Profiling Yaroslav Vasinskyi of the Kaseya Ransomware Attack Campaign – An OSINT Analysis

It seems that the US Department of Justice recently made arrests as part of the Kaseya ransomware removal campaign, so I decided to dig a little deeper and provide actionable intelligence exposing the individuals behind these campaigns, with the aim of helping US law enforcement track down and prosecute the cybercriminals behind them.

Example of personally identifiable information about Yaroslav Vasinskyi:

Mobile: +380993082660

Call: 1-800-225-5324 which is actually the phone number for the FBI

Online handles: Yarik45, Yaroslav2468

ICQ: 635995970

He is also known to have offered the following website around various pro-cybercrime forum communities as a model: hxxp://wholesale-dress[.]net, which is currently owned and operated by hxxp://counterfeittechnology[.]com. The following domains are known to have been registered by the same person who registered the original domain:

openib[.]com

photograph[.]me

bartrans[.]report

nebolsin[.]com

digital reality[.]world

white crow[.]club

openib[.]club

vkfoto[.]org

vkfoto[.]report

vkfoto[.]business

foto2u[.]information

foto2u[.]org

foto2u[.]report

foto2u[.]business

foto4u[.]business

photo2u[.]business

gospace[.]business

aircitypost[.]com

you downloaded[.]com

xmllogistics[.]org

mega battery[.]com

aramzam[.]com

allforlaptop[.]com

evening[.]com

mail technology[.]information

mail technology[.]org

counterfeit[.]Technology

xmllogistics[.]report

xmllogistics[.]com

ftn presentation[.]com

counterfeit technology[.]com

toskanmarket[.]com

identificationninja[.]com

boating[.]com

ironsyssecurity[.]com

danandnadia[.]we

xmlshop[.]business

shopxml[.]business

xmlshop[.]we

shopxml[.]we

boating[.]we

boating[.]business

xmlshop[.]org

shopxml[.]org

boating[.]org

dressinus[.]we

dressed women[.]com

bridal[.]org

promdressesuk[.]org

thewomandresses2015[.]org

sherrihilldress[.]org

cheap-dressuk[.]org

talkdressprom[.]org

promdressbee[.]we

hotsale wedding dress[.]org

mypromdressstore[.]org

sweetymalada[.]we

onlydress[.]org

promdressstores[.]org

promdressesshop[.]org

addressing machines[.]org

dress key[.]org

just get dressed[.]org

Example of personally identifiable information about Yevgeniy Igorevich Polyanin also known as LK4D4, Damnating, Dam2life, Noodlleds, Antunpitre, Affilate 23:

The following email account – [email protected][.]com – is known to have registered an Android malware C&C server domain in the past (hxxp://foto2u[.]biz, resolving to 209[.]99[.]40[.]224; 209[.]99[.]17[.]27; 178[.]32[.]152[.]214; 5[.]254[.]113[.]102). That domain is known to have served the following malicious MD5 (7a140b4835e9ed857eda1f0dbfbfa3e8), which, when executed, is known to have called back to the following malicious C&C server domain – hxxp://phoneactivities[.]com (103[.]232[.]215[.]133) – along with the following malicious and fraudulent C&C server domains:

hxxp://vkfoto[.]org

hxxp://vkfoto[.]report

hxxp://vkfoto[.]business

hxxp://foto2u[.]information

hxxp://foto2u[.]org

hxxp://foto2u[.]report

hxxp://foto2u[.]business

hxxp://photo2u[.]business
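The indicators above are published in defanged form (hxxp://, [.]) so they cannot be clicked by accident, which means a defender has to normalize them before they can be matched against DNS, proxy or firewall telemetry. The following Python is an added example written for this page, not code from the original post: it refangs the post's own indicators into a watchlist and scans a handful of constructed log lines (the log format and the client IPs are made up for illustration; the domains, IPs and MD5 are the ones listed in the post).

```python
import re

# Indicators copied from the post above, kept in their defanged form.
DEFANGED_INDICATORS = [
    "hxxp://foto2u[.]biz",
    "hxxp://phoneactivities[.]com",
    "209[.]99[.]40[.]224",
    "209[.]99[.]17[.]27",
    "178[.]32[.]152[.]214",
    "5[.]254[.]113[.]102",
    "hxxp://vkfoto[.]org",
    "hxxp:// photo2u[.]business",  # stray space, as it appears in the post
]
MALICIOUS_MD5 = "7a140b4835e9ed857eda1f0dbfbfa3e8"  # from the post


def refang(indicator: str) -> str:
    """Turn a defanged indicator into its real form: hxxp -> http, [.] -> '.', drop stray spaces."""
    s = indicator.strip().replace(" ", "")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    return s.lower()


def indicator_key(indicator: str) -> str:
    """Reduce a refanged indicator to the bare host or IP it names (scheme and path dropped)."""
    s = re.sub(r"^https?://", "", refang(indicator))
    return s.split("/")[0]


def build_watchlist(indicators) -> set:
    """Set of bare hosts/IPs that log lines are compared against."""
    return {indicator_key(i) for i in indicators}


# Constructed sample telemetry (not from the post): DNS, proxy, firewall and AV events.
SAMPLE_LOGS = [
    "2022-01-10T09:12:03Z dns client=10.0.0.7 query=foto2u.biz type=A",
    "2022-01-10T09:12:04Z proxy client=10.0.0.7 url=http://phoneactivities.com/gate.php status=200",
    "2022-01-10T09:12:05Z dns client=10.0.0.9 query=example.org type=A",
    "2022-01-10T09:12:06Z fw client=10.0.0.7 dst=178.32.152.214:80 action=allow",
    "2022-01-10T09:13:00Z av host=10.0.0.7 file=app.apk md5=7A140B4835E9ED857EDA1F0DBFBFA3E8",
]

# Fields in the constructed log format that carry a host or IP, and the hash field.
HOST_RE = re.compile(r"(?:query=|url=https?://|dst=)([a-z0-9.-]+)", re.I)
MD5_RE = re.compile(r"md5=([0-9a-f]{32})", re.I)


def scan_logs(lines, watchlist, hashes):
    """Return (indicator, line) pairs for every line that names a watchlisted host/IP or hash."""
    hits = []
    for line in lines:
        for m in HOST_RE.finditer(line):
            host = m.group(1).lower()
            if host in watchlist:
                hits.append((host, line))
        for m in MD5_RE.finditer(line):
            digest = m.group(1).lower()
            if digest in hashes:
                hits.append((digest, line))
    return hits


if __name__ == "__main__":
    watchlist = build_watchlist(DEFANGED_INDICATORS)
    for indicator, line in scan_logs(SAMPLE_LOGS, watchlist, {MALICIOUS_MD5}):
        print(f"HIT {indicator}: {line}")
```

The watchlist is keyed on bare hosts and IPs rather than full URLs so that a C&C domain is still caught when it appears with a different path or in a DNS query rather than an HTTP request; hash comparison is case-insensitive because AV products do not agree on hex case.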

Stay tuned!

*** This is a syndicated blog from Dancho Danchev’s Blog Security Bloggers Network – Mind Streams of Information Security Knowledge written by Dancho Danchev. Read the original post at: http://ddanchev.blogspot.com/2022/01/profiling-yaroslav-vasinskyi-from.html
