Ransomware Gangs’ Web Flaws Helped Save Companies from Paying Ransom

Ransomware attacks have become a growing concern for businesses around the world, with cybercriminals targeting organizations of all sizes and industries. However, a recent discovery by security researcher Vangelis Stykas has shed light on potential vulnerabilities within the ransomware gangs themselves, ultimately saving six companies from paying hefty ransoms.

Stykas, the CTO of Atropos.ai, embarked on a research project to uncover the command and control servers used by over 100 ransomware and extortion-focused groups. His goal was to identify flaws in their web infrastructure that could expose information about the gangs and their victims. What he discovered was a series of simple vulnerabilities within the web dashboards used by three ransomware gangs, which allowed him to compromise their operations.

Typically, ransomware gangs hide their identities and operations on the dark web, making it difficult for authorities to trace their real-world servers. However, coding errors and security bugs in the leak sites used by these gangs to extort their victims provided Stykas with a window into their activities. These bugs exposed the IP addresses of the leak site’s servers, enabling Stykas to trace their real-world locations.

Among the vulnerabilities discovered, Stykas found that the Everest ransomware gang was using a default password for its back-end SQL databases, exposing its file directories. Additionally, the BlackCat ransomware gang had exposed API endpoints that revealed the targets of its attacks in real time.

In one instance, Stykas exploited an insecure direct object reference (IDOR) bug to access the chat messages of a Mallox ransomware administrator. Within these messages, he discovered two decryption keys which he then shared with the affected companies.

While Stykas did not disclose the names of the companies, he revealed that two of the victims were small businesses, and the other four were crypto companies, including two considered unicorns with valuations over $1 billion. He noted that none of the companies have publicly disclosed the security incidents but did not rule out the possibility of disclosing their names in the future.

The FBI and other government authorities have long advised against paying ransoms to hackers, as it only fuels their illegal activities. However, this advice offers little solace to companies in desperate need of regaining access to their data. Stykas’ research highlights the potential for law enforcement to target ransomware gangs by exploiting their own security flaws, ultimately disrupting their operations and preventing them from profiting.

Law enforcement agencies have had some success in compromising ransomware gangs to obtain decryption keys and cut off their revenue streams. While there are challenges in prosecuting cybercriminals operating outside of jurisdictional reach, the vulnerabilities discovered by Stykas provide a potential avenue for targeting these criminals.

The research serves as a reminder that even big companies and criminal hackers can fall victim to simple security issues. By identifying and exploiting these flaws, researchers like Stykas can play a crucial role in protecting organizations from ransomware attacks and disrupting the operations of cybercriminals.