Red Teaming

9 min read

Why Everyone’s Talking about Ransomware on the Dark Web

The Dark Web is the greatest source of ransomware. Learn all about this mysterious world.

KimCrawley avatar

KimCrawley,
Jun 28
2021

Ransomware is some of the nastiest malware around. When it infects a computer, it encrypts its files with a key that’s unavailable to the computer’s owner. A ransom note will appear in a text file, a local webpage, or by some other means. The ransom note will say something to the effect of “We encrypted your files! If you want them back, send this large amount of cryptocurrency to this address.”

I worked in remote tech support in the years before Bitcoin was invented. In the 2000s, ransomware typically targeted Windows consumer PCs. And as cryptocurrencies weren’t around yet, they would demand a credit card number instead. Several times per day, my coworkers and I had to beg customers to not enter their credit card number. “But I just want my computer back!” customers would cry.

 

What you must know about ransomware

If it can possibly be avoided, it’s best to avoid paying a ransom to a cybercriminal. Occasionally paying a ransom won’t get your files decrypted, cybercriminals will just take your money and run. Most of the time, paying the ransom will get your files decrypted. But then you’re showing cyber crime groups that ransomware is a profitable business.

To avoid harm to your business from ransomware attacks, it’s best to security harden your computer endpoints, backup your crucial files to an external device, and be aware of how to avoid phishing attacks. If you keep good backups, you can restore your encrypted files without paying a ransom to a cybercriminal. Some antivirus companies are able to develop decryptors for certain strains of ransomware. Also, if you have Windows client or server computers, disable or closely monitor your RDP port! That’s a common vector for ransomware in Windows. Ransomware also targets MacOS, Linux, and other operating systems. We also strongly advise you to be careful about which email links or attachments, or websites you click on. Ransomware often infects a machine through phishing attacks, where a cybercriminal pretends to be a trusted party, such as your bank or Amazon. Explore our HTB Academy modules on Hacking WordPress, File Inclusion/Directory Traversal and SQLmap Essentials, and you can learn how an attacker may exploit  web applications to install malware. 

Ordinary consumers used to be the primary target of ransomware attacks. But in the past several years, there’s been a major shift. Now businesses, institutions, and enterprises are much more likely to be targeted by ransomware. It’s easy to understand why. A person at home may only pay a $100 ransom. But a hospital, power plant, or public school system may be able to pay a much larger ransom. Sometimes larger companies can face ransoms in the millions of dollars! Cybercriminals quickly learned who the more profitable targets are.

 

Ransomware and the DarkSide group

Ransomware is now one of the most common destructive cyber attacks that businesses and enterprises face every day. And newer ransomware attacks not only maliciously encrypt data, they also threaten to leak sensitive data to the public. So even if you can restore from your backups or crack the ransomware’s encryption yourself, you’ll be coerced into paying the ransom to protect your organization’s privacy and security. The recent Colonial Pipeline attack in the United States is illustrative of this trend. It was executed by DarkSide, a cyber crime group that was formed in 2020. From CNN:

“DarkSide runs what is effectively a ‘ransomware-as-a-service’ business. It develops tools that help other criminal ‘affiliates’ carry out ransomware attacks, wherein an organization's data is stolen and its computers locked, so victims must pay to regain access to their network and prevent the release of sensitive information. When affiliates carry out an attack, DarkSide gets a cut of the profit. (In the Colonial case, it's not clear whether the attack was from DarkSide or an affiliate.) 

‘It sounds a lot like a business, and ultimately, that's because it is,’ said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security. ‘A lot of these ransomware groups have customer service, they have chat support... all of these different mechanisms that you would see in a normal business.

After the Colonial shutdown, DarkSide said on its website that it is a ‘profit motivated’ entity and not a political organization. And several experts said they don't think DarkSide intended to cause such a debacle.”

 

Let’s explore the Dark Web

Cyber crime businesses like DarkSide largely operate through the Dark Web. What is the Dark Web, you may ask? The Dark Web is the parts of the web that are only accessible through encrypted proxy networks, namely Tor and I2P. You may explore the Dark Web yourself by installing Tor Browser or I2P Browser and see what you can find. In most countries, accessing the Dark Web is completely legal. No crime is committed unless you do something on the Dark Web that would also be illegal offline. These proxy networks were developed partly by American government. Namely, Tor was developed by people who worked at the United States Naval Research Laboratory. The Tor and I2P networks facilitate encrypted, anonymized internet communications for a variety of purposes, both good and bad.

Illustration of warning signs.

But inevitably, it’s the anonymized nature of these networks which incidentally facilitates cyber crime. Tor is used for many Dark Web markets. Dark Web markets work very much like eBay, but for illegal goods and services. Anyone who sets up an account can buy or sell items with cryptocurrency. Vendors and customers develop a reputation on a Dark Web market based on how honest people have found them to be. If you say you’re selling malware, but you’re actually just selling non-malicious Windows applications, your reputation as a vendor will likely take a blow.

Once you’ve installed Tor Browser on your phone, laptop, or desktop computer, I recommend visiting my favorite source of Dark Web links, Darkfail at darkfailllnkf4vf.onion. You can access anywhere on the “clearnet” web through Tor Browser, including this blog page. But that Darkfail link will only work in Tor Browser. The reason why Darkfail is useful is because Dark Web markets and forums change addresses constantly, mainly to evade law enforcement. I need to visit Darkfail if I want an address that will work for a particular Dark Web site on that particular day. If you’re an adult, feel free to take a look at any Dark Web market or forum that strikes your fancy. Do what I do and just look at what’s there without doing anything illegal. You’ll be amazed by all the evidence of cyber crime that you’ll find there.

It’s possible to buy multiple varieties of ransomware through Dark Web markets such as White House Market and ToRReZ Market. 

On the Tor network, the Dread forum is equivalent to Reddit. There are “subdreads” full of useful cyber crime information, and communication between cybercriminals. A lot of the “subdreads” are completely innocuous too, about video games and stuff like that. 

The DarkSide cyber crime group largely communicated through the Russian XSS forum. I couldn’t find the XSS forum on Darkfail. But I also have a favorite Dark Web search engine - ahmia.fi. Although it’s a search engine for the Dark Web, it’s accessible through any web browser. But the Dark Web links will need Tor Browser or I2P to open. (How can you tell whether or not a website needs Tor or I2P? It’s easy! Tor sites use the .onion top level domain, I2P sites use the .i2p top level domain, and sites with any other top level domain can be opened in an ordinary web browser.)

I found XSS through ahmia.fi, but then my inability to understand Russian made it impossible for me to use. But no worries, because I found some information on the English language Dread forum! On May 18th, a user posted this on d/CafeDread:

 

“Earlier, the administration of the XSS site announced a ban on topics related to ransomware.

The team of the largest cybercriminal forum Exploit has decided to ban topics related to ransomware, so as not to attract too much attention. Earlier this week, a similar decision and for the same reasons was made by the administration of the popular Russian-language site XSS.

We are glad to penetrate testers, specialists, coders. But they are not happy with lockers, they attract a lot of attention. The very type of activity is not pleasant to us in view of the fact that everything is located in a row, we do not consider it advisable to be present on our forum, partner programs of lockers. It was decided to remove all affiliate programs and prohibit them as a type of activity on our forum. All topics related to lockers will be removed,” reads a statement on the Exploit website.

“Operators of the ransomware have already expressed dissatisfaction with the decision of the administration of the forums. For example, representatives of the extortionist group REvil announced that they would ‘move’ to a private platform within a week.

In the same week it became known that the DarkSide group, responsible for the sensational attack on the American company Colonial Pipeline, which led to disruptions in the supply of fuel in part of the United States, lost access to part of the public infrastructure, including the blog, payment and CDN servers. The team also lost money stored on the payment server, which was transferred to an unknown address.”

Next time you hear about a major cyber crime group in the news, take a peek through my favorite corners of the Dark Web and see what you can find there.

 

Learn more with Hack The Box

In the meantime, Hack The Box has excellent resources and labs that can help you understand many cyber exploits.

Malware of all kinds, including ransomware, needs to find creative ways to evade antivirus detection. Traditional antivirus depends on detecting known strings that only appear in malware signatures, as Master hacker IppSec demonstrates a creative antivirus evasion technique here. Cybercriminals often spend a lot of time doing OSINT research on their corporate cyber attack targets. HTB Academy has an exciting module called OSINT: Corporate Recon which will show you how to research an enterprise target for possible vulnerabilities or compromised employee credentials that can facilitate the installation of ransomware, using only publicly available resources.

Hack The Blog

The latest news and updates, direct from Hack The Box