
Wazawaka Goes Waka Waka – Krebs on Security


In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind,” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists.


Wazawaka, a.k.a. Mikhail P. Matveev, a.k.a. “Orange,” a.k.a. “Boriselcin,” showing off his missing ring finger.

In last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”

The same day the initial profile on Wazawaka was published here, someone registered the Twitter account “@fuck_maze,” a possible reference to the now-defunct Maze Ransomware gang.

The background photo for the @fuck_maze profile included a logo that read “Waka Waka;” the bio for the account took a swipe at Dmitry Smilyanets, a researcher and blogger for The Record who was once part of a cybercrime group the Justice Department called the “largest known data breach conspiracy ever prosecuted.”

The @fuck_maze account messaged me a few times on Twitter, but mostly stayed silent until Jan. 25, when it tweeted three videos of a man who appeared identical to Matveev’s social media profile on Vkontakte (the Russian version of Facebook). The man seemed to be slurring his words quite a bit, and started by hurling obscenities at Smilyanets, journalist Catalin Cimpanu (also at The Record), and a security researcher from Cisco Talos.

At the beginning of the videos, Matveev holds up his left hand to demonstrate that his ring finger is missing. This he smugly presents as proof that he is indeed Wazawaka.

The story goes that Wazawaka at one point made a bet in which he wagered his finger, and upon losing the bet severed it himself. It’s unclear if that’s the real story of how Wazawaka lost the ring finger on his left hand; his remaining fingers appear oddly crooked.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in the video. “By the way, it’s my voice in the background, I just love myself a lot.”

In one of his three videos, Wazawaka says he’s going to release exploit code for a security vulnerability. Later that same day, the @fuck_maze account posted a link to a Pastebin-like site that included working exploit code for a recently patched security hole in SonicWall VPN appliances (CVE-2021-20028).

When KrebsOnSecurity first started researching Wazawaka in 2021, it appeared this individual also used two other important nicknames on the Russian-speaking crime forums. One was Boriselcin, an extremely talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

The other handle that appeared tied to Wazawaka was “Orange,” the founder of the RAMP ransomware forum. I just couldn’t convincingly connect these two identities with Wazawaka using the information available at the time. This post is an attempt to remedy that.

On Aug. 26, 2020, a new user named Biba99 registered on the English-language cybercrime forum RaidForums. But the Biba99 account didn’t post to RaidForums until Dec. 31, 2020, when they announced the creation of the Babuk ransomware affiliate program.

On January 1, 2021, a new user “Babuk” registered on the crime forum Verified, using the email address teresacox19963@gmail.com and the instant message address “admin@babuk.im.” “We run an affiliate program,” Babuk explained in their introductory post on Verified.

A variety of clues suggest Boriselcin was the individual acting as spokesperson for Babuk. Boriselcin talked openly on the forums about working with Babuk, and fought with other members of the ransomware gang about publishing access to data stolen from victim organizations.

According to analysts at cyber intelligence firm Flashpoint, between January and the end of March 2021, Babuk continued to post databases stolen from companies that refused to pay a ransom, but they posted the leaks to both their victim-shaming blog and to multiple cybercrime forums, an unusual approach.

This matches the ethos and activity of Wazawaka’s posts on the crime forums over the past two years. As I wrote in January:

“Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias ‘Uhodiransomwar’ can be seen posting download links to databases from companies that have refused to negotiate after five days.”

Around Apr. 27, 2021, Babuk hacked the Washington Metropolitan Police Department, demanding $4 million in virtual currency in exchange for a promise not to publish the police department’s internal data.

Flashpoint says that on April 30, Babuk announced they were shuttering the affiliate program and its encryption services, and that they would now focus on data theft and extortion instead. On May 3, the group posted two additional victims of their data theft enterprise, showing they were still in operation.

On May 11, 2021, Babuk declared negotiations with the MPD had reached an impasse, and leaked 250 gigabytes’ worth of MPD data.

On May 14, 2021, Boriselcin announced on XSS his intention to post a writeup on how they hacked the DC Police (Boriselcin claims it was via the organization’s VPN).

On May 17, Babuk posted about an upcoming new ransomware leaks site that would serve as a “huge platform for independent leaks,” i.e., a community that would publish data stolen by no-name ransomware groups that don’t already have their own leaks/victim-shaming platforms.

On May 31, 2021, Babuk’s website began redirecting to Payload[.]bin. On June 23, 2021, Biba99 posted to RaidForums saying he was willing to buy zero-day vulnerabilities in corporate VPN products. Biba99 posted his unique user ID for Tox, a peer-to-peer instant messaging service.

On July 13, 2021, Payload[.]bin was renamed to RAMP, which according to Orange stands for “Ransom Anon Market Place.” Flashpoint says RAMP was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’” [links added]

“Babuk noted that this new platform will not have rules or ‘bosses,’” Flashpoint observed in a report on the group. “This response distinguishes Babuk from other ransomware collectives, many of which changed their rules following the attack to attract less attention from law enforcement.”

The RAMP forum opening was announced by the user “TetyaSluha.” That nickname soon switched to “Orange,” who appears to have registered on RAMP with the email address “teresacox19963@gmail.com.” Recall that this is the same email address used by the spokesperson for the Babuk ransomware gang — Boriselcin/Biba99.

In a post on RAMP on Aug. 18, 2021, in which Orange was attempting to recruit penetration testers, he claimed the same Tox ID that Biba99 used on RaidForums.

On Aug. 22, Orange announced a new ransomware affiliate program called “Groove,” which claimed to be an aggressive, financially motivated criminal organization that had dealt in industrial espionage for the previous two years.

In November 2021, Groove’s blog disappeared, and Boriselcin posted a lengthy article to the XSS crime forum explaining that Groove was little more than a pet project to mess with the media and security industries.

On Sept. 13, 2021, Boriselcin posted to XSS saying he would pay handsomely for a reliable, working exploit for CVE-2021-20028, the same exploit that @fuck_maze would later release on Twitter on Jan. 25, 2022.

Asked for comment on this research, cyber intelligence firm Intel 471 confirmed that its analysts reached the same conclusion.

“We identified the user as the Russian national Михаил Павлович Матвеев aka Mikhail Pavlovich Matveev, who was widely known in the underground community as the actor using the Wazawaka handle, a.k.a. Alfredpetr, andry1976, arestedByFbi, boriselcin, donaldo, ebanatv2, futurama, gotowork, m0sad, m1x, Ment0s, ment0s, Ment0s, Mixalen, mrbotnet, Orange, posholnarabotu, popalvprosak, TetyaSluha, uhodiransomwar, and 999,” Intel 471 wrote.

As usual, I put together a rough mind map of how all these data points indicate a connection between Wazawaka, Orange, and Boriselcin.

A mind map connecting Wazawaka to the RAMP forum administrator “Orange” and the founder of the Babuk ransomware gang.

As noted in January’s profile, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that triggered nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.
