Leveraging Shodan for Proactive Security
Hi, welcome to my blog! During a recent engagement on LinkedIn, I discovered a gap in accessibility. Not everyone has the resources to explore the dark web and its marketplaces, where new Ransomware-as-a-Service (RaaS) or other services often first appear. While experts and professionals can bridge this gap, many security researchers, particularly those new to threat intelligence, might benefit from alternative methods.
This blog aims to empower those researchers with valuable OSINT techniques for ransomware hunting. So, buckle up and get ready to hone your skills — the hunt for ransomware begins now!
Tools required:
Of course Shodan!
What is Shodan:
Shodan (Sentient Hyper-Optimized Data Access Network) is a search engine designed to map and gather information about internet-connected devices and systems.
Why use Shodan?
Shodan can show screenshots of compromised servers, which makes it a powerful tool for identifying internet-connected devices that may be vulnerable or compromised. These devices could be legitimate assets or even honeypots designed to attract attackers.
In the case of ransomware hunting, the true value of Shodan lies in its ability to help researchers discover new threat actors, by analyzing information like:
- Communication channels: How attackers communicate with each other and their victims (for example, Telegram, TOX, or a TOR link).
- Encryption methods: The type of encryption used to hide stolen data.
- Attack methods: The techniques used to gain access to systems.
Security professionals can use this information to piece together an attacker’s Tactics, Techniques, and Procedures (TTPs). This allows them to develop better defenses and identify future attacks more effectively.
Hunting Ransomware
On Shodan, let's simply try typing "ransomware" in the search box and see the results.
Explore Threat Hunting Techniques on Shodan:
- Search for devices with encrypted data: encrypted
- Identify potential ransomware attacks: "all your files are stolen and encrypted"
- Find Remote Desktop Protocol (RDP) servers with encrypted connections: product:"Remote Desktop Protocol" encrypted
- Locate devices potentially infected with ransomware that captures screenshots: has_screenshot:true ransomware
- List of specific ransomware groups [2]
Tip:
- Break down a ransom note into sections of commonly occurring phrases and use them as search strings on Shodan. For example, 'Your files are encrypted' is the most common phrase in a ransom note, and the chances of stumbling on more victims are higher with it than with a more elaborate phrase.
- Using Shodan Monitor can provide better visual imagery of the actual threat.
How This Incident Connects to a Broader Threat
For the sake of example, let's take this threat, found through multiple such images, where a particular internet-facing asset was targeted by Redeemer ransomware.
Please note that this is an old ransomware, so multiple news pieces with detailed analysis are available online. This is just an example for educational purposes.
The ransom note looked like this:
Based on the image, the attributable data is as follows:
Ransomware Name: Redeemer
Made By: Celebrate
TOR Link: redeemergd6qjtzgiuf5jgpkk6i3xybkhsldzjoyjaxivyzinhvmzcad[.]onion
Note: The ransomware was released publicly around May 2021.
Unveiling the Threat with Open-Source Intel
Extension Used: “.redeem”
Ransom Amount asked: 20 XMR (approximately)
Cybercriminal contact:
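Both the phrase-mining tip above and the attributable-data list just given can be turned into a small, repeatable script. The following is an added example (not code from the original post or from Shodan): it takes a constructed ransom note, pulls out the contact channels and ransom attributes the post treats as attributable data (TOR link, e-mail, Telegram, TOX, extension, XMR amount), defangs them for reporting, and then mines the note for short generic phrases and turns each into a Shodan query of the has_screenshot:true form used earlier. Every value in SAMPLE_NOTE is made up, and the regular expressions are my own assumptions about what such notes commonly look like.

```python
import re
from typing import Dict, List

# Constructed sample ransom note for demonstration only. Every value in it
# (onion address, e-mail, Telegram handle, TOX ID, amount) is made up.
SAMPLE_NOTE = """\
YOUR FILES ARE ENCRYPTED!
All your files have been stolen and encrypted with the .locked extension!
Do not try to decrypt them yourself, you will lose your data.
To restore your files contact us:
TOR: http://exampleaddr22222.onion
Email: helpdesk@example.com
Telegram: @examplesupport
TOX: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789AB
Price: 20 XMR (Monero)
"""

# Patterns for the contact channels and attributes the post lists as attributable data.
# These are assumed shapes, not an exhaustive grammar of ransom notes.
ONION_RE = re.compile(r"\b([a-z2-7]{16,56}\.onion)\b")          # v2 (16) or v3 (56) onion names
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
TELEGRAM_RE = re.compile(r"(?<![\w.@])(@[A-Za-z0-9_]{5,32})\b")  # handle not glued to an e-mail
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")                      # TOX IDs are 76 hex characters
XMR_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*XMR\b", re.I)
EXT_RE = re.compile(r"\.(\w{2,12})\s+extension\b", re.I)


def defang(indicator: str) -> str:
    """Neutralise a domain or e-mail so it is not clickable or auto-linked in a report."""
    return indicator.replace(".", "[.]")


def extract_iocs(note: str) -> Dict[str, List[str]]:
    """Pull contact channels and ransom attributes out of a ransom note."""
    return {
        "onion": [defang(m) for m in ONION_RE.findall(note)],
        "email": [defang(m) for m in EMAIL_RE.findall(note)],
        "telegram": TELEGRAM_RE.findall(note),
        "tox": [m.upper() for m in TOX_RE.findall(note)],
        "xmr_amount": XMR_RE.findall(note),
        "extension": ["." + m.lower() for m in EXT_RE.findall(note)],
    }


def candidate_phrases(note: str, min_words: int = 3, max_words: int = 8) -> List[str]:
    """Split the note into short clauses that are generic enough to recur across victims.

    Clauses carrying digits, '@' or '/' are dropped: they hold victim- or
    actor-specific values and would narrow the search instead of widening it.
    """
    phrases: List[str] = []
    for clause in re.split(r"[\n.,!?:;]+", note):
        clause = " ".join(clause.split()).lower()
        words = clause.split()
        if not (min_words <= len(words) <= max_words):
            continue
        if re.search(r"[\d@/]", clause):
            continue
        if clause not in phrases:
            phrases.append(clause)
    return phrases


def build_shodan_queries(phrases: List[str], screenshot_only: bool = True) -> List[str]:
    """Wrap each phrase in quotes; optionally restrict to hosts with a captured screenshot."""
    prefix = "has_screenshot:true " if screenshot_only else ""
    return [f'{prefix}"{p}"' for p in phrases]


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_NOTE).items():
        print(f"{key:>10}: {values}")
    for query in build_shodan_queries(candidate_phrases(SAMPLE_NOTE)):
        print(query)
```

The queries the script prints can be pasted into the Shodan search box, or fed to the official `shodan` Python library's `Shodan(api_key).search(query)`; the extracted channels are defanged so they can go straight into a ticket or report. The same builder, with `screenshot_only=False`, produces the `"hacked by"` query used for hacktivism hunting later in the post.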
Leveraging Cybercrime Forums for Threat Hunting
An advertisement showed an actor named "Celebrate" advertising Redeemer ransomware on different forums, and then further advertising its next version in July 2023.
From the same post, some SHA-256 hashes and files shared by the actor were found available for download.
Getting latest hashes:
By following the right hashtags and accounts, you can get a steady stream of the latest hunting news and tips. It’s a great way to stay informed and learn from experienced hunters. For example, this is the latest hash available for Redeemer ransomware.
Bonus
Ransomware is just one part of the adversarial arsenal; Shodan can also be used to monitor other threats. One example is hacktivism, broadly defined as groups acting as activists who use tools like hacking to raise awareness about an issue, influence public opinion, or even cause disruption to get their message across.
“Hacked By” — Hunting for Hacktivism
Using the keywords "hacked by", one can gain new insights into existing or newly emerged hacktivist groups. Shodan has described this further in one of its own blog posts.
Key Takeaway:
For effective threat intelligence, security analysts should consider these key points:
- Beyond the Surface: Don’t accept an incident at face value. Analyze it thoroughly to understand the bigger picture.
- Open Web Intelligence: Open-source intelligence (OSINT) gathering is crucial. Utilize all available methods to gather information.
- Deep Web Insights: The dark web can provide valuable insights into threat actor activity, including the origin of tools and malware used in the incident.
- Dork Power: Maintaining a curated list of effective search queries (“dorks”) and regularly testing them on various search engines can help identify new and emerging threats.
Shodan offers a vast treasure trove for threat intelligence, and dorks are the key to unlocking it. While I shared some examples to get you started, there are countless possibilities for crafting unique queries. What have you found particularly useful in your Shodan hunts? Share your favorite dorks in the comments below!