Ransomware Anonymity Tools: How Ransomware Attackers Avoid Detection

April 8, 2021

Contact Our Ransomware & Cybersecurity Experts

We will get back to you as quickly as possible!

Ransomware attacks have been getting worse for quite a while. This leaves many of us wondering why they can’t be stopped. Can’t law enforcement somehow trace their activities and track them down? Ransomware anonymity tools are one reason they can’t. These tools can also make it more difficult to detect the activities of attackers.

To understand why, you need to learn a little bit about the history of encryption.

The Crypto Wars

In the early days of the internet, US regulators wanted to limit the strength of encryption available to civilians, and above all the strength that could be exported. The algorithms ransomware gangs rely on today were then treated as military technology: cryptography sat on the US Munitions List, and products shipped abroad were limited to 40-bit symmetric keys, a far cry from the 256-bit AES keys ransomware commonly uses today. As it turns out (surprise, surprise), 40-bit keys were tolerated precisely because they could be brute-forced: public demonstrations in the mid-1990s recovered 40-bit keys with modest hardware within days, and agencies such as the NSA, with far more computing power, could do so much faster.

The justification for these export controls was to keep strong cryptography out of the hands of foreign governments. The problem was that the same limits also capped the privacy available to ordinary internet users, since much of the software they used was the weakened export-grade version.

In the end, privacy activists and researchers challenged the controls and won. Their argument rested on the US Constitution's guarantee of free expression: in Bernstein v. United States, a federal appeals court held that cryptographic source code is a form of protected speech. The government had tried to treat cryptographic algorithms as munitions; the activists took the position that they are simply a means of communication. Together with pressure from industry, this led to the export rules being substantially relaxed by 2000.

This was a great victory for believers in freedom. Cryptography has helped activists and whistleblowers in many authoritarian countries protect their identities. Even in countries where free expression is protected, many people worry about excessive government surveillance or abuse of power by authorities. Encryption lets law-abiding citizens enjoy privacy, and puts a check on the unrestrained expansion of government power.

Unfortunately, there’s also a dark side to the proliferation of encryption technology.

The Downside of Cryptography: Ransomware Anonymity

While cryptography enables all kinds of legitimate activity, it is just as useful to criminals. Hackers, distributors of child abuse material, drug dealers, and even contract killers all benefit from it. Part of this is related to cryptocurrencies: at first, cryptography secured only the transfer of information, but Bitcoin used it to secure the transfer of economic value as well. Bitcoin is built on the same class of strong, publicly specified primitives (SHA-256 hashing and ECDSA signatures) that the export controls tried to keep out of civilian hands. Both dimensions, private communication and hard-to-trace payment, are essential to modern cyber criminals, including ransomware gangs.

Ransomware attackers use cryptography at several points. The files on a victim’s machines are encrypted with strong ciphers, and the key needed to reverse this is held hostage until a ransom is paid. Payment is then demanded in Bitcoin or another cryptocurrency; these are secured not by encryption but by digital signatures and hashing, and their addresses are pseudonymous rather than tied to a verified identity, which is what makes the money hard to follow. Finally, attackers encrypt their own traffic while they break into networks, operate inside them, and negotiate with their victims.

Understanding the tools that ransomware hackers use can help to explain why it’s so difficult to catch them and bring them to justice.

Ransomware Anonymity Tools Used by Hackers

Anonymity tools are an essential part of any ransomware gang’s arsenal. Some of the most commonly used are:

  • Tor
  • Blockchain DNS
  • I2P

Tor (The Onion Router)

You might be familiar with virtual private networks (VPNs). A VPN is an encrypted tunnel laid over a public connection, so that traffic between you and the VPN provider is private and the websites you visit see the provider’s address instead of yours. If you have used a VPN, you may have been denied access to a website: many sites detect connections from known VPN address ranges and block them. Some hackers use SOCKS5 proxies to get around this, and ransomware gangs have increasingly switched to Tor. Note the limit of a VPN: the provider still sees who you are and where your traffic goes, so it gives you privacy from the destination, not anonymity from the provider.

Tor is not a cryptographic algorithm but an anonymity network, and like several other technologies hackers rely on, it has US government roots: onion routing was originally developed at the US Naval Research Laboratory. The name stands for “The Onion Router” because the client wraps its traffic in several layers of encryption and sends it through a circuit of relays (normally three). Each relay strips one layer and learns only the previous and the next hop, so no single relay sees both the user and the destination. Tor’s onion services are what made dark web marketplaces like Silk Road possible, and ransomware gangs host their leak sites and negotiation portals the same way.

Blockchain DNS

Blockchain DNS is a domain name system whose records are stored on a blockchain instead of in registrar databases. A blockchain is a chain of records that are cryptographically linked together, so past entries are very difficult or impossible to modify. Unlike conventional domains, blockchain domains are therefore very censorship resistant. In the conventional DNS, a domain used for malicious activity can be suspended by its registrar or registry, and law enforcement can obtain a court order to seize it (ICANN coordinates the namespace; the registrars and registries it accredits are the ones who act on takedowns).

Not so with blockchain-based DNS. Names are registered by writing a transaction to the blockchain, with no registrar in the loop, and only the holder of the corresponding private key can update the record. There is no central party that can revoke or redirect the name, so a command-and-control domain under a blockchain TLD such as .bit (Namecoin) or .bazar (Emercoin) cannot be taken down in the usual way. The flip side, useful to defenders, is that these TLDs are not resolvable through the ordinary DNS: a client needs a special resolver, browser extension or gateway, and a query for such a TLD showing up in your own DNS logs is itself a red flag.

The Invisible Internet Project (I2P)

I2P is shorthand for the Invisible Internet Project. It is an overlay network: applications hand their traffic to the local I2P router, which anonymizes it across the network, and all traffic is end-to-end encrypted. I2P uses garlic routing, a variant of onion routing in which several messages (“cloves”), each carrying its own delivery instructions, are bundled into a single encrypted message, and in which sending and receiving use separate unidirectional tunnels. An observer therefore cannot tell how many messages were sent or to whom. This makes traffic analysis, one of the main ways to trace a message back to its sender, much harder.
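The layering described in the Tor section and the garlic bundling described here are easiest to see in code. The following is an added, self-contained example written for this page, not code from Tor or I2P. It uses a deliberately simple, unauthenticated XOR stream cipher built from HMAC-SHA256 in place of the real per-hop AES keys, and the relay names, keys and messages are made up. The point is what each relay can observe: only its neighbours, and only the exit sees the payload.

```python
"""Toy onion routing plus an I2P-style garlic bundle (added example, stdlib only).
The cipher is a deliberately simple, unauthenticated XOR stream built from
HMAC-SHA256 in counter mode; it stands in for the per-hop AES keys that real
Tor/I2P negotiate. Relay names and keys are made up for the demonstration."""
import hashlib
import hmac
import os

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher: random nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def wrap(next_hop: str, inner: bytes) -> bytes:
    """Frame: 1-byte name length || next-hop name || inner bytes."""
    name = next_hop.encode()
    return bytes([len(name)]) + name + inner


def unwrap(cell: bytes) -> tuple[str, bytes]:
    n = cell[0]
    return cell[1:1 + n].decode(), cell[1 + n:]


def build_onion(path: list[tuple[str, bytes]], destination: str, payload: bytes) -> bytes:
    """Wrap payload so each relay in path (client-to-exit order) peels one
    layer and learns only the next hop; the exit alone sees the payload."""
    cell = wrap(destination, payload)
    for i in range(len(path) - 1, -1, -1):
        name, key = path[i]
        cell = encrypt(key, cell)
        if i > 0:  # the previous relay needs to know where to forward this layer
            cell = wrap(name, cell)
    return cell


def garlic_bundle(cloves: list[tuple[str, bytes]]) -> bytes:
    """Garlic: several (destination, message) cloves in one blob, so relays
    cannot tell how many messages travel together or who each one is for."""
    out = bytearray()
    for dest, msg in cloves:
        out += wrap(dest, len(msg).to_bytes(2, "big") + msg)
    return bytes(out)


def garlic_unbundle(blob: bytes) -> list[tuple[str, bytes]]:
    cloves = []
    while blob:
        dest, rest = unwrap(blob)
        size = int.from_bytes(rest[:2], "big")
        cloves.append((dest, rest[2:2 + size]))
        blob = rest[2 + size:]
    return cloves


def simulate(path: list[tuple[str, bytes]], destination: str, payload: bytes):
    """Push the cell through every relay, recording what each one can observe.
    Returns (bytes delivered to destination, per-relay views)."""
    keys = dict(path)
    cell = build_onion(path, destination, payload)
    previous, current, views = "client", path[0][0], []
    while current in keys:
        next_hop, inner = unwrap(decrypt(keys[current], cell))
        views.append({"relay": current, "from": previous, "to": next_hop,
                      "sees_plaintext": inner == payload})
        previous, current, cell = current, next_hop, inner
    return cell, views


if __name__ == "__main__":
    circuit = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]
    garlic = garlic_bundle([("chat.example", b"hello"), ("status.example", b"ping")])
    delivered, views = simulate(circuit, "destination", garlic)
    for v in views:
        print(v)  # only the exit relay reports sees_plaintext=True
    print(garlic_unbundle(delivered))
```

Run it and compare the three views: the guard knows the client and the middle relay, the middle relay knows only two relays, and the exit knows the destination and the payload but not the client. Bundling two cloves into one garlic message means even the exit cannot tell from the outer cell how many messages it carried until it unbundles them. Real Tor additionally authenticates every cell and negotiates each hop's key with a handshake; this toy omits both.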

I2P routes traffic through a network of tens of thousands of volunteer routers, and, as with Tor, no single router sees both ends of a conversation. Unlike Tor, I2P is designed mainly for services hosted inside the network (“eepsites” with .i2p addresses) rather than for reaching the ordinary web, and malware has used it for command-and-control channels for exactly that reason. This makes it a powerful anonymity tool for ransomware operators, and makes them much harder to track.
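Hard to track across the network does not mean invisible on your own network. The Tor, Blockchain DNS and I2P sections above each mention a naming system that the public DNS root does not delegate (.onion, .bit and the Emercoin TLDs, .i2p), so a lookup for one of these reaching your recursive resolver means a host is trying to use, or leaking, one of these networks. The following added example, written for this page and not taken from any product or project, scans resolver log lines for exactly that. The log format (timestamp, client IP, query name, record type) and every hostname in the sample are constructed; adapt the regular expression to your own resolver’s format.

```python
"""Spot anonymity-network and blockchain-DNS lookups in resolver logs.
Added example, stdlib only. The log format and sample lines are constructed.
The pseudo-TLDs are real: .onion (Tor, reserved by RFC 7686), .i2p (I2P),
.bit (Namecoin) and .coin/.emc/.lib/.bazar (Emercoin) are not delegated in
the public DNS root, so such a query should never reach a recursive resolver."""
import re
from collections import Counter

PSEUDO_TLDS = {
    "onion": "Tor onion service (leaked outside Tor; RFC 7686 says resolvers must answer NXDOMAIN)",
    "i2p": "I2P eepsite",
    "bit": "Namecoin blockchain DNS",
    "coin": "Emercoin blockchain DNS",
    "emc": "Emercoin blockchain DNS",
    "lib": "Emercoin blockchain DNS",
    "bazar": "Emercoin blockchain DNS",
}

# Constructed format: "<date> <time> <client-ip> query <qname> <qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) query (?P<qname>\S+) (?P<qtype>[A-Z]+)$"
)

# Constructed sample; none of these names refer to real hosts.
SAMPLE_LOG = """\
2021-04-08 10:00:01 10.0.0.5 query www.example.com A
2021-04-08 10:00:03 10.0.0.5 query exampleonionaddr.onion A
2021-04-08 10:00:07 10.0.0.9 query mail.example.com MX
2021-04-08 10:00:09 10.0.0.12 query Update.Example.BIT. A
2021-04-08 10:00:11 10.0.0.12 query stats.i2p A
2021-04-08 10:00:12 10.0.0.7 query cdn.bazar.example.net A
2021-04-08 10:00:15 10.0.0.12 query shop.bazar AAAA
this line is garbage and should be skipped
"""


def tld_of(qname: str) -> str:
    """Last label, lower-cased, ignoring a trailing root dot (so 'bazar' inside
    a longer name is not mistaken for the TLD)."""
    return qname.rstrip(".").lower().split(".")[-1]


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def onion_version(qname: str):
    """Tor v2 onion names have a 16-char label, v3 names a 56-char label."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    return {16: 2, 56: 3}.get(len(labels[-2]))


def scan_dns_log(text: str) -> list[dict]:
    """One finding per query whose TLD belongs to an anonymity or blockchain
    naming system; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tld = tld_of(rec["qname"])
        if tld in PSEUDO_TLDS:
            findings.append({**rec, "tld": tld, "network": PSEUDO_TLDS[tld],
                             "onion_version": onion_version(rec["qname"])})
    return findings


def clients_by_count(findings: list[dict]) -> Counter:
    """Which internal hosts generate the alerts; repeat offenders go first."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['client']} -> {f['qname']} [{f['network']}]")
    print(clients_by_count(hits).most_common())
```

Two caveats a practitioner should keep in mind. First, a correctly configured Tor client never sends .onion names to the system resolver (it resolves them inside the Tor circuit), so a hit here points at a misconfigured application or at malware calling the ordinary resolver API, not at normal Tor use; to spot normal Tor use you need network telemetry, such as connections to addresses on the published relay list. Second, matching on the last label only is deliberate: `cdn.bazar.example.net` in the sample is ordinary traffic and must not be flagged.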

Anonymity: A Mixed Blessing

Privacy is a sword that cuts both ways. It helps many people defend their rights and expose government abuses, but at the same time it makes the internet a much more dangerous place. It also makes life more difficult for law enforcement.

Whether we like it or not, the cat is out of the bag and there is no going back. The best we can do is try to use these tools for good.

Using these tools can also help protect against ransomware. For example, encrypting backups will not prevent a ransomware attack, and it will not stop an attacker from copying them, but it does make a stolen copy worthless without the key, which matters as data theft and extortion increasingly accompany encryption. In any case, it helps to understand the methods ransomware attackers use. The better you understand their methods, the better equipped you will be to avoid becoming their next victim.

If you do get hit by ransomware, you can always check our guide on ransomware first response, or contact us directly for a free consultation.
