A new strain of ransomware, MadCat, has emerged, creating a stir among security researchers and cybercrime enthusiasts alike. Damien Black, a seasoned journalist, unveils the intricate web of deception woven by this group of cybercriminals.
## Deceptive Prelude
On November 23rd, cybersecurity pundit Dominic Alvieri hinted at the debut of MadCat, a ransomware group that purportedly stole passport details. However, a subsequent investigation led by cyber investigator Karol Paciorek revealed a shocking twist – MadCat was not a force to be reckoned with but rather a group of scammers preying on their fellow criminals.
## Unmasking the Culprits
Paciorek, along with his team at CSIRT KNF cybersecurity firm, exposed the perpetrators behind MadCat. The investigation linked dark web accounts @plessy, @rooted, and @whitevendor to the fraudulent sale of 246,000 screenshotted Polish passport pages and other dubious offers of stolen travel documents. The scammers were cunningly enticing their targets with fake promises.
## Scam Unveiled
The scam, discovered on October 30th, involved @plessy posing as the seller of the entire illegal passport collection for a hefty sum of $3,400. CSIRT's analysis pointed to a potential link between @plessy and @whitevendor, suggesting they might be the same individual. The writing style, thread creation methods, and sales focus on identity documents were key indicators.
## Criminal Fallout
As the web of deception expanded, criminals on platforms like BreachForums started sharing tales of being duped. One user, "onesandzeroes," lamented losing nearly 20 units of Monero (XMR) cryptocurrency, approximately $3,000, to @rooted's false promises of stolen Japanese and Chinese passport details. The CSIRT report further solidified the connection between @rooted and @whitevendor.
## Tracing the Web Presence
Paciorek's investigation uncovered the web address plessy.eu, which was associated with the aliases @plessy, @rooted, and @whitevendor. When Cybernews attempted to access the site, it redirected to a Telegram channel, @shinyenigma, connected to @plessy. The trail also led to a GitHub profile of the same name, which appeared dormant apart from one recent update.
## The Ransomware Link
The investigation also connected @plessy to @MadCatR, leading to a discussion channel called @MadCatRansom, with @plessy as the sole user. CSIRT highlighted the possibility of this channel being a hub for the ransomware group. The unfolding narrative pointed towards a group that had set its sights on deception from the beginning.
## Downfall in Sight
Paciorek, commenting on the exposed MadCat group, foresaw a swift downfall akin to that of RansomedVC, another newcomer to the cybercrime scene. The MadCat ransomware site, linked by Alvieri, was found to be offline at the time of writing. Whether this was a response to Paciorek's revelations or mere coincidence remains unclear.
## The Evolution of Deception
The perpetrators, having been unmasked, showcased a history of deception that extended beyond their cybercriminal activities. User @WhiteVendor, facing negative feedback, abandoned the account and rebranded as @Plessy, continuing the scam under a new pseudonym. CSIRT's findings irrefutably connected these identities to the MadCat ransomware group.
## Lessons Learned
The MadCat saga serves as a cautionary tale in the cybersecurity realm, emphasizing the need for vigilance, even among criminals. The deceptive tactics employed by these scammers highlight the importance of thorough investigations and collaboration within the cybersecurity community to unveil and neutralize potential threats.