Author: DarkOwl Content Team

RansomAWARE

August 15, 2023

With just a few keystrokes, a malicious actor can gain access to a network, determine the scope and worth of the information available, and then steal and encrypt the data, preventing access to it. Organizations have hopefully prepared themselves for these kinds of cyber incidents, known as ransomware attacks, by keeping an up-to-date system backup from which they can restore data and continue operations. Despite business continuity and planning advice, backups are still not routine, even though ransomware attacks have become common and popular over the past decade. Each year brings stealthier movement and larger impacts in the ransomware ecosystem.

Ransomware’s explosion has been sustained for years. As technology advances, so do the actors’ tactics, techniques, and procedures (TTPs). Heading towards the final quarter of the year, it is imperative to explore the 2023 mindset of ransomware actors: They are pursuing “target rich, cyber poor” industries that will make them money by selling data, exploiting the victims they target, the partners and third-party services linked to the victims, and infiltrating supply chains. While double-, triple-, and quadruple-extortion practices are still around, actors are also adapting their encryption processes to better emulate protective services such as anti-virus and file scanning software, blending in and raising no red flags for technical and cyber practitioners. This allows for a long-term, stealthy presence in networks, which facilitates lateral movement to collect as much information as possible.

Ransomware is quickly evolving, and it is imperative to pay attention to its trends and to get cyber practitioners, government, law enforcement (LE), Computer Emergency Response Teams (CERTs), and other collective bodies to take strides towards prevention and disruption of ransomware groups. With the use of artificial intelligence (AI) and the internet of things (IoT) growing, the attack surface is larger than ever and must be addressed. Public-private partnerships (PPP) are one of the most effective ways to share intelligence and indicators of compromise (IOCs) to combat ransomware as the holistic problem it is.

Key Findings:

  • 2023 ransomware profits are up as of the middle of the year 
  • This profit margin is expected to increase 
  • Multi-extortion layers and techniques are more common, and this is expected to continue throughout all ransomware operations 
  • As groups are caught by law enforcement or shut down to preemptively avoid legal actions, they are recruited into other groups and share expertise, tools, and TTPs 

2022 Compared to 2023

Ransomware is a cybercrime phenomenon impacting every industry, large and small. Additionally, there is a “hacktivist” angle to ransomware incidents, accompanying the criminal faction. Fringe groups are using the easily available ransomware as a service (RaaS) market to procure simple ransomware kits and then launch attacks. The 2022 Conti leaks showed the world that ransomware organizations are operating more like businesses than criminal groups, well-funded and organized. Furthermore, after Conti’s decline, more organizations are witnessing splinter groups and “copycat” actors working together to have a maximum impact spreading ransomware and gaining profit and data.

January 2023 saw the highest number of ransomware incidents ever reported for the month of January, with 33 reported incidents. The unreported incidents must also be considered: Organizations often choose to keep cyber incidents private, and malicious cyber actors don’t keep the most trustworthy stats and data. In July of 2023, data emerged demonstrating that 2023 is on track to be the most active ransomware year per reported incidents. According to some reviews, actors have already made about $450 million up to June 2023, and are on track to make approximately $900 million if the rate of attacks continues through the second half of the year.

Ransomware incidents are expected to continue at a high pace, especially as hacktivists all over the world side with their chosen nation, government, or ideology and then proceed with the intent to attack an organization that differs from the chosen ideology. This is in addition to technology trends like cloud computing and the IoT space increasing access points and the overall attack surface area, allowing malicious actors more opportunities to enter a network. Available payment data for 2023 also indicated that ransomware is the only criminal market that saw an increase in profit, while scamming, malware, and fraud operations all witnessed a decline in profit and revenue.

Changes in TTP: Extortion at Entry Level

Much like the cybersecurity industry changes and adapts to protect and defend, ransomware actors also change and adapt to remain effective and profitable. A focus on continued extortion techniques, higher profitability, and a surprising change to encryption practices all emerged in 2022 and 2023 and are expected to continue throughout 2023 and into 2024.

Traditional ransomware incidents involve unauthorized access to a system where actors steal sensitive data, encrypt it, and demand money from the victim for restored access. There is a new level of harassment implemented by ransomware actors, making their attacks multi-layered and more impactful: Extortion. 

Double, Triple, and Quadruple Extortion 

With double extortion, ransomware actors conduct a traditional attack and encrypt data. However, if an organization restores their data from a backup and does not pay the ransom, the actors then threaten to sell it on criminal forums, sell it through a bidding process, or permanently prevent access to the stolen data if there is no payment. This way, the reputation of the organization still suffers when it is revealed there was a security incident. Actors demand payment to keep quiet about the incidents if the organization can salvage data access on their own. 

As of June 2023, the 8base ransomware gang operated a prolific double extortion ransomware campaign. They listed victims from the legal, pharmaceutical, medical, agricultural, and many other sectors on their website:

Figure 1: Source: 8base ransomware’s onion site

Demonstrating the continued organizational efforts of ransomware groups, 8base also offers their contact information, a FAQ section, and a detailed rule section for their victims. This continues to prove the developing professional and organizational caliber of ransomware groups, which was previously revealed as Conti’s efforts and business acumen was detailed in 2022: 

Figure 2: Source: 8base ransomware’s onion site
Figure 3: Source: 8base ransomware’s onion site

8base’s operations reveal another trend: A pivot from operations that procure only personally identifiable information (PII) to going after blueprints, sensitive documents describing the physical layouts of buildings, and documents related to critical infrastructure and key resources (CI/KR). Ransomware is no longer just about getting and selling PII; now, more sensitive documents are stolen and sold on DDW forums. This is a hybrid security issue, both physical and digital. Ransomware gang Cl0p, who has made headlines in 2023 for penetrating hundreds of organizations, is also a prolific double extortion group.

With triple extortion, the same process occurs as above, with the added threat (the third layer of extortion) of a distributed denial of service (DDoS) attack on top of the ransomware threat. The DDoS ensures an extra level of chaos and denial of services while sensitive data is also stolen and encrypted. Ransomware groups Killnet, Avaddon, and Darkside are some examples of triple extortion ransomware operators. Extortion became quite popular during the Covid-19 pandemic, and criminal forums on the dark web started to sell and offer extortion services and software to further ransomware operations.

A 2022 post on criminal market XSS offers triple extortion software for purchase: 

Figure 4: Source: DarkOwl Vision UI

Quadruple extortion entails everything above, with the addition that ransomware actors threaten to directly contact partners or other customers of the organization, threatening the reputation as well as adding the risk of legal action against the entity that was breached. BlackCat and the now defunct DarkSide ransomware gangs were some of the noted users of quadruple extortion in their operations. 

Stealers, RATs, and Ransomware 

Infostealers take information from web browsers, chat platforms, email clients, cryptocurrency wallets, and other applications. Similar to ransomware, they have exploded in popularity in the criminal underground. Like all malware, infostealers vary in capability but focus on procuring large volumes of personal data to sell, use, and reuse in malicious operations.

RedEnergy, a new Stealer-as-a-Ransomware technology, steals information from various web browsers while also facilitating ransomware activities. The entities behind RedEnergy use publicly available LinkedIn pages to target the oil, gas, and telecom sectors. After users click on a link that they expect to provide a typical browser update, RedEnergy exfiltrates data over FTP, and then encrypts the data and demands a ransom payment.

The combination of stealers and ransomware follows a similar combination of RATs and ransomware, which emerged in the wild in 2022. A September 2022 post on criminal market AlphaBay discusses how a RAT can be used as a triple threat in cyber operations: 

Figure 5: Source: DarkOwl Vision UI

A June 2023 post on criminal market XSS details the use of ShadowVault stealer, which specifically targets Mac operating systems and can be used in Chrome, Edge, Brave, and other browsers:  

Figure 6: Source: DarkOwl Vision UI

Cybercriminals are constantly evolving and combining malicious tools to procure as much information as possible from organizations while then attaching reputational damage onto the end of their operations by subjecting their victims to ransomware. The criminal underground forums facilitate the combination of tools and the advanced implementation of criminal processes to impart maximum damage to victims. 

As of July 2023, the financially motivated cybercrime group FIN8, active since 2016, is now using variants of ransomware in its activities. FIN8 originally targeted point-of-sale (PoS) systems using malware specific to PoS theft in the retail, restaurant, entertainment, and hospitality industries. Now, however, researchers have identified backdoors purportedly authored by FIN8. This combination of a general cybercrime group’s TTPs with ransomware demonstrates that FIN8 is dedicated to maximizing their impact and profit. They also show a continued dedication to remaining undetected and to updating and authoring their customized tools, all while dabbling in ransomware.

A Club IO post from September 2022, detailing FIN8’s possession of White Rabbit ransomware: 

Figure 7: Source: DarkOwl Vision UI

Reduction in Using Encryption 

Actors proficient in ransomware also know that encryption is a time-consuming process. Both encrypting the stolen data and then decrypting it, if and when the victim chooses to pay, are costly in resources and slow the flow of operations. For this reason, some ransomware groups are now practicing intermittent encryption, where only small portions of a file, rather than the whole file, are encrypted. Encrypting only select portions also helps evade security tools on a network. When only parts of a file are encrypted, the activity emulates legitimate software behaviour, and there are no flags or processes on the network that stop it. In some instances, ransomware groups have completely forgone encryption. Karakurt, who emerged from Conti after the latter disbanded, commonly operates this way.
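To make the evasion described above concrete, here is an added example (not DarkOwl’s code, nor any ransomware family’s): a constructed document in which only every other block is encrypted, scored first with a whole-file entropy check and then with a sliding-window check. The block size, the entropy thresholds and the sample document are assumptions chosen for illustration.

```python
"""
Why intermittent encryption slips past a whole-file entropy check, and how a
windowed check still catches it. Constructed sample: a low-entropy "document"
in which a simulated ransomware routine encrypts every other 1 KiB block
(XOR with a random keystream stands in for the real cipher). Whole-file
entropy lands in a middle range that looks like ordinary compressed content;
a sliding window exposes the alternation of near-8-bit and low-entropy blocks.
"""
import math
import os
from collections import Counter

BLOCK = 1024  # assumed window/block size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) using the plug-in estimator."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_plaintext(n_blocks: int) -> bytes:
    """Constructed low-entropy document: one sentence repeated to n_blocks."""
    line = b"Quarterly report: revenue flat, costs down, headcount stable.\n"
    return (line * (n_blocks * BLOCK // len(line) + 1))[: n_blocks * BLOCK]


def intermittent_encrypt(data: bytes, every: int = 2) -> bytes:
    """Simulate intermittent encryption: XOR every `every`-th block with a
    random keystream, leaving the other blocks untouched (every=1 encrypts all)."""
    out = bytearray(data)
    for start in range(0, len(data), BLOCK):
        if (start // BLOCK) % every == 0:
            ks = os.urandom(BLOCK)
            for i in range(start, min(start + BLOCK, len(data))):
                out[i] ^= ks[i - start]
    return bytes(out)


def windowed_entropy(data: bytes, window: int = BLOCK) -> list:
    """Entropy of each consecutive window; the profile a file scanner would keep."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(data: bytes, high: float = 7.5, low: float = 5.0) -> dict:
    """Compare the single whole-file number with the windowed profile.
    A file that alternates between high- and low-entropy windows is flagged as
    an intermittent-encryption suspect, which the whole-file value alone hides."""
    whole = shannon_entropy(data)
    profile = windowed_entropy(data)
    n_high = sum(1 for e in profile if e >= high)
    n_low = sum(1 for e in profile if e <= low)
    transitions, prev = 0, None
    for e in profile:
        state = "H" if e >= high else ("L" if e <= low else None)
        if state and prev and state != prev:
            transitions += 1
        if state:
            prev = state
    if n_high and n_low and transitions >= 2:
        verdict = "intermittent-encryption-suspect"
    elif n_high == len(profile):
        verdict = "fully-encrypted-suspect"
    else:
        verdict = "benign-looking"
    return {
        "whole_file_entropy": round(whole, 2),
        "high_windows": n_high,
        "low_windows": n_low,
        "transitions": transitions,
        "verdict": verdict,
    }


if __name__ == "__main__":
    doc = build_plaintext(16)
    for label, sample in (("plaintext", doc),
                          ("intermittent", intermittent_encrypt(doc, every=2)),
                          ("fully encrypted", intermittent_encrypt(doc, every=1))):
        print(f"{label:16s} {classify(sample)}")
```

The whole-file entropy of the intermittently encrypted sample sits between the plaintext and the fully encrypted case, which is why a single-threshold scanner passes it; the window profile is what separates the two.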

Future Predictions 

When the pro-Russia Conti ransomware group suffered a leak in 2022, it revealed an organized group of actors operating very much like a business. Emerging ransomware groups are following this business-plan setup, establishing organized points of contact, liaisons between ransomware group operators and victims, authoring rules of engagement, and working within stringent timelines. Researchers and everyone in cybersecurity were able to learn from the leaks and inform future cybersecurity tools, processes, and potentials. 

Conti’s internal chats, leaked by a disgruntled employee, revealed a professional setup replete with: 

  • Interviews to hire the right personnel 
  • Russian government involvement and funding 
  • Feature developments (for both deploying and improving their ransomware’s effectiveness) 
  • A control panel for monitoring Conti operations, victims, and payment status 
  • Templates for phishing emails to use in operations 

Not only are ransomware actors setting up formal, almost corporate-like operations, but they are also recruiting from now-defunct groups, as well as sharing TTPs with one another to help maximize the impact of their operations. Furthermore, there are segregated “branches” of ransomware. For example, some researchers and analysts deem Karakurt the “extortion” arm of ransomware, as that is Karakurt’s specialty.

In addition to ransomware operations continuing to focus on stolen personal information and data, automation and the advent of artificial intelligence (AI) are both expected to help ransomware groups further streamline their activities. Several ransomware groups already use scripts and automation to scan for vulnerabilities and entry points to a network; this allows ransomware efforts with few personnel and minimal resources to identify appropriate targets which can easily be made into victims and earn them revenue with an attack.

Ransomware groups are also branching out from focusing purely on Windows operating systems and moving towards attacking Linux-based systems. This demonstrates a new sophistication when outlining attacks and identifying potential victims. Now that Linux-based operating systems are in the crosshairs, attacks can extend to both IoT and container orchestration platforms, such as Kubernetes, greatly expanding the attack surface.

Conclusion

Ransomware is an efficient criminal operation yielding high profit for minimal work. Due to pseudonymous technology, using the dark web for ransomware operations and cryptocurrency for payments, as well as email and VPN services that do not track physical location, ransomware groups will continue their activities because the risk of punishment is minimal and the operations are profitable. The lack of prosecution coupled with the increase of the attack surface ensures continuous and robust ransomware operations. Critical infrastructure, academic, technology, and government sectors must all raise awareness and assist in protection from ongoing ransomware campaigns.



Examination of the Darknet Exposure of Top Supply Chain Technology Vendors

August 2023

Using DarkOwl’s leading darknet data product, Vision UI, DarkOwl analysts were able to search across the darknet and darknet adjacent sites to uncover and examine the darknet exposure of five top supply chain vendors. Supply chain attacks, also referred to as value-chain or third-party attacks, are industry-agnostic cybersecurity attacks that cause damage and destruction to an organization when an outside partner or provider compromises less secure elements in the organization’s supply chain. Vision UI provides the largest commercially available source of darknet data, allowing for powerful querying capabilities to search, monitor and create alerts for critical infrastructure. Outlined in this report are the findings of this research.



Darknet Services Reports: What Do Our Expert Analysts Do?

August 03, 2023

DarkOwl Darknet Services

The darknet is used by a wide range of groups and individuals but is most well-known for its use by threat actors. The darknet is a haven for illicit activities, many of which can pose a direct threat to organizations and individuals: stolen data is made available for purchase, illicit goods and hacking services are offered, and forums are used to discuss all manner of topics, from extremism to CSAM to hacking practices and education.

For individuals who are not familiar with traversing the darknet, it can be a daunting task to search for threats and risks to an organization. DarkOwl’s team of expert analysts are able to conduct these investigations on behalf of customers, identifying mentions of organizations as well as data relating to them that may be exposed. Our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence.

The below example reports are samples of what the analyst team researches and reports on for darknet services clients.

Binge-O-Rama Darknet Exposure

Here we provide a sample report of an exposure analysis from the darknet, demonstrating the types of information that can be found, with analyst comments. This is a fictional report created for example purposes only; the company name is fabricated, and any information relating to real organizations or entities is redacted or unintentional. Any similarities to real entities are purely coincidental.

Threat Actor Analysis: SiegedSec

The darknet is a breeding ground for emerging threats, providing insights into evolving techniques, vulnerabilities, and attack vectors. Darknet data assists in identifying key individuals involved in cybercriminal activities, tracking their digital footprints, and uncovering connections to other criminal acts. This information aids in the apprehension of criminals, the disruption of illicit operations, and the prevention of future crimes. It can also assist organizations in understanding the threats that are posed to them by appreciating the motivations that threat actors have and who they are targeting and for what reasons.

DarkOwl analysts regularly conduct in-depth research into prominent threat actors and their operations. As part of DarkOwl’s Darknet Services, we can provide summaries of threat actors’ activities, their digital footprint, and their targets.

Here we provide a sample report examining recent activity by the group SiegedSec. You can also check our threat actor spotlight blog on SiegedSec here.



Threat Intelligence RoundUp: July

August 01, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets – The Hacker News

Cybercrime and cybercriminals continue to evolve and get more creative. In early July, researchers found a newly created Windows-based information stealer going by the name of Meduza Stealer that is designed to evade detection by security software. Read full article.

2. Beware of Big Head Ransomware: Spreading Through Fake Windows Updates – The Hacker News

One new developing piece of malware, Big Head, is being used to trick Windows users into installing an update while encrypting files on the victim’s computer. The majority of victims have been in the U.S., Spain, France, and Turkey. It deploys three encrypted binaries, with the “archive[.]exe” binary allowing for communications over Telegram. Read more.

3. BlackCat ransomware pushed Cobalt Strike via WinSCP search ads – Bleeping Computer

The ransomware group “BlackCat” (aka ALPHV) has been found running malvertising campaigns. They try to get their victims to click on fake pages that look nearly identical to the real WinSCP file-transfer application for Windows and then push their malware. Their goal is to make IT professionals and admins their victims so they can then gain access to corporate networks. Learn more.

4. Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX – The Hacker News

In early July, a Chinese nation-state group was found targeting European foreign affairs ministries and embassies with HTML smuggling techniques (given the name SmugX). Their goal was to deliver the PlugX remote access trojan to compromised systems. Read full article.

5. Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware – The Hacker News

The China-linked nation-state actor APT41 (aka Axiom, Blackfly, Brass Typhoon, Bronze Atlas, HOODOO, Wicked Panda, and Winnti) is known for their strains of Android spyware called WyrmSpy and DragonEgg. They have been active since 2007 and are known to conduct intellectual property theft. Read more.

6. Deutsche Bank confirms provider breach exposed customer data – Bleeping Computer

On July 11, Deutsche Bank confirmed that one of their services providers had experienced a data breach that exposed customers’ data – likely a MOVEit Transfer data-theft attack, related to CL0P’s ransomware wave of MOVEit attacks. Read full article.

7. HCA confirms breach after hacker steals data of 11 million patients – Bleeping Computer

HCA Healthcare stated that they experienced a data breach which affected 11 million patients. A threat actor leaked samples of the stolen data on a hacking forum and began selling the data of patient records that had been created between 2001 and 2003. Read more.



Darknet Services

Accessing and analyzing data from the darknet is challenging, even for the most experienced of analysts. DarkOwl is the darknet expert, with access to the largest database of darknet and darknet adjacent content. Our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence. Let us be an extension of your team.



Introducing DarkOwl’s Cutting-Edge Darknet Services: Unveiling Actionable Darknet Threat Intelligence

July 31, 2023

DarkOwl, a leading provider of darknet data solutions, is thrilled to announce the launch of its Darknet Services, empowering organizations to advance their darknet investigations and monitoring with DarkOwl analyst expertise.

DarkOwl’s Darknet Services offer customizable, tailored, expert analyst support to enrich darknet data and provide customers with investigative reconnaissance, darknet monitoring, data acquisition and brand protection.

Key features and benefits of DarkOwl’s Darknet Services include:

  • Comprehensive Darknet Visibility: DarkOwl’s extensive monitoring infrastructure constantly scans and indexes darknet, deep web, and high-risk surface net data, ensuring comprehensive visibility into evolving threats and malicious activity.
  • Actionable Threat Intelligence: Leveraging machine learning and human analyst expertise, DarkOwl transforms raw data into actionable intelligence, providing organizations with precise insights to identify emerging threats, assess risks, and enhance their cybersecurity posture.
  • Darknet Investigation Support: DarkOwl’s expert analysts offer enhanced support to organizations in investigating incidents related to the deep and darknet, providing critical insights into threat actors, their tactics, and potential vulnerabilities to a company, VIP or brand.

Mark Turnage, CEO of DarkOwl states, “We are excited to introduce Darknet Services, which marks a significant milestone for DarkOwl and the darknet threat intelligence community. With Darknet Services, businesses can now gain a deeper understanding of the darknet landscape, arming them with invaluable insights that can help prevent devastating attacks and inform decisions to safeguard their digital assets.”


To learn more about DarkOwl’s Darknet Services and request a demo, please visit www.darkowl.com/products/darknet-services/

The Darknet Unveiled: Unlocking the Importance of Darknet Data in OSINT Investigations

July 26, 2023

The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. In this blog post, we will delve into the importance of darknet data in OSINT investigations and how it expands the scope of information available to researchers and analysts.

OSINT 101

OSINT allows access to a vast amount of openly available information from diverse sources such as social media platforms, news articles, blogs, public records, academic publications, and more. This wealth of information provides investigators, researchers, and analysts with a comprehensive understanding of a particular subject, individual, or organization. By harnessing OSINT techniques, one can obtain valuable insights, uncover patterns, and make connections that might have otherwise remained hidden. DarkOwl analysts are able to combine the power of traditional OSINT investigations with darknet intelligence providing organizations with a more robust picture to help them protect themselves in the cyber landscape.

Darknet 101

The darknet, also referred to as the dark web, is a layer of the internet designed specifically for anonymity. It is more difficult to access than the surface web or the deep web and is accessible only via specialized software or network proxies – specifically, browsers supporting special protocols. Users cannot access the darknet by simply typing a dark web address into a standard web browser. Adjacent to the darknet are other networks, such as instant messaging platforms like Telegram and the deep web (the non-public web).

Due to its inherently anonymous and privacy-centric nature, the darknet facilitates a complex ecosystem of cybercrime and illicit goods and services trade. The dark web is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into security posture. Still, it is an increasingly vital component for organizations with forward-thinking strategies.

Why Incorporate Darknet Data into OSINT Investigations?

As stated, the darknet serves as a sanctuary for illicit activities, providing a veil of anonymity for cybercriminals, hackers, and individuals seeking to engage in nefarious endeavors. OSINT investigations that incorporate darknet data can unveil hidden information, shed light on illicit operations, and expose criminal networks. By venturing into the darknet, investigators can access forums, marketplaces, and communication channels used by cybercriminals. This enables the collection of valuable intelligence related to cyberattacks, data breaches, drug trafficking, human trafficking, money laundering, and other illicit activities.

However, investigators need to have access to the right sites, with many requiring high levels of authentication and the need to interact with threat actors. Navigating the darknet(s) can be frustrating and challenging for any OSINT or darknet investigator. DarkOwl analysts have extensive experience working within the darknet, collecting data and can leverage this to assist with darknet and OSINT investigations across a broad spectrum of areas.

The darknet is a breeding ground for emerging threats, providing insights into evolving techniques, vulnerabilities, and attack vectors. Integrating darknet data into OSINT investigations helps enhance threat intelligence capabilities and enables proactive risk assessment. By monitoring darknet forums and marketplaces, analysts can identify discussions surrounding new hacking tools, zero-day vulnerabilities, exploit kits, and malware. This information is invaluable for cybersecurity professionals who seek to fortify their defenses, mitigate potential risks, and stay one step ahead of cybercriminals, but who don’t always have access to that data themselves. Darknet data empowers organizations to better understand the tactics and strategies employed by threat actors, ultimately strengthening their security posture.

Real-World Examples

Identity theft and fraud have become pervasive in the digital age, causing significant financial and reputational damage to individuals and organizations. Darknet data plays a crucial role in unmasking stolen personal information, fraudulent activities, and the sale of compromised data.

Below we see an example of threat actors on the popular Russian forum XSS discussing the use of TinyNuke malware and ways to solve issues.

Figure 1: Users on XSS forum discuss malware tools; Source: DarkOwl Vision

OSINT investigations involving the darknet allow researchers to monitor underground marketplaces where stolen credentials, credit card information, and personal data are bought and sold. By obtaining and analyzing this data, investigators can identify compromised accounts, detect patterns of fraudulent activity, and alert affected individuals or organizations. This proactive approach assists in mitigating the impact of identity theft and fraud, protecting individuals’ privacy and preserving the integrity of businesses.

Law enforcement agencies and intelligence organizations rely on darknet data to augment their investigative capabilities and dismantle criminal networks. OSINT investigations that encompass the Darknet provide critical leads, actionable intelligence, and evidence.

Below we see threat actors offering “Fullz” for sale on the darknet; this is darknet slang for a complete set of identifying information. It can be used by others to conduct identity theft and fraud.

Figure 2: Identifying information being sold on Darknet which can be used for identity theft; Source: DarkOwl Vision

Darknet data assists in identifying key individuals involved in cybercriminal activities, tracking their digital footprints, and uncovering connections to other criminal acts. This information aids in the apprehension of criminals, the disruption of illicit operations, and the prevention of future crimes. Darknet data is a valuable asset in combating terrorism, organized crime, human trafficking, and other serious offenses.

Below we see an example of real-world information being released on the darknet relating to a threat actor. This individual was the administrator of RaidForums, a popular site selling people’s personal data. His true identity was revealed and he was later arrested by law enforcement.

Figure 3: Identifying information about threat actor on RaidForums; Source: DarkOwl Vision

Final Thoughts

As the digital landscape expands, the inclusion of darknet data in OSINT investigations becomes increasingly important. The darknet acts as a hidden realm where cybercriminals thrive, but it also offers a wealth of information that can be harnessed for the greater good. By venturing into this enigmatic realm, researchers and analysts can uncover hidden activities, enhance threat intelligence, unmask identity theft and fraud, and support law enforcement and intelligence operations.

Integrating darknet data into OSINT investigations strengthens our ability to combat cybercrime, protect individuals and organizations, and maintain a safer digital ecosystem.

However, accessing and navigating the darknet comes with legal and ethical considerations, and it should only be done by trained professionals in compliance with applicable laws and regulations. DarkOwl analysts are able to navigate this area, providing teams with added resources, expert knowledge, and compliance.


Contact us to learn how to put our darknet expertise to your use.

Review of CL0P’s Zero-Day Exploit Against MOVEit

Updated August 02, 2023

Reviewing Victims on DarkOwl’s DarkSonar API

While ransomware attacks have continued to grow in 2023, the recent attacks carried out by CL0P against the MOVEit file transfer software have garnered much publicity. The zero-day exploit against MOVEit has led to large-scale data theft and extortion.

On June 7th, CL0P began posting the names of the victims they had successfully targeted. By July 11th, they had listed 140 companies which had been compromised. These companies came from a variety of industries, as illustrated in Figure 1. The attacks highlight the risk posed to organizations through third parties that hold sensitive information relating to their clients.

Figure 1: Breakdown of industries targeted by CL0P

DarkOwl’s DarkSonar risk signal can be used to forecast cyber threats to an organization by measuring the relative risk rating for an individual domain. Organizations can also use it to measure the risk of third parties who have access to their sensitive data. An elevated signal is a cause for concern, as it shows a dramatic increase in relative risk and provides a warning of potential threats. We tracked DarkSonar in the weeks and months leading up to the attack for all 140 company domains to see whether there was an elevated signal. The results are shown in Table 1. Of the companies attacked, 10% had no email exposure (no exposed email addresses for the domain, so there was no data from which to derive a signal). Of the remaining companies, we found an elevated signal (1) within the 4 months leading up to the attack for 67% of the organizations, and 94% had a signal that was trending upwards.

Table 1: DarkSonar signal in the 4 months before the attack, across the 140 listed CL0P victims

                                             Elevated Signal (1)   Signal Trending Upwards
All Attacks                                  60%                   84%
All Attacks for Domains w/ Email Exposure    67%                   94%

A prior independent third-party analysis of DarkSonar showed that an upward-trending signal is also a significant indicator of risk, so we looked for an upward-trending signal as well as an elevated one. We fitted a trend line to each domain's signal over the 4 months leading up to the attacks and counted the domains whose trend line sloped upward. For the companies with an elevated signal or an upward-trending signal, we saw true positive rates between 84% and 94%. Note that these are true positive rates only: they state what fraction of the listed victims showed the signal beforehand, and the figures above do not report how often non-victim domains show the same signal, so they measure sensitivity rather than overall predictive accuracy.
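The two checks described in this analysis (an elevated signal somewhere in the 4-month window, and an upward-sloping trend line fitted over the same window) can be illustrated with a short script. The following is an added example written for this page, not DarkOwl's code: DarkSonar's scoring algorithm is proprietary and not described here, so the monthly credential-exposure series, the "2x the prior baseline" definition of elevated, the domain names and the event date handling are all assumptions, and the rate function simply reproduces the "all attacks" versus "domains with email exposure" split used in Table 1.

```python
"""Hypothetical reconstruction of the two DarkSonar-style checks discussed above.

Added example, not DarkOwl's code. The scoring algorithm is proprietary and not
shown on this page; the window, thresholds and sample data below are assumptions.
"""
from datetime import date
from statistics import mean

LOOKBACK_MONTHS = 4     # window used in the post: 4 months before the attack
ELEVATED_FACTOR = 2.0   # assumption: "elevated" = a month >= 2x the mean of earlier months


def months_before(event, n):
    """Return n 'YYYY-MM' keys, chronological, ending with the month before `event`."""
    y, m = event.year, event.month
    keys = []
    for _ in range(n):
        m -= 1
        if m == 0:
            y, m = y - 1, 12
        keys.append(f"{y:04d}-{m:02d}")
    return keys[::-1]


def slope(values):
    """Least-squares slope of the series over index 0..n-1 (the 'trend line')."""
    xs = range(len(values))
    x_bar, y_bar = mean(xs), mean(values)
    num = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, values))
    den = sum((x - x_bar) ** 2 for x in xs)
    return num / den if den else 0.0


def is_elevated(values):
    """True if any month is >= ELEVATED_FACTOR x the mean of the months before it."""
    for i in range(1, len(values)):
        baseline = mean(values[:i])
        if baseline > 0 and values[i] >= ELEVATED_FACTOR * baseline:
            return True
    return False


def evaluate(domain_series, event):
    """Both signals for one domain over the lookback window ending before `event`."""
    keys = months_before(event, LOOKBACK_MONTHS)
    values = [domain_series.get(k, 0) for k in keys]
    exposure = sum(values) > 0  # a domain with no exposed emails yields no signal
    return {
        "email_exposure": exposure,
        "elevated": exposure and is_elevated(values),
        "trending_up": exposure and slope(values) > 0,
    }


def true_positive_rates(results, require_exposure=False):
    """Fraction of victim domains showing each signal, optionally only those with exposure."""
    rows = [r for r in results.values() if r["email_exposure"] or not require_exposure]
    n = len(rows)
    return {
        "elevated": sum(r["elevated"] for r in rows) / n,
        "trending_up": sum(r["trending_up"] for r in rows) / n,
    }


# Constructed sample: monthly count of exposed email+password pairs per victim domain.
SAMPLE = {
    "alpha.example": {"2023-02": 3, "2023-03": 4, "2023-04": 12, "2023-05": 15},  # elevated and up
    "bravo.example": {"2023-02": 5, "2023-03": 6, "2023-04": 7, "2023-05": 8},    # up only
    "charlie.example": {},                                                         # no exposure
    "delta.example": {"2023-02": 9, "2023-03": 8, "2023-04": 7, "2023-05": 6},    # neither
}
EVENT = date(2023, 6, 7)  # the day CL0P began listing MOVEit victims

RESULTS = {d: evaluate(s, EVENT) for d, s in SAMPLE.items()}

if __name__ == "__main__":
    for d, r in RESULTS.items():
        print(d, r)
    print("all attacks:", true_positive_rates(RESULTS))
    print("domains with email exposure:", true_positive_rates(RESULTS, require_exposure=True))
```

The date input mirrors the "known event" workflow: the window always ends the month before the breach date, so a historical incident can be scored the same way as a live one.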

Breaking down the results across the industries with the most attacks gives the positive accuracies shown in Figure 2. While this requires further analysis, it points to some industries where DarkSonar may be a stronger indicator of risk.

Figure 2: Positive accuracy across the main industries

To learn more about how DarkSonar may predict future attacks on your organization, contact us.

Review of CL0P’s Zero-Day Exploit Against MOVEit

Original Post: July 25, 2023

Ransomware attacks continue to grow in 2023, with the number of attacks so far this year surpassing the number at the same stage last year. One of the most successful groups this year has been CL0P, which leveraged a zero-day exploit against MOVEit Transfer, a managed file transfer product, leading to large-scale data theft and extortion.

Figure 1: Initial vendor alert on the newly discovered MOVEit vulnerability; Source: Community Progress

CL0P have been active since early 2019, conducting both ransomware and extortion attacks, which underlines that the group is financially motivated. They have been known to make large demands in exchange for not releasing data; in 2020 they became one of the first ransomware groups to demand over $20 million. While law enforcement activity has identified some members of the group, it continues to be active.

DarkOwl analysts have been actively monitoring CL0P and the leak site to which they post victim data. On June 6th, 2023, the group claimed responsibility for exploiting the zero-day in MOVEit Transfer (CVE-2023-34362, a SQL injection flaw in the web application that the vendor's advisory described as leading to escalated privileges and unauthorized access). In their post they threatened to publish the stolen data if victims did not pay an extortion fee, and provided instructions on how to make payments. Security researchers have indicated that CL0P are likely to raise around $75 million from these extortion attacks.

Figure 2: Instructions on making payment; Source: CL0P blog

On June 7th, they began posting the names of the victims they had successfully targeted. As of July 24th, they had added 187 victims’ names; however, a number of other organizations have indicated that they are also victims of the attack. The group appears to be releasing names slowly, holding back those that could be considered more high profile. It is not currently clear how many organizations they successfully compromised. The group has been teasing new victims and the data that will be included in the document leaks.

Figure 3: Teasing data threatened to be released; Source: CL0P blog

As of July 24th, only 11 victims had been removed from the leak site, which suggests that they paid the extortion fee or are in negotiations with the threat actor. Full data has been published for 21 victims and partial data for a further 65. DarkOwl’s assessment of the victims indicates that the industry most impacted by this attack is finance.

Although some government and law enforcement agencies have self-reported as victims of the MOVEit campaign, no victim data has been published for them. CL0P issued a notice on their website stating that, although they successfully targeted government and law enforcement sites, they will not release this information because their intentions are purely financial.

Figure 4: CL0P’s notice that they are not interested in government data; Source: CL0P blog

However, CL0P may have become a victim of their own success. Their leak site appears to have been overwhelmed by the attention it has received: the site regularly goes down, there is often a queue to enter it, and data downloads are very slow. This works in the victims' favor, as it is not easy for anyone to retrieve the stolen information. It could be argued that it is not worth paying the extortion fee if no one can access the data, which could be why so few victims have been removed from the site.

Figure 5: Waiting page; Source: CL0P blog

Perhaps as a result of these problems on their darknet site, coupled with the known slowness of Tor, the group has started releasing some of the data on clearnet websites. It is not yet clear whether that will make the victim data more readily available.

The MOVEit attack has also highlighted the risk posed to organizations through third parties: high-profile consultancy companies have been included in the CL0P leaks, and their data is likely to contain information relating to their clients. Some of the reported victims that have not yet appeared on the list use vendors that are known or reported to have been breached.

Below is an example of a media item discussing a vendor breach that affected other organizations:

Figure 6: Source: TechMonitor

DarkOwl collects the data released by ransomware groups in order to identify what information has been released, what victim data is present, and what risk it may pose to the organization. As well as data on the named victims, these leaks can include large amounts of third-party data, so it is important to search them for mentions of all organizations, not just the named victim. DarkOwl can alert your organization if its information appears in any of the data we collect, and help turn that data into actionable threat intelligence.


Schedule a time to chat with us to learn more.

Around the World with DarkOwl

July 21, 2023

The DarkOwl team had a busy week all over the world last week, from the Washington, DC area to India. Alison Halland, Chief Business Officer of DarkOwl, kicked off the week with our first ever hands-on training on DarkOwl Vision and ended the week by attending the AFCEA/INSA Intelligence and National Security Summit in National Harbor, MD. Meanwhile, Mark Turnage, CEO of DarkOwl, attended the G20 Conference on “Crime and Security in the Age of NFTs, AI, and Metaverse” in Gurugram, Haryana, India. This blog highlights those events and summarises the key takeaways from each.

On Wednesday, Alison hosted “Explore the Darknet with DarkOwl” at the Carahsoft headquarters in Reston, VA. Attendees were given access to DarkOwl Vision and conducted hands-on searches during a scavenger hunt. DarkOwl’s industry-leading Vision UI provides access to the largest commercially available database of darknet content in the world without having to access the darknet directly, so you can take action to prevent potentially devastating cybersecurity incidents. After an afternoon of learning about the darknet and diving into it, attendees enjoyed networking during happy hour. The team is excited to do more of these intimate in-person trainings; make sure you don’t miss the invite to our next one!

The Intelligence and National Security Summit

Alison and Steph Shample represented the DarkOwl team at the Intelligence and National Security Summit on Thursday and Friday. The event describes itself as “the nation’s premiere conference for unclassified dialogue between U.S. Government intelligence agencies and their industry and academic partners,” and was celebrating its 10-year anniversary this year. In addition to the exhibit hall, attendees could participate in a number of speaking sessions and breakout sessions. During the plenary sessions, top agency and military intelligence leaders discussed strategic intelligence challenges, military intelligence priorities, and the state of the community, and during the breakout sessions, senior executives, technology experts, and thought leaders explored some of the most pressing issues facing the community. Speakers included leaders from the Federal Bureau of Investigation, the Defense Intelligence Agency, the Defense Innovation Unit, the US Navy, the U.S. Space Force and many more.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming online and going offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness in support of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to dive into.

The DarkOwl team was able to meet with several clients at the event, including Siren and OSINT Combine. You can read about our partnerships here. Being able to connect with current clients is always a huge plus when attending events; hearing feedback, brainstorming new ideas, and meeting new people in person is invaluable.

G-20 Summit: Crime and Security in the Age of NFTs, AI, and Metaverse

The group of 20 (G-20) is comprised of 19 countries (Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Republic of Korea, Mexico, Russia, Saudi Arabia, South Africa, Turkey, United Kingdom, and the United States) and the European Union. Together these countries represent 85% of the global GDP and about 66% of the global population.

On Friday, Mark Turnage, CEO and Co-Founder of DarkOwl, presented “Connecting the Dots on the Darknet: Darknet and Cryptocurrency.” The presentation covers the use of cryptocurrency (crypto) on the deep and dark web (DDW), as well as nascent efforts to regulate cryptocurrency markets and transactions. On dark web marketplaces and forums, which sell everything from drugs and weapons to the latest malware and data leaks, the currency of choice for transactions, due to the anonymity cyber actors claim it provides, is crypto. Bitcoin is the most common, but DDW markets are accepting more currencies such as Ethereum, Monero, Litecoin, and Zcash, among others. Cyber actors generally feel that Bitcoin has become less anonymous as global entities move to regulate it and trace transactions on its public ledger, and give this as the reason for using other cryptocurrencies. Regulatory efforts vary greatly by nation, but standard Know Your Customer (KYC) and Anti-Money Laundering (AML) policies are common regardless of a country’s wider approach to regulating crypto transactions. Efforts to convert crypto into traditional currency, known as “fiat”, are also examined from a regulatory standpoint.

Other speakers covered topics such as internet governance, securing digital public infrastructure, the Metaverse and digital ownership, the challenges of AI, and information and communication technologies. An official overview of the conference can be found in the Chair’s Summary.


Interested in meeting with the DarkOwl team? See where we are around the world the rest of the year here.

Q2 2023: Product Updates and Highlights

July 19, 2023

Read on for highlights from DarkOwl’s Product Team for Q2, including new product features and collection stat updates!

Data and Product Updates

DarkSonar Launch and Updated Features

In April, DarkOwl announced the release of a new product, DarkSonar API, to help organizations better assess and track their potential cyber risk based on the nature of their exposure on the darknet. 

Built on DarkOwl’s proprietary Entity dataset, DarkSonar generates a risk rating that is unique to each company. The algorithm used to generate these signals takes into account key quantitative and qualitative factors of an organization’s exposure of email addresses with associated passwords over time, and weights each signal accordingly. The result is a quantifiable risk indicator that can help companies and organizations monitor and potentially predict cyberattacks. 

In testing internally and with beta partners in the insurtech and third-party risk industries, DarkOwl found an elevated DarkSonar score in the months before a cyberattack in nearly 75% of the cases where a company publicly acknowledged a breach. 

Date Input Option

This recently added feature allows users to input the date of a known event or breach and get the DarkSonar signals and trend for the months leading up to that date. This update is particularly useful for customers with known historical incidents (reminder: DarkOwl never captures API queries in the system!).

Resources

In case you missed it and want to learn more about DarkSonar and the importance of forecasting cyber threats, there are several resources available to check out: 

  • Report: Forecasting Cyber Threats: This report outlines DarkOwl’s new metric based on email and credential volume to measure an organization’s exposure. We tested our metric against 237 public cyberattacks occurring in 2021 and 2022 and found our signal was elevated within the last four months prior to an attack for 74% of the organizations.  
  • Blog: Cyber Risk Modeling: Introducing DarkSonar: With cyberattacks on the rise, organizations need better intelligence to enable them to model cyber risk to prevent and predict cyberattacks. 
  • Webinar: Tracking Your Relative Risk on the Darknet: DarkOwl’s CTO explains how to potentially predict cyberattacks and why modeling risk is essential for all organizations of any size. 
  • DarkSonar API Document: Signals to inform threat modeling, third party risk management, and cyber insurance, that potentially predict the likelihood of attacks. 

Search Tabs

The product team has added Search Tabs into the Research section of the UI, thanks to customer feedback! With Search Tabs, a user can have up to four search inquiries open at the same time. This will help users pivot while still retaining results from another search. To start a new search, simply click on the “+” icon next to the current result tab. With this new feature, the quick filter menu has also been adjusted to be more streamlined.

Enhanced Forum Presentation

The product team is most excited about improvements to forum presentation in our UI and Search API. Users can now easily distinguish thread titles, the number of posts at the time of collection, users, post dates, and post bodies. The number of forums available in the new format is growing every day; as of early July, there are 60 available. The screenshot below demonstrates the new formatting.

Decode/Encode Buttons

The Decode URL feature lets users see the original (non-encoded) form of a URL. Users need the encoded version to search by URL in our system, so if a URL has been encoded, a new Decode URL button appears below the URL in the search result.

Example of improved forum presentation and Decode URL

User-Selected Default Search Settings

The team has also added more personalization to the UI so that users can select their own Default search options for sorting, seeing duplicates, or seeing empty bodies. Ease of use for customers is always top of mind when implementing new changes and features.

Alternate Telegram Usernames

Telegram channels have become increasingly popular with threat actors as a means of advertising illicit goods and communicating with each other. Although Telegram users can change their display name as often as they want, each account is assigned a numeric user ID at registration which cannot be changed.

This quarter the team added a feature that lets the user search on the user ID with the click of a button and see all the posts made by that account regardless of the name it was using, saving the analyst time and making it easy to focus on one actor's posts. The screenshot below from Vision UI shows exactly when someone changed their name in a channel, what their old name was and what they changed it to. As noted above, the user ID does not change.
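As an added illustration (not DarkOwl's code; the message records and their layout are constructed for this example, since the Vision schema is not shown here), the following script performs the same pivot on a handful of sample channel posts: collecting every post by one numeric user ID regardless of the display name in use, reconstructing that ID's name history, and flagging the reverse case, where a different ID reuses an established seller's display name. That last case goes beyond the feature described above and is why the immutable ID, not the name, is the safer key for attribution.

```python
"""Pivot Telegram channel posts on the immutable numeric user ID, not the display name.

Added example for this page, not DarkOwl's code. The posts below are constructed
sample data and the (timestamp, user_id, display_name, text) layout is an assumption.
"""
from collections import defaultdict

# Constructed sample: posts from one channel with ISO-8601 timestamps.
POSTS = [
    ("2023-05-01T10:02", 1001, "dumpking", "selling fullz, DM"),
    ("2023-05-01T10:05", 2002, "buyer77", "price?"),
    ("2023-05-03T18:40", 1001, "dumpking", "fresh batch, USA/UK"),
    ("2023-05-09T09:15", 1001, "kingofdumps", "new name, same seller"),
    ("2023-05-12T22:01", 2002, "buyer77", "still waiting"),
    ("2023-05-15T11:00", 3003, "dumpking", "I am the real dumpking"),  # other ID reusing the name
    ("2023-05-20T07:30", 1001, "dk_official", "escrow only now"),
]


def posts_by_user_id(posts, user_id):
    """Every post by one account, whatever display name it used at the time."""
    return [p for p in sorted(posts) if p[1] == user_id]


def name_history(posts):
    """Map user_id -> display names in the order the account first used them."""
    history = defaultdict(list)
    for _, uid, name, _ in sorted(posts):
        if name not in history[uid]:
            history[uid].append(name)
    return dict(history)


def name_changes(posts):
    """(timestamp, user_id, old_name, new_name) for each rename observed in the channel."""
    changes, last_seen = [], {}
    for ts, uid, name, _ in sorted(posts):
        if uid in last_seen and last_seen[uid] != name:
            changes.append((ts, uid, last_seen[uid], name))
        last_seen[uid] = name
    return changes


def ids_using_name(posts, display_name):
    """All user IDs that have posted under a display name (names are not unique)."""
    return {uid for _, uid, name, _ in posts if name == display_name}


if __name__ == "__main__":
    for change in name_changes(POSTS):
        print("rename:", change)
    print("posts by 1001:", len(posts_by_user_id(POSTS, 1001)))
    print("IDs that used 'dumpking':", sorted(ids_using_name(POSTS, "dumpking")))
```

Searching by the name "dumpking" alone would merge two accounts (1001 and the later 3003) into one actor; searching by ID 1001 keeps all four of the seller's posts together across three names.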

Lexicon Updates

DarkOwl Vision’s DARKINT Search Lexicon is an easy-to-use tool intended to help users find interesting content within our database. This quarter a huge audit took place updating and adding hundreds of Lexicon entries for Forums, Markets, and Ransomware Sites. Clients can always submit content for us to add. Curious what DarkOwl means by “DarkInt?” Check out our full write up.

Collection Stats and Initiatives 

The collection efforts and team continue to grow as advances are made in crawling technology and the focus on emerging areas of activity continues. The stats below show tremendous growth over Q1 2023.

Highlights

This quarter 386 new chat channels and groups and 56 unique data leaks, totaling 900,000 new documents, were added. The team was able to obtain and index most channels and data leaks requested by customers within 24 hours of the incoming request. Some of the most notable include Shell.com, Viva Air, and Eye4Fraud.

Entity Numbers

As of the beginning of Q3 this year, DarkOwl Vision has captured the below number of critical entities and the database is growing every day.

Notable Leaks added this quarter:

Shell.com

The Russian ransomware gang Cl0p, mainly oriented around double-extortion ransomware, successfully exploited a zero-day vulnerability in the MOVEit file transfer tool in June 2023, which has led to the exposure of over 150 victims. The group listed Shell.com as one of its victims and released files including names, email addresses, phone numbers, social security numbers, physical addresses and more belonging to customers and employees, as well as internal documents. DarkOwl analysts are seeing the activity continue into July, with more victims being added and more files released. Learn more about the Shell Data Breach. 

File structure in  DarkOwl Vision from Shell breach indicating what victim information is available.

Throughout June, the actors were highly active in using the newly disclosed MOVEit zero-day vulnerability. They have shared details of their victims on their leak site, which now lists over 150 organizations with information relating to 15 million individuals. Stay tuned as we release more in-depth analysis of MOVEit and the group's recent activities.

Viva Air

Viva Air, a budget airline based in Colombia, was allegedly hacked in March 2023 by the Ransomexx ransomware group. According to the original posting on BreachForums, shown in the DarkOwl Vision screenshot below, 26.5 million records containing clients’ names, dates of birth, passport numbers, phone numbers, and email addresses were leaked, with a total size of 18.25GB. The posting also provided a sample of the data showing the personally identifiable information leaked. Processing this leak alone added nearly 450,000 documents to the DarkOwl darknet database. DarkOwl analysts also found listings and conversations about the leaked data re-posted for sale on several other forums and marketplaces as well as on Telegram.  

Eye4Fraud

In March 2023, Eye4Fraud, a global fraud detection firm, publicly announced that it had fallen victim to a data breach that resulted in the compromise of over 16 million unique email addresses, as well as full names, phone numbers, and physical addresses from businesses that use its services. The company provides services to help protect eCommerce companies against fraudulent orders and received criticism for its slow response in notifying customers about the breach. 

On the Horizon

Be the first to hear an exciting announcement from the DarkOwl team – we are about to launch something you will not want to miss! To get a preview of this new release, schedule a time to speak to one of our team members.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.