
Uncloaking Cloak Ransomware

BSides Tampa, 51:17, 180 views, published 2025-07
Category: Research
Style: Talk
About this talk
2025 BSides Tampa: Uncloaking Cloak Ransomware, by Jeff White. Description: This talk will be a story of attribution, taking the audience along while I show how you can follow the breadcrumbs threat actors leave behind to investigate who they are and what they are capable of. In this presentation, we'll uncover the true identity of the Cloak Ransomware operator and build a profile of the individual based on information uncovered throughout this research.
Transcript [en]

Thank you very much. Thank you. Who I am was covered beautifully in the intro, thank you very much, so we can skip past that. I've got 65 slides in about 45 minutes, so we're just going to bang them out. All right, Cloak ransomware. If you're not familiar with them, this is a group that came up in 2024. They made some waves when they appeared; they came out of the gate swinging. They had about 20 victims, or alleged victims, and they had a Rust-based ransomware locker, so they made some headlines. I wasn't really familiar with them at the time. This is later in 2024, when I

start my research. It started with a tweet. I saw this tweet from Dominic pop up, and there were a number of red flags that appeared when you started looking at it. Typically with ransomware actors you're going to have an Onion-hosted data leak site, right? It's where they post their victim information so they can try and shame them into paying whatever the ransom is. They can do the negotiations and so on, but they can stay relatively anonymous. So seeing something like this, which is not an Onion-hosted website, raises a lot of red flags that are interesting. And since it was on my radar from making

some headlines, I thought I'd look into it. So here we have a domain, we have an IP, and we have an open directory. cloak.su, I mean, it would be a little on the nose if that was Cloak ransomware. But there's an affiliate folder in the open directory, so it seems like it is potentially related. That's where we start the adventure. We start with infrastructure analysis. One of the first things I'm going to do is look at passive DNS to see what has historically resolved for this domain. We can see a number of different IP addresses over time. We can see that the most recent one was actually 80.76 and not 80.75. So I don't

know if it was a typo in the tweet, but I checked both of them to see if maybe there were two servers that were hosting this information. I start looking at 80.76, and I can see on the right side here the content of the open directory. I can see some metadata about it, and I start getting some timing of when this activity was occurring. June 11th was the earliest file in the metadata that we can see, and then we know that on June 12th TCP 443 started listening. So this is likely when the website went up. It kind of helps

place the activity and understand what was happening in time, and we can see the files. There's not the content of the files, but it provides just a little bit more information. We can look at how the website was actually responding during that time frame. From the 18th to the 20th (this tweet was on the 20th), you can see where it transitions from 300s or 301s and 404s to 200s. For a couple of days it was responding with a website, so it could imply some kind of transition. It eventually falls off again, so by the time I was starting to look at it, it was not up anymore. Look at the certificate that was on the

site as well. The certificate content is not really super important, but there are more dates here. We can see when it was created, and it places things so we can understand the activity that led to the site being created. So the open directory was gone. I did scrape the website and I found a couple of other files that were fairly interesting. The first one here, chat.php: again, data leak sites frequently have some kind of chat website so that victims can log in, negotiate, and talk with the attacker. In the chat.php there was a victim ID. So it's starting to add up that this potentially could be ransomware related.

It's still not confirmed or anything like that, but that's where my head is; that's what I'm seeing at the moment. Looking at the domain itself and looking back through previous activity: whenever you're looking at threat actor infrastructure, if you ever see a ton of files where the only difference really is the extension and it's all these different platforms, it's almost always crypto mining. The idea is they have the same payload generated for multiple different platforms and then they can just blast it out over the internet. You will see refrigerators get compromised, IoT devices get compromised, routers, all kinds of stuff, and so they have

different platforms for all these different things. So at some point this was hosting Rebirth, or Rebirth Reborn, miner, which is a known crypto mining software. That adds some malicious activity that happened. This was about five months before I started my research. And then we can see where it transitioned to this new website that Dominic had posted, where it has the new IP address, the 80.76. So we can actually take a look at the before and then the after, because I wanted to know, obviously, about Cloak, and I wanted to know what was on it previous to this alleged ransomware website. So going back in time, this is what the

website looked like. It says Cloak, number one no-rule server provider. So this is a bulletproof hosting provider. If you're not familiar with those, it's basically free rein to do what you want. They're not going to look at the logs. They're not going to tell you not to do anything. Obviously, usually used for malicious activity. Cloak is a good name for a bulletproof hosting provider, right? You're trying to stay hidden, you're trying to hide. So it makes sense, but it's not really a ransomware connection. So at this point I'm trying to decide: is this ransomware related, or is it just happenstance where some bad guys both picked the same name, because cloak

is pretty normal. The new website absolutely looks like an attempt at a ransomware website. You can see it says corporations who choose not to cooperate will get exposed here; they'll publish their data. But it's obviously test data, right? And you can see the chat at the top. That was the chat.php that I pulled down. It looks really bad; this is a very basic website. But the Cloak data leak site that is already out there and known by people doesn't look anything like this. It has different logos. It also looks bad, but it is a step up from what we just saw. But in terms

of data leak sites, this one's pretty bad in comparison, but this was what people typically saw. So we know the site had changed. We know it used to host some crypto mining. It used to host some bulletproof hosting. Now it's potentially a ransomware... Oh no, the screen just went out. Cloaked. No. Of course. Try turning the button on the panel over there.

Oh.

So maybe we won't be rushing through the slides. Let me just unplug it. Well, I unplugged it.

[Laughter] All right. Oh, what the hell? Yeah. Do you have another computer? No, no, no. Do you have another converter for HDMI?

Almost don't want to touch it, but all right. All right. So, we've got a couple of malicious activity indicators. Whoa. And we have two potential data leak site variants, right? We have the known one, and then we have what appears to be a work in progress for a data leak site. So I start looking around for cloak.su, and I start looking for it within the content of files as opposed to the infrastructure itself, and I land on this document, How to Stay Anonymous, by Sleser. It was a professional malware setup guide. It has RAT setup listed in the table of contents, silent miner setup, UAC bypass exploit. In the actual PDF, which

was quite long, like 20 pages or something like that, he actually puts in here that what you're going to do is buy an RDP, or buy a server that you can RDP into. You're going to host all your compromising files, your RAT C2, your panel for your crypto miner, and if you need to buy a website, go to cloak.su. It's owned by him. 100% anonymous, 24/7 support. So already we have a potential persona that we can leverage. I'm not going to be talking about the attacks of Cloak or how the ransomware works. This is strictly a talk on building a profile for this particular threat actor. And the reason

that you would want to do that: it has a very small opportunity for value, but if you were attacked by a ransomware group, understanding who is behind the ransomware group, understanding what their capabilities are, whether they're going to be truthful, whether you can rely on them to do what they say they're going to do if you pay them, these are all things that can be very valuable to a victim organization. So besides trying to collect threat actor profiles like Pokemon, this is part of the impetus for doing this type of research. But he does it nicely for us. He says that his name is Sleser. He owns this website.

So we have a starting point to really dive in on. In another one he puts a nice little red box around a PowerShell command that you can see here, which is downloading a file from another website, a new domain that I wasn't aware of yet. This one was files.sleser.cc, and you can see it just has a random name. And he's explaining what to do for this UAC bypass. So I start pivoting on that particular domain. You can see in 2023 there were two executables that I was able to identify, and the executables were ultimately Amadey, which is a botnet kind of malware loader that you can download.

It's something you can purchase online; it's not uncommon, so you frequently see it, but we know at some point it was hosting it. We can see there was a hack.ps1 PowerShell file that I found. It had the same domain in it. It was again downloading it; this is just a download cradle for that particular file. And then I saw something really odd, because when you look at these websites, you don't typically see outgoing relations to these kinds of websites. I mean, if you look at the websites, they are all the typical suspects. It's exploit.in, XSS, Hack Forums, sites that are underground where you typically

see threat actors talking. So seeing a list of all of these sites linked to it was pretty strange. And I'll get to that in a second. I haven't even started diving in on the accounts yet and the messages and all that kind of stuff, but that was a huge red flag for me to circle back to this. So going to the website, what does this sleser.cc look like? Very basic website; calls himself a skid. It's a word I hadn't heard for quite a long time, but the template of the website is very straightforward. You have something on the top left and then you have a couple of navigational links at

the top right, and this template gets used across a lot of different websites that this individual creates. So it was a good visual cue: when I would see this same structure, it might be related to this guy. Looking at some of the pivots for websites that would redirect to this one, you could see that there was a sleser.github.io about a year prior to me doing the research. So that's interesting. One, it could have code. We can look through the code. We could look through logs. Definitely something to dive in on and look for. And then I could also see, when I would look for the sleser.github.io redirects from that, there was

another odd domain that popped up called WNET Studio. So I had two pivot points that I wanted to dive into, two things I wanted to look at. WNET Studio again looks like the previous one. It goes through, it's like a GIF that actually plays, but it says Red Teamer and a couple of other things, security expert and all that kind of stuff. And then you have services, socials and projects at the top. This website wasn't available at the time that I was looking at it either, so I had to go digging. When I started looking for relationships to this particular website, there was a hyperlink that was identified, and it's actually the WNET

Studio up there that is the hyperlink in question, but it would take you to this URL, monero.wnetmc.repl.co/mro.bat. So at the time I didn't make a critical connection here until I went back and I started doing the slides, because this didn't all happen in order. I was getting a piece of information here, a piece of information there, and trying to piece everything together. When I see it on the slide, it makes more sense. This is an old URL structure for Replit. At the time I wasn't familiar with Replit, but we'll come to that. On the website there was also a macro.exe file. This macro.exe file was

similar to the hack.ps1. It downloaded BlackNET RAT, and inside that binary there was a string that was super interesting, which was a Replit URL, and it had @slesermonero. So again we have the crypto mining aspect of it, but now we have another code repo. GitHub wasn't available, but maybe this one is. In hindsight, if I had realized that the top one was an old Replit domain, I could have just taken the WNETMC, moved it down, and probably saved myself many, many days of research, because he has his name plastered on this one. So we'll get to it. But looking at the Replit, there was a lot of stuff that immediately jumped out.

You have at the very top two obviously related ones, or interesting ones: cloak affiliate and cloak management. Typically these types of ransomware-as-a-service groups will have the management side and they'll have the affiliate side. The affiliates will log in, they can generate new malware, they can do the negotiations with the victims, all that kind of stuff. So I definitely wanted to look at those. But I also noticed a lot of repos at the very beginning of this person's Replit, and if you look at them, they tell a story in and of themselves. You have a password generator, rock paper scissors, a calculator, a crypto price checker,

right? Starting to play with APIs. All of this is telling me that at this point this person probably didn't know how to do any coding. This is them learning and trying to build their skills, figuring out how to use it. And then about a year and a half later, they have a management panel and affiliate site for a ransomware. So it seems odd, but it shows the progression of this particular person's skill set. You can also see their icon in their background picture. It's this happy face; it's got a bunch of coding in front of it and pills and stuff like that. So that pops

up a couple of other times. He likes to reuse his profile pictures. And also I want to point out, before I go to the next slide, that at the very bottom there was a Monero folder. And to the far right, this little profile picture of a cat comes into play in a little bit. But first I'm going to walk you through the affiliate page and then the management page, just to see what we see. So for the cloak affiliate panel, obviously it has all the source code. This is a code repository. Wealth of information. You can start looking at it. I mean, it says right in

the title, cloak affiliate panel and victim list. Presumably it's ransomware related. Welcome anon. You can start looking at this. I don't know if it ever actually made it out to the internet, but if it did, you can look at it. You can assess the source code. You can see if there are vulnerabilities or things that you could maybe monitor for or leverage in other ways for research purposes. It dates the code. You can see here it was the login.php, where it's looking for a particular password, and the password's in the config.php. So you can start piecing stuff together. Going back a slide, there was also, I

don't know if you noticed, a victims folder. Looking in the victims folder, you see a number of different text files. The text files are fairly basic. They have an IP address, a name if it was provided, the host name of the system presumably that it was running on, and an amount that is disclosed during contact, but it's not listed in this particular file. I didn't go through and try to validate if these were actually victims or not. A lot of it seems like test data, so I didn't want to assume anything, but it's certainly open for further research. No,

sorry. Try this again.

Yeah, it's definitely this. I'll try to run and get one while you present. Well, I need to show the slides. So, yeah. Yeah. Yeah. Let's hope it works. You need a different dongle. If you have one, that would be fantastic. I was wondering if it was just your USB-C or USB port. No, I think it's the dongle. Yeah, it's HDMI to USB-C. If you have that, you'd be a hero.

I'm going to go get one while you present. Yeah, good. Got it.

Is it USB or USB-C? USB-C.

I can try and plug that one back in too. Let me try a different port. Yeah. I just

Okay, appreciate it. I think I'm going to try and do it without full screen, because I don't know if the full screen is maybe causing issues too. All right, that's what I'm looking for. Where's it at? Oh, there it is. I'm good for now. I appreciate it, though. Well, if it happens again, I have it up. All right. Thanks. I'm sure it will. So, Cloak management panel. Where were we? It was mostly the same as the affiliate. There were a couple of additional files that were kind of interesting. There was a git decryption key, which helps build the idea that this is for sure ransomware related. There was a

license.bin file which was for generating new samples, and then config.php again with a different set of credentials that, if this website was live and they hadn't changed any of that, maybe you could leverage to log in. The victim text files were pretty much the same. They had a couple of additional fields and information, specifically what looks like a Cloak decryption key. So again, if these were real victims, this might be an opportunity where those victims could get a Cloak decryption key and then not have to deal with anything or pay. But going back to the overall Replit, and specifically the Monero one: it was

in use for over two years. When I looked at the Monero repository, I found a bunch of the missing files that I wasn't able to pull off the previous website. There was other intelligence that you could get out of here. There was a wallet address. There was a password. You can see them here. The password was Grognak, which is a barbarian from Fallout if you're not familiar with it. Gaming related; lots of this stuff is gaming related. Wallet address: searching for the wallet, I found a number of Monero miner configurations that were out there. So this could tell you that either they were being deployed out in

the wild and somebody found it and uploaded it, or maybe they uploaded it, but it gives you another pivot point to research the uploaders to VirusTotal and what's actually in the configurations themselves. So we know there's code hosted on Replit. We've got a wallet ID, the structure potentially of a Cloak ransomware and affiliate website. Maybe they're trying to rebrand or rebuild it, do a new one, because like I said, the one that's hosted on the onion service is really bad. This one potentially could be a little bit better. And some infected machine IDs and host metadata. All right. So at this point I started to try and do visual pivots,

looking at the structure of the website and seeing what other websites look the same. In this case, I found another domain, sleser.su, which has the same structure as what sleser.cc had looked like. This one says it runs the GoldBrute RDP brute forcer botnet. Again we have the profile picture with the pills and the coding and all that kind of stuff in front. And now you can see why there were the outgoing relationships, because he's basically using this as his Linktree. He's got all of his forum accounts listed here. We also get a Telegram address. We get a Jabber address. And if

you're buying from a vendor on one of these forums, it helps to have a reputation. So that is probably the idea behind creating something like this, so he can somewhat prove who he is, prove he's reliable. It does us wonders, because now we have everything right here to start looking through and piecing together conversations and stuff like that. Going back to Replit, almost done with it, I promise: looking at the Monero repo, if you clicked on that cat profile, you got redirected to this one, which was WNET. So again, going back to the WNET Studio, similar kind of redirect from Sleser to WNET earlier. Self-proclaimed gamer, has the WNET website on here. So we

can actually now see what all of the socials and projects that they had listed at the time were. And these are not bad guy websites, quote unquote, right? These are ones that everybody uses. GitHub, Discord, YouTube, TikTok, Instagram, Twitter, you name it. This guy's got it and has a WNETMC account for it. But with just this information, I was able to figure out who he was. So we'll come to that later. But putting all of this together is made much simpler when they list it all out like this. You don't even have to hunt for anything. And you can see there's consistency in the name too.

So for the projects they had listed some of the common ones: Monero mining worm, which we've seen a couple of times already now. A PHP website to sell files for Bitcoin with admin panel, which sounds like the precursor to a ransomware data leak site. Batch file encryption tool sounds like a precursor to ransomware. And then a Minecraft texture pack, because it's 2024 at this point and you shouldn't be using the default textures of Minecraft. So, I appreciate the side hustle, too. He's like, "Check out my Minecraft texture pack." Looking at the redirects for the page to GitHub, you can see some of these projects go to a new GitHub

account that we hadn't been aware of yet, WNETMC. When you click on any of those, they will take you to the WNETMC, which will then redirect you to Sleser. So not only did we find the old Sleser repo that we didn't have access to anymore, but we can help confirm the WNET to Sleser relationship just a little bit more. Not that it was really necessary, but all the evidence you get, the more solid and robust your profile is going to be for this type of individual. And of course the project's intended for testing, research purposes only. This doesn't protect you. It doesn't

help you at all. But you see it quite frequently. It's always kind of funny. So, looking at the GitHub for Sleser CC, a lot of stuff pops up. Again, some of the familiar ones that we just saw on the project website: you have Zcrypt for potentially the ransomware side, Silent XMRig for the crypto mining, this SatoshiBox clone which is the PHP website, and you have an antivirus bypass. Looking at the git logs for some of these repos really helps again with the Sleser and WNET connection. You can see the author of the changes that were committed was Sleser, and they were using a WNET email address.

And then just one final Sleser nail in the coffin with the WNET connection there. On Hack Forums back in December of 2022, so keep in mind Cloak ransomware showed up in 2024, this is a couple of years ago, they said, you know, I've created a hacking group. Currently got five members. Somebody supplied the servers. We're basically looking to recruit people who can help spread a RAT. If you have that, here's our website, Onyx Security. Here's an address, and add me on Telegram WNETMC or Discord WNET. So definitely the same person, definitely related. If you're curious what the Onyx website looks like, we have a fairly basic

website, but this is again the precursor to the other ones that we saw. He likes his particular style. There were some additional commit leaks that we were able to find. So here we have the author as WNET, and then we have a different WNET email address, WNET2B and WNETMC. We also have a new username, Astro, which comes up a couple of times later. And then an email for sleser.cc; I don't know if it's valid or not, but contact. So all good stuff, but the real juicy stuff is looking at what was done in the commits. So in his profile page, if you start going through it year after

year, commit after commit, you start seeing him delete stuff, contacts that he has in there. And I don't know if it was a case where, as he's going further down this path of botnets and potentially ransomware and getting more and more into that side of the house, it dawned on him that having your Discord and your Telegram up there and some of these other things is probably not the best idea. So he tried to delete them, but we can still see them. These are all deleted: profiles, tons of wallets, a couple of website links. We have a Reddit account. Just googling any of these kinds of things, you'll get lots of results.

This is one of the Ethereum wallet addresses. You can see these are all posted by Astro Classic. So going back to that new persona, this Astro name, and [Laughter] thank you very much. All right, let's give this one a try. But going back to the Astro name, these are posts that were basically like, drop your wallet here and you have a chance to win whatever it is. NFTs, bitcoins, silly stuff like that.

Well, hold on. I've got one plugged in. Let me try this one and we'll see if this does the trick.

Okay. Looking for one of the Bitcoin wallets, we find a Bitcointalk forum post where the wallet address is being used to verify the individual, and Bitcoiner Matt, who signs his post as Matt. So that's always nice, right? It gives us a good indicator of who they might be, what their actual name might be, especially for something like this, because there's no malicious relation to this. They're on a Bitcoin forum. They're talking about crypto stuff in general. And this is just a regular forum account they have. And this goes back to 2020, so it's even a couple of years before some of that more nefarious activity that we saw comes up.

Reddit, wealth of information, tons of good stuff. Everybody's got to post their battle station. This guy is no different. So this is where he makes the magic happen. This picture, there were a lot of things that I was able to pull from it. It doesn't seem like it would have a wealth of information, but the mouse pad that he uses, you can't really see it here, shows up in other pictures for other accounts. The background that he uses is a background that shows up on other websites that he has created. Once I was able to figure out who he was and figure out where he lived, looking

at the outside of his house from Google Street View, you could even see that the windows matched up, right? So there's a lot you can pull from these types of images when you find them online. You really have to just analyze them, see what you can see. And then you get some more personal information, right? We have some potential locations: first time seeing Monero in public, Montreal, Canada. Seeing the exact same sticker in Montreal a few days ago. His mom wants to kick him out and send him to a boarding school. You know, it's life, but you start to get some insight into the person and who they

are and what they can do and what their motivations might be. It talks about there being no dispensaries in Quebec, stuff like that. Rolls his first joint, shares it with the internet. Don't make fun of his joint; everybody's got to start somewhere. So you start piecing all these things together, right? And in this one, he actually posts on his WNETMC account to Reddit a screenshot of Discord where it has the Sleser account. So again, at this point, we already know Sleser is WNET, but it just helps solidify it more. And you can also see other little pieces of information. He's on Virgin Mobile. He

really needs to charge his battery. You could probably piece together who they're talking to and maybe try and find that conversation somewhere. And also the profile pictures: again, the cat from WNET, but now used on Sleser. So he really likes his cat. This just covers what we've already uncovered. Speaks French, which, Montreal, Quebec, no surprise there. We have some life details. Brags about a lot of drug usage. This is like a small subset. When I said I had 65 slides, that was me trying to really cut it back

because this guy has just so much information out there, and once you pull on the string and you start unraveling it a little, it just becomes a tidal wave of stuff. Start looking at other profiles he has. This was his Stack Exchange profile. You can imagine the types of questions he might be asking on Stack Exchange. How can I automatically encrypt all file extensions using my batch tool? So this helps both contextualize and provide a time period for when this activity was occurring, where they were at in the process of it, what their abilities were. It actually had negative five

downvotes on it, which I thought was kind of funny. And if you read through these, it's a lot of stuff that is related to stuff we've already seen. He's trying to do PyCrypto, which could be related to trying to build some kind of ransomware script or something like that, hiding parts of source code, so on and so forth. I also found his Minecraft profile. At this point I realized MC is Minecraft. I hadn't pieced that together at first, although the Minecraft texture pack should have been a pretty big tip-off there. We can see some of his other account names he used. So in

this case, AstroClassic. This was again the one that we saw on Reddit and we saw on the GitHub commits. And he has even more socials linked on this particular profile, specifically Steam, which was good because it once again helps connect some stuff. Gamer. Going back to the Grognak stuff, the cat profile picture, he's at least consistent if nothing else, which is great. So I figured out Sleser and WNET are the same person, and we have what looks like a ransomware affiliate setup and some ransomware tools or just general malicious stuff. But I wasn't really sold on the Cloak connection, right? We know what the

Cloak onion DLS website looks like, and it looks wildly different from what this person is developing. So what is the connection there? I started looking at this in late 2024, and Cloak, like I said earlier, kind of came out of the gate. They had like 20 alleged victims. They were a Rust-based locker, so they kind of made some news. I was familiar with them, but I wasn't sold on the connections that I had built so far. And so I wanted to go back to the beginning: where did Cloak come from? When did it start? I was only somewhat familiar with it, so I wanted to understand more so I could try

to piece known things to this individual. So I start looking at all those forum accounts. I start trolling Telegram channels. I start looking for anything I can use to piece together who this person is. You can see a lot of choice messages from them. They state they own a ransomware team. They've got networks to encrypt. And then they also ask if anybody knows how to code in Rust, and again, the research was after the fact, so I know Cloak was coded in Rust. "We have an opportunity to make a couple hundred thousand." He talks about his Gold Brute RDP brute forcer. So we know it is

the same guy, and it's just kind of another piece of the puzzle. So I find the initial announcement post for Cloak ransomware. This was on UFO Labs, and it looks pretty straightforward. If you've seen one of these, you've seen them all. It's an affiliate promotional type thing where they're saying, "Hey, we've got a new ransomware-as-a-service that we've created." In this case, a highly efficient Rust affiliate ransomware program, and it has some basic information about it, right? It was written in Rust. It's a Cloak RaaS affiliate program. It has some other details. You've got to do an interview if you want to join up with them.

Here's a Tox ID. But as I'm looking at it, I'm like, okay, this is where Cloak is coming from, and I notice it wasn't posted by WNET or Sleser or anybody else that I had seen yet. It was posted by this account, Walkstar. So I'm sitting here and I'm like, "What the hell is Walkstar?" Was I correct in my assumption that maybe these are two different groups and they just had the same name? As you're building this evidence, it becomes less and less likely, but it's always a possibility. So you're always trying to challenge yourself and challenge your assumptions. And so in this case, I was

like, well, I've got to figure out who Walkstar is now and see if there's any relation there, which didn't take very long to figure out. You start looking at posts from Walkstar, and you see stuff like "Sleser moved $600,000," "Sleser made Gold Brute," "He's not a Bitcoin miner, he's a top-tier alpha male," which is definitely how you talk about people on the internet who you don't really know. And then he's begging constantly to unmute this guy. So I don't know what this guy is saying to get muted, but admins in all kinds of forums and Telegram channels are muting him. And he pivots over to this Walkstar account

to basically beg admins to unmute him. Says he'll shoot up an airport if he doesn't get unmuted. So I'm thinking, okay, this is probably Sleser. Looking at some of the information that Walkstar shares, you can see a lot of familiar stuff that we've already talked about. First, right, he used the cloak.su domain: it's the best for bulletproof hosting servers. So a little double-dipping there, pointing people to his business. He's from Montreal. His cat was on the keyboard, and we know his love of his cat. He's the most Canadian Canadian. And I really love this post on the RAMP forum. Another person on it called him out and

was like, "Hey, aren't you this Sleser guy? Isn't this just another alt of yours?" He's really bad at the multiple-personas thing. And then he's like, "I have nothing to do with this user. I've tried contacting the admins. They're ignoring me." So, spoilers, it's the same guy. But you start looking around and digging into all of their information, all of their posts, and it does kind of humanize them quite a bit. You start to feel a little empathy for them. In these screenshots here, you can see that at some point on June 4th, he stated that he lost all his money. He got

scammed by a fake crypto. It happens to everybody. A rug pull. It's $40,000, he stated. But you can kind of see what that has done to this individual, right? He's going from marijuana and shrooms to morphine. That's quite the escalation in substance usage, and you kind of feel bad for them because if you're at that point, it's really not a great place to be. You can see they were also looking for work. They had posted some of the skill sets they have: SEO, search engine optimization, if you want to rank your website higher. He could be a server admin, system

administrator. He can call your victims if you want. He could handle the negotiations for you. Works with WordPress, social engineering, you name it. He's open to new things. He'll do whatever you want. And so I was like, okay, I kind of understand the person, but then I noticed, if you take a look here at the timing of everything: he loses his money on June 4th. June 9th, he's looking for work. On June 9th, he also posts that he's selling a Rust ransomware-as-a-service, basically panel and malware. He doesn't call it Cloak in this, but it aligns with everything that we

know of Cloak, right? It has the Rust locker and unlocker, the PHP panel, the ransom note, and as time goes on he starts posting a little bit of additional information. You can see that the programmer he was working with is no longer working with him. Whether that's because they lost all their money or something like that happened is unknown, but we at least know that he's probably not the person who built the Rust ransomware. I mean, we know that from the post a couple of slides back where he was asking if anybody knows how to code in Rust. So this was likely the person

who signed on to it. You can see that 14 days after that he was saying the price was $50,000 and he'll accept payment in Bitcoin or Monero. He's got a possible sale in one hand, and for all purposes it seemed like Cloak was dead. It seemed like they had kind of gone away. They died out there. The victims started drying up. They weren't putting any new victims on their data leak site. And so I came in after this point when I was doing my research, and I'm like, okay, well, that was kind of the life cycle of Cloak. We were able to link it to

multiple aliases, multiple personas, and we kind of saw the rise and fall of it through this research. So as I'm going through and putting a lot of this together for a presentation: it's always good to review your work, but it's even better when you're putting it together in a slide and you have to tell somebody what it is, because you start to see things that you missed, and I saw tons of stuff that I had missed in the first run of a lot of this research. So where are they now? That Replit site that I mentioned earlier, WNETMC. Like I said, it had his name

right here. And if you just Googled his name and Canada, you got all of his other websites and profiles and stuff like that. He had a new alias; he's going by Troj. A new GitHub with some familiar-sounding services, right? Running hidden onion services. Cross-platform Rust-based directory and drive encryption utility. It's a mouthful. Tool to overwrite the MBR. He was in his second year of college. Apparently he dropped out. Had to move back in with his mom, who was charging him $100 in rent. And so there are like 40 posts on Reddit that he made asking if he was the [ __ ] for not wanting to pay this to

his mom. But he also says he has like $300,000 saved up. So, I mean, you're talking about $100 a month for your mom, but whatever. He had a new website, this trog.github.io. LinkedIn skills mirrored the looking-for-work post that I showed just a few minutes ago. He's got his Facebook, tons and tons of other profiles. Like I said, I had to actually cut a lot of this short because I was collecting so much information on this individual. It just becomes not as valuable. Well, it's a fun story, but it doesn't really push the value of negotiations with this individual, right? If you were

to engage with them, you're not really going to get anything more. So, looking at the Replit for WNET MC just to make sure that they are related: this one had links to some of the ones that we've already talked about and seen, and what his prices were for these. So Gold Brute he was selling for 150 bucks. Ztool 120, the cryptominer 120. And his malware spreading guides, 80 bucks if you want to buy those. You can also just get them for free off VirusTotal or some other websites. 25 high-quality guides and methods to spread your malware. So definitely the same

person, definitely the same account. This is what his personal website looks like. I love the pivot to the good guy: "I strive to make the internet a freer and safer place on a global scale. Proudly live in Quebec." Got a couple of other links here. Skills: Rust, PHP, MySQL, WordPress. Nothing here is shocking. This all aligns with what we've seen and what we know about the guy. This was one of the background pictures I was telling you about, where the battle station monitor background was the same as this post. So I actually found this through the Internet Archive. I had gone back, again, what I was talking about

when you're rebuilding these slides, you're going through, validating stuff, challenging your assumptions. And so I was looking at the historical representations of WNET Studio and all his other websites through the Internet Archive, and I found this one on WNET Studio, which again says he's from Quebec, writes code in a couple of languages that we're familiar with, fascinated with blockchain, loves Fallout, Minecraft, so on and so forth. So definitely good connections there, interesting stuff. His Instagram, he has a lot of pictures on it, as one does. And you could see the picture on the left, it's actually impossible to see from your

perspective, but it says "reseller area." This is probably, if I had to guess, where he's selling some of his tools. The mouse pad that I was mentioning from the battle station, you can see it in the background here. And then on the right, I absolutely lost it when I saw this. He was writing a document that says "Ransomware Prevention and Recovery as a Service, RPRaaS: a solution to ransomware as a service." So I can respect the pivot to protecting people now instead of doing other stuff. And that is it. So thank you guys.

I don't know how we are on time, but if there is time, I can do questions or I'll be around.