
Profiling Yaroslav Vasinskyi from the Kaseya Ransomware Attack Campaign – An OSINT Analysis

It appears that the U.S. Justice Department has recently made arrests in the Kaseya ransomware dropping campaign. I've decided to dig a little deeper and provide actionable intelligence that exposes the individuals behind these campaigns, with the aim of assisting U.S. law enforcement in tracking down and prosecuting the cybercriminals responsible.
Sample personally identifiable information on Yaroslav Vasinskyi:
Mobile: +380993082660
Phone: 1-800-225-5324, which is actually the phone number of the FBI
Personal email address accounts: yarik45@gmail[.]com, yaroslav2468@mail[.]ru
Online handles: Yarik45, Yaroslav2468
ICQ: 635995970
Also attributed to him is the following Web site, which he is known to have offered as a template on various cybercrime-friendly forum communities: hxxp://wholesale-dress[.]net, currently owned and managed by hxxp://counterfeittechnology[.]com. The following domains are known to have been registered by the same individual who registered the original domain:

opensib[.]com
fotonota[.]me
bartrans[.]net
nebolsina[.]com
digitalreality[.]world
digitalrealty[.]world
whitecrow[.]club
opensib[.]club
vkfoto[.]org
vkfoto[.]net
vkfoto[.]biz
foto2u[.]info
foto2u[.]org
foto2u[.]net
foto2u[.]biz
foto4u[.]biz
photo2u[.]biz
gospace[.]biz
aircitypost[.]com
youhavedownloaded[.]com
xmllogistic[.]org
mega-battery[.]com
aramzam[.]com
allforlaptop[.]com
soirot[.]com
mailingtechnology[.]info
mailingtechnology[.]org
counterfeit[.]technology
xmllogistic[.]net
xmllogistic[.]com
ftn-presentation[.]com
counterfeittechnology[.]com
toskanmarket[.]com
identificationninja[.]com
mrboating[.]com
ironsyssecurity[.]com
danandnadia[.]us
xmlshop[.]biz
shopxml[.]biz
xmlshop[.]us
shopxml[.]us
mrboating[.]us
mrboating[.]biz
xmlshop[.]org
shopxml[.]org
mrboating[.]org
dressinus[.]us
dressywomen[.]com
bridalcorn[.]org
promdressesuk[.]org
lafemmedresses2015[.]org
sherrihilldress[.]org
cheap-dressuk[.]org
talkdressprom[.]org
promdressbee[.]us
weddingdresshotsale[.]org
mypromdressstore[.]org
sweetymalada[.]us
onlydress[.]org
promdressstores[.]org
promdressesshop[.]org
addressingmachines[.]org
dresskey[.]org
justdress[.]org

Sample personally identifiable information on Yevgeniy Igorevich Polyanin, also known as LK4D4, Damnating, Dam2life, Noodlleds, Antunpitre, Affilate 23:

Email: damnating@yandex[.]ru, antunpitre@gmail[.]com
The email account antunpitre@gmail[.]com is known to have registered an Android malware C&C server in the past, hxxp://foto2u[.]biz (209[.]99[.]40[.]224; 209[.]99[.]17[.]27; 178[.]32[.]152[.]214; 5[.]254[.]113[.]102). That server is known to have served the following malicious MD5 (7a140b4835e9ed857eda1f0dbfbfa3e8), which once executed is known to have phoned back to the malicious C&C server domain hxxp://phoneactivities[.]com (103[.]232[.]215[.]133). The following related malicious and fraudulent C&C server domains are also known:
hxxp://vkfoto[.]org
hxxp://vkfoto[.]net
hxxp://vkfoto[.]biz
hxxp://foto2u[.]info
hxxp://foto2u[.]org
hxxp://foto2u[.]net
hxxp://foto2u[.]biz
hxxp://photo2u[.]biz
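To make the indicators above usable in a SOC, they have to be refanged (hxxp and [.] undone) and matched against telemetry without substring false positives. The script below is an added example written for this post; it is not the author's code. The domain, IP and MD5 values are taken from the indicators listed above for Polyanin; the log format, the SAMPLE_LOGS lines and the function names are constructed for the example. The same refang-and-match approach applies to the longer list of Vasinskyi-linked domains earlier in the post.

```python
import re
from ipaddress import ip_address

# Indicators copied from the post, still defanged exactly as published.
RAW_DOMAINS = [
    "hxxp://foto2u[.]biz",
    "hxxp://phoneactivities[.]com",
    "hxxp://vkfoto[.]org",
    "hxxp:// vkfoto[.]net",      # stray space as it appeared in the post
    "hxxp:// vkfoto[.]biz",
    "hxxp:// foto2u[.]info",
    "hxxp:// foto2u[.]org",
    "hxxp:// foto2u[.]net",
    "hxxp:// photo2u[.]biz",
]
RAW_IPS = [
    "209[.]99[.]40[.]224",
    "209[.]99[.]17[.]27",
    "178[.]32[.]152[.]214",
    "5[.]254[.]113[.]102",
    "103[.]232[.]215[.]133",
]
RAW_HASHES = ["7a140b4835e9ed857eda1f0dbfbfa3e8"]

# Constructed sample telemetry (not real logs): one DNS hit, one proxy hit,
# one EDR hash hit, one clean line, and a look-alike domain that must NOT hit.
SAMPLE_LOGS = [
    "2022-01-10T10:01:02Z dns client=10.0.0.15 query=foto2u.biz type=A answer=209.99.40.224",
    "2022-01-10T10:01:05Z proxy client=10.0.0.15 dst=103.232.215.133 host=phoneactivities.com",
    "2022-01-10T10:02:00Z edr host=ws-15 file=C:\\Users\\u\\app.apk md5=7A140B4835E9ED857EDA1F0DBFBFA3E8",
    "2022-01-10T10:03:00Z dns client=10.0.0.22 query=www.example.org type=A answer=93.184.216.34",
    "2022-01-10T10:04:00Z dns client=10.0.0.22 query=notfoto2u.biz type=A answer=198.51.100.7",
]

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo common defanging: drop hxxp/http scheme, [.] -> ., stray spaces."""
    v = value.strip().replace(" ", "")
    v = re.sub(r"^h(?:xx|tt)ps?://", "", v, flags=re.IGNORECASE)
    v = v.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return v.lower().rstrip("/")


def build_indicator_set():
    """Return (domains, ips, hashes) as normalised sets ready for matching."""
    domains = {refang(d) for d in RAW_DOMAINS}
    ips = set()
    for raw in RAW_IPS:
        ip = refang(raw)
        ip_address(ip)  # raises ValueError if refanging produced garbage
        ips.add(ip)
    hashes = {h.lower() for h in RAW_HASHES}
    return domains, ips, hashes


def domain_matches(candidate: str, domains: set) -> bool:
    """Exact or subdomain match only, so notfoto2u.biz never hits foto2u.biz."""
    c = candidate.lower()
    return any(c == d or c.endswith("." + d) for d in domains)


def scan(lines, domains, ips, hashes):
    """Return [(line, [(kind, value), ...])] for every line with an IOC hit."""
    hits = []
    for line in lines:
        reasons = []
        for m in DOMAIN_RE.findall(line):
            if domain_matches(m, domains):
                reasons.append(("domain", m.lower()))
        for m in IPV4_RE.findall(line):
            if m in ips:
                reasons.append(("ip", m))
        for m in MD5_RE.findall(line):
            if m.lower() in hashes:
                reasons.append(("md5", m.lower()))
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    d, i, h = build_indicator_set()
    for line, reasons in scan(SAMPLE_LOGS, d, i, h):
        print(reasons, "<-", line)
```

The subdomain-only rule in domain_matches is the part worth keeping: naive substring matching on "foto2u.biz" would flag the look-alike line and any unrelated host whose name merely contains the string. Hashes are compared case-insensitively because EDR products disagree on hex casing.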

Stay tuned!

*** This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog - Mind Streams of Information Security Knowledge authored by Dancho Danchev. Read the original post at: http://ddanchev.blogspot.com/2022/01/profiling-yaroslav-vasinskyi-from.html