In a great many ransomware attacks, the criminals who pillage the victim’s network are not the same crooks who gained the initial access to the victim organization. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman known as an initial access broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene.
Wazawaka has been a highly active member of multiple cybercrime forums over the past decade, but his favorite is the Russian-language community Exploit. Wazawaka spent his early days on Exploit and other forums selling distributed denial-of-service (DDoS) attacks that could knock websites offline for about USD $80 a day. But in more recent years, Wazawaka has focused on peddling access to organizations and to databases stolen from hacked companies.
“Come, rob, and get dough!,” reads a thread started by Wazawaka on Exploit in March 2020, in which he sold access to a Chinese company with more than $10 billion in annual revenues. “Show them who’s boss.”
According to his posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.
Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that triggered nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.
Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias “Uhodiransomwar” can be seen posting download links to databases from companies that have refused to negotiate after five days.
“The one and the main principle of ransomware is: the information that you steal should never be sold,” Uhodiransomwar wrote in August 2020. “The community needs to receive it absolutely free of charge if the ransom isn’t paid by the side that this information is stolen from.”
Wazawaka hasn’t always been so friendly to other cybercrooks. Over the past ten years, his contact information has been used to register numerous phishing domains intended to siphon credentials from people trying to transact on various dark web marketplaces. In 2018, Wazawaka registered a slew of domains spoofing the real domain for the Hydra dark web market. In 2014, Wazawaka confided to another crime forum member via private message that he made good money stealing accounts from drug dealers on these marketplaces.
“I used to steal their QIWI accounts with up to $500k in them,” Wazawaka recalled. “A seller would never go to the cops and tell them he was selling stuff online and someone stole his money.”
WHO IS WAZAWAKA?
Wazawaka used multiple email addresses and nicknames on multiple Russian crime forums, but data collected by cybersecurity firm Constella Intelligence show that Wazawaka’s alter egos always used one of three fairly unique passwords: 2k3x8x57, 2k3X8X57, and 00virtual.
These three passwords were used by one or all of Wazawaka’s email addresses on the crime forums over the years, including wazawaka@yandex.ru, mixseo@mail.ru, mixseo@yandex.ru, mixfb@yandex.ru.
That last email address was used almost a decade ago to register a Vkontakte (Russian version of Facebook) account under the name Mikhail “Mix” Matveev. The phone number tied to that Vkontakte account — 7617467845 — was assigned by the Russian telephony provider MegaFon to a resident in Khakassia, located in the southwestern part of Eastern Siberia.
DomainTools.com [an advertiser on this site] reports mixfb@yandex.ru was used to register three domains between 2008 and 2010: ddosis.ru, best-stalker.com, and cs-arena.org. That last domain was originally registered in 2009 to a Mikhail P. Matveyev, in Abakan, Khakassia.
Mikhail Matveev is not the most unusual name in Russia, but other clues help narrow things down quite a bit. For example, early in his postings to Exploit, Wazawaka can be seen telling members that he can be contacted via the ICQ instant message account 902228.
An Internet search for Wazawaka’s ICQ number brings up a 2009 account for a Wazawaka on a now defunct discussion forum about Kopyovo-a, a town of roughly 4,400 souls in the Russian republic of Khakassia:
MIKHAIL’S MIX
Also around 2009, someone using the nickname Wazawaka and the 902228 ICQ address began posting to Russian social media networks trying to convince locals to frequent the website “fureha.ru,” which was billed as another website catering to residents of Khakassia.
According to the Russian domain watcher 1stat.ru, fureha.ru was registered in January 2009 to the email address mix@devilart.net and the phone number +79617467845, which is the same number tied to the Mikhail “Mix” Matveev Vkontakte account.
DomainTools.com says the mix@devilart.net address was used to register two domains: one called badamania[.]ru, and a defunct porn website called tvporka[.]ru. The phone number tied to that porn website registration back in 2010 was 79235810401, also issued by MegaFon in Khakassia.
A search in Skype for that number shows that it was associated more than a decade ago with the username “matveevatanya1.” It was registered to a now 29-year-old Tatayana Matveeva Deryabina, whose Vkontakte profile says she currently resides in Krasnoyarsk, the largest city that is closest to Abakan and Abaza.
It seems likely that Tatayana is a relative of Mikhail Matveev, perhaps even his sister. Neither responded to requests for comment. In 2009, a Mikhail Matveev from Abaza, Khakassia registered the username Wazawaka on weblancer.net, a freelance job exchange for Russian IT professionals. The Weblancer account says Wazawaka is currently 33 years old.
In March 2019, Wazawaka explained a lengthy absence on Exploit by saying he’d fathered a child. “I will answer everyone in a week or two,” the crime actor wrote. “Became a dad — went on vacation for a couple of weeks.”
One of the many email addresses Wazawaka used was devdelphi@yandex.ru, which is tied to a more recent but since-deleted Vkontakte account for a Mikhail Matveev and used the password 2k3X8X57. As per usual, I put together a mind map showing the connections referenced in this story:
Analysts with cyber intelligence firm Flashpoint say Wazawaka’s postings on various Russian crime forums show he’s proficient in many specializations, including botnet operations, keylogger malware, spam botnets, credential harvesting, Google Analytics manipulation, selling databases for spam operations, and launching DDoS attacks.
Flashpoint says it’s likely Wazawaka/Mix/M1x has shared cybercriminal identities and accounts with several other forum members, most of whom appear to have been partners in his DDoS-for-hire business a decade ago. For example, Flashpoint points to an Antichat forum thread from 2009 where members noted that M1x worked on his DDoS service with a hacker by the nickname “Vedd,” who was apparently also a resident of Abakan.
STAY TRUE, & MOTHER RUSSIA WILL HELP YOU
All of this is academic, of course, provided Mr. Wazawaka chooses to a) never leave Russia and b) avoid cybercrime activities that target Russian citizens. In a January 2021 thread on Exploit regarding the arrest of an affiliate for the NetWalker ransomware program and its subsequent demise, Wazawaka seems already resigned to these limitations.
“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka said of his own personal mantra.
Which might explain why Wazawaka is so lackadaisical about hiding and protecting his cybercriminal identities: Incredibly, Wazawaka’s alter ego on the forum XSS — Uhodiransomwar — still uses the same password on the forum that he used for his Vkontakte account 10 years ago. Lucky for him, XSS also demands a one-time code from his mobile authentication app.
Wazawaka said NetWalker’s closure was the result of its administrator (a.k.a. “Bugatti”) getting greedy, after which he proceeds to preach about the need to periodically re-brand one’s cybercriminal identity.
“I’ve had some business with Bugatti,” Wazawaka said. “The guy got too rich and began recruiting Americans as affiliate partners. What happened now is the result. That’s okay, though. I wish Bugatti to do some rebranding and start from the beginning 🙂 As for the servers that were seized, they should’ve hosted their admin panels in Russia to avoid getting their servers seized by INTERPOL, the FBI, or whatever.”
“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”
If you liked this post, you may also enjoy Who Is the Network Access Broker “Babam”?