vegas on Thursday that he had found a number of simple vulnerabilities in the web dashboards used by at least three ransomware gangs, serious enough to expose the internal workings of their operations.

Ransomware gangs typically hide their identities and activities on the dark web, an anonymous version of the web accessible through the Tor browser. This makes it difficult to track down the real servers used to launch cyberattacks and store stolen data.

But coding errors and security bugs in the leak sites, which ransomware gangs use to extort money from their victims by publishing their stolen files, allowed Stykas to peer inside without logging in and extract information about each operation. In some cases, the bugs exposed the IP addresses of the leak site’s servers, which could be used to trace their real locations.

Among the bugs: the Everest ransomware gang used a default password to access its back-end SQL databases, and exposed file directories and API endpoints revealed the targets of the BlackCat ransomware gang while its attacks were still underway.

Stykas said he also used a bug known as an insecure direct object reference (IDOR) to read every chat message belonging to a Mallox ransomware administrator. Those messages contained two decryption keys, which Stykas then shared with the affected companies.
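As an added illustration, not code from Stykas' research or from any gang's panel, this is the pattern behind the IDOR described above: a chat-message lookup that trusts the id in the request, beside one that also checks who owns the thread. The store, account names and message bodies are constructed.

```python
# Added example: an insecure direct object reference (IDOR) in a chat API
# and the ownership check that closes it. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str   # account that is allowed to read this message
    body: str


# Constructed sample store: each account should only see its own thread.
MESSAGES = {
    1: Message(1, "victim-a", "Decryption key: EXAMPLE-KEY-A (constructed)"),
    2: Message(2, "victim-b", "Decryption key: EXAMPLE-KEY-B (constructed)"),
}


def get_message_idor(msg_id: int, requester: str) -> Message:
    """Vulnerable: the id taken from the request is treated as proof of
    access, so any logged-in caller can read any thread just by changing it."""
    return MESSAGES[msg_id]


def get_message_checked(msg_id: int, requester: str) -> Message:
    """Hardened: fetch the object, then verify the requester owns it.
    'Missing' and 'not yours' raise the same error so ids cannot be
    distinguished by their responses."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != requester:
        raise PermissionError("not found")
    return msg


def readable_threads(lookup, requester: str) -> list[str]:
    """Audit helper: try every id in the store with the given lookup and
    return the bodies the requester can actually read."""
    seen = []
    for msg_id in range(1, max(MESSAGES) + 1):
        try:
            seen.append(lookup(msg_id, requester).body)
        except (KeyError, PermissionError):
            pass
    return seen
```

With the vulnerable lookup, `readable_threads` returns both threads for either account; with the checked lookup it returns only the caller's own.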

The researcher told TechCrunch that two of the victims were small businesses and the other four were crypto companies. Two of them are considered unicorns (startups with a valuation of more than $1 billion). He declined to name the companies, however.

He added that none of the companies he notified have publicly disclosed the security incidents and he did not rule out disclosing the names of the companies in the future.

The FBI and other government agencies have long advised ransomware victims not to pay hackers’ ransoms, to prevent malicious actors from profiting from their cyberattacks. But the advice offers little recourse for businesses that need to regain access to their data or find themselves unable to operate.

Law enforcement agencies have had some success in compromising ransomware gangs to obtain their database of decryption keys and deprive cybercriminals of their illicit revenue streams, but results have been mixed.

The research shows that ransomware gangs can be susceptible to many of the same simple security issues as large corporations, providing law enforcement with a potential way to crack down on criminal hackers operating far outside their jurisdiction.
