Oh the places you'll go


In part I of our ‘Who’s Behind Ransomware’ series we talked about how commoditized ransomware can be purchased and deployed by criminals with minimal technical skills. As a follow-up to that blog post, the kind folks at ID Ransomware / MalwareHunter uncovered a great example of such technical inadequacy. The MalwareHunter team showed that a recent CryptoLite sample was using the same bitcoin wallet address...

Ransom notice with re-used wallet address

...that was used for a really amateur Ponzi scheme being run through a bitcoin chat forum.

amateur ponzi scheme on bitcoin forum

The date on the forum post was mid-2016. Two years later, the same criminal has graduated to blasting out ransomware, still using the same wallet address. Oh the places you’ll go!