Uncovering ransomware gangs’ dark web domains

Several publicly hosted TOR hidden services leveraged by ransomware groups including infrastructure linked to the Snatch, Nokoyawa, Quantum, and DarkAngels ransomware gangs have been uncovered by Cisco Talos researchers, reports The Hacker News. Despite being known to use the dark web to evade detection, ransomware gangs were discovered to have utilized public IP addresses for hosting dark web infrastructure, according to a Cisco Talos study. "The methods we used to identify the public internet IPs involved matching threat actors' [self-signed] TLS certificate serial numbers and page elements with those indexed on the public internet," said researcher Paul Eubanks. The report also showed ransomware domain de-anonymization by checking darknet site-linked favicons on Shodan and other public internet web crawlers, with researchers finding that the novel Nokoyawa ransomware strain involved the use of a TOR hidden service with a directory traversal flaw allowing access to the user login-capturing file. The findings suggest that leak sites could be leveraged for securing login locations for ransomware server management.