After exposing the crook who was behind the Ranscam ransomware, Cisco researchers decided to look deeper and managed to find a clue that links the same individual to other very similar pieces of ransomware – Jigsaw and AnonPop.
Ranscam, Jigsaw and AnonPop all belong to the same class of ransomware, known as “destructive” because they delete the victims' encrypted data if the victims don't pay the ransom demanded.
Only one domain name was found to be distributing Ranscam, so the Cisco team decided to start their research from there. They discovered three email addresses connecting the three ransomware strains.
The domain distributing Ranscam was registered to the following email address: cryptofinancial[@]yandex[.]com. Shortly after, the researchers found out that other domain names were also registered to the same address. When these domain names were moved to a different account using a different address (minercount[@]yandex[.]com) but with the same phone number as the first one, Cisco took that as a serious clue that only one person may be behind these operations.
According to Cisco, Jigsaw and AnonPop samples, as well as malware dropped after an AnonPop infection, were distributed from some of these domains. Moreover, other domains sharing the same host server as the malicious domains were registered to a third address, very similar to the second one: minercount2[@]yandex[.]com.
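The registrant pivot described above (shared email, shared phone number, shared host server) can be expressed as a small clustering routine. This is an added example, not code from Cisco or the article; the domains, phone numbers and IP addresses are constructed placeholders, and only the defanged email addresses come from the text.

```python
from collections import defaultdict

# Constructed WHOIS/hosting snapshot. Domains, phone numbers and IPs are
# placeholders; the defanged e-mail addresses are those named in the article.
RECORDS = [
    {"domain": "ranscam-dist.example", "email": "cryptofinancial[@]yandex[.]com",
     "phone": "+1-555-0100", "ip": "198.51.100.10"},
    {"domain": "jigsaw-drop.example", "email": "cryptofinancial[@]yandex[.]com",
     "phone": "+1-555-0100", "ip": "198.51.100.10"},
    # moved to a new account: different e-mail, same phone number as the first
    {"domain": "anonpop-drop.example", "email": "minercount[@]yandex[.]com",
     "phone": "+1-555-0100", "ip": "198.51.100.10"},
    # same host server as the malicious domains, third (similar) address
    {"domain": "sideproject.example", "email": "minercount2[@]yandex[.]com",
     "phone": "+1-555-0177", "ip": "198.51.100.10"},
    # unrelated registrant that shares nothing and must stay in its own cluster
    {"domain": "flower-shop.example", "email": "owner[@]example[.]net",
     "phone": "+1-555-0150", "ip": "203.0.113.5"},
]

def cluster_domains(records, keys=("email", "phone", "ip")):
    """Union-find over records: two domains join one cluster when any pivot
    attribute matches. Returns (clusters, links); links records which
    attribute tied each domain to an earlier domain."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen, links = {}, []   # (key, value) -> index of first record with it
    for idx, rec in enumerate(records):
        for key in keys:
            token = (key, rec[key])
            if token in first_seen:
                other = first_seen[token]
                parent[find(idx)] = find(other)
                links.append((rec["domain"], records[other]["domain"], key))
            else:
                first_seen[token] = idx

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec["domain"])
    clusters = sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
    return clusters, links
```

The `links` list is what an analyst would report alongside the cluster, since it shows which attribute (email, phone or host) justified each connection.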
While looking into the “minercount” username shared by two of the email addresses, researchers found that the crook has been very active on programming and hacking forums. On one forum, minercount was even thanking the author of the .NET code obfuscator used in both AnonPop and Ranscam, and on another he was advertising a new ransomware variant for only $50. Each of minercount's posts was found to point back to domains registered to one of the three email addresses.
Presently, the cybercriminal is distributing malware, including a new ransomware version, through the social news service Reddit. Posting under a different username, /u/cryptoconsulate, the crook again links to domains registered to those three addresses.
Although the actor did reuse one of the Bitcoin addresses seen in Jigsaw, which ties him once more to Jigsaw's distribution, Cisco can't be absolutely sure that “minercount” is behind all of this.
“A single actor could be responsible for multiple distinct variants in an attempt to maximize their profits, or as they refine their tactics in an attempt to maximize the amount of revenue they collect from victims,” Cisco researchers explain.