
Vulnerabilities in ransomware leak sites helped save six companies from paying hefty ransoms

Six companies have avoided paying potentially hefty ransoms, according to a security researcher, thanks in part to vulnerabilities discovered in internet infrastructure used by the ransomware gangs themselves.

Two companies received decryption keys to unlock their data without having to pay a ransom to the cybercriminals, and four hacked cryptocurrency companies were notified before the ransomware gang could begin encrypting their files, a rare victory for the organizations that were targeted.

Vangelis Stykas, a security researcher and CTO at Atropos.ai, launched a research project to identify the command and control servers of over 100 ransomware and extortion groups and their data leak sites, with the goal of identifying vulnerabilities that could be exploited to reveal information about the gangs themselves, including their victims.

Stykas told TechCrunch ahead of his keynote at the Black Hat security conference in Las Vegas on Thursday that he found several simple vulnerabilities in control panels used by at least three ransomware gangs that were enough to compromise the inner workings of the operations themselves.

Ransomware gangs typically hide their identities and activities on the darknet, an anonymous version of the web that can be accessed through the Tor browser. This makes it difficult to determine where the actual servers used for cyberattacks and storing stolen data are located.

But coding errors and vulnerabilities in the leak sites that ransomware gangs use to extort victims by publishing their stolen files allowed Stykas to peer inside without having to log in and extract information about each operation. In some cases, the errors revealed the IP addresses of the leak site servers, which could be used to track their actual locations.

The flaws included the Everest ransomware gang’s use of a default password for its back-end SQL databases and its exposed file directories, as well as exposed API endpoints that revealed the targets of the BlackCat ransomware gang’s attacks while those attacks were still in progress.

Stykas said he also exploited a bug known as an insecure direct object reference, or IDOR, to read all of the Mallox ransomware administrator’s chat messages. Those messages contained two decryption keys, which Stykas then shared with the targeted companies.
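The IDOR class of bug mentioned above comes down to a server trusting the object identifier in a request without checking that the authenticated caller is allowed to see that object. The following is an added illustration of that defect and its fix, written for this page; it is not code from the article, from Stykas, or from any ransomware operation, and the in-memory message store, account names and message bodies are all constructed sample data.

```python
"""Insecure direct object reference (IDOR): vulnerable lookup beside its hardened form.

Constructed example: a tiny in-memory chat-message store with two handlers.
The vulnerable handler returns whatever id is requested; the hardened handler
looks the object up and then enforces that the requester owns it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str   # account that is allowed to read this message
    body: str


# Constructed sample data. Sequential ids are typical, and are exactly what
# makes a missing authorization check exploitable: every id is guessable.
MESSAGES = {
    1: Message(1, "alice", "status update"),
    2: Message(2, "bob", "private note"),
    3: Message(3, "bob", "another private note"),
}


class Forbidden(Exception):
    """Raised when the requester may not access the requested object."""


def get_message_vulnerable(requester: str, msg_id: int) -> Message:
    """IDOR: the caller is authenticated (we know who `requester` is) but the
    handler never checks the relationship between requester and object."""
    try:
        return MESSAGES[msg_id]
    except KeyError:
        raise LookupError(msg_id)


def get_message_hardened(requester: str, msg_id: int) -> Message:
    """Fetch the object, then verify ownership before returning it.

    Returning the same error for 'does not exist' and 'not yours' also avoids
    confirming which ids exist to a caller who is probing.
    """
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != requester:
        raise Forbidden(f"message {msg_id} not accessible to {requester}")
    return msg


def readable_ids(handler, requester: str) -> list[int]:
    """Authorization test: which stored ids does `handler` let `requester` read?

    A developer can run this against each handler with a low-privilege account
    to confirm that it sees only its own objects.
    """
    visible = []
    for msg_id in MESSAGES:
        try:
            handler(requester, msg_id)
            visible.append(msg_id)
        except (Forbidden, LookupError):
            pass
    return visible


if __name__ == "__main__":
    print("vulnerable:", readable_ids(get_message_vulnerable, "alice"))  # [1, 2, 3]
    print("hardened:  ", readable_ids(get_message_hardened, "alice"))    # [1]
```

The fix is the one-line ownership check in `get_message_hardened`; the `readable_ids` helper is the kind of per-account authorization test that catches the missing check before an outsider does.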

The researcher told TechCrunch that two of the victims were small companies, while the other four were cryptocurrency firms, two of which are considered “unicorns” (startups valued at over $1 billion), though he declined to name the companies.

He added that none of the companies he notified had publicly disclosed security incidents, and he did not rule out disclosing the names of those companies in the future.

The FBI and other government agencies have long urged ransomware victims not to pay ransoms to hackers to prevent malicious actors from profiting from cyberattacks. But that advice offers few remedies for companies that need to regain access to their data or are unable to operate.

Law enforcement has had varying degrees of success in targeting ransomware gangs to seize their troves of decryption keys and cut off the cybercriminals’ illicit sources of income.

Research shows that ransomware gangs can be susceptible to many of the same common security issues as large companies, giving law enforcement the potential to target hackers who are far beyond the reach of their jurisdictions.