According to Anthropos' security researcher and chief technology officer, several fundamental security flaws in the Web infrastructure used by ransomware gangs like Everest, BlackCat, and Mallox saved six companies from having to pay potentially hefty ransom demands.
The security expert aimed to identify the command and control (C2) servers used by over 100 ransomware and extortion groups and discover flaws in their leak sites that could reveal information about the cyber criminals and their victims.
In a rare win for victim companies, two small businesses got the decryption keys without paying the ransom, and four crypto firms were alerted before the file encryption even started.
Several simple flaws in the Web dashboards employed by at least three ransomware groups, such as coding errors and security bugs, facilitated the compromise of the extortion operations. Some leak-site bugs even exposed the servers' IP addresses.
These vulnerabilities enabled the security researcher to gain access without login and learn information about the threat actors’ operations.
The Everest ransomware gang used a default password for its backend SQL databases, exposing its file directories. The targets of the BlackCat ransomware gang’s attacks were revealed while in progress due to exposed API endpoints.
An insecure direct object reference (IDOR) bug let the security expert cycle through all of a Mallox ransomware administrator's chat messages and fish out two decryption keys, which were passed on to the affected companies.
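The IDOR class of bug mentioned above, shown from the defender's side as an added example (this is not code from the article or from any of the dashboards it describes): a chat-message lookup that trusts the object id alone, next to one that enforces ownership before returning anything. The message store, user names and handler names are constructed for illustration.

```python
"""Insecure direct object reference (IDOR) reduced to a minimal chat store.

The vulnerable lookup returns whatever record the caller names, so any
authenticated user can walk sequential ids and read everyone's messages.
The hardened lookup fetches by id and then checks that the record belongs
to the requesting user.  All data and names here are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: int
    owner: str  # user the message belongs to
    body: str


# Constructed sample data: two users, messages with sequential ids.
MESSAGES = {
    1: Message(1, "alice", "hello"),
    2: Message(2, "bob", "contents only bob should see"),
    3: Message(3, "alice", "see you"),
}


class Forbidden(Exception):
    """Raised when the requesting user may not see the record."""


def get_message_vulnerable(user: str, msg_id: int) -> Message:
    """IDOR: looks up by id only and never consults `user`."""
    return MESSAGES[msg_id]


def get_message_hardened(user: str, msg_id: int) -> Message:
    """Fetch by id, then enforce ownership before returning the record."""
    msg = MESSAGES.get(msg_id)
    # One response for both "no such id" and "not yours", so a caller
    # cannot tell valid ids from invalid ones by probing.
    if msg is None or msg.owner != user:
        raise Forbidden(f"user {user!r} may not read message {msg_id}")
    return msg


def reachable_ids(handler, user: str) -> list:
    """Return the ids `user` can read through `handler` by trying every id.

    This is the same walk an auditor runs against a test instance to
    measure how much a broken access check exposes."""
    found = []
    for msg_id in sorted(MESSAGES):
        try:
            found.append(handler(user, msg_id).id)
        except (KeyError, Forbidden):
            pass
    return found


if __name__ == "__main__":
    print("vulnerable:", reachable_ids(get_message_vulnerable, "alice"))
    print("hardened:  ", reachable_ids(get_message_hardened, "alice"))
```

The ownership check is the fix; unpredictable ids (random tokens instead of a counter) only slow enumeration down and are not a substitute for it.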
As ransomware attacks on companies in every major sector are relentless, some victims decide to pay for the decryption key in an attempt to get back online. CDK Global, for example, reportedly decided to pay millions in ransom to the hackers who crippled thousands of U.S. car dealerships.