AoC3#16: Ransomware Madness OSINT

After the non-challenge day where the Grinch had the day off, today is all about open source intelligence.

This challenge starts with a whole bunch of useful reading about OSINT, including Google Dorking, Clearnet / Dark net sources, as well as some standardised OSINT models.

We’re then given a block of what looks like Cyrillic text:

!!! ВАЖНЫЙ !!!

Ваши файлы были зашифрованы Гринчем. Мы используем самые современные технологии шифрования. Чтобы получить доступ к своим файлам, обратитесь к оператору Grinch Enterprises. Ваш личный идентификационный идентификатор: «b288b97e-665d-4105-a3b2-666da90db14b». С оператором, назначенным для вашего дела, можно связаться как “GrinchWho31” на всех платформах.

!!! ВАЖНЫЙ !!!

I dropped it into Google Translate and found it was indeed in Russian:


Your files have been encrypted by the Grinch. We use the latest encryption technology. To access your files, please contact your Grinch Enterprises operator. Your personal identification identifier: “b288b97e-665d-4105-a3b2-666da90db14b”. The operator assigned to your case can be contacted as “GrinchWho31” on all platforms. !!!


I was able to browse to a few social media sites and drop that username in the URLs. It didn’t take long to find the correct account (some spoof ones have popped up).

The topmost / pinned post contains a few details needed for a couple of CTF questions.

I then grabbed the Bitcoin address and struggled to get the challenge to accept it. It turns out I was copying the Bitcoin URL and not the link’s actual text. As it was all hex I didn’t spot they were clearly different.
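
The mix-up described above, a link whose visible text and href carry different identifiers, can be checked for mechanically when collecting evidence from a page. The following is an added example, not part of the original write-up: the sample HTML, the explorer.example host and the identifier strings are constructed placeholders, and treating any run of 20 or more alphanumeric characters as an identifier is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: a run of 20+ alphanumerics stands in for a wallet address or ID.
TOKEN = re.compile(r"[A-Za-z0-9]{20,}")

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means "not currently inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Return (shown_id, href_id, href) for links whose two identifiers differ."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        parts = urlsplit(href)
        shown = TOKEN.search(text)
        # Search only path and query so the hostname is never mistaken for an ID.
        target = TOKEN.search(parts.path + "?" + parts.query)
        if shown and target and shown.group() != target.group():
            findings.append((shown.group(), target.group(), href))
    return findings

# Constructed sample: placeholder identifiers, not real addresses.
SAMPLE = (
    '<p>Pay: <a href="https://explorer.example/address/'
    'AAAA1111BBBB2222CCCC3333DDDD4444">EEEE5555FFFF6666AAAA7777BBBB8888</a></p>'
    '<p>Same: <a href="https://explorer.example/address/'
    'CCCC9999DDDD0000EEEE1111FFFF2222">CCCC9999DDDD0000EEEE1111FFFF2222</a></p>'
)
```

Calling mismatched_links(SAMPLE) returns one finding, for the first link only; record both values in your notes, since either could be the one a question expects.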

Once I had tracked down where the Bitcoin address had been leaked, it was a matter of looking through previous editions of the content displayed to see the true owner’s email address and name.

With that, the OSINT component of the Advent of Cyber 2021 challenge was completed.

The next challenge, day 17 – Elf Leaks – awaits!
