Advent Of Cyber 3 - Day 16

Posted on Dec 16, 2021
tl;dr: OSINT

The happy festival company has some ransomware issues, and there’s a note that reads:

!!! ВАЖНЫЙ !!!

Ваши файлы были зашифрованы Гринчем. Мы используем самые современные технологии шифрования.

Чтобы получить доступ к своим файлам, обратитесь к оператору Grinch Enterprises.

Ваш личный идентификационный идентификатор: «b288b97e-665d-4105-a3b2-666da90db14b».

С оператором, назначенным для вашего дела, можно связаться как "GrinchWho31" на всех платформах.

!!! ВАЖНЫЙ !!!

When put into Google Translate, it says:

!!! IMPORTANT !!! Your files were encrypted by the Grinch. We use the most advanced encryption technology. Contact your Grinch Enterprises operator to access your files. Your personal ID is “b288b97e-665d-4105-a3b2-666da90db14b”. The operator assigned to your case can be contacted as "GrinchWho31" on all platforms. !!! IMPORTANT !!!

We can’t do much with the personal ID, but the contact handle, GrinchWho31, is something we can look up to find out more.

One favourite tool for this is Sherlock, which checks whether a username exists on a long list of sites:

sudo apt install -y sherlock

└─$ sherlock GrinchWho31
[*] Checking username GrinchWho31 on:
[+] CapFriendly:
[+] Coil:
[+] Facenama:
[+] Fiverr:
[+] Keybase:
[+] Reddit:
[+] Tinder:
[+] Twitter:

There are some false positives (Sherlock reports a hit whenever a site’s response looks like an existing profile, so every hit needs a manual check), but on Reddit he popped up, and on Keybase and Twitter as well.

Twitter is the answer for the social media platform we’re after.

Cryptographic identifier for the operator: 1GW8QR7CWW3cpvVPGMCF5tZz4j96ncEgrVaR, which is shown on the Twitter page.

Platform for the crypto-identifier: Bitcoin.

The Twitter page also shows the address bc1q5q2w2x6yka5gchr89988p2c8w8nquem6tndw2f; the bc1 prefix is the bech32 (native SegWit) Bitcoin address format.
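A safer way to pin down the platform is to validate the identifier rather than go by its prefix: a string that merely looks like an address can be a typo or a decoy, and attribution should rest on something that actually checks out. The script below is an added example, not part of the original write-up or of the challenge; it implements the standard Base58Check and bech32/bech32m checks from Bitcoin's address rules (BIP173/BIP350) with the standard library only. The function names (classify, segwit_decode, base58check_decode) are my own, and the sample inputs are constructed: the BIP173 test vector, the genesis-block address, and a copy of each with its last character changed. It makes no claim about the two identifiers above; pass them to classify() to see how each decodes.

```python
"""Added example (not from the original write-up): classify a string as a Bitcoin
address type by verifying its checksum instead of trusting the prefix."""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3

def base58check_decode(text: str) -> bytes:
    """Return the payload (version byte + body) of a Base58Check string, or raise ValueError."""
    value = 0
    for ch in text:
        if (digit := B58.find(ch)) < 0:
            raise ValueError("character outside the base58 alphabet")
        value = value * 58 + digit
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw  # each leading '1' is a zero byte
    if len(raw) < 5:
        raise ValueError("too short for a payload plus 4-byte checksum")
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("base58check checksum mismatch")
    return payload

def _polymod(values):
    # BIP173 checksum polynomial over 5-bit values
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def bech32_decode(text: str):
    """Return (hrp, 5-bit data without checksum, 'bech32' or 'bech32m'), or raise ValueError."""
    if text not in (text.lower(), text.upper()):
        raise ValueError("mixed-case bech32 string")
    text = text.lower()
    sep = text.rfind("1")
    if sep < 1 or sep + 7 > len(text) or len(text) > 90:
        raise ValueError("bad bech32 separator position or length")
    hrp, body = text[:sep], text[sep + 1:]
    if any(c not in BECH32 for c in body):
        raise ValueError("character outside the bech32 charset")
    data = [BECH32.index(c) for c in body]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = _polymod(hrp_exp + data)
    if const not in (1, BECH32M_CONST):
        raise ValueError("bech32 checksum mismatch")
    return hrp, data[:-6], "bech32" if const == 1 else "bech32m"

def segwit_decode(text: str):
    """Return (hrp, witness_version, witness_program) under the BIP173/BIP350 rules."""
    hrp, data, encoding = bech32_decode(text)
    if hrp not in ("bc", "tb") or not data:
        raise ValueError("not a mainnet/testnet segwit address")
    version, acc, bits, program = data[0], 0, 0, bytearray()
    for v in data[1:]:  # regroup 5-bit values into bytes; leftover padding bits must be zero
        acc, bits = (acc << 5) | v, bits + 5
        while bits >= 8:
            bits -= 8
            program.append((acc >> bits) & 0xFF)
    if bits >= 5 or (acc << (8 - bits)) & 0xFF:
        raise ValueError("invalid witness program padding")
    if version > 16 or not 2 <= len(program) <= 40:
        raise ValueError("witness version or program length out of range")
    if version == 0 and (encoding != "bech32" or len(program) not in (20, 32)):
        raise ValueError("witness v0 must be bech32 with a 20- or 32-byte program")
    if version != 0 and encoding != "bech32m":
        raise ValueError("witness v1+ must use bech32m")
    return hrp, version, bytes(program)

def classify(identifier: str) -> str:
    """One-line verdict: which Bitcoin address type this is, or why it is not one."""
    try:
        if identifier.lower().startswith(("bc1", "tb1")):
            hrp, version, program = segwit_decode(identifier)
            net = "mainnet" if hrp == "bc" else "testnet"
            if version == 0:
                kind = "P2WPKH" if len(program) == 20 else "P2WSH"
            else:
                kind = "P2TR" if version == 1 and len(program) == 32 else f"segwit v{version}"
            return f"bitcoin {kind} ({net})"
        payload = base58check_decode(identifier)
        if len(payload) != 21:
            return f"not a bitcoin address (payload is {len(payload)} bytes, expected 21)"
        kinds = {0x00: "P2PKH (mainnet)", 0x05: "P2SH (mainnet)", 0x6F: "P2PKH (testnet)", 0xC4: "P2SH (testnet)"}
        return "bitcoin " + kinds.get(payload[0], f"unknown version byte 0x{payload[0]:02x}")
    except ValueError as exc:
        return f"not a bitcoin address ({exc})"

if __name__ == "__main__":
    # Constructed inputs: the BIP173 test vector, the genesis-block address,
    # and a copy of each with its last character changed.
    for s in ("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",
              "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"):
        print(f"{s}: {classify(s)}")
```

Running it prints one verdict per input. The corrupted copies are rejected by the checksum, which is the point of doing it this way: a single substituted character is detected in either format, so an identifier that fails here should not be used to tie an operator to a wallet.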

The Bitcoin address can also be found on GitHub, and the earlier commits in that repository reveal more information:


Operator’s personal email:

Operator’s real name: Donte Heath