Anonymous Ransomware Attack Tools

Over the last few years, data leaked from some of the most damaging cyberattacks has ended up on the Dark Web, a trend that is growing with the rise of double extortion ransomware, where attackers steal data before encrypting it and threaten to publish it if the ransom is not paid. These attacks are built from a fairly standard set of tools. Every day we read about large organizations being hit by ransomware gangs, but have you ever wondered how these attacks are planned and executed in the first place?

Unfortunately, cybercriminals have access to the same tools as cybersecurity professionals, and some are reported to use artificial intelligence (AI) and machine learning (ML) to tune their tooling against security controls. The tools they use to gain access and hold organizations to ransom are often sold or traded on the Dark Web. In this blog we’ll look at some of the anonymity tools used in ransomware operations, explain the difference between the Dark Web and the Deep Web, and clear up some of the misconceptions associated with them.

The Deep Web

The Deep Web is the part of the internet that is NOT indexed by search engines such as Google; by common estimates it makes up roughly 90% of all online content. Most of it is ordinary content behind logins, paywalls or query forms: private databases and records held by governments, universities, corporations and other institutions. Reaching it usually needs nothing more than a normal browser and the right credentials.

The Dark Web

The Dark Web is a much smaller slice, often put at around 6%, and is where criminals go to trade in stolen credit card numbers, drugs and firearms. It is also where ransomware gangs run their leak sites, publishing personal data exfiltrated during attacks. Unlike the rest of the Deep Web, the Dark Web cannot be reached with a normal browser: it needs overlay-network software such as Tor, I2P or ZeroNet, and each of these only reaches the sites hosted on its own network. Deep Web content, by contrast, is reached with whatever client the service itself uses (a browser with a login, a database client, a VPN into a corporate network).


What is TOR?

Tor (The Onion Router) is an anonymity network, not just a browser: the Tor Browser is a hardened Firefox that sends your traffic through it. A Tor client builds a circuit through three volunteer relays (guard, middle and exit) and wraps each request in one layer of encryption per relay. Each relay strips its own layer and learns only the previous and next hop, so no single relay sees both who you are and what you are requesting, and circuits are rebuilt periodically. Think of it as a chain of relay stations that make the request on your behalf and pass the response back, instead of you connecting directly. Using Tor is not illegal, and it is widely used by journalists, activists and law enforcement. The same properties make it attractive for anyone wanting a private transaction, such as buying bitcoin without revealing their IP address, and, unfortunately, for cybercriminals running ransomware operations.

Some ransomware families bundle a Tor client inside their payload or use .onion addresses for command-and-control and for the victim payment portal, so that the operators' infrastructure is hard to locate and take down. One caveat for defenders: Tor traffic is not invisible. Connections to Tor relays, Tor's default ports and .onion hostnames can often be spotted in egress and endpoint logs, and a system process that suddenly speaks SOCKS to localhost is worth a look.

What other tools are used on the Dark Web?

The Dark Web is used for anonymous transactions and communications. Tor is by far the most widely used network for reaching it; I2P and ZeroNet are smaller alternatives, each with its own client software and its own set of hidden sites. Ransomware groups use these networks for leak sites, payment portals and negotiation chats rather than for the initial intrusion itself, which typically arrives through phishing, stolen credentials or exposed services.
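A first-pass hunt for the network artefacts described above, written as an added example for this post (it is not BlackFog's code). The key=value log format and every sample record are constructed for the demo. The port numbers are the tools' documented defaults (Tor ORPort 9001, DirPort 9030, SocksPort 9050, Tor Browser SocksPort 9150; I2P HTTP proxy 4444, SAM bridge 7656, router console 7657; ZeroNet UI 43110 and peer port 15441); operators can change all of them, so a hit is a lead to investigate, not proof.

```python
"""Triage egress and endpoint network logs for Tor, I2P and ZeroNet indicators.

Added example, not BlackFog's code.  The key=value log format and the sample
records are constructed for the demo.  Ports are the tools' documented
defaults; attackers can change them, so treat a hit as a lead, not proof.
"""
import re
from collections import defaultdict
from typing import Dict, List

DEFAULT_PORTS = {
    9001: "Tor ORPort", 9030: "Tor DirPort",
    9050: "Tor SocksPort", 9150: "Tor Browser SocksPort",
    4444: "I2P HTTP proxy", 7656: "I2P SAM bridge", 7657: "I2P router console",
    43110: "ZeroNet UI", 15441: "ZeroNet peer port",
}
ANON_SUFFIXES = (".onion", ".i2p")
# System processes that have no business talking to an anonymity network on a corporate host.
NOISY_SYSTEM_PROCS = {"svchost.exe", "rundll32.exe", "powershell.exe", "wscript.exe"}

# Constructed sample: one egress proxy / EDR network sensor record per line.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z src=10.0.4.21 proc=chrome.exe dst=www.example.com dport=443
ts=2024-05-01T10:00:07Z src=10.0.4.21 proc=svchost.exe dst=127.0.0.1 dport=9050
ts=2024-05-01T10:00:08Z src=10.0.4.21 proc=svchost.exe dst=198.51.100.7 dport=9001
ts=2024-05-01T10:00:09Z src=10.0.4.33 proc=firefox.exe dst=examplexyz.onion dport=80
ts=2024-05-01T10:00:15Z src=10.0.4.50 proc=outlook.exe dst=mail.example.com dport=993
ts=2024-05-01T10:00:20Z src=10.0.4.60 proc=i2prouter.exe dst=127.0.0.1 dport=7657
ts=2024-05-01T10:00:25Z src=10.0.4.50 proc=ssh.exe dst=203.0.113.9 dport=22
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (constructed log format)."""
    return dict(_KV.findall(line))


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a single record looks like anonymity-network traffic."""
    reasons = []
    dst = rec.get("dst", "").lower()
    if dst.endswith(ANON_SUFFIXES):
        reasons.append(f"hidden-service hostname {dst}")
    try:
        port = int(rec.get("dport", ""))
    except ValueError:
        port = None
    if port in DEFAULT_PORTS:
        reasons.append(f"{DEFAULT_PORTS[port]} (tcp/{port})")
    return reasons


def hunt(log_text: str) -> Dict[str, List[dict]]:
    """Group findings by source host so the analyst sees one entry per machine."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings[rec.get("src", "?")].append(
                {"proc": rec.get("proc"), "dst": rec.get("dst"), "reasons": reasons})
    return dict(findings)


def severity(host_findings: List[dict]) -> str:
    """Crude priority: a system process hitting a SOCKS port plus an outbound relay
    port looks like Tor bundled in malware; a browser reaching a .onion is probably a user."""
    procs = {f["proc"] for f in host_findings}
    if procs & NOISY_SYSTEM_PROCS and len(host_findings) >= 2:
        return "high"
    return "medium"


if __name__ == "__main__":
    for host, items in hunt(SAMPLE_LOG).items():
        print(host, severity(items))
        for item in items:
            print("   ", item["proc"], "->", item["dst"], ";", "; ".join(item["reasons"]))
```

Run against the sample, host 10.0.4.21 is rated high (svchost.exe talking to localhost:9050 and then to an external host on 9001), while the browser visiting a .onion and the I2P router console are medium. In production you would replace the port table with the current Tor relay consensus and your own allow-list of sanctioned Tor users.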

What is I2P?

I2P is a decentralized overlay network in which every participant also acts as a router, relaying traffic for other volunteers around the world. Traffic travels through unidirectional tunnels (separate inbound and outbound tunnels, each built from several hops) and uses garlic routing, which bundles several encrypted messages together so that an observer cannot separate them. Everything is encrypted end to end inside the network, which makes tracing a user's browsing very difficult, though not impossible, for attackers and law enforcement agencies alike.
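The layered encryption behind both the Tor relay chain described earlier and I2P's garlic bundling, shown as a small added example (not part of the original post, and not Tor's or I2P's real protocol). It assumes each hop holds a symmetric key pre-shared with the client, and uses a toy HMAC-based stream cipher so it runs with the standard library only; the hop names, keys and messages are constructed for the demo. The point it makes: a relay can peel exactly one layer, which tells it only the next hop, and the innermost layer can carry several "cloves" for different destinations.

```python
"""Toy onion wrapping with a garlic-style bundle at the core.

Added example, not part of the original post and not Tor's or I2P's real
protocol.  Each relay holds a symmetric key (assumed pre-shared with the client
for the demo; Tor and I2P negotiate theirs).  The client wraps a bundle of
messages in one encryption layer per hop; a relay strips exactly one layer,
learns only the next hop, and forwards an opaque blob.  The innermost layer
carries several "cloves" for different destinations, the bundling idea behind
I2P's garlic routing.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher derived from HMAC-SHA256 (toy construction, demo only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Layout: nonce || tag || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or tampering raises ValueError."""
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ct = blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


def build_onion(path: List[str], keys: Dict[str, bytes], cloves: List[dict]) -> bytes:
    """Seal the clove bundle for the last hop first, then add one layer per earlier hop."""
    layer = json.dumps({"cloves": cloves}).encode()
    for i in range(len(path) - 1, -1, -1):
        next_hop = path[i + 1] if i + 1 < len(path) else None
        envelope = {"next": next_hop, "blob": layer.hex()}
        layer = seal(keys[path[i]], json.dumps(envelope).encode())
    return layer


def relay_process(name: str, key: bytes, blob: bytes) -> Tuple[Optional[str], bytes, dict]:
    """One relay's job: peel its own layer, note the next hop, forward the rest untouched."""
    envelope = json.loads(unseal(key, blob))
    view = {"relay": name, "sees_next": envelope["next"]}  # all this hop ever learns
    return envelope["next"], bytes.fromhex(envelope["blob"]), view


def run_circuit(path: List[str], keys: Dict[str, bytes], cloves: List[dict]):
    """Push one packet through every hop; return the delivered cloves and each relay's view."""
    blob = build_onion(path, keys, cloves)
    views = []
    for hop in path:
        _next, blob, view = relay_process(hop, keys[hop], blob)
        views.append(view)
    # After the last hop nothing is left but the plaintext bundle.
    return json.loads(blob)["cloves"], views


if __name__ == "__main__":
    path = ["guard", "middle", "exit"]
    keys = {hop: os.urandom(32) for hop in path}
    cloves = [{"to": "leak-site.example", "msg": "hello"},
              {"to": "payment-portal.example", "msg": "world"}]
    delivered, views = run_circuit(path, keys, cloves)
    for v in views:
        print(f"{v['relay']:>6} learns next hop = {v['sees_next']}")
    print("delivered:", delivered)
```

The guard relay's view contains only "middle"; trying to open the inner blob with the guard's key fails the integrity check. Real Tor differs in the details that matter for security: per-hop keys come from a Diffie-Hellman handshake rather than being pre-shared, relay cells are fixed size so the packet does not shrink as layers are peeled, and the cipher is a vetted AEAD-style construction rather than this HMAC keystream.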

How safe and secure is I2P?

I2P, which stands for the Invisible Internet Project, gives anyone a way onto its own corner of the Dark Web (sites hosted inside I2P are called eepsites and use .i2p names). It is an anonymity network whose purpose is to hide who is talking to whom from network observers, including governments and law enforcement agencies. Development started in 2003, and the network offers strong encryption with a configurable tunnel length, so users can trade latency for anonymity.

How does I2P work?

I2P was designed mainly for services hosted inside the network (it has only limited outproxies to the ordinary internet), whereas Tor was designed primarily to reach the regular web anonymously and added onion services on top. Both have their pros and cons: I2P's message-based, unidirectional tunnels and garlic routing suit peer-to-peer traffic and are intended to complicate traffic analysis, but Tor has a far larger user base and relay network, which is itself an anonymity advantage, so claims that one is simply faster or more secure than the other do not hold in general. I2P provides end-to-end encryption between endpoints inside the network, which is what makes it attractive for hosting hidden infrastructure, including the leak sites and chat servers used in ransomware operations.

Cryptocurrency and ransomware attacks

Launched in 2009 with Bitcoin, cryptocurrency is a form of digital money that can be exchanged online for goods and services. Cryptocurrencies run on a blockchain, a decentralized ledger replicated across many computers that records every transaction. Investors and financial experts welcomed it, but so did cybercriminals. Blockchain technology is not itself connected to ransomware, but ransomware depends on a payment channel that is fast, cross-border and outside the banking system, and the vast majority of ransom payments are made in cryptocurrency, mostly Bitcoin; a figure of around 98% is commonly cited. The Bitcoin ledger is public, however, which is why law enforcement and blockchain analytics firms can sometimes trace and even seize ransom payments despite the pseudonymity.

Ransomware techniques, a serious challenge for Enterprises

Ransomware techniques are constantly evolving, posing serious challenges for organizations and their IT departments. Cybercriminals are well coordinated and share tools and techniques across affiliate networks (the ransomware-as-a-service model) to bypass traditional cybersecurity solutions.

Ransomware attacks are staged by well-resourced, skilled and persistent threat actors, occasionally with state backing. Perimeter-based cybersecurity tools such as firewalls, antivirus and VPNs are no longer enough on their own to prevent these attacks.

From the attacker's point of view in a double extortion campaign, the attack only succeeds once data has actually been stolen and moved off the device or network; infiltrating a device or network is a step along the way, not the goal.

Preventing modern attacks requires a different way of thinking and an approach that includes an anti data exfiltration strategy. If we assume the bad actors will get in regardless of perimeter defenses, we can spend less effort on how they got in and more on spotting and blocking the data they are trying to take out.

If you’re ready to find out where your data is going, register for your free 7-day ransomware assessment.

*** This is a Security Bloggers Network syndicated blog from BlackFog authored by Darren Williams. Read the original post at: