Author: DarkOwl Content Team

DarkOwl Announces Release of Ransomware API

The new endpoint is designed to offer customers on-demand insight into current and historical content from ransomware websites hosted on the darknet.

DENVER, June 1, 2022 /PRNewswire/ — DarkOwl today announced the release of Ransomware API, the latest in their suite of darknet products. By enabling users to monitor darknet ransomware sites for their strategic assets – including first and third party vendors – organizations have the most accurate information available as to whether an entity has been extorted or compromised in a ransomware attack.

Ransomware API accesses the same database of darknet content as DarkOwl’s other data products, but targets results to content that was posted on ransomware group websites. These sites include those where actors post about their victims, and frequently leak compromised data that resulted from their attacks. Using this data, a company could expose potential risk for their own organization, assess supply chain vendor risk, or calculate risk to support cybersecurity insurance underwriting processes.

“As ransomware actors become ever more prevalent and advanced in the darknet, companies need tools that allow them to monitor and stay ahead of any cyberattacks. We hope that our deep coverage of this space can help illuminate a criminal economy that is constantly shifting and evolving,” said Mark Turnage, President and CEO of DarkOwl.

DarkOwl’s newest product was developed as a direct result of market demand, and is the first in the industry to offer streamlined, targeted insight into ransomware-hosted content on the darknet. As stated by DarkOwl’s Director of Product Technology, Sarah Prime, “We’re excited to release this new endpoint as a response to what we were hearing from our customers. Our insight into this area of darknet is unique, particularly our historical archive. Through this API product, organization mentions on these sites can now serve as a critical risk indicator.”

For more information, please visit www.darkowl.com/products/ransomware-api

Interview with DarkOwl’s Director of Product on Ransomware API

June 01, 2022

Sarah Prime, Director of Product Technology, continues to innovate new products that illuminate critical areas of the darknet. We spoke with Sarah to get the latest on DarkOwl’s new product, Ransomware API.

So Sarah, tell us about this product 

Our new product is called Ransomware API, which is an endpoint designed to allow organizations to monitor and have insight into ransomware sites on the darknet.  

What made you want to develop this endpoint? 

We developed it as a direct response to what we were hearing from our customers. We know that our insight and historical perspective into the darknet is unique, and we wanted to make it easy for people to find this critical information about their vendors or clients.  

With this API product, content on these sites – including organization mentions – can now serve as an important risk indicator for a variety of use cases.  

Tell me more about these ransomware group sites 

The sites available via our new Ransomware API are darknet sites where these groups will publish public announcements, as well as links to downloadable content – often in the form of stolen data. We retain all of the ransomware site content in our archive, as part of our darknet data collection, even after it’s taken down. 

As we all know, ransomware as a criminal activity has really skyrocketed in the past few years. Ransomware groups have become significantly more sophisticated and organized from a business perspective, and have created their own underground economy. They commonly use advanced economic strategies such as affiliate networks, third party mediation consultants, and referral programs. 

Part of the way groups bolster their clout and status as a reliable enterprise is by establishing a brand, which means they will launch a website just like a corporation might on the regular internet. They even gain income via ad revenue like any other website. Except, this is taking place in a criminal setting. 

What would a company being mentioned on one of these sites mean? 

It depends, but the vast majority of the time it would mean that the company has been successfully compromised as the result of a ransomware attack. There are certain exceptions, such as when a company has been targeted and the ransomware group posted a description of that company and it included a partner organization, for example. However, in that scenario, it would be important for that company to know that its partner had suffered a ransomware attack so that it could deploy appropriate cautionary and defensive measures within its own network. 

After it has been targeted and compromised as the result of a ransomware attack, the context in which a company is mentioned can vary from case to case. In some circumstances, a RaaS group may publish a post stating that they have compromised company X, and if that company doesn’t pay up, they will publish all of their data on their website for free to whomever wants to download it. In other cases, they will sell off portions of a company’s data for profit, regardless of whether they had paid their ransom or not.

Image A: Screen capture of a ransomware group posting on the darknet that describes the data obtained from one of their victims
Image B: Screen capture of the same ransomware posting as Image A, as indexed within DarkOwl’s database and seen in Vision UI

If the attack has already happened, why does it matter? 

It’s critical to know whether your customers or companies in your supply chain have been subjected to a ransomware attack. If one of your third-party vendors is compromised by a ransomware attack, you don’t want to wait until they’re able to officially inform you to find out – especially considering that their networks may still be inaccessible to them. They may not even be able to effectively inform their partners/clients right away. Similarly, a services provider can monitor their customer base for these attacks, both to assist in their reaction and also to be aware of the risk associated with the attack. Insurance underwriters and reinsurance companies have a need to monitor on an ongoing basis.      

In cases where a company has not backed up their data, the records publicized by the criminals can be a means of understanding exactly what data was lost, what is being sold, and what missing records the group may be holding on to. 

Who are the most prolific ransomware actors? 

The LockBit 2.0 (LB2) ransomware group has the highest number of victims since the start of 2022. In our analysis of ransomware activity since the invasion of Ukraine in early May, we determined LB2 had successfully encrypted over 280 victims, averaging 4.5 victims per day. 

CL0P and CONTI were the two next groups with the highest number of victims, but according to open source reporting, CONTI may be in the process of shutting down their operations due to the impact of Russian sanctions, or simply rebranding to lessen public pressure on the group. We’ve also witnessed AlphaV and HiveLeak demonstrate exponential growth in victim announcements in recent weeks. 

How does DarkOwl track these groups?  

What’s interesting is that ransomware is a uniquely darknet-based phenomenon. By that I mean, its origins are on the darknet, its perpetrators primarily reside on the darknet, and its economy is hosted on the darknet. We are also increasingly seeing RaaS groups opening splinter or parallel operations on darknet-adjacent networks, such as on chat platforms like Telegram. 

We’ve been in the darknet space for a long enough time that our analysts have naturally been keeping tabs and in some cases gotten quite close to these networks, so that we’ve been able to maintain access. We’re also deeply familiar with the way in which these groups operate and are able to predict when new groups are gaining prominence, when popular groups are rebranding, when they might be launching new sites, and so forth.  

Is there a particular use case that you think Ransomware API is a good fit for? 

Any company that has a substantial vendor portfolio and is concerned about supply chain risk. It could also provide an important datapoint for cyber insurance underwriters who need to assess a company’s historical risk. In fact, because ransomware groups will often remove or delete their posts after a certain amount of time, this tool is one of the few – if not the only – that can provide an accurate picture of whether or not a company has been subject of a ransomware attack. 

How is this different from our other API products? 

This product provides information regarding a very specific use case that customers can use to build whatever they want, including monitoring functionality, auditing services, underwriting assessments, compliance tools, etc. While this is also possible with our other APIs, the targeted scope of this data makes it one of our more streamlined and scalable products. 

What else makes this product special? 

This product is built on dynamic data sources; as ransomware groups evolve, so does our data coverage. We can also track specialty groups upon request, so it will be interesting to see what kind of growth there is in coming months as we continually add new ransomware sites to our collection.

Anything to look forward to from DarkOwl team? What is the product team excited about? 

Yes! We always have a lot going on, but the biggest thing on the horizon from the product team is the development of a new DARKINT scoring model. It’s showing a lot of early promise in identifying heightened risk, making it an even more comprehensive measure of an organization’s darknet exposure. This is critical for risk assessment, risk monitoring and rating efforts. 

Where can people learn more?

To stay aware of ransomware group activity, I recommend keeping up with the research that our analysts publish regularly. Their latest piece, which is fascinating coverage of RaaS group activity since the invasion of Ukraine, can be found here.

To learn more about Ransomware API, please reach out to schedule a demo with our sales and product teams.

View Ransomware API Product Page and Ransomware API Datasheet.
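The interview describes the check a vendor-risk team would run against ransomware leak-site posts: is a supplier the named victim, or only mentioned in another victim's post (the partner case), and is the finding retained after the group deletes the post. The following is an added illustration of that logic, not DarkOwl's code and not the Ransomware API itself; the posts, group labels and vendor names are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed records modelled on leak-site posts: a named victim, free-text
# body, the date the post was first seen and, if the group later deleted the
# post, the date of removal. Removed posts stay in the archive on purpose.
@dataclass
class LeakSitePost:
    group: str
    victim: str
    body: str
    first_seen: date
    removed_at: Optional[date] = None


# Constructed sample data (hypothetical groups and companies).
POSTS = [
    LeakSitePost("group-a", "Acme Logistics",
                 "Full dump of Acme Logistics. Contracts with Northwind Freight "
                 "and Contoso included.", date(2022, 3, 2)),
    LeakSitePost("group-b", "Contoso",
                 "Contoso refused to pay. 40 GB published.",
                 date(2022, 4, 9), removed_at=date(2022, 5, 1)),
    LeakSitePost("group-c", "Fabrikam", "Fabrikam data for sale.",
                 date(2022, 5, 20)),
]

# Constructed vendor portfolio to monitor.
VENDORS = ["Contoso", "Northwind Freight", "Tailspin Toys"]


def exposure_report(posts, vendors, include_removed=True):
    """Map each vendor to its findings on leak sites.

    kind == "victim": the vendor is the post's named victim.
    kind == "mentioned": the vendor only appears in another victim's post,
    which is the partner/third-party case and still a risk signal.
    With include_removed=True, posts the group has since deleted are kept,
    because that history is what a point-in-time scrape would miss.
    """
    report = {v: [] for v in vendors}
    for post in posts:
        if post.removed_at is not None and not include_removed:
            continue
        body = post.body.lower()
        for vendor in vendors:
            name = vendor.lower()
            if name == post.victim.lower():
                kind = "victim"
            elif name in body:  # substring match; short names need review
                kind = "mentioned"
            else:
                continue
            report[vendor].append({
                "group": post.group,
                "kind": kind,
                "first_seen": post.first_seen.isoformat(),
                "still_live": post.removed_at is None,
            })
    return report


if __name__ == "__main__":
    for vendor, findings in exposure_report(POSTS, VENDORS).items():
        print(vendor, findings)
```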

Understanding Darknet Intelligence (DARKINT)

April 28, 2022


The darknet (or “dark web”) is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into their security posture, even though it is becoming an increasingly vital component. Part of the difficulty is that turning raw data into actionable security intelligence requires DARKINT: data points sourced from the darknet and other OSINT sources that together form a risk and/or investigative portfolio.

Darknet 101

The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web and is accessible only via special tools and software, specifically browsers and other protocols. You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, and some high-risk surface websites.

Quick Definitions:

darknet: Also referred to as the “dark web.” A layer of the internet that cannot be accessed by traditional browsers, but requires anonymous proxy networks or infrastructure for access. Tor is the most common. 

deep web: Online content that is not indexed by search engines, such as authentication-protected sites and paste sites; it can be best described as any content on a surface web site that requires authentication.

high-risk surface web: consists of areas of the surface web (or “regular” internet) that have a high degree of overlap with the darknet community. This includes some chan-type imageboards, paste sites, and other select forums.

For a full list of darknet terms, check out our Glossary.

What is Darknet Intelligence (DARKINT)?

DARKINT is a term, trademarked by DarkOwl, that combines two concepts: darknet and intelligence.

The darknet, also referred to as the dark web, is a segment of the Internet, hidden from the novice user, that is only accessible by using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and illicit goods and services trade.

Data scientists define intelligence as a continuum of increasing data complexity. At the foundation of the pyramid is “raw data.” In statistics, raw data refers to data that has been collected directly from a primary source and has not been processed in any way. (Source)  

Assembled collections of raw, unverified data across multiple sources, placed in context, form the basis of “information.”

Intelligence is the consequence of combining analyzed, interpreted, and validated information with informed perceptions and personal experience to drive decisions.

Some key features of intelligence:

  • Intelligence is created and shaped by humans. Machines can compile information but cannot produce intelligence.
  • Intelligence is based on multiple, trusted and verified sources.
  • Data intelligence is also sometimes referred to as ‘insights.’
  • Intelligence utilized by national security or geopolitical decision makers is often accompanied by a numerical confidence value, calculated using the history, veracity, and perceptions of the information available.

DARKINT™ is intelligence derived from pure darknet, deep web, and associated adjacent underground cyber information sources.

Darknet Intelligence and DARKINT™

DarkOwl’s product suite facilitates the formation of actionable DARKINT because its Vision platform collates darknet data from multiple sources, including the deep web, high-risk surface web, and darknet-adjacent networks such as instant messaging platforms like Telegram and IRC.

In the framework of underground criminal activity and darknet(s), the continuum of data, information, and intelligence can be illustrated as follows:

  • a sample of raw data could be a leaked credential for ABC software company; 
  • information consists of a document in DarkOwl Vision collected from a darknet forum where a threat actor shares a database containing the leaked credentials from ABC software company in conjunction with a known vulnerability against Microsoft Exchange server; 
  • a security analyst receives an alert of this document and analyzes this information to find the threat actor’s social media account touting they will carry out a ‘special’ cyber-attack next weekend, coupled with a scan of the software company’s network indicating they haven’t installed multi-factor authentication on their employee accounts. Using this analysis and their intuition, the analyst produces a security risk intelligence assessment stating they believe with high confidence the threat actor is very likely to attack ABC software company as early as next weekend and alerts ABC’s IT department to deploy multi-factor authentication and immediately patch all potential points of network entry. 

The information in DarkOwl Vision, combined with open-source intelligence (OSINT) resources such as social media, port scanning, and network data, facilitates comprehensive business decisions across a diverse set of use cases: threat intelligence, fraud detection and mitigation, cyber insurance, supply chain and vendor risk, digital identity protection, national security, critical infrastructure protection, and law enforcement investigations.

Common Types of Raw Data & Information Circulated on the Darknet

Personally Identifiable Information (PII)

Personally Identifiable Information, or PII, is any information used to identify an individual. This type of data is incredibly valuable on the darknet, especially when combined with credential information. Examples include full name, billing address with the zip code, date of birth, email address, passport numbers, national identification numbers, and phone numbers. It also includes anything associated with one’s online presence such as a social media profile. Even information like a leaked mobile phone number can be leveraged by threat actors for social engineering activities like SIM swapping, which is used by criminals to bypass multi-factor authentication and gain unauthorized access to online accounts. 

Banking and Transaction Data 

Debit and credit card numbers are a common type of raw data available on the darknet. Some criminals specialize in trading the cardholder’s sensitive PII together with the details associated with debit and credit card numbers, e.g. CVV, expiration date, and personal PIN code. Criminals use card numbers to make fraudulent purchases online and have them delivered to a different address, make a series of low-cost purchases the victim won’t notice, or buy expensive goods in person.

There are numerous forums and marketplaces specializing in banking, carding, and financial fraud on the darknet and in DarkOwl Vision. 

Critical Corporate Data

Critical corporate data consists of mentions of company names, domain names, IP addresses and other corporate identifying markers on the darknet. Sometimes raw corporate data like the domain name, subdomains, or IP addresses for a company are shared in the darknet or deep web temporary paste sites for threat actors to collaborate ahead of a concerted cyberattack against the company. 

A darknet database brokerage service advertising a company’s stolen competitive intellectual property, product design schematics, and sensitive financial or contracts packages for sale is information, not intelligence.  

Credentials and Compromised Accounts 

Credentials are the secure information required to safely log in to network accounts. They are user-specific information that verifies the identity of the user attempting to access the website or service. Some credentials are also considered PII, in particular those that include personal names, such as usernames. Email addresses and passwords are the most common type of credentials. More sophisticated credentials include PGP keys, AWS/Azure developer secret keys, and security tokens. Credentials can also include user-verification and digital identity authentication tools.

Malware, Exploit Toolkits, and Ransomware

Malware is malicious software with harmful code designed to break into, infect, steal, surveil, compromise, or crash networked devices. It is used to get what a criminal wants from a target without their consent. There are many categories of malware like viruses, spyware, keyloggers, and ransomware. 

Several types of malware, exploit toolkits, and ransomware are available for purchase on the darknet. High-quality malware has detection-evasion capabilities to bypass network security systems and will establish persistence, meaning it will stay undetected and continue giving the cybercriminal access to the information on the compromised device for months or years.

Information consists of feeds and documents in DarkOwl Vision detailing the advertisements for such malware on offer or a ransomware Tor service publishing the identities of their victims along with the extorted sensitive corporate data and PII stolen from the victim.  

Malware development and exploitation attack techniques are also openly discussed in darknet forums collected by DarkOwl Vision. 

Example Darknet Sources Containing High-Consequence Information 

Threat Actor Chatter from Instant Messaging Platforms 

Conversations (also known as “chatter”) directly from and associated with threat actors and their associated criminal communities on instant messaging platforms are an important aspect of information gathering to develop intelligence assessments based on DARKINT. 

Internet Relay Chat (IRC) has been a historical, real-time chat environment for threat actors to plan, collaborate, and securely distribute stolen information related to cybercrime. Modern chat platforms like Telegram are an increasingly popular, high-frequency source of substantial darknet-adjacent information, despite not being directly connected to the darknet. These types of instant messaging platforms are widely utilized by threat actors, who administrate both public and private servers and channels.

Chatter from instant messaging platforms, coupled with darknet forum posts and OSINT, aids in the translation of information into actionable, high-confidence DARKINT judgements.

Nation State Actors and Political Activity 

Darknet intelligence concerning nation state actors and political activity is becoming increasingly relevant. Nation-states are typically on the darknet for intelligence gathering and espionage, campaigns to disrupt critical infrastructure of other nation-states, activism and propaganda, sharing and testing source code, exploits, and vulnerabilities, and for financial gain. Disinformation and misinformation are powerful tools some nation-states use to sway public perception and opinion.

Even before the invasion of Ukraine, DarkOwl found evidence that nation-states were increasingly using the darknet as an information-based battlefield for a variety of key intelligence and cyber military campaigns.

In just the last 90 days, Telegram has featured as a critical network for 24/7 disinformation campaigns and information operations spearheaded and sponsored by the governments of Russia and Ukraine. Channels regularly include interviews with prisoners of war (POWs), digitally altered videos to trigger false-flag operations or claim kinetic military success against critical infrastructure, and leaked data disseminated from successful cyber operations. 

Conclusions 

DARKINT is the byproduct of combining human-powered analysis of validated data derived from darknet sources with informed perceptions and personal experiences. 

By actively monitoring for raw data points such as sensitive PII, compiled information advertised and discussed on forums and marketplaces, along with darknet-adjacent chatter and associated OSINT signals, one can create concrete DARKINT and quickly deploy remediation or defense mechanisms accordingly.

DARKINT is most effective when applied to drive complex decisions like quantifying supply chain and vendor risk, underwriting cyber insurance policies, fraud mitigation and digital identity protection efforts, or creating qualified, actionable threat intelligence products in matters of national security, critical infrastructure protection or law enforcement investigations. 

DarkOwl’s Vision-derived DARKINT helps international governments, local law enforcement, individuals, and companies create a more comprehensive security posture.
