Security bugs in ransomware leak sites helped save six companies from paying hefty ransoms

A security researcher says six companies were saved from having to pay potentially hefty ransom demands, in part thanks to rookie security flaws found in the web infrastructure used by the ransomware gangs themselves.

Two companies received the decryption keys to unscramble their data without having to pay the cybercriminals a ransom, and four hacked crypto companies were alerted before the ransomware gang could begin encrypting their files, marking rare wins for the targeted victim organizations.

Vangelis Stykas, a security researcher and chief technology officer at Atropos.ai, set out on a research project to identify the command and control servers behind over 100 ransomware and extortion-focused groups and their data leak sites. The aim was to identify flaws that could be used to unmask information about the gangs themselves, including their victims. 

Stykas told TechCrunch ahead of his talk at the Black Hat security conference in Las Vegas on Thursday that he found several simple vulnerabilities in the web dashboards used by at least three ransomware gangs, which were enough to compromise the inner workings of the operations themselves.

Ransomware gangs typically hide their identities and operations on the dark web, an anonymous version of the web accessible through the Tor browser, which makes it difficult to identify where the real-world servers are that are used for cyberattacks and storage of stolen data.

But coding errors and security bugs in the leak sites, which ransomware gangs use to extort their victims by publishing their stolen files, allowed Stykas to peek inside without having to log in and extract information about each operation. In some cases, the bugs exposed the IP addresses of the leak site’s servers, which could be used to trace their real-world locations.

Some of the bugs include the Everest ransomware gang using a default password for accessing its back-end SQL databases, and exposing its file directories, and exposed API endpoints that revealed the targets of the BlackCat ransomware gang’s attacks while in progress.

Stykas said he also used one bug, known as an insecure direct object reference, or IDOR, to cycle through all of the chat messages of a Mallox ransomware administrator, which contained two decryption keys that Stykas then shared with the affected companies.

The researcher told TechCrunch that two of the victims were small businesses and the other four were crypto companies, with two of them considered unicorns (startups with valuations over $1 billion), though he declined to name the companies.

He added that none of the companies he notified has publicly disclosed the security incidents, and did not rule out disclosing the names of the companies in the future.

The FBI and other government authorities have long advocated victims of ransomware not to pay the hackers’ ransom, as to prevent the malicious actors from profiting from their cyberattacks. But the advice offers little by way of recourse for the companies that need to regain access to their data or can’t operate their business.

Law enforcement has seen some success in compromising ransomware gangs in order to obtain their bank of decryption keys and starve cybercriminals from their illegal revenue streams, albeit with mixed results.

The research shows that ransomware gangs can be susceptible to much of the same simple security issues as big companies, providing a potential avenue for law enforcement to target criminal hackers that are far out of jurisdictional reach.