A security researcher exploited rookie security flaws in the web infrastructure used by ransomware gangs to help six companies avoid paying hefty ransoms. Two companies received decryption keys without payment, while four others were alerted before their files could be encrypted.
Vangelis Stykas’ Research Project
Objective:
Vangelis Stykas, CTO at Atropos.ai, conducted a research project to identify vulnerabilities in the command-and-control servers of over 100 ransomware groups. The goal was to uncover flaws that could expose the gangs’ operations and their victims.
Exploiting Simple Vulnerabilities
Findings:
Stykas discovered several basic vulnerabilities in the web dashboards of at least three gangs. These flaws allowed him to compromise their operations, including extracting information about ongoing attacks and accessing decryption keys.
Exposing Ransomware Gangs’ Infrastructure
Tactics:
Ransomware gangs typically operate on the dark web, making it challenging to trace their real-world servers. However, coding errors in their leak sites exposed IP addresses and other critical information, allowing Stykas to trace their locations and access internal data.
Specific Vulnerabilities Identified
Examples:
The Everest gang used a default password for its SQL databases, while BlackCat exposed API endpoints that revealed attack targets. Stykas also exploited an insecure direct object reference (IDOR) to read chat messages belonging to a Mallox administrator, which led to the recovery of decryption keys.
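To make the IDOR class concrete, here is an added illustration (not code from the article, from Stykas, or from any of the gangs named above) of a chat-message lookup that trusts a client-supplied id, next to the same lookup with an object-level ownership check. The message table, account names and handler names are constructed for the example; the enumeration helper shows how an attacker sweeps ids to find records that leak.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample data (hypothetical): a tiny in-memory "chat" table standing in
# for the victim/operator messaging a leak-site backend might store.
@dataclass(frozen=True)
class Message:
    id: int
    owner: str   # the account that is allowed to read this message
    body: str

MESSAGES = {
    1: Message(1, "victim-a", "We can pay, send the wallet address"),
    2: Message(2, "victim-a", "Decryptor received"),
    3: Message(3, "admin", "Decryption key for the other victim attached"),
    4: Message(4, "victim-b", "Is the key still valid?"),
}

def get_message_vulnerable(session_user: str, message_id: int) -> Optional[Message]:
    """IDOR: the handler looks up whatever id the client sent and never checks
    that session_user owns the record, so any logged-in user can read any message."""
    return MESSAGES.get(message_id)

def get_message_hardened(session_user: str, message_id: int) -> Optional[Message]:
    """Same lookup with object-level authorization: the message is returned only
    if the authenticated user owns it. Missing and foreign ids both yield None so
    the response does not reveal whether a given id exists."""
    msg = MESSAGES.get(message_id)
    if msg is None or msg.owner != session_user:
        return None
    return msg

def enumerate_leak(handler: Callable[[str, int], Optional[Message]],
                   session_user: str, ids: Iterable[int]) -> List[int]:
    """Sweep a range of ids the way an attacker would and return the ids whose
    messages belong to someone other than session_user."""
    leaked = []
    for mid in ids:
        msg = handler(session_user, mid)
        if msg is not None and msg.owner != session_user:
            leaked.append(mid)
    return leaked

if __name__ == "__main__":
    # Logged in as victim-a, sweep ids 1..9 against both handlers.
    print("vulnerable leaks:", enumerate_leak(get_message_vulnerable, "victim-a", range(1, 10)))
    print("hardened leaks:  ", enumerate_leak(get_message_hardened, "victim-a", range(1, 10)))
```

The fix is the ownership comparison, not obscuring the ids: sequential integer ids are only a symptom, and switching to random identifiers without the check still leaves every record readable to anyone who learns or guesses an id.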
Impact on Victims
Results:
The researcher’s efforts prevented attacks on four crypto companies, including two unicorns. He also helped two small businesses recover their data without paying the ransom. None of the companies have publicly disclosed the incidents, and Stykas has not ruled out revealing their identities in the future.
Implications for Law Enforcement
Law Enforcement Challenges:
The FBI and other authorities advise against paying ransoms but offer limited options for recovering data. Stykas’ research highlights how simple security flaws in ransomware operations can be exploited, potentially giving law enforcement a way to target cybercriminals who operate beyond their jurisdiction.
Lessons from the Research
Broader Insights:
The findings demonstrate that ransomware gangs can suffer from the same basic security issues as large companies, providing opportunities for disrupting their operations and preventing them from profiting from cyberattacks.