How To Discover And Access Ransomware Data Dumps On The Dark Web

Since I was cited recently in Harriet Ryan’s article for the LA Times about the recent Azusa Police ransomware data dump I’ve gotten a few requests for info on how to access this kind of material. This post is a practical guide, so I’m relegating background material to footnotes. There’s a quick guide for beginners and a more advanced guide for people comfortable with the Linux command line and similar techniques.

Quickstart guide (for beginners)

  1. Download the appropriate Tor Browser and figure out how to get it running on your preferred device.1
  2. When you have that installed and running paste in the following link and bookmark it. This is a directory of ransomware dump sites. I have no idea who runs it but it’s updated very regularly.2

    http://ransomwr3tsydeii4q43vazm7wofla5ujdajquitomtd47cxjtfgwyyd.onion/
  3. Follow these Twitter accounts for timely dump announcements:
  4. When you find a dump that looks interesting, either from browsing the sites from the directory or on Twitter, download the stuff via the Tor Browser and look at it!
  5. Downloading large amounts of data in a browser isn’t always workable, but I don’t know a better way to do it that’s accessible to beginners.

Advanced information

  1. Download the TAILS Linux Distro and make a bootable USB stick from it. The maintainers have guides on how to do this for Mac, Windows, and Linux, but I haven’t tried any of these methods. Check this list of problematic USB drives and don’t use one of them. I’ve had really good luck with this Kingston drive.3
  2. It’s not necessary for this method to set up persistent storage in TAILS but it’s pretty useful. Also if the bootable drive you’re using isn’t big enough to hold the data you’re after you’ll need a separate storage medium. I use a portable 5TB USB drive.
  3. Start up your computer with TAILS and figure out how to connect to the Internet. In my experience ethernet always works. I’ve had WiFi problems with newer computers, but I’ve had great luck with this Panda USB dongle, which worked straight out of the box.4
  4. TAILS will only connect to the Internet over Tor, so it’s not required to use a browser to retrieve files.
  5. Make a text file comprising a list of links to the files you’re interested in, one link per line. One way to do this is to install the Link Gopher plugin to the Tor Browser, which you’ll have to do each time you restart the computer because that’s how TAILS works, but it doesn’t matter how you make the list.5
  6. In the terminal change directory to where you want the files to end up and use some version of a command like this:

    wget -i list_of_links -c -t 0
  7. The -i option loads the list of links. The -c option tells wget to continue partially downloaded files if possible, and the -t 0 option tells wget to keep trying indefinitely if a download fails due to the server. This is useful since some of the ransomware sites are not really stable.
  8. Note that some of the sites use homemade SSL certificates. Wget doesn’t work for these by default but this can be overridden. Read the man page to see how to do this. Also if you get TLS errors Google them and figure out how to override the problem if you want to.
  9. Wget works on many but not all of the ransomware sites. I haven’t been able to find a way to do scripted sequential downloads in Tails for the ones it doesn’t work for, but I have no doubt that it’s possible using wget’s various authentication capabilities.
  10. One nice thing about the -c option is that it’s possible to interrupt the process at any point and as long as the server supports it, to resume by just running the command again. Wget will run through the list of links until it finds the first incomplete one and then take it up again as long as the server is down with it, which most of them are.
  11. If you’re burning too much bandwidth downloading files, which can take weeks for big sets, wget allows rate limiting by adding the –limit-rate=XXXK (or M as you desire). It’s pretty easy to use all the bandwidth you have, so this is useful if you’re sharing your connection or if you want to do other things with it while you’re waiting.6
  12. Some of the ransomware sites are configured oddly and I can’t get them to work with wget, so that can happen.7

And that’s the story! Feel free to leave questions in the comments and I will maybe even respond!

  1. Tor is an Internet privacy protocol that, among other things, allows servers and clients to communicate with each other without revealing their locations. The technical details of how this works are beyond me. The Tor Browser allows people to access the so-called Dark Web without extensive technical knowledge.
  2. Web services are accessed over Tor using so-called onion links, which cannot be used in an ordinary browser. They look like garbled nonsense for technical reasons that are totally beyond me.
  3. NOT an affiliate link.
  4. Also NOT an affiliate link.
  5. There is at least one way to make installed plugins persist between restarts, but it’s beyond the scope of this guide. If you’re interested in doing this look for instructions on how to enable dotfiles in your TAILS installation and then Google everything.
  6. It’s easy enough to write a script to switch back and forth automatically during TV streaming times or whatever.
  7. I’m not at all saying they can’t be made to work with it, but just that I don’t know enough about it to be able to do it.
Share

Leave a Reply

Your email address will not be published. Required fields are marked *