Dark web intelligence investigations have relied on Open Source Intelligence (OSINT) tools for some time. The boundaries of traditional OSINT are being redrawn, however. For years, OSINT meant scraping public records and social media; today's security teams have more potent tools at their disposal, such as the ransomware API.
The ransomware API is one of many OSINT tools provided by DarkOwl. As DarkOwl explains, the tool has been made necessary by criminals who have transformed first-generation ransomware attacks into industrialized extortion. These threat actors have adopted professional software development practices, including public-facing APIs for their own operations. The same APIs can be turned against the actors who built them.
The Dark Web's Modern API Economy
DarkOwl says the most prolific ransomware operations active today behave much like Silicon Valley startups: they build APIs to streamline their business activities and furnish those APIs to their affiliates. Fortunately for security analysts, the same APIs can be used to programmatically query the groups' data leak sites (DLS).
What does this mean in practice? By integrating DLS feeds with internal monitoring, a security team moves from a passive posture to an active one. Rather than reacting only when a vendor self-reports a breach, the team gains near real-time visibility into the victims a group claims, including the organization's own suppliers. And rather than learning second-hand that its own data has surfaced on the dark web, the team scans continuously and is ready to act the moment such data is posted. One caveat applies throughout: a leak-site listing is the extortionist's claim, not a confirmed breach, so every hit still has to be verified with the vendor concerned.
Intelligence Instead of Extortion
As an OSINT tool, the ransomware API turns the raw material of extortion into intelligence. Monitoring threat actor APIs offers three distinct advantages that security teams value highly:
- Zero-Day Visibility – Modern supply chain attacks are often silent. A SaaS provider can be breached without its customers knowing until a legal notification is issued. By monitoring ransomware APIs, a security team can identify compromised vendors long before official notifications arrive. ("Zero-day" here means day-zero awareness of a breach, not an unpatched software vulnerability.)
- Attribution and Correlation – Ransomware APIs tend to expose metadata about both the campaigns and the affiliates running them. Security teams can correlate that metadata with what they observe locally, for example linking an otherwise generic phishing wave against their users to a known group or affiliate.
- Defensible Due Diligence – Organizations must be able to demonstrate the due diligence they exercised to prevent data breaches. Keeping a record of what was monitored, when a vendor's listing was detected, and how the organization responded makes that case far easier to argue after the fact.
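The workflow described above, as an added example that is not DarkOwl's code and not the output format of any real leak site or API: a constructed JSON feed of DLS postings is parsed, matched against the organization's vendor inventory by domain (the supply chain visibility point), rolled up per group and affiliate (the correlation point), and each hit is written as a timestamped audit line (the due-diligence point). The record layout, field names, group and victim names are all assumptions made for illustration.

```python
"""Turn constructed leak-site postings into vendor alerts and group correlations.

Added example, not DarkOwl's code. The record layout and field names are
assumptions; real data leak site (DLS) feeds and commercial APIs use their own.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample feed: the shape a scraper or vendor API might return after
# querying a DLS. Group, affiliate and victim names are fictional.
SAMPLE_FEED = json.dumps([
    {"group": "GroupA", "affiliate": "aff-17", "victim": "Acme Payroll Ltd",
     "domains": ["acme-payroll.example"], "posted": "2024-05-02T09:14:00Z"},
    {"group": "GroupA", "affiliate": "aff-17", "victim": "Northwind Logistics",
     "domains": ["northwind.example"], "posted": "2024-05-03T11:02:00Z"},
    {"group": "GroupB", "affiliate": None, "victim": "Contoso SaaS",
     "domains": ["CONTOSO.EXAMPLE.", "portal.contoso.example"],
     "posted": "2024-05-04T17:40:00Z"},
    {"group": "GroupB", "affiliate": "aff-02", "victim": "Unrelated Corp",
     "domains": ["notcontoso.example"], "posted": "2024-05-05T08:00:00Z"},
])

# The organization's own third-party inventory (constructed): vendor -> domains.
VENDOR_WATCHLIST = {
    "Acme Payroll": {"acme-payroll.example"},
    "Contoso": {"contoso.example"},
}


def normalize_domain(d: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so presentation
    differences on the leak site do not defeat matching."""
    d = d.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def domain_matches(candidate: str, watched: str) -> bool:
    """True when candidate is the watched domain or one of its subdomains.
    The dot in the suffix check keeps 'notcontoso.example' from matching."""
    c, w = normalize_domain(candidate), normalize_domain(watched)
    return c == w or c.endswith("." + w)


@dataclass(frozen=True)
class Alert:
    vendor: str
    victim: str
    group: str
    affiliate: Optional[str]
    posted: datetime


def parse_feed(raw: str) -> list:
    """Decode the JSON feed and turn 'posted' into aware UTC datetimes."""
    records = json.loads(raw)
    for r in records:
        r["posted"] = datetime.fromisoformat(r["posted"].replace("Z", "+00:00"))
    return records


def match_vendors(records, watchlist) -> list:
    """One Alert per (posting, watched vendor) whose domains overlap. A listing
    is the extortionist's claim, not a confirmed breach: verify with the vendor."""
    alerts = []
    for r in records:
        for vendor, domains in watchlist.items():
            if any(domain_matches(c, w) for c in r["domains"] for w in domains):
                alerts.append(Alert(vendor, r["victim"], r["group"],
                                    r["affiliate"], r["posted"]))
    return alerts


def correlate_by_group(records) -> dict:
    """Roll postings up per group: affiliates seen, victim count, activity window."""
    summary = defaultdict(lambda: {"affiliates": set(), "victims": 0,
                                   "first": None, "last": None})
    for r in records:
        s = summary[r["group"]]
        if r["affiliate"]:
            s["affiliates"].add(r["affiliate"])
        s["victims"] += 1
        s["first"] = r["posted"] if s["first"] is None else min(s["first"], r["posted"])
        s["last"] = r["posted"] if s["last"] is None else max(s["last"], r["posted"])
    return dict(summary)


def audit_line(alert: Alert, detected_at: datetime) -> str:
    """JSON line for the due-diligence trail: what was seen and when we knew."""
    return json.dumps({
        "detected_at": detected_at.isoformat(), "vendor": alert.vendor,
        "victim": alert.victim, "group": alert.group,
        "affiliate": alert.affiliate, "posted": alert.posted.isoformat(),
    }, sort_keys=True)


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    now = datetime.now(timezone.utc)
    for a in match_vendors(recs, VENDOR_WATCHLIST):
        print(audit_line(a, now))
    for group, s in correlate_by_group(recs).items():
        print(group, sorted(s["affiliates"]), s["victims"],
              s["first"].date(), s["last"].date())
```

Run as-is to see two vendor alerts (Acme Payroll and Contoso) and a per-group summary; in production the feed string would be replaced by whatever the chosen API returns, and the audit lines would be shipped to the SIEM or case system so the response timeline is preserved.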
Ransomware APIs exist so that the developers behind an operation can sell their services to affiliates who lack the coding skills to build the tooling themselves. That business model carries an inherent weakness: skilled security analysts can reach the same APIs, and what they find there is intelligence that can protect an organization against extortion.
A Key Risk Management Addition
A final consideration is how OSINT tools like the ransomware API fit into an organization's overall security strategy. DarkOwl recommends treating them as a key addition to risk management rather than as a standalone means of stopping cybercrime.
This approach is based on integration: OSINT tools are wired into the existing security stack and used alongside TTP mapping, threat actor profiling, and SOAR. Integrated tooling defends more effectively than a separate silo for every security tool.
The 'open' in OSINT includes the very infrastructure criminals use against their victims, and the right OSINT tools make that infrastructure accessible. The ransomware API is a prime example: the same API that equips less skilled hackers to carry out ransomware attacks can be leveraged by security teams to defend their organizations against those attacks.