
Who’s Behind the GandCrab Ransomware? - feross
https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/
======
merlincorey
I am pretty shocked to find that they used their birth date as their password
for so long and on so many accounts.

I think it's definitely worth considering that this may be a frame job for
some poor unwitting person.

However, I agree completely that OPSEC is probably not at the top of most
larval-stage hackers' minds working out of countries they don't fear
extradition in.

~~~
outworlder
The opsec job was so shoddy that I immediately suspected misdirection. I mean,
would anyone be so stupid as to use the same username they use for posting
_videos_ of themselves for such a purpose? They might as well embed a picture
of their ID in the binary.

I know that criminals tend to not be very bright, but this particular field
would require at least some basic competence, I would assume.

~~~
asdfasgasdgasdg
OK, but the blog also points out that the pattern is typical of cyber
criminals in this jurisdiction. It strains credulity that a ten year long
trail of red herrings would be created, when it would be just as easy
(easier!) to leave no evidence at all.

~~~
XMPPwocky
and remember we're often talking about people who would have been teenagers
when the trail started.

------
ryanlol
Besides ransomware operators Krebs also likes to dox security researchers and
people who leave negative reviews for his books.

[https://www.itwire.com/security/86867-infosec-researchers-slam-ex-wapo-man-krebs-over-doxxing.html](https://www.itwire.com/security/86867-infosec-researchers-slam-ex-wapo-man-krebs-over-doxxing.html)

[https://twitter.com/arctaire/status/1121412963351420928](https://twitter.com/arctaire/status/1121412963351420928)

------
leetbulb
This was an amazing read. I love these types of articles. It's nuts how easy
it is to find people nowadays, especially with so many OSINT resources and
tools and a little bit of Google'fu.

~~~
mc32
>Igor Vladimirovich Prokopenko from Magnitogorsk who was born on June 16,
1991. Recall that “16061991” was the password used

Does this take into account the Julian/Gregorian diff?

~~~
mikeash
Russia switched to the Gregorian calendar in 1918, so I don’t think it would
need to.

~~~
schoen
Although there are a small number of Russian Orthodox Christians who remain
disappointed about that:

[https://en.wikipedia.org/wiki/True_Orthodoxy](https://en.wikipedia.org/wiki/True_Orthodoxy)

(I don't think this would affect anyone's civil birthdate.)

------
Lowkeyloki
I trust Krebs to do the right thing, but hopefully he went to authorities with
this before publishing this dude's personal information.

Of course, I may be a little too sensitive about this kind of stuff. I am in
the middle of reading Neal Stephenson's REAMDE right now.

~~~
shakna
Unfortunately, Krebs has a history of not doing the right thing around
individuals. [0]

[0] [https://hacked.wtf/2019/04/26/dear-brian-krebs-no-more-doxxing-as-a-result-of-a-disagreement-please/](https://hacked.wtf/2019/04/26/dear-brian-krebs-no-more-doxxing-as-a-result-of-a-disagreement-please/)

~~~
kabwj
Krebs is a charlatan like many others. I don’t know why he’s given so much
clout in technical circles. At this point he’s nothing more than a journalist.

~~~
ryanlol
Yes, Krebs is a journalist. I don’t think that’s a big secret.

I’m not a fan but I don’t see how you could call him a charlatan, he’s never
claimed to be anything but a journalist.

~~~
kabwj
Journalists are all charlatans since for the most part they know very little
of what they’re talking about. “Journalist” is practically an insult at this
point.

------
javajosh
Is RSA really bullshit, or did the crab people get the parameters right? (They
used RSA 2048 to encrypt files and HN has been claiming it's a footgun)

~~~
schoen
Maybe the ransomware author used someone else's library instead of
implementing textbook RSA from scratch.

It also occurs to me that (unfortunately) the ransomware setting may be one
where comparatively few kinds of attacks are feasible. The ransomware will
encrypt _one_ short fixed-length random value (chosen by itself, not the user)
once and then stop. The public key is presumably fixed and was most likely
generated offline using a separate tool like OpenSSL.

The decryption presumably happens only on the ransomware author's
infrastructure and is gated by a payment, so it's potentially hard to perform
oracle attacks (and perhaps different kinds of decryption failures don't
produce meaningfully different observable behavior, especially if a human
being is in the loop returning the decryption tokens to the ransomware victims
who've paid the ransom).

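Added example, not code from the article, from GandCrab, or from any commenter: a pure-Python illustration of the point raised in the two comments above, namely what "textbook RSA is a footgun" means in exactly the ransomware setting, where a single short random file key is encrypted under a fixed public key. With no padding and e = 3, a 256-bit key cubed is only 768 bits, so the 2048-bit modulus never reduces it and anyone holding the ciphertext recovers the key with an integer cube root. The same key wrapped with RFC 8017 OAEP (implemented here with SHA-256, not with a third-party library) is not a perfect cube and round-trips only through the private key. The key size and exponent are assumptions chosen to match the article's "RSA 2048" and to make the failure obvious; the 32-byte file key is a constructed stand-in.

```python
import hashlib
import secrets

KEY_BITS = 2048   # the modulus size the article reports for the file-key wrapping
PUBLIC_EXP = 3    # a small e makes the textbook-RSA failure easy to see
H_LEN = 32        # SHA-256 output length, used by OAEP and MGF1 below


def is_probable_prime(n, rounds=32):
    """Miller-Rabin behind a small trial-division filter."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, e):
    """Random prime with the top bit set and gcd(e, p - 1) == 1 (e must be prime)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % e != 1 and is_probable_prime(cand):
            return cand

def gen_rsa(bits, e):
    """Returns ((n, e), d); pow(e, -1, m) needs Python 3.8+."""
    p, q = gen_prime(bits // 2, e), gen_prime(bits // 2, e)
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def icbrt(x):
    """Smallest integer r with r**3 >= x, by binary search (exact for big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if mid ** 3 < x else (lo, mid)
    return lo

def textbook_encrypt(pub, msg):
    """c = m^e mod n with no padding.  If m^e < n the reduction never happens."""
    n, e = pub
    return pow(int.from_bytes(msg, "big"), e, n)

def cube_root_attack(c):
    """Recovers m from c = m^3 whenever c is a perfect cube, else None."""
    r = icbrt(c)
    return r if r ** 3 == c else None

def mgf1(seed, length):
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range((length + H_LEN - 1) // H_LEN))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(msg, k, label=b""):
    """RFC 8017 EME-OAEP encoding with SHA-256; k is the modulus length in bytes."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    db = hashlib.sha256(label).digest() + bytes(k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(H_LEN)               # fresh randomness: ciphertexts never repeat
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_unpad(em, k, label=b""):
    seed = xor(em[1:1 + H_LEN], mgf1(em[1 + H_LEN:], H_LEN))
    db = xor(em[1 + H_LEN:], mgf1(seed, k - H_LEN - 1))
    rest = db[H_LEN:].lstrip(b"\x00")
    # One indistinguishable error for every failure mode, so a decryptor leaks no oracle.
    if em[0] != 0 or db[:H_LEN] != hashlib.sha256(label).digest() or rest[:1] != b"\x01":
        raise ValueError("decryption error")
    return rest[1:]

def oaep_encrypt(pub, msg):
    n, e = pub
    return pow(int.from_bytes(oaep_pad(msg, (n.bit_length() + 7) // 8), "big"), e, n)

def oaep_decrypt(pub, d, c):
    k = (pub[0].bit_length() + 7) // 8
    return oaep_unpad(pow(c, d, pub[0]).to_bytes(k, "big"), k)

def demo():
    """Returns (textbook leaks the key, OAEP leaks the key, OAEP round-trips)."""
    pub, d = gen_rsa(KEY_BITS, PUBLIC_EXP)
    file_key = secrets.token_bytes(32)              # constructed stand-in for the wrapped file key
    key_int = int.from_bytes(file_key, "big")
    # A 256-bit key cubed is 768 bits, far below a 2048-bit n, so c == m**3 exactly.
    leaked = cube_root_attack(textbook_encrypt(pub, file_key)) == key_int
    c_oaep = oaep_encrypt(pub, file_key)
    return leaked, cube_root_attack(c_oaep) == key_int, oaep_decrypt(pub, d, c_oaep) == file_key
```

`demo()` returns `(True, False, True)`: the unpadded wrap hands the file key to anyone who captured the ciphertext, while the OAEP wrap does not, and only the private key unwraps it. This is also why using a vetted library rather than rolling RSA from scratch matters: a proper OAEP decryptor returns the same error for every malformed input, which is the behaviour the comment above notes an attacker would need to distinguish for an oracle attack. Key generation here is pure Python and takes about a second; it is for illustration only and should not be used in place of a real library.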
------
vectorEQ
krebs is behind the malware himself. after years of deluding people about
being on the hunt for these hackers finally he managed to get everyone into a
state where he can steal 2 billion and not get suspected :D designing his
emporium as a troll on himself to try and avoid being suspected. clever mr
krebs! #alexjones2020

------
mirimir
Funny. "Windows" does not appear in TFA.

