Understanding the dark web and ransomware attacks

By Prof. Danny Myburgh, Managing Director at Cyanre – The Digital Forensic Lab

In 2014, South Africa was largely ignored by cyber criminals on the dark web. By 2016, mentions of South Africa were increasing, and by 2019, Accenture’s Insight into the cyber threat landscape in South Africa revealed that South Africa had the third-highest number of cybercrime victims of any country in the world. Hackers on the dark web loved us, and it’s only gotten worse. Ransomware attacks are on the rise around the world, and South Africa is increasingly under attack.

According to the 2021 SonicWall Cyber Threat Report, ransomware attacks rose by 62% worldwide between 2019 and 2020, and Accenture confirms that ransomware can be bought on the dark web for as little as US$100. You don’t need to be a skilled hacker to launch a cyber-attack – you just need to be able to find what you’re looking for on the dark web and have some working knowledge of cryptocurrencies.

Cryptocurrencies and ransomware demands

The rise of cryptocurrencies is one of the factors influencing the steady increase of ransomware attacks. They facilitate the safe, anonymous payments of ransoms to cyber criminals. Without cryptocurrencies, it would be far easier to trace a ransomware attack back to the perpetrator, as we have seen with the numerous cases Cyanre has worked on during the past 17 years.

The challenge is that many organisations hit with ransomware demands are not familiar with threat actors or cryptocurrencies, and do not have the expertise to navigate the dark web. There is also the risk of breaching international sanction lists and legislation if the correct legal processes are not followed. If the worst happens, an experienced negotiator who has dealt with cybercriminals, ransomware demands and cryptocurrencies can guide businesses through the unfamiliar terrain and ensure that there are no backdoors left open for another attack.

The surface web, the deep web and the dark web

Most ransomware attacks are the result of do-it-yourself ransomware-as-a-service (RaaS) software, which has been available on the dark web for a number of years to anyone with the right tools to access it.

So, what is the dark web, and what can criminals buy there? First, it’s important to understand that there are three layers of the web: the surface or clear web, the deep web and the dark web.

The surface web is the public web. If you can Google it or use Bing to find it, it’s information that lives on the surface web. This is because the content is designed to be discoverable through ‘indexing.’ For example, your company website is indexed to ensure that search engine ‘crawlers’ can find it and generally Search Engine Optimisation (SEO) is used to make a website or media platform even more discoverable and (hopefully) get listed on page one of a Google search. Interestingly, the surface web only makes up about 4% of the Internet, even though we all spend a large amount of time on it.

The next layer is the deep web, also known as the hidden web, which is estimated to make up about 96% of the Internet. Think of every platform you use that requires a user name and password to access. This includes streaming services, banking platforms, message boards, collaboration platforms, or any information stored online that you cannot access via Google. These include intranets, fee-based content, medical records, banking records and membership websites. We access the deep web every day without thinking about it – and without using Google or another search engine to get there.

The reason this data is ‘hidden’ is that it’s not indexed, and therefore isn’t discoverable by search engines. You need the URL to access it (and the right passwords and credentials, of course).

The dark web takes ‘not being indexed’ and anonymity to the next level. Not to be confused with the deep web, the dark web cannot be accessed without special software, and it can be very difficult to navigate once you’re there. The dark web has multiple layers of encryption, which means users can browse it and post information with near anonymity. It’s not surprising that criminals quickly took to buying and selling illegal services and goods on it, even though that’s not what the dark web was originally created for.

The dark web and ransomware

The U.S. Naval Research Laboratory developed the Onion Router (also known as the Tor browser) in the 1990s. According to the RAND report Identifying Law Enforcement Needs for Conducting Criminal Investigations Involving Evidence on the Dark Web, the Tor browser was originally created to protect the identities of American operatives who were working overseas. It also protected dissidents attempting to communicate with US agencies from within oppressive regimes.

In 2002, the browser was released to the public. Since then, it has been a safe haven for many legitimate users, such as journalists working internationally who need to protect their identities. There are many reasons to stay anonymous online – unfortunately, one of them is to conduct criminal activities.

We have discussed criminal organisations like REvil and DarkSide on the Cyanre blog page before. They sell RaaS software on illicit forums on the dark web. According to HP’s Into the Web of Profit study conducted in 2019, 60% of all listings on the dark web can potentially harm enterprises. These aren’t guns or drugs – they are purposely designed to attack businesses. Additionally, 4 in 10 dark net cybercriminals offered hacking services targeting FTSE 100 or Fortune 500 businesses.

The reason? Cybercrime – and ransomware in particular – is highly profitable. After all, how much would most organisations pay to get their data back or to get themselves back online and operational? This brings us back to cryptocurrencies.

Collaborating for emergencies

Instead of waiting for an attack to cripple your business, Cyanre recommends:

  • Partner with a credible and experienced team that can effectively conduct Digital Forensic investigations and Incident Response services prior to a crisis situation.
  • Prepare for the worst from a security, IT, crisis communications and legal point of view.
  • Regularly connect with the team and update disaster recovery plans when needed or to accommodate internal developments and deployments.
  • Conduct simulation training exercises with your team to test your response, not just on a technical level but also at executive committee (exco) level.

With clear planning and the relevant expertise in place, companies are more prepared to deal with ransomware attacks, and thankfully there are people who specialise in dealing with these issues.