Overview
Back in June of 2022, Talos published an exceedingly interesting blog post which centered around de-anonymizing Tor Hidden Services via a variety of techniques. After that post, I wanted to take a stab at de-anonymizing some of these well known ransomware blogs or leak sites not just to validate the techniques described, but to potential gain some additional, valuable threat intelligence.
Enter Lockbit 3.0. This ransomware group has been prolific of late, taking responsibility for a variety of intrusions and subsequent encryption of various companies such as:
Continental
SteelSolutions (Lockbit Blog)
tdwood.com (Lockbit Blog)
SSL Serial Technique
Their leak site is fairly easy to find (https://darkfeed.io/ransomwiki/) due to their public stance that anyone can become an affiliate. Thus upon browsing to the site I figured to give the SSL Hash method a try as their favicon was not present at the time of my testing.
