The attacker left a file with a ransom demand, which points to a site where they're demanding payment to release the victim's files.
We suspect that the attacker may not have been acting entirely on their own. There may be a connection between the attacker and a larger ransomware-as-a-service ring.
Analyze the demand site, and see if you can find a connection to another ransomware-related site.
Enter the domain name of the associated site.
- provided/
- YOUR_FILES_ARE_SAFE.txt - Demand note from the attacker
Hmm, looking at the demand note, we can see a site; let's go to it.
Not much here. Let's open the browser's network tab and reload the site:
Interesting: it downloads a file called connect.js, and that JavaScript file then issues a GET request to another site, https://xsafjadfhngjqmit.ransommethis.net/demand?cid=92807. That must be the other ransomware-related site. We can also see a parameter called cid with the value 92807; let's keep that in the back of our heads for later.
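The same connection can be found without loading the page at all, by scanning the downloaded script for the hosts it will contact. The following is an added example (not code from the writeup or the challenge): it pulls every absolute URL out of a script's text, groups them by hostname, flags hosts that differ from the page's own, and decodes the query parameters. The script body is constructed for this example; only the ransommethis.net hostname and the cid value come from the writeup, and the page host "ransom-note-site.invalid" is a placeholder.

```javascript
// Added example, not part of the original writeup.
// Constructed stand-in for a script like connect.js. Only the hostname
// xsafjadfhngjqmit.ransommethis.net and cid=92807 are taken from the writeup;
// the second URL is made up to show a second host being picked out.
const SAMPLE_CONNECT_JS = `
(function () {
  var d = "https://xsafjadfhngjqmit.ransommethis.net/demand?cid=92807";
  fetch(d).then(function (r) { return r.text(); })
          .then(function (t) { document.body.innerHTML = t; });
  var img = new Image();
  img.src = 'https://cdn.example.invalid/pixel.gif?v=2&cid=92807';
})();
`;

// Matches absolute http(s) URLs up to the first quote, whitespace or bracket.
const URL_RE = /https?:\/\/[^\s'"`<>)]+/g;

// Returns one entry per host referenced in `source`: whether it is external
// to `pageHost`, and each path with its decoded query parameters.
function extractRequests(source, pageHost) {
  const byHost = new Map();
  for (const match of source.matchAll(URL_RE)) {
    let url;
    try {
      url = new URL(match[0]);
    } catch {
      continue; // not a parseable URL, skip it
    }
    const entry = byHost.get(url.hostname) || {
      host: url.hostname,
      external: url.hostname !== pageHost,
      urls: [],
    };
    entry.urls.push({
      path: url.pathname,
      params: Object.fromEntries(url.searchParams),
    });
    byHost.set(url.hostname, entry);
  }
  return [...byHost.values()];
}

// Convenience view: just the external hostnames, sorted, the thing the
// challenge actually asks for.
function externalHosts(source, pageHost) {
  return extractRequests(source, pageHost)
    .filter((e) => e.external)
    .map((e) => e.host)
    .sort();
}

// Stand-alone run: print the report for the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  const report = extractRequests(SAMPLE_CONNECT_JS, "ransom-note-site.invalid");
  console.log(JSON.stringify(report, null, 2));
  console.log("external hosts:", externalHosts(SAMPLE_CONNECT_JS, "ransom-note-site.invalid"));
}

module.exports = { SAMPLE_CONNECT_JS, extractRequests, externalHosts };
```

Running it against a real connect.js is a matter of reading the file into `source`; the regex only catches literal URLs, so a script that assembles its target from pieces (as obfuscated loaders often do) will still need the network tab or a deobfuscator, which is exactly why the writeup checks the traffic first.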
Note: I actually saw some people do this in the CBC Discord (go after the source of the site), but it's pretty unnecessary, so I'll quickly go over how you could do that, for whatever reason you'd want to.
Let's take a peek at the source code:
Horrifying. It's obfuscated; let's run it through an online deobfuscator such as Synchrony. It deobfuscates it pretty fast, and we get this:
Yeah, it looks like the request is intentional; let's submit xsafjadfhngjqmit.ransommethis.net.
Nice, we got the domain.
Nicely done! Looks like there is an association with another site.
Use web dev tools to see network traffic when you load the site to see the external request to the other site.