Light on the Dark Web: A Cybersecurity Exploration From Origins to Ransomware
This webcast originally aired on February 20, 2025. Join Black Hills Information Security analyst Joseph as he shares what he has found and learned on the dark web, so you don't have to go exploring it yourself. But if you do decide to go, he will teach you how to navigate it safely. It's dangerous to go alone; take this knowledge with you.
亮点
- 1:13 The origin and evolution of the dark web: from Navy security to privacy and human rights
  The dark web originated from the Navy's need for secure communication and evolved into Tor, emphasizing decentralization and privacy.
- 2:08 Unmasking the dark web: scams, hitmen and the role of undercover operations
  Dark web scams include hitman websites, which are monitored by authorities. High-profile cases illustrate the risks and the existence of undercover operations.
- 2:43 The high-profile ransomware attacks of 2021: a year of cybersecurity challenges and recovery
  In 2021, ransomware attacks on CNA Financial, Colonial Pipeline and JBS Foods caused major financial losses and disruption.
- 1:49 The complex decision of paying a ransom: balancing security measures and operational risk
  Guidance for companies includes penetration testing, patch management and logging to improve security. Paying a ransom is complex and affects future threats.
- 1:20 Steps for the first 24 hours of responding to a ransomware incident
  Responding to ransomware involves isolating systems, assessing the threat, bringing in experts and preserving evidence for investigation.
- 2:01 Strategies for leadership teams to prepare for ransomware: prevention, response and policy advocacy
  Prepare for ransomware by building a strong response plan, regular training, backups, cyber insurance and international cooperation.
- 1:31 The role of digital activism and censorship in modern protests
  The Arab Spring protests (2010-2012) saw a boom in online communication, leading to regime change and to hacktivism against ISIS.
- 2:49 SecureDrop: enabling secure communication for journalism amid the complexities of the dark web
  SecureDrop, created by Aaron Swartz and Kevin Poulsen, enables secure file sharing with the media over Tor, supporting journalism.
- 2:53 Understanding the impact of Tor and cryptocurrency on ransomware
  Discussion of using Tor, Whonix and the Brave browser to access the dark web, and of the relationship between ransomware demands and cryptocurrency prices.
- 2:55 Staying ahead of dark web threats: blue team strategies and current cybersecurity challenges
  Discussion of resources and methods blue teams can use to prevent credential leaks on the dark web and cyberattacks.
Full video
Transcript
Deb Wigley
All right, Joseph, thank you so much for joining us, and to everyone watching, thank you for joining this Black Hills Information Security webcast today. Joseph is going to be talking about "Light on the Dark Web."
He's actually on the dark web right now, beaming to us from the dark web. So Joseph, take it away.
Joseph
All right, awesome. Welcome, everybody. This is going to be about a 40-minute visual presentation on the dark web, the origins of the dark web.
It's about ransomware. I have a cool interview with a very smart individual. There's a lot of cool stuff here. There won't be any slides, no PowerPoint. It won't be very technical. So, with that said, sit back, relax, and enjoy the show.
Joseph (voiceover)
A hidden layer of the internet that may be mysterious to some.
Beyond your typical web browser and favorite e-commerce sites lies a network where anonymity is king and secrets thrive.
There's good, and there's bad. A digital underworld that few explore. Welcome to "Light on the Dark Web."
On this journey, we'll peel back some of the layers of Tor, or The Onion Router. We'll talk about the good and the bad.
So where did the dark web originate? Back in the 90s, the Navy understood that the internet lacked security; as most of us know, there are some serious security vulnerabilities.
The Navy wanted a version of the internet of their own, one that was anonymous in the early days. Tor's pioneers knew the network needed to be decentralized, meaning it should be controlled by many instead of one.
In late 2002, the Tor network was deployed and took off quickly. In fact, it took off so fast that the Electronic Frontier Foundation started funding the project.
Not long after, in 2008, a browser designed specifically for the dark web was released. Today, Tor is decentralized and controlled by thousands of relays set up by a range of volunteers.
Some may think the dark web is a dangerous place full of illegal activity. Others say it's about privacy, about human rights. We'll let you decide for yourself.
You may not be familiar with the different parts of the internet and what they mean. Simply put, you have the surface web, which is visible, searchable by everyone on the internet, and which we use every day.
We also have the deep web, which isn't necessarily indexed by any search engine, may require a username and password, or may even be restricted based on your location.
Finally, we have the dark web, or The Onion Router. Tor, similar to the deep web, is mainly focused on anonymity.
To access it, you need a special browser or special software. There are even operating systems entirely dedicated to getting you onto Tor.
Why does everyone have such great fear of the dark web? Is it because it's unknown? People fear what they don't know.
New things are scary. If you look at recent news, people are terrified of drones. They're newly mainstream, and people don't realize how common drones have become.
It's engaging content. Is it hobbyists flying things, or something from outer space? For the dark web, the fear really began with online marketplaces selling everything from exotic animal parts to drugs and even ransomware.
You name it, it's for sale. If you think about what an interesting story this was in the early 2000s, you have a few different things.
One, a marketplace openly selling illegal goods. Two, the marketplace is on the dark web, or Tor, which is almost like digital alchemy.
Finally, you had to pay for these illegal items on this strange, hard-to-access network with a currency most people were ignorant of, back when bitcoin was $100 a coin.
Going back to 110 BC, the first big market was the Silk Road.
Named after a material that had been lucrative for thousands of years, the Silk Road facilitated trade between the Eastern and Western worlds and made many people rich.
The Silk Road was so important that China even extended the Great Wall to better protect these trade routes.
Of course, it wasn't just silk being traded. Other goods such as tea, perfume, porcelain and gunpowder were also popular.
Fast forward to 2011, and a new marketplace formed, also called the Silk Road, named after its predecessor.
Ross Ulbricht, a former bookstore owner and libertarian, wanted to give people the choice to buy whatever they wanted and circumvent authorities.
It started with what some people generally think of as recreational drugs. The Silk Road then slowly but surely introduced more and more, until the invisible line was crossed and the live-and-let-live attitude began to change when things such as firearms started being sold.
Add shady characters, more money and law enforcement to that equation. As time went on, law enforcement did get a breath of fresh air when they were able to link the username Altoid to Ulbricht while he was trying to promote the site on a normal website.
Ultimately, Ulbricht was charged with seven crimes and sentenced to two life sentences. The lure of money was even too much for some in law enforcement to handle.
DEA agent Carl Force and Secret Service agent Shaun Bridges stole hundreds of thousands of dollars' worth of bitcoin.
They went to great lengths to launder the bitcoin and convert it into traditional currency. Interestingly enough, Donald Trump stated in mid-2024 that he would commute the sentence of Ulbricht.
Did this stop darknet marketplaces? The short answer is no. Other variations of the Silk Road were launched by former moderators.
Other entirely new marketplaces such as AlphaBay began to pop up. Now, if you think the Silk Road was big, AlphaBay was much larger.
With the Silk Road paving the way, disrupting the market for illegal commodities, and a massive growth in cryptocurrency at that time, AlphaBay exponentially exceeded the Silk Road's earnings while operating for less time than the Silk Road itself.
AlphaBay became so big so fast that, to no surprise, it garnered the attention of multiple law enforcement agencies. Similar to the OPSEC fail of Ulbricht, the founder of AlphaBay, Alpha02, left a personal email address and forum posts on AlphaBay.
He also did not take the time to mask his source IP address when logging in as an administrator, allowing authorities to trace the activity back to Thailand.
What does the evolution of these contraband marketplaces look like? Interestingly enough, they aren't too far off from a normal e-commerce site, other than the products they sell.
A quick look at the currently operating dark web marketplace Venus shows discount codes and even live chats to help customers. So how does law enforcement identify and shut down these operations?
It's not easy. The rapid changes in technology over the past 15 years have been nothing short of monumental. The government has had to adopt entirely new methods to catch criminals:
tracking cryptocurrency transactions and the patterns of those transactions, monitoring packages at postal facilities, and performing controlled deliveries.
Even placing tracking code inside of messages that may reveal a residential IP address, potentially circumventing your connection to Tor.
It's a complex cat-and-mouse game that is ever evolving. There are also plenty of scams on the dark web, such as hitman-for-hire websites.
While these sites could be run by authorities, they are certainly monitored by authorities. In the case of Kristy Lynn Felkins, a woman charged in a murder-for-hire plot, Kristy paid 12 bitcoin, $5,000 at the time and over $1,000,000 today.
Thousands of messages were sent back and forth about the planning of this crime, discussing workplace scheduling, methodology, and, possibly the most disturbing part of it, proof that the job was done.
The assumed hitman was an undercover FBI agent. Kristy was charged and sentenced to five years in prison. Not exactly on the dark web,
but in 2023, an airman in the Air National Guard was arrested for applying to a hitman website that was a parody. Authorities were alerted, and again, an undercover FBI agent made a deal.
After multiple attempts to dissuade the airman from going through with the job, the airman was charged and is facing up to 10 years.
He was sentenced on February 7, just a couple of weeks before this webcast. And while it's reasonable to assume a hitman site would be monitored by authorities, thousands of orders still went through and still go through these sites.
Jealous lovers, disgruntled business partners, and even devastated gamblers. Ransomware and malware are big business on the dark web.
You can pay for it as a service. You can buy the software all by itself. You can even buy access to a network to perform malicious actions from the context of an employee, potentially even an employee with privileges.
Now, you might be wondering, where did ransomware originate? Well, back in the late 1980s, a Trojan horse called AIDS would monitor the number of times your computer booted.
Once your computer had booted 90 times, the files on your hard drive would be hidden and then encrypted. Oddly enough, the inventor of the first ransomware was a biologist with a PhD from Harvard who was also studying AIDS.
Another interesting fact is that to distribute this ransomware, it had to be sent by snail mail. If you didn't want to lose your life's work, you had to pay $189 to a P.O. box in Panama.
Talk about a disgruntled employee. He was arrested at Amsterdam's Schiphol Airport and charged with multiple counts of blackmail.
A very cool thing about the story is the humanity that was involved. Jim Bates published in detail how to decrypt the ransomware so that users could get their data back.
I truly feel like that is the cybersecurity community of today: helping others and sharing knowledge. Now, in the 2020s, ransomware distribution is far more sophisticated.
There are as many ways to execute malware as there are ways to make a pizza. Another interesting trend that I've personally seen over the past six years is the businesslike function of ransomware groups.
These groups had official playbooks for compromise. They even use project management software like Jira.
A little bit about my past. Back in the late 2010s, I was entrenched in all of these different red team certifications and physical security certifications, trying to become the best I could be with all the different C# assemblies
that did post-exploitation within a command and control framework. I actually made my own playbook and even had a public GitHub project that attempted to automate certain enumeration and exploitation tasks, so that all commands, aside from variables such as a user or a computer name, would be consistent and you wouldn't get errors when executing these tools, potentially ruining your own red team operation.
And during that time, while performing some purple team engagements, which are collaborative projects between hackers and defenders, I was given some direct TTPs from a very expensive threat intel source who was concerned with the impact of a ransomware attack and what ransomware operators were performing.
And their playbooks were so similar to the commands and the tools that I was using during red teams, I thought I was looking at my own notes from red team courses.
And it made me think, how many of these bad actors are in the same classrooms I've been in, or studying the same things I am?
What kind of money can you make from a ransomware attack? Well, a lot more than dime bags on the Venus marketplace. Let's talk about it. It seemed like the year 2021 was rife with ransomware attacks, almost a golden age for attackers.
A lot of companies were rolling out their own security operations centers and EDR. However, many were not quite there yet. In 2021, CNA Financial paid out $40 million to a ransomware group believed to be linked to the criminal group Evil Corp, using a variant of the Hades ransomware called Phoenix.
This ransomware appeared to be a browser update. CNA employees were locked out of the network for approximately two weeks, simply ignoring the hackers and trying to recover the data on their own.
Defenders who analyzed the ransomware came to the conclusion that it was definitely a variant of a different type of ransomware, Hades.
These days, modifying code, sometimes even a single byte, can allow an attacker to take a highly functional code base that's detected statically, meaning just on disk, not running, and get around those detections.
Sanctions were ultimately brought against the Russian group Evil Corp. Also in 2021, a ransomware attack on the Colonial Pipeline affected more than just a business,
and had Americans panicked that gas stations would just stop working, that people couldn't get to their hot yoga classes, or worse, that an explosion would happen and casualties would be involved.
The payout from this attack amounted to $4.4 million. This did cause some fuel shortages on the East Coast, but luckily half of the ransom paid was actually recovered.
How the FBI recovered the bitcoin is unknown. The interesting thing about this is that the FBI just had a private key to a bitcoin wallet with this money in it.
Very interesting. Also in 2021, JBS Foods, one of the largest meat companies in the world, which processes approximately 20% of beef and pork in the United States, was hit by ransomware.
The group responsible for the attack was REvil, a Russian-linked ransomware group. This ransomware attack caused five large plants in the US to be shut down.
This caused mass fear of meat shortages and price spikes. $11 million worth of bitcoin was paid to get the data back and resume operations.
REvil really hit the FO button. As both the President and the FBI were investigating the attack, they worked with Russian authorities, who were kicking in doors.
And the FBI seized their infrastructure, to include payment portals and data leak sites. Going back a little bit further, in 2019, the Springhill Medical Center in Mobile, Alabama was affected by a ransomware attack.
This attack caused business disruptions, and as a result a newborn baby suffered severe brain injuries and died shortly after. This was due to monitoring equipment being inoperable during the ransomware attack.
Oil and gas pipelines, supply chain disruptions for food, innocent women and children dying because of a ransomware cash grab: these have been real-life consequences of these attacks so far.
Fast forward to 2024. According to National Security Advisor Anne Neuberger, nine telecommunication companies and dozens of other companies have been compromised by China.
Phone calls can be recorded, metadata can be stolen, and high-value targets could possibly be geolocated. So what is the solution to this?
The guidance was to simply address cybersecurity gaps, nothing concrete. Now let me give a shameless plug and some guidance on how to address certain cybersecurity gaps.
Watch BHIS content. Companies that follow our guidance and get pen tests make life so hard for pen testers and red teamers. It might not protect against a zero day necessarily,
I mean, it is a zero day, but if you keep patching up to date, perform vulnerability scans, have MFA, enforce least privilege, have EDR, all of that good stuff, you will make it tougher.
If you log all of the things that you can log and you still get compromised, that information could be valuable to other organizations and defenders trying to help.
And it may help them not to go through what you go through. It is the official stance of the FBI and CISA not to pay ransomware, but this is not necessarily a cut-and-dry decision.
A few of the obvious reasons not to pay a ransom: well, paying a ransom does not necessarily guarantee that you will get your data back.
It also does not guarantee that an attacker won’t create and maintain some type of persistence to compromise you in the future or even just sell access to your environment to another ransomware group.
Access as a service is a real thing. And finally, paying a ransom does further encourage other threat actors to continue these attacks.
A couple of things you might want to think about, and why it's not necessarily a cut-and-dry question and answer: hey, how much does the downtime of a network cost compared to the ransom?
I worked with him once upon a time, and I have to say, this guy is the real deal. His name and voice have been changed due to the fact that it's right after Christmas and he should actually be putting away decorations instead of having lunch and doing interviews with his hacker friends.
AI John Wayne
Welcome.
Joseph
Thanks for coming out here. Tell me, how did you get started doing cyber security?
AI John Wayne
Well, thank you for having me. It started kind of like