An individual claiming to be a former member of the URSNIF malware operation has leaked the real-world identities of three of the gang’s members in a series of tweets last week.
The account, going by the name of URSNIFleak, has also released snippets from the gang’s internal chats, along with screenshots of some of the URSNIF malware’s source code and private messages sent via an underground malware forum, discussing topics like money laundering and the war in Ukraine.
Leaker has shared a JSON of a sample of the Jabber chats, they ok'd me to share the download link https:// gofile . io/d/EUfRQ7 Will be dropping some other spicy content soon. #URSNIF #drama #URSNIFleaks #ransomware #hohono #leakurshit #cybersecurity #infosec pic.twitter.com/DxbwudBLZg
— Memediant Threat Intel (@SASSnRaaS) December 9, 2022
Trying to be a big man with very small amounts of money. Focher, overcompensating much? #URSNIF #drama #URSNIFleaks #ransomware #hohono #leakurshit #cybersecurity #infosec pic.twitter.com/Bt54rPBNRV
— Memediant Threat Intel (@SASSnRaaS) December 8, 2022
The irony of Focher telling someone to do their job, when he is barely a functioning human. #URSNIF #drama #URSNIFleaks #ransomware #hohono #leakurshit #cybersecurity #infosec pic.twitter.com/biEPQn1OPH
— Memediant Threat Intel (@SASSnRaaS) December 8, 2022
Seems like a great new business plan, hire contractors to work for you and then have them take a loan cause you won't pay them. #URSNIF #drama #URSNIFleaks #ransomware #hohono #leakurshit #cybersecurity #infosec pic.twitter.com/LF3vpfnJGN
— Memediant Threat Intel (@SASSnRaaS) December 8, 2022
The incident marks the fourth major doxing of a cybercrime operation this year after similar leaks exposed crucial and very sensitive information about the operations of the Conti ransomware, the TrickBot trojan, and the Yanluowang ransomware gang.
The first two leaks were driven by an anti-Russian sentiment as the Conti gang (which also managed the TrickBot botnet) showed their support for Russia’s brutal invasion of Ukraine. The reasons for the Yanluowang leak are still unknown.
However, the reason behind the URSNIF leak is much more mundane—and it’s revenge and your run-of-the-mill extortion.
2 hours to go. Last chance. Only message on TOX pic.twitter.com/7rBZ46RznJ
— URSNIFleak (@URSNIFleak) December 8, 2022
The leak was teased over several days (on a first Twitter account that has since been suspended). To show they were serious, the leaker first released details of low-level members:
URSNIF member 1 of 4 – This is Ruslan. He is admin for the group. Next release will be more senior and out in < 6 hours. pic.twitter.com/vcY411Il1k
— URSNIFleak (@URSNIFleak) December 6, 2022
URSNIF member 2 of 4 – Meet Borisenko aka mrgreen. Next release gets bigger. 6 hours time… pic.twitter.com/mFKLDnTrl9
— URSNIFleak (@URSNIFleak) December 7, 2022
URSNIF member 3 of 4 – Introducing sysadmin, Alexander Nikultsaev.
Our last URSNIF member, the big boss, is to come. T-minus 6 hours pic.twitter.com/OiANe2JLOM
— URSNIFleak (@URSNIFleak) December 7, 2022
He might be a shit boss, but at least he is smart enough to spend the money when he needs to.
No dox for CAP today.
— URSNIFleak (@URSNIFleak) December 7, 2022
And the URSNIFleak account stopped posting new content after the leader of the URSNIF gang (an individual named CAP) paid them off to keep quiet.
“I just made more money in a single week than I have made in years. Pay workers right and they won't have a reason to leak s***,” URSNIFleak wrote in their last tweet before allegedly closing the account.
I just made more money in a single week than I have made in years.
Pay workers right and they won't have a reason to leak shit.
Closing account
— URSNIFleak (@URSNIFleak) December 9, 2022
In another tweet, URSNIFleak said they decided to go through with the leak and extortion after reading statements made by the URSNIF leader in a recent interview with the VX-Underground project. They did not say which part of the interview prompted this.
“The interview angered me,” URSNIFleak said. “He has been a bad boss for a long time. I have been waiting for the right time to release.”
The interview angered me. He has been a bad boss for a long time. I have been waiting for the right time to release.
— URSNIFleak (@URSNIFleak) December 8, 2022
Compared to the Conti, TrickBot, and Yanluowang leaks, less information was released in the URSNIF dox, but despite this, nobody in infosec is complaining. More cybercrime leaks, plz! Especially leaks like these that show how URSNIF’s recent pivot to a ransomware operation was not as successful as the gang was hoping.
Starting to see a pattern in these chats, seems like incompetence is a rolling theme with Ransomware groups
#ransomware #leakurshit #URSNIF #hohono #cybersecurity #infosec #drama pic.twitter.com/20OcaGuGPy
— Memediant Threat Intel (@SASSnRaaS) December 6, 2022