"Bringing Ransomware Infrastructure Into the Light"
Researchers at Cisco Talos uncovered previously unknown infrastructure operated by several ransomware groups, including DarkAngels, Snatch, and Quantum, using a range of techniques and aided by some operational mistakes made by the operators themselves. Ransomware groups typically hide their infrastructure on dark web sites reachable only through Tor. Their goal is to keep their activities hidden from law enforcement and from security researchers who want to expose them. Many groups use this approach for both their communication and payment sites and for a blog/leak site where they publish stolen data and the names of victims.

Cisco Talos researchers used several techniques to correlate the groups' hidden infrastructure with sites visible on the public Internet, such as matching the TLS certificates served by Tor hidden services against those served by public sites. The researchers explain that maintaining anonymity is a central part of operating on the dark web, so a certificate that provides identity attestation can help identify the operator behind a website. A ransomware group may nevertheless run an SSL/TLS site on the dark web to give victims the impression that they are operating in a secure environment and that the operation is legitimate.

The researchers successfully applied this method to DarkAngels, a ransomware group that has been identified as a rebranding of the Babuk ransomware group. DarkAngels operates much like other groups: it runs a blog website as a Tor hidden service with a countdown timer to the publication of victim data, along with links that victims use to enter a chat room with DarkAngels affiliates to negotiate ransom payments. Using Shodan, the researchers discovered that the DarkAngels operators used the same self-signed certificate for their dark web site and for a public site hosted in Singapore. That public site contains all of the same information as the hidden site, and the researchers were also able to identify some database information and a login portal for DarkAngels operators. The article goes on to discuss the discovery of several other ransomware groups' previously unknown infrastructure.
Source: Decipher, "Bringing Ransomware Infrastructure Into the Light"