Today we will talk about Tugamer89.
Tugamer89 is a ransomware operator who has caused quite a few
problems for some companies. Just to be safe, I took some screenshots from his
BreachForums account that prove his malicious activities [breachforums.st/user-Tugamer89]:
https://ibb.co/gMkT6xq
https://ibb.co/qkP9r9z
https://ibb.co/8g6Tdrc
Tugamer89 has always used his ransomware to extort money from his victims;
its source code is available on his GitHub: https://github.com/Tugamer89/RansomTuga.
It's time to investigate, starting from his GitHub profile.
Analyzing some commits like [https://github.com/Tugamer89/Basic-Calculator/commit/9ce94b71251541d9a05b3400c812b29a69e6680f],
you may notice that the email is masked by the platform's privacy system:
From 9ce94b71251541d9a05b3400c812b29a69e6680f Mon Sep 17 00:00:00 2001
From: Tuga <61603718+Tugamer89@users.noreply.github.com>
Digging into the commits of the repository of his ransomware project called RansomTuga we find this:
From fcb80b8b8f5646d80097ae551469026a1c93b25e Mon Sep 17 00:00:00 2001
From: Tuga <saya.simo05@gmail.com>
Well yes, it looks like Tugamer89 forgot to cover his tracks.
Let's analyze the email now:
Checking the data leaks in which it is present, we find something very interesting indeed:
username email lastip regip
Tugamer89 saya.simo05@gmail.com 95.74.56.107 87.5.122.19

These data are present in the database of breached.to, the first version of BreachForums.
More evidence that confirms this: https://ibb.co/PwyS4pj
In his application to become a member of the BreachForums staff, in particular in the second question, you can
notice the piece that explicitly says he was an active member in Breached.to.
Let's continue investigating the email saya.simo05@gmail.com:
Doing some research, I found his Gravatar profile linked to it: https://gravatar.com/sayasimo05 - by the way, he uses the same alias and profile picture,
a very miserable opsec.
He does the same with his Google account:
Avatar: https://lh3.googleusercontent.com/a-/ALV-UjXZ6UMuyVCo7Hf3ss_oTLyjJj1Aue0dknomW_ZxsMeqobr5AAyF
ID: 105453839300115011704
Google Maps: https://www.google.com/maps/contrib/105453839300115011704
The Google Maps profile is really the key part in this report, because we can find some very interesting reviews:
In the first image he reviews the school, saying that it is the best in the neighborhood: https://ibb.co/gPqPLhn
In the second image, https://ibb.co/25kJsr5, he is located in a park with the same zip code as the school.
I think it is clear that he attended Lucarno Mermi middle school in Via Mogadiscio, 67, 16141 Genova GE, Italy, and that he
lives in the same neighborhood as it, in fact in the second photo you can see his position in the Parco Giochi Di S. Eusebio
in Via Val Trebbia, 16141 Genova GE, Italy. I think Tugamer89 lives in a very narrow range from his school.
The school is a key point that confirms his approximate age linked to "05", translated "2005" easily found
in his email.
saya.simo05@gmail.com registered on:
> academia.edu
> adobe.com
> deezer.com
> dropbox.com
> gravatar.com
> instagram.com
> picsart.com
> pinterest.com
> spotify.com
Also found connected with Skype under the name "Il Simo Saya" and ID 'live:.cid.4a281b6ffe22d273'.
The phone number linked to the email ends with 99 [*** *** **99 / assuming it's his real phone number, being Italian the prefix should be "+39"].
We investigate IP addresses 95.74.56.107 & 87.5.122.19:
1st IP 95.74.56.107:

{
    "ip": "95.74.56.107",
    "country_code": "IT",
    "country_name": "Italy",
    "region_name": "Lombardia",
    "district": "Citta Metropolitana di Milano",
    "city_name": "Cagnola",
    "is_proxy": false,
    "proxy": {
        "last_seen": 0,
        "proxy_type": "-",
        "threat": "-",
        "provider": "-",
        "is_vpn": false,
        "is_tor": false,
        "is_data_center": false,
        "is_public_proxy": false,
        "is_web_proxy": false,
        "is_web_crawler": false,
        "is_residential_proxy": false,
        "is_consumer_privacy_network": false,
        "is_enterprise_private_network": false,
        "is_spammer": false,
        "is_scanner": false,
        "is_botnet": false
    }
}
2nd IP 87.5.122.19:

{
    "ip": "87.5.122.19",
    "country_code": "IT",
    "country_name": "Italy",
    "region_name": "Liguria",
    "district": "Provincia di Genova",
    "city_name": "Genova",
    "is_proxy": false,
    "proxy": {
        "last_seen": 0,
        "proxy_type": "-",
        "threat": "-",
        "provider": "-",
        "is_vpn": false,
        "is_tor": false,
        "is_data_center": false,
        "is_public_proxy": false,
        "is_web_proxy": false,
        "is_web_crawler": false,
        "is_residential_proxy": false,
        "is_consumer_privacy_network": false,
        "is_enterprise_private_network": false,
        "is_spammer": false,
        "is_scanner": false,
        "is_botnet": false
    }
}
Well, both IP addresses are not masked and both point to Italy, in particular the second one ["district": "Provincia di Genova", "city_name": "Genova"],
which confirms my previous theories.
Returning to the email saya.simo05@gmail.com we find this: [Saya, Simo]
Doing some research, I noticed that "Simo" could be the abbreviation of a very well-known name in Italy, Simone.
As for Saya, it doesn't seem very Italian for a surname, so it could be fictitious or an Americanized form of "Saia", an
Italian surname.
Further evidence confirming his Italian origins can be found here: https://github.com/Tugamer89/RansomTuga/blob/master/RansomTuga/RansomTuga.rc
Conclusions:
Tugamer89, despite having committed cyber crimes such as destruction and data exfiltration with the related blackmail, did not
think about covering his tracks.
Let's recap by saying that Tugamer89 is called Simone/Simo, he was born in 2005 and attended the Lucarno Mermi middle school in Via Mogadiscio, 67, 16141 Genova GE, Italy,
most likely he lives in the same neighborhood in a very narrow range that goes from the school to the Parco Giochi Di S. Eusebio
in Via Val Trebbia, 16141 Genova GE, Italy.

- Report developed by Deanon Inc.