Last week, the United States joined Britain and Australia in sanctioning and indicting a Russian man, Dmitry Yuryevich Khoroshev, as the leader of the notorious LockBit ransomware group. The LockBit leader, known as LockBitSupp, claimed federal authorities had named the wrong man and said the charges do not explain how investigators linked him to Khoroshev. This post examines the activities of Khoroshev's many alter egos on cybercrime forums and traces the career of a talented malware author who has been writing and selling malicious code for the past 14 years.
On May 7, the U.S. Department of Justice indicted Khoroshev on 26 criminal charges, including extortion, wire fraud, and conspiracy. The government says Mr. Khoroshev created, sold and used LockBit ransomware to personally extort more than $100 million from hundreds of victim organizations, and that LockBit as a group extorted approximately $500 million over four years.
Federal investigators say Mr. Khoroshev operated LockBit as a “ransomware-as-a-service” operation, in which he kept 20 percent of the ransoms paid by victim organizations infected with his code, while the remaining 80 percent went to the LockBit affiliates who spread the malware.
The U.S. Treasury's financial sanctions against Khoroshev list his known email and mailing address (in Voronezh, in southwestern Russia), passport number, and even his tax identification number (hello, Russian tax authorities). Treasury filings say Khoroshev used the email addresses sitedev5@yandex.ru and khoroshev1@icloud.com.
According to DomainTools.com, the address sitedev5@yandex.ru was used to register at least six domains, including tkaner.com, a Russian business registered in Khoroshev's name that operates a blog about clothes and fabrics.
A search in the breach-tracking service Constella Intelligence for the phone number in Tkaner's registration records, 7.9521020220, turns up several official Russian government documents listing the owner of the number as Dmitry Yuryevich Khoroshev.
Another domain registered to that phone number is stairwell[.]ru, which at one point advertised wooden stairs for sale. Constella found that the email addresses webmaster@stairwell.ru and admin@stairwell.ru used the password 225948.
DomainTools reports that for several years stairwell.ru listed the registrant name “Dmitry Ju Khoroshev” and the email address pin@darktower.su. According to Constella, this email address was used in 2010 to register an account in the name of Dmitry Yuryevich Khoroshev of Voronezh, Russia, with the hosting provider firstvds.ru.
Cyber intelligence firm Intel 471 found that pin@darktower.ru was used by a Russian-speaking member named Pin on the English-language cybercrime forum Opensc. Pin was active on Opensc around March 2012 and made 13 posts, mostly about data encryption issues and how to fix bugs in code.
Other posts claimed that Pin had written custom code that bypassed memory protections on Windows XP and Windows 7 systems and injected malware into memory areas normally allocated to trusted applications on Windows machines.
Around the same time, Pin was also active on the Russian-language security forum Antichat, where he directed fellow forum members to contact him at the ICQ instant messenger number 669316.
NeroWolfe
Searching Intel 471 for the ICQ number 669316 shows that in April 2011 a user named NeroWolfe participated in the Russian cybercrime forum Zloy using the email address d.horoshev@gmail.com and from an Internet address located in Voronezh, RU.
Constella found that the same password associated with webmaster@stairwell.ru (225948) was used for the email address 3k@xakep.ru. According to Intel 471, that address was used to register more than a dozen NeroWolfe accounts on as many Russian cybercrime forums between 2011 and 2015.
NeroWolfe's introductory post on the forum Verified, in October 2011, stated that he was a system administrator and a C++ programmer.
“Install SpyEYE, ZeuS, any DDoS and spam management panels,” NeroWolfe wrote. This user stated that he specializes in developing malware, creating computer worms, and creating new ways to hijack web browsers.
“My portfolio is available upon request,” NeroWolfe wrote. “P.S. I don't modify anyone else's code or use anyone else's framework.”
In April 2013, NeroWolfe wrote in a private message to another Verified forum user that he was selling a malware “loader” program that could bypass all security protections in Windows XP and Windows 7.
“Access to the network is somewhat limited,” NeroWolfe said of the loader, which he was selling for $5,000. “It is not possible to bind a port. However, it is quite possible to send data. The code is written in C.”
In an October 2013 discussion on the cybercrime forum Exploit, NeroWolfe weighed in on the karmic consequences of ransomware. At the time, ransomware-as-a-service did not yet exist, and many miscreants were still making good money with “lockers,” relatively crude programs that locked users out of their systems until they made a small payment (usually a few hundred dollars via a prepaid Green Dot card).
Foreshadowing the coming ransomware scourge, lockers were generally viewed on Russian-speaking cybercrime forums as a harmless way to make money, since they usually were not designed to damage the host computer or compromise files on the system. There were also still plenty of locker programs that would-be cybercriminals could buy or rent to earn a steady income.
NeroWolfe reminded forum residents that they were just as vulnerable to ransomware attacks as any potential victim, and that what goes around comes around.
“Do you all have a conscience?” NeroWolfe wrote. “Okay, locker, network hopstop, also called business in Russian.”