Cisco Talos techniques uncover ransomware sites on dark web
One of the three techniques Cisco Talos used to de-anonymize ransomware dark web sites is to match TLS certificate serial numbers from dark web leak sites to the clear web.
Three techniques developed by Cisco Talos aim to expose the infrastructure of dark web sites belonging to ransomware operators, a Tuesday blog said.
According to the blog post, titled "De-Anonymizing Ransomware Domains on the Dark Web," the methods are capable of providing additional visibility into dark web sites -- a task that is normally challenging due to the nature of hidden services.
Cisco Talos senior threat research engineer Paul Eubanks wrote in the post that the techniques have provided new insights into the infrastructure of ransomware groups DarkAngels, Nokoyawa, Quantum and Snatch.
The first method involves matching threat actors' TLS certificate serial numbers with those indexed on the clear web or public internet. The second works similarly to the first, except it matches browser favicons -- icons displayed next to a site's URL in the browser bar -- on the dark web with public websites.
The third technique involves exploiting "catastrophic security errors" and misconfigurations that reduce anonymity. For example, Eubanks described how Nokoyawa ransomware operators did not establish proper file permissions, which created a directory traversal vulnerability.
In an email to SearchSecurity, Eubanks wrote that "the techniques themselves aren't new, but [they] haven't been applied to unmasking ransomware domains."
For the TLS certificate method, Eubanks explained in the post that ransomware sites often don't use TLS certificates because they can be used for identification purposes. However, there are cases where threat actors might maintain a certificate on their dark web site "to give the impression to their victims they are operating in a secure environment and create a sense of legitimacy in their operation."
In the case of DarkAngels -- believed to be a rebrand of the Babuk ransomware group -- Cisco Talos used a Shodan web crawler to trace a TLS certificate used by the gang's dark web leak site back to its hosting provider. Researchers ultimately uncovered private keys and an operator login portal. Snatch was a slightly more complicated story, but researchers used the method to trace certificates back to a Swedish hosting provider.
Researchers used the favicon matching method to index the public internet to trace back the hosting on ransomware gang Quantum's dark web leak site and found other associated domains with the group.
SearchSecurity asked Eubanks why Cisco Talos decided to disclose these techniques, as threat actors would likely work to correct their mistakes. In response, he said there is "always a balance" in choosing to disclose observations with other defenders.
"The judgment call comes from the value to the defender vs. the cost to the attacker to change behavior," Eubanks said. "Ultimately, defense is a team game, and in this case we decided that informing the team carried more benefit than what we gave up. When trying to help defenders globally, there are very few easy decisions."
Alexander Culafi is a writer, journalist and podcaster based in Boston.