Bugs on ransomware sites help six companies avoid ransom payments


Six companies narrowly avoided costly ransom payments thanks to rookie mistakes by the ransomware gangs that targeted them. The discovery, made by security researcher Vangelis Stykas, highlights the vulnerabilities in the web infrastructure of these cybercriminal organizations and shows that even sophisticated attackers are not immune to basic security holes.

Two small businesses and four cryptocurrency companies, two of which are valued at over $1 billion, were saved by Stykas’ actions. However, none of these companies have publicly acknowledged the incidents, a common occurrence as companies seek to avoid reputational damage.

As first reported by TechCrunch, Stykas’ main goal was to analyze the command-and-control servers used by over 100 ransomware and extortion groups in order to discover weaknesses that could unmask these gangs and reveal information about their victims.

Stykas revealed that he had discovered fundamental vulnerabilities in the web dashboards of at least three ransomware gangs, allowing him to investigate their activities, disrupt their attacks and save companies from financial ruin.

These vulnerabilities allowed Stykas to access internal information without logging in, providing a rare glimpse into the inner workings of these criminal organizations. In some cases, the flaws exposed the IP addresses of the leak sites, a crucial piece of information that could lead to the physical locations of the servers.

One of the flaws was the default password used by the Everest ransomware gang to protect their back-end SQL databases, allowing anyone with sufficient knowledge to get in.

Another group, BlackCat, inadvertently exposed API endpoints, revealing details of their ongoing attacks.

Another important finding was an insecure direct object reference (IDOR) flaw discovered by the researcher. This vulnerability allowed unauthorized access to the conversation data of a Mallox ransomware operator.

Two decryption keys were discovered in these records. The researcher quickly provided these keys to the affected organizations, allowing them to recover their encrypted data without paying a ransom.

While Stykas did not disclose the names of the companies involved, he did not rule out the possibility that he might do so in the future. This raises questions about the responsibility of companies to report such incidents, especially when the potential for significant financial damage is limited.

Law enforcement agencies have consistently discouraged ransom payments. In some cases, however, paying the ransom is the only way out, even though companies are reluctant to pay. This new effort offers a glimmer of hope for victims of ransomware gangs and shows that it is possible to outsmart them.
