Clipeus

"Going Insane" Ransomware: An Analysis Of Their Website



On January 17, 2024, a new ransomware group by the name "Going Insane" appeared on the cybercrime threat landscape, claiming a victim in Thailand. Intelligence concerning this group is still limited, with the actor's leak site being the primary source of information about this new cybercrime operation.


This post provides an analysis of the content of the website focusing on text and images. While these are not technical indicators, they may provide some contextual understanding of Going Insane's operations - what is the cultural background of the site administrator(s)? What language group do they belong to? What tooling do they use?


The analysis presented below offers a number of hypotheses that link Going Insane with a Russian-speaking group or individual. However, there is no conclusive evidence to support such a claim, which remains merely hypothetical.


Overview Of The Website


The website is built in HTML and presents English-language content only. However, whoever wrote the text is unlikely to be a native speaker. A few details are unusual and interesting:


  • The use of the word "hosten" for "hosted" may be a typo, unusual as that may be in such a central part of the website, right at the top of the homepage. Such a central area is likely to catch attention and be reviewed easily. However, the site has not been edited. Interestingly, "hosten" is the correct word for "hosted" in the Dutch language.

Typo On The Homepage Of the Going Insane Website
  • The website presents the image of a female anime-like character with a description of the ransomware features. The description consistently uses the preposition "in" where "across" or "on" would be more appropriate. This is an interesting and unusual idiosyncrasy which, nonetheless, does not necessarily help to identify a cultural group.

  • The same paragraph presents an additional peculiarity: two sentences end with quotation marks that were never opened. This may be consistent with copy-and-paste from a separate resource, potentially a text processor or a translator.

Language Idiosyncrasies In The Ransomware Description
  • The website presents many visuals, all anime-like. Most of them are unique; a reverse search reveals that only two of them have been reused across separate web resources. In particular, the image of a cat that stands at the center of the homepage was likely obtained from tides-of-the-ocean.deviantart[.]com. The second is the winged female sitting on top of the visitor count; this image was first published on February 7, 2008, on creathena[.]be, and has since circulated across various websites with multiple top-level domains (.gr, .ru, .uk, .com, .be, etc.).

Reverse Search Of Website Visuals With TinEye

YouTube Link To "fade awway°" Profile


The large winged female image referenced above is retrieved from a live YouTube video via the YouTube API. This video and especially its poster are very interesting.


YouTube URL and API Call In Website Source Code
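As an added example (not code from the original post or from the leak site), the sketch below pulls YouTube video IDs out of saved page source so that each can be recorded as a pivot together with the place it was found. The sample HTML, both video IDs and the URL shapes it looks for (thumbnail host, Data API `videos` call, IFrame Player `videoId`) are assumptions, since the site's actual markup is not reproduced here.

```python
import re
from html.parser import HTMLParser

# A YouTube video ID is 11 characters from [A-Za-z0-9_-].
VID = r"([A-Za-z0-9_-]{11})(?![A-Za-z0-9_-])"
# URL shapes below are assumptions; the site's real markup is not on the page.
PATTERNS = [re.compile(p + VID) for p in (
    r"youtube(?:-nocookie)?\.com/(?:embed/|v/|watch\?(?:[^\"'\s]*&)?v=)",
    r"youtu\.be/",
    r"(?:i\.ytimg\.com|img\.youtube\.com)/vi/",             # thumbnail hosts
    r"googleapis\.com/youtube/v3/videos\?[^\"'\s]*?\bid=",  # Data API call
    r"videoId[\"']?\s*:\s*[\"']",                           # IFrame Player API
)]

class PivotExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = {}            # video ID -> set of places it was seen
        self._in_script = False

    def _scan(self, text, where):
        for pattern in PATTERNS:
            for match in pattern.finditer(text):
                self.hits.setdefault(match.group(1), set()).add(where)

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if value:
                self._scan(value, f"<{tag} {name}>")

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._scan(data, "<script> body")

def youtube_pivots(html):
    parser = PivotExtractor()
    parser.feed(html)
    parser.close()
    return {vid: sorted(seen) for vid, seen in parser.hits.items()}

# Constructed sample; both video IDs and the API key are placeholders.
SAMPLE = """<img src="https://i.ytimg.com/vi/AAAAAAAAAAA/maxresdefault.jpg">
<script>fetch("https://www.googleapis.com/youtube/v3/videos?id=AAAAAAAAAAA&key=PLACEHOLDER");
new YT.Player("bg", {videoId: "BBBBBBBBBBB"});</script>
<a href="https://youtu.be/BBBBBBBBBBB">music</a>"""
print(youtube_pivots(SAMPLE))
```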

The video itself is a long musical soundtrack titled "Mental death // dreamcore mix | vol.2." The post is quite recent: it was uploaded to YouTube on November 5, 2023 at 13:05:02 UTC. The video was allegedly generated by artificial intelligence, according to what the poster claims, suggesting that whoever created the Going Insane website must be one of the 27K viewers.


YouTube Video Snapshot (Captured on January 20, 2024)

However, the YouTube account, leveraging the moniker "fade awway°," has quite unusual figures. For instance, this specific video - "Mental death // dreamcore mix | vol.2" - has over six times more views than the second most viewed video (4.7K views). Figures go down to 169 units for the oldest video posted on the channel.


Such a large number of views is inconsistent with a small following base (392 subscribers). If the YouTuber fade awway° used a bot to boost the visibility of the video, it is possible that the actual "human viewers" of the video were far fewer than 27K. Under this hypothesis, which remains unverifiable, the creator of the Going Insane page may be within the YouTube circle of fade awway°.


YouTube Profile (Accessed on January 20, 2024)

The profile image for the YouTube channel appears to have been obtained from safebooru[.]org.


There are apparent yet generic commonalities between fade awway° and the Going Insane website:


  • Japanese anime themes are predominant on the YouTube channel as much as on the Going Insane page. However, this is not uncommon, particularly within circles of anime fans, to which the Going Insane site creator appears to belong;

  • The timeframe of activity of the YouTube channel is recent enough, reasonably close in time to the development of the website, which is confirmed by the YouTube video linked on the website.


Russian Connection


While the YouTube profile "fade_awway°" claims an alleged location in Japan, the profile details offer a connection to a Telegram profile ("@fade_awway") with the Russian-language sentence "а может и радость," which translates to "and perhaps joy."


The YouTube Account Links To a Russian Language Telegram Profile

Other observations support the hypothesis that fade_awway° is in fact a Russian speaker; interactions with comments under the video suggest a Russian/post-Soviet cultural background. Expressions such as ":)" or ":(" are often shortened to ")" or "(", respectively.


Usage Of Typical Russian Slang

Russian as a native language may also explain the unusual expression "spread in the network" in the ransomware description on the Going Insane website. "Spread in the network" may be a literal translation of the Russian equivalent "распространение в сети," which would use "in" instead of "across" or "on."


The upload timestamp of "Mental death // dreamcore mix | vol.2," 13:05:02 UTC, corresponds to 4:05 PM Moscow Standard Time, which is a reasonable time of activity for an individual based in Russia. However, the same logic may be applied to cover a much larger geographical area.


Nonetheless, despite the commonalities and the unusual features that the YouTube channel and the Going Insane site share, there is no verifiable indication of shared authorship.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
