Six companies have avoided paying potentially costly ransoms thanks to new security flaws in web infrastructure used by a ransomware gang, security researchers say.
Two of the companies received decryption keys to decrypt their data without having to pay ransom to the cybercriminals, and the four hacked cryptocurrency companies were warned before the ransomware gang began encrypting files, marking a rare win for targeted victim organisations.
Vangelis Stikas, security researcher and chief technology officer at Atropos.ai, embarked on a research project to identify the command and control servers behind more than 100 ransomware and extortion groups and their data leak sites, with the goal of identifying flaws that could be used to uncover information about the gangs themselves, including their victims.
Speaking to TechCrunch on Thursday ahead of his talk at the Black Hat security conference in Las Vegas, Stikas told the outlet that he'd found several simple vulnerabilities in web dashboards used by at least three ransomware gangs that were enough to compromise the inner workings of the operations themselves.
Ransomware gangs typically hide their identities and activities on the dark web, an anonymous version of the web accessible through the Tor browser, making it difficult to pinpoint the location of the real-world servers they use for cyber attacks and to store stolen data.
But the leak sites that ransomware gangs use to publish stolen files and extort money from their victims contained coding errors and security bugs that allowed Stykus to peer inside and extract information about each operation without logging in. In some cases, the bugs also exposed the IP addresses of the leak site's servers, potentially making it possible to trace their actual location.
Among the bugs were the Everest ransomware gang's use of default passwords to access the backend SQL database, exposing file directories, and exposing API endpoints to expose the targeting of the BlackCat ransomware gang during ongoing attacks.
Stykas also said he used a bug called Insecure Direct Object Reference (IDOR) to crawl all of the chat messages of the Malox ransomware administrators, which contained two decryption keys, which Stykas shared with victim companies.
The researchers told TechCrunch that two of the victims were small or medium-sized businesses, while the remaining four were cryptocurrency-related companies, two of which are believed to be unicorns (startups valued at more than $1 billion), but declined to disclose the names of the companies.
He added that none of the companies he had reported to had made their security incidents public, and did not rule out the possibility of disclosing the names of the companies in the future.
The FBI and other government agencies have long urged ransomware victims not to pay hackers' ransoms to prevent them from profiting from cyberattacks, but that advice offers little relief for businesses that need to regain access to their data or are unable to operate.
Law enforcement agencies have had some success in infiltrating ransomware rings and obtaining banks of decryption keys, cutting off cybercriminals' illicit revenue streams, but results have been mixed.
Research has shown that ransomware gangs are susceptible to the same simple security issues as larger companies, potentially allowing law enforcement to target criminal hackers outside of their jurisdiction.