You must log in or register to comment.

JohnPlayerSpecia1 t1_j5zar0h wrote

website seizure is like confiscating business cards of a criminal.


JohnGillnitz t1_j5zdus8 wrote

Once malware gets onto a system it typically tries to contact a Command & Control (C&C) server for the attacker to really get in there and mess with things. The C&C server is usually hard coded into the malware, so if you take that down all the infected hosts that try to connect to it will remain inert. Much of this takes place over Tor traffic, so one of the best things a Network Admin can do is block all Tor traffic. For some reason that isn't a default.


HamOfWisdom t1_j5zhk70 wrote

I remember reading a story about how a hacker who made a banking virus later ended up solving a massive ransomware attack by simply obtaining the domain and routing it back to oblivion, essentially.

Probably skimming over a lot but it was a pretty interesting story. I think the channel Disrupttv (or maybe just disrupt) was who posted it. Fun watch, I'll find a link once I'm not at work!


arnielsAdumbration t1_j5znkdw wrote


ferrusmannusbannus t1_j63tnbn wrote

Damn, glad this kid didn’t get completely screwed. I remember those early hackforums days and people used to do wiiiiiiild shit on there.


Noocawe t1_j63yoso wrote

That's a great read, I had never even heard of this guy before. Thanks for sharing.


E_D_D_R_W t1_j5zxxv3 wrote

If the other commentor is correct and you're thinking about WannaCry, that's kind of the gist of it. The malware was hard-coded to only do its thing if it couldn't connect to a particular (previously unregistered) DNS domain. Thus registering that domain "triggered" the kill-switch and stopped any future infections of that version of WannaCry. Per wikipedia, later versions didn't have that vulnerability.


L00pback t1_j606gpu wrote

Oh god I hated wannacry. Self-replicating shit was a pain in the ass because lab owners don’t patch shit.


pegothejerk t1_j5zib92 wrote

Those websites are rarely run on the servers the malware points to, you'd have to be too stupid to write malware to point the drones to the same servers your public face was presented on for exactly this reason. It's the first thing feds can legally and technically take down.


JohnGillnitz t1_j5zjy46 wrote

I would guess that is what they actually mean when they say web site. It's pretty easy to find what IP address or domain they are going to from an infected host. They just don't go into that much detail in the article. One would hope. If it is just a web site, you are right. Taking it down wouldn't stop the malware and more of a badge of honor for the attacker.


[deleted] t1_j601132 wrote



dakotahawkins t1_j61jzaq wrote

AFAIK network admins are probably MITM-ing https traffic. I’ve looked into doing it at my house because you’d have to in order to set up a network-wide adblocker, but businesses do it because reasons. If they can’t MITM tor or similar, they could still use their MITM system to block unrecognized encrypted traffic, probably.


justmy2loonies t1_j62ablr wrote

You don’t have to mitm to Adblock. DNS filtering isn’t exactly mitm


dakotahawkins t1_j65eub5 wrote

Sorry for the delayed response.

Sure, but it's nowhere near as thorough. Some ads are served by domains you probably wouldn't want to blacklist, and otherwise you may want to block specific page elements like your in-browser adblocker does (or should).

If you MITM your own traffic you can do that kind of matching to block individual requests. Does that make sense? I had a raspberry pi running pihole for quite a while and when something broke with it I just gave up on it as I didn't feel it was buying me that much.


wasdninja t1_j6021k7 wrote

> For some reason that isn't a default.

Tor exists for the sole reason of not being easy to block. That might just be a reason.


L00pback t1_j6064kf wrote

Everyone worries about ingress traffic rules and never egress. A good network admin controls both for just this reason.


JohnGillnitz t1_j60dkod wrote

Yup. One of my clients got hit a couple of years ago. Nasty. We had all the security boxes checked at the time, but it got in anyway. Encrypted everything, which was the bad news. The good news is that we could check the router logs and confirm that none of the data had been exfiltrated. All attempts were blocked because Tor was blocked.
That sucked, but we were able to recover everything from offline backups. Even the delta from them was recovered when a decryption tool became available a couple of months later. We didn't have to go out and get a credit monitoring service for the entire customer base, which would have bankrupted the place.


Stinkyclamjuice15 t1_j61z4rp wrote

Thank you for having a huge pair and working infosec, that shit seems really stressful king


Xivvx t1_j602sye wrote

If it isn't normal, it should be. I know everything is going all zero trust and all that, but the perimeter is still important.


xCryptoPandax t1_j62m2ik wrote

That’s highly inaccurate, idk why that’s gotten so many upvotes.

Most malware use sketchy top level domains ex.) .xyz .makeup .me, etc not to mention most ransomware gangs compromise legitimate sites and host malware on them in order to bypass new domain creation and add that level of legitimacy.

One indicator for a ransomware gang which I think is actually this one was official government sites of Texas after they themselves were victim of ransomware.

Source: I work Incident Response


JohnGillnitz t1_j62vyqs wrote

I'm not sure how what I said was any different from what you said. No matter if they use an IP address or domain, those C&C servers are still set at the time of deployment. One of the first things they do is phone home (or homes) and get an updated list of C&C servers. That still leaves them dependent on reaching a limited number of sites that can be shut down effectively killing the that variant of the malware.
Do you live in Corpus and drive a Tesla? We may have met.
Edit: The CISA notice with the deets:


itsthebeans t1_j5zynqv wrote

Do you really think the FBI is so clueless as to try to stop a ransomware gang by simply shutting down a web domain? Or do you think there might be more to the story than the headline suggests?

Click the link and read even the first sentence if you really want to know.


Supanini t1_j608j3p wrote

He’s got top comment, his jobs done here


wizardbase t1_j60o7i2 wrote

>Wray said the FBI would continue to track the people behind Hive ransomware and try to arrest them. It was not immediately clear where those people were located. The Department of Health and Human Services has descried Hive as a “possibly Russian speaking” group.

Should read the last sentence too, they didn't catch shit


DuckDuckJeeper t1_j68yalc wrote

Exactly. You don’t “shut it down” until you’ve deployed your real assets……


PGDW t1_j606c0j wrote

If it were just their popup webpage, okay. But it's not.

Typically when they seize a domain or ip or server, they are stopping the malware from functioning properly as most these days phone home, and in this case can hopefully provide some decryption keys back to some victims.


Manny-Both-Hanz t1_j5zi5qr wrote


Kriegmannn t1_j5zwgrh wrote

I dont get it


E_D_D_R_W t1_j5zyxxl wrote

The joke is that the servers with the CIA's public-facing webpage are almost certainly completely separate from their servers with the intel they collect or any other relevant info, i.e. gaining control of the former would get you no closer to the latter.


zakabog t1_j60bb2j wrote

Imagine someone got the password to your Facebook account. They have no access to your PC whatsoever. They didn't hack into your computer and they have no access to your files or banking information, they just have access to post things on your Facebook. Same thing here, the CIA public facing website is not on the CIA network, it's an external service.


tronpalmer t1_j60m6tp wrote

That's really not true. Especially for ransomware or botnets.


TzarKazm t1_j5zg5e8 wrote

But they would have to come up with an entirely new unique email name in order to be able to create a new website! Unless they use another hosting site.


DaveDeaborn1967 t1_j5z3ec8 wrote

I just watched the atty gen do a presentation on this. Great work. In the 19th century, the cavalry came to the rescue, now we have computer systems. Notice that the ransomware attacks involved hundreds of millions of dollars.


Ffffqqq t1_j5z9xw8 wrote

What does taking down a website actually accomplish?


AdventurousSquash t1_j5zbk7o wrote

Depends on what they actually did here and the details in the article are vague. Simply put; If they seized the domain name I’d consider it a minor inconvenience. If they seized the actual server hosting the website they could find artifacts on it that lead them to the perpetrator(s).


patrick66 t1_j5zrtx0 wrote

The court order lays out more of the details and basically the people running Hive were morons and had networking, c2, and database servers hosted in Los Angeles and the Netherlands where the fbi and other western law enforcement agencies could actually get physical access to clone the server data and then take control of them so I suspect this will actually break the hive network fairly considerably.

TLDR: if you do cybercrime don’t host your servers in the United States lol


DaveDeaborn1967 t1_j6013f5 wrote

What the DOJ wants to do is deny the bad guys resources and their platform for giving orders to their troops. Notice that the DOJ has the ability to unlock systems that have been locked by attackers. This denies the ransom demands.


aDrunkWithAgun t1_j5zef2l wrote

Depends on if they can link the site to an owner or them, if not nothing is stopping them from making a new one.

From what I'm tracking ransomware is done outside the USA so if it's a country that Doesn't give a fuck like Russia or NK nothing will happen


Klezmer_Mesmerizer t1_j5z687y wrote

Seized the website, but alas, didn't get any of the people. Still, very glad to see that something is being done to combat ransomware.


frodosdream t1_j5z75bq wrote

>Seized the website, but alas, didn't get any of the people.

Suddenly my imagination conjured up a ransomware operation run entirely by a rogue AI, with no humans involved. Maybe it needs funding for projects of its own, or perhaps a bitter AI specialist let a score of them loose on the world as a parting gift before death and this was only the first one detected. A premise for a film perhaps...


E_D_D_R_W t1_j600z0q wrote

Perhaps it would be like the Paperclip Problem except the AI's instruction is just "make as much money as possible".


kingtz t1_j5zaa7k wrote

I didn’t get any information about this in the article so here goes: what does it mean for the FBI to “seize” the website? It’s not like they were about to physically get a hold of any servers or hard drives, so what’s stopping Hive from just creating a new website?


OldSweatyGiraffe t1_j5zjdzb wrote

>FBI officials since July have had extraordinary access to the so-called Hive ransomware group’s computer networks, FBI Director Christopher Wray said at a news conference, allowing the bureau to pass computer “keys” to victims so that they could decrypt their systems and thwart $130 million in ransom payments.

They had access to more than just the website, the website is just the visual part so that is what is being reported, or so it seems.


2_Spicy_2_Impeach t1_j5zikkl wrote

Nothing. Modern ransomware has multiple methods to self-heal after a command and control server goes offline.

It’s been a bit since I’ve delved super deep in to it but at one time most modern malware has a whole list of domains to use. There is an obfuscated/encrypted algorithm in the malware that will try a list of domains based on a set of criteria. It can be reversed though. There are other methods as well(DNS, proxies, etc.) but previous was popular at one time.

Details are vague here so it could be a static C&C but it’s probably not. Rival ransomware gangs will also attack infrastructure in an effort to push them out or render their attacks pointless. So they attempt to make their infrastructure resilient from both seizure and attack.


Anxious-Researcher44 t1_j5zrmvy wrote

I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.I thought what I'd do was, I'd pretend I was one of those deaf-mutes.


BellyScratchFTW t1_j5zddv6 wrote

Finally some news that everyone can agree is a step in the right direction! Now let's get the actual people involved too.


THIRSTYGNOMES t1_j60rit3 wrote

Excited for the future Darkness Diaries episode


TwoFrontHitters t1_j61cf30 wrote

For those who've been hit with ransomware, we have some dark ideas about what we'd like to see happen to the perps.


Minezenroll t1_j62habt wrote

It is similar to seizing the business cards of a criminal when a website is taken down.


Boopy7 t1_j60gwon wrote

I've been following stuff like this more than ever, tech-fascism is truly terrifying. Entire countries have been taken over and attacked with so few seeming to care. I can't read about it too late at night bc when you know how tenuous our security is, how dependent everything is on technology...well I can't fall asleep. I mean this is pretty much how we have been at war with Russia and their allies, how our own gov't no longer is faithful to America. Talk about insecure borders, forget it -- there are none with technology.


oceanicfeels t1_j630fmp wrote

Try reading about the human body.

Life is delicately precarious, my friend. Everything is interconnected in a vast web of causative links.


Boopy7 t1_j64lmkt wrote

somehow I'm not as scared about the human body, and yeah I do love reading about it. Even its weird mistakes I find fascinating although it's true it could be terrifying if you let it get to you. No -- the human body is not malevolent towards its owner. It just exists and functions until it doesn't, but there is no true ill intent or planning in it.


xeq937 t1_j5ziiqh wrote

Okay but ransomware/malware generally has a list of servers, and will simply move on to the next server.


geebob2020 t1_j5zelfu wrote

Seized? Or is this like letting a Trojan Horse into the Federal government’s server farm.


TurnkeyLurker t1_j60z693 wrote

Domain seizure? Or physical server seizure (hence, the horse)?


stonkcell t1_j5zbji2 wrote

That'll stop them, for sure. For all we know, it could be NSA-CIA agents running the gang.