Ransomware actors have taken multiple measures to hide their real identity online along with the hosting location of their web server infrastructure.
Operational Security Missteps
The majority of ransomware operators use an out-of-country hosting provider to host their ransomware operations sites. Additionally, VPS hop-points, the TOR network, and DNS proxy registration services are used as an extra layer of protection to keep their identity anonymous.
Cybersecurity firms can take advantage of the threat actors' operational security missteps to uncover their hidden identity. They are able to identify TOR hidden services hosted on public IP addresses.
Checking the favicons
Favicons are the icons that show up in your browser window next to the web address. It is often the logo that is associated with your brand. Similarly, the sites on the darknet have favicons or logos that are associated with their sites. It is one of the key identifiers for cybersecurity firms looking to catch criminals.
Through the use of web crawlers, cybersecurity firms check the favicons associated with darknet websites against the public internet. This method is used to uncover the threat actors' clear web infrastructure. The criminals' leak sites, which are accessible to any user on the internet, are left exposed along with other infrastructure components, which makes it possible to obtain the login locations that are used to administer the ransomware servers.
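The favicon comparison described above can be sketched as follows. This is an added example, not code from the article or from any firm it mentions; the SHA-256 fingerprint, the function names, the `max_hosts` threshold, and all hosts and icon bytes are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def favicon_fingerprint(data: bytes) -> str:
    """Exact-match fingerprint of the raw favicon bytes."""
    return hashlib.sha256(data).hexdigest()

def build_index(clear_web_crawl):
    """Map fingerprint -> set of clear-web hosts that served that icon."""
    index = defaultdict(set)
    for host, icon in clear_web_crawl:
        if icon:  # hosts that returned no favicon carry no signal
            index[favicon_fingerprint(icon)].add(host)
    return index

def correlate(onion_crawl, index, max_hosts=3):
    """Return {onion site: [clear-web hosts]} for icons rare enough to matter.

    Icons served by more than max_hosts clear-web hosts are treated as
    framework or CMS defaults and dropped, since they link unrelated sites.
    """
    matches = {}
    for onion, icon in onion_crawl:
        if not icon:
            continue
        hosts = index.get(favicon_fingerprint(icon), set())
        if 0 < len(hosts) <= max_hosts:
            matches[onion] = sorted(hosts)
    return matches

# Constructed sample data: documentation-range IPs and made-up icon bytes.
LEAK_ICON = b"\x00\x00\x01\x00" + b"constructed-leak-site-logo"
DEFAULT_ICON = b"\x00\x00\x01\x00" + b"constructed-framework-default"
CLEAR_WEB = [
    ("192.0.2.10", LEAK_ICON),        # same logo as the hidden service
    ("192.0.2.11", b"\x00\x00\x01\x00" + b"unrelated-site"),
    ("198.51.100.1", DEFAULT_ICON),   # default icon shared by many hosts
    ("198.51.100.2", DEFAULT_ICON),
    ("198.51.100.3", DEFAULT_ICON),
    ("198.51.100.4", DEFAULT_ICON),
    ("203.0.113.9", None),            # no favicon returned
]
ONION = [
    ("leaksite-example.onion", LEAK_ICON),
    ("forum-example.onion", DEFAULT_ICON),
    ("noicon-example.onion", b""),
]

def run_demo():
    return correlate(ONION, build_index(CLEAR_WEB))

if __name__ == "__main__":
    for onion, hosts in run_demo().items():
        print(onion, "->", hosts)
```

An exact hash only matches byte-identical icons, so a re-encoded or resized logo will be missed, and any match is a lead to verify rather than proof of shared ownership.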
Now more than ever, cybersecurity firms are looking for employees to help combat these criminals. If you are interested in this field, take a look at our job openings to see if one is a right fit for you!