Vulnerabilities on ransomware leak sites saved six companies from paying high ransom demands

A security researcher says six companies have been saved from paying potentially large ransom demands, in part because novel security flaws were found in the web infrastructure used by the ransomware gangs themselves.

Two companies received the decryption keys for their data without having to pay a ransom to the cybercriminals, and four hacked crypto companies were alerted before the ransomware gang could start encrypting their files, marking a rare success for the targeted victim organizations.

Vangelis Stykas, security researcher and technical lead at Atropos.ai, launched a research project to identify the command and control servers behind over 100 ransomware and extortion-focused groups and their data leak sites. The goal was to find vulnerabilities that could be exploited to uncover information about the gangs themselves, including their victims.

Stykas told TechCrunch ahead of his talk at the Black Hat security conference in Las Vegas on Thursday that he found several simple vulnerabilities in the web dashboards used by at least three ransomware gangs that were enough to compromise the way the operations themselves work.

Ransomware gangs typically hide their identities and activities on the dark web, an anonymous version of the internet accessed through the Tor browser, making it difficult to determine where the real servers used to carry out cyberattacks and store stolen data are located.

But code errors and security flaws in the leak sites used by ransomware gangs to blackmail their victims by publishing the stolen files allowed Stykas to peek inside without logging in and retrieve information about each operation. In some cases, the flaws exposed the IP addresses of the leak site’s servers, which could be used to determine their real locations.

The flaws include the Everest ransomware gang using a default password for its back-end SQL databases and exposing its file directories, and exposed API endpoints that revealed the targets of the BlackCat ransomware gang’s attacks while they were still in progress.

Stykas said he also exploited a flaw of the Insecure Direct Object Reference (IDOR) class to read through all the chat messages of a Mallox ransomware administrator; those messages contained two decryption keys, which Stykas then passed on to the affected companies.
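To make the IDOR class concrete from the defender's side, here is an added example that is not part of the article and has nothing to do with the Mallox code base: a chat-message lookup in its vulnerable form (the client-supplied id is trusted) beside the hardened form (the object is resolved, then ownership is checked), with an audit helper that shows how many records each handler lets one user read. The message store, user names and function names are all constructed for this illustration.

```python
# Added illustration of an Insecure Direct Object Reference (IDOR) and its fix.
# Everything below (store, users, names) is constructed for the example.

from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str
    body: str


# Constructed sample store: sequential integer ids, two distinct owners.
MESSAGES = {
    1: Message(1, "alice", "hello from alice"),
    2: Message(2, "bob", "bob's private note"),
    3: Message(3, "alice", "another alice message"),
}


class NotAccessible(Exception):
    """Raised when the requested object does not exist or is not the caller's."""


def get_message_idor(requester: str, msg_id: int) -> Message:
    """Vulnerable form: the id from the request is looked up directly and the
    requester is never compared with the record's owner, so any authenticated
    user can walk the id space and read every message."""
    if msg_id not in MESSAGES:
        raise NotAccessible(f"message {msg_id} not found")
    return MESSAGES[msg_id]


def get_message_checked(requester: str, msg_id: int) -> Message:
    """Hardened form: resolve the object, then enforce ownership. A missing id
    and a foreign id produce the same error so the response does not leak
    whether an id exists at all."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != requester:
        raise NotAccessible(f"message {msg_id} not accessible to {requester}")
    return msg


def audit_readable(lookup, requester: str, id_range=range(1, 10)) -> list[int]:
    """Authorization audit: try every id in the range as one user and return
    the ids the handler served. A correct handler returns only that user's
    own records; a wider result is the IDOR."""
    readable = []
    for i in id_range:
        try:
            lookup(requester, i)
            readable.append(i)
        except NotAccessible:
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable handler, as bob:", audit_readable(get_message_idor, "bob"))
    print("hardened handler, as bob:  ", audit_readable(get_message_checked, "bob"))
```

The audit helper is the test a reviewer would add to the application's own test suite: for each object type and each role, the set of ids served must equal the set the role is entitled to, and any extra id is a finding.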

The researcher told TechCrunch that two of the victims were small businesses and the other four were crypto companies, two of which are considered “unicorns” (startups valued at over $1 billion), but he declined to name the companies.

He added that none of the companies he notified had publicly disclosed the security incidents and did not rule out disclosing the names of the companies in the future.

The FBI and other government agencies have long advised ransomware victims not to pay hackers’ ransoms to prevent malicious actors from profiting from their cyberattacks. But that advice leaves little recourse for companies that need to regain access to their data or are unable to continue operating.

Law enforcement agencies have succeeded in compromising ransomware gangs and obtaining their database of decryption keys, thereby depriving cybercriminals of their illegal sources of income – but with mixed results.

The research shows that ransomware gangs can be vulnerable to many of the same simple security issues as large corporations, providing law enforcement with a potential opportunity to target criminal hackers who are well beyond the reach of justice.

By Bronte
