
Ransomware site bugs help six firms dodge ransom payments


Illustration: JMiks | Shutterstock

Six companies narrowly avoided costly ransom payments thanks to rookie mistakes made by the very ransomware gangs targeting them. The discovery, made by security researcher Vangelis Stykas, highlights the vulnerabilities within the web infrastructure of these cybercriminal organisations, showcasing that even sophisticated attackers are not immune to basic security flaws.

Two small businesses and four cryptocurrency firms, two valued at over $1 billion, were saved by Stykas’ actions. However, none of these companies have publicly acknowledged the incidents, a common occurrence as businesses seek to avoid reputational damage.

As first reported by TechCrunch, Stykas’s main aim was to analyse the command-and-control servers used by over 100 ransomware and extortion groups, looking for weaknesses that could potentially unmask these gangs and reveal information about their victims.

Stykas revealed that he discovered basic vulnerabilities in the web dashboards of at least three ransomware gangs, which allowed him to delve into their operations, disrupt their attacks, and save companies from financial ruin.

These vulnerabilities enabled Stykas to access internal information without logging in, providing a rare glimpse into the inner workings of these criminal organisations. In some cases, the flaws exposed the IP addresses of the leak sites, a critical piece of information that could lead to the physical locations of the servers.

Among the errors was the Everest ransomware gang’s use of a default password to protect its back-end SQL databases, effectively leaving the door open for anyone with the know-how to walk in.

Another group, BlackCat, inadvertently exposed API endpoints, revealing the details of their ongoing attacks.

Another significant finding was an insecure direct object reference (IDOR) flaw uncovered by the researcher. This vulnerability allowed unauthorised access to conversation records belonging to a Mallox ransomware operator.

Two decryption keys were discovered within these records. The researcher quickly provided these keys to the impacted organisations, helping them recover their encrypted data without submitting to ransom demands.
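To illustrate what an IDOR flaw of the kind described above looks like in code, and how an application prevents it, the following is an added example written for this piece. It is not code from the article, from the researcher, or from any of the sites mentioned; the conversation records, account names and ids in it are constructed for illustration. The vulnerable handler returns whatever record id it is handed; the fixed handler looks up the same record but checks that the requesting account owns it before returning anything, and treats missing and forbidden ids identically so the endpoint does not reveal which ids exist.

```python
"""Insecure direct object reference (IDOR): the vulnerable lookup beside its fix.

Constructed example. The record store, account names and record ids are made
up for illustration and are not taken from the article.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a requester asks for an object they are not allowed to see."""


@dataclass(frozen=True)
class Conversation:
    record_id: int
    owner: str   # account that created the conversation
    body: str


# Constructed sample data standing in for a "conversations" table.
CONVERSATIONS = {
    1: Conversation(1, "alice", "alice's private notes"),
    2: Conversation(2, "bob", "bob's private notes"),
    3: Conversation(3, "alice", "more of alice's notes"),
}


def get_conversation_idor(record_id: int) -> Conversation:
    """Vulnerable: trusts the id from the request and never asks who is
    requesting it, so any caller who can reach the route can read every
    record simply by changing the id."""
    return CONVERSATIONS[record_id]


def get_conversation(requester: str, record_id: int) -> Conversation:
    """Fixed: fetch the object, then check the requester's relationship to it
    before returning anything. Missing and forbidden ids raise the same error
    so the response does not leak which ids exist."""
    record = CONVERSATIONS.get(record_id)
    if record is None or record.owner != requester:
        raise AuthorizationError(f"conversation {record_id} not available")
    return record


def list_conversations(requester: str) -> list[int]:
    """Listings are scoped to the requester instead of exposing the table."""
    return sorted(r.record_id for r in CONVERSATIONS.values() if r.owner == requester)


def idor_audit(requester: str, candidate_ids) -> dict[str, list[int]]:
    """Defender-side regression check: for each id, compare what the unchecked
    handler would hand out with what the ownership-checked handler allows.
    Ids listed under 'leaked' are the IDOR exposure for this requester."""
    leaked, allowed = [], []
    for rid in candidate_ids:
        try:
            get_conversation(requester, rid)
            allowed.append(rid)
            continue
        except AuthorizationError:
            pass
        if rid in CONVERSATIONS:   # the unchecked handler would return it
            leaked.append(rid)
    return {"allowed": allowed, "leaked": leaked}


if __name__ == "__main__":
    # "bob" owns only record 2; records 1 and 3 are reachable via the
    # vulnerable handler and blocked by the fixed one.
    print(idor_audit("bob", range(1, 5)))
```

The important design point is that the authorization decision is made against the object that was fetched (its owner field), not against the id supplied by the caller; a check that only validates the id's format or range would still be an IDOR.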

While Stykas has not revealed the names of the companies involved, he has not ruled out the possibility of doing so in the future. This raises questions about the responsibility of companies to disclose such incidents, particularly when the potential for significant financial harm has been mitigated.

Law enforcement agencies have consistently discouraged ransom payments. However, in some instances, ransom payment is the only way out, and companies begrudgingly pay it. This new effort offers a glimmer of hope for victims of ransomware gangs and shows that it is possible to outsmart them.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
