Living A.N.A.L.O.G. – Ransomware (Episode 10)

Oh, right. The acronym (Applied Nostalgia And Luddite Opinions on Gadgets)

Here’s a problem we didn’t have in the ’80s. Well, we almost didn’t have it.

In 1989 Dr. Popp (check the episode for my favorite joke here) thought money was cool and hated AIDS. And how did Dr. Popp address this issue? This dude formatted, labeled, looked up WHO contact info, enveloped, addressed, and stamped 20 thousand floppy disks to send to the AIDS researchers. Ninety reboots after installation, the files became encrypted and Ransomware was born. For $189 in cash or a little tech know-how (the key was in the code) you could get your files unencrypted. Or, like most people, you could just delete years of research and start over. Dr. Popp will always be remembered as the father of Ransomware and a dude who wore boxes on his head and nose condoms…oh yeah, and a butterfly sanctuary.

Now for a brief history following Dr. Popp’s lead.

  • GPCode (2004): Among the first global ransomware plagues spread via email, GPCode’s evolution toward strong RSA encryption signaled a new era of mathematically unbreakable digital extortion. (In 2004, I used my first Bluetooth headset attached to my indestructible pre-paid Nokia, and realized that I had taken the form of what George Carlin called “NAssholes”)
  • Archiveus (2006): This ransomware was among the first to use 1,024‑bit RSA encryption, virtually impossible to crack without the key. Unusually, Archiveus demanded “payment” in the form of purchasing prescription drugs online and providing proof—no cash or crypto. The story has a twist: security researchers eventually found the passphrase hardcoded in the malware, freeing all victims. And every attack had the same code to decrypt. (Ah, my first year in the Navy, man that was a weird choice)
  • CryptoLocker (2013): One of the first to use Bitcoin for anonymous payments and uniquely generated keys per victim, forcing each target to pay or lose their data—ushering in ransomware’s modern business model. (The year after I met Tim. I spent most of that year in a far-off country with little green. I came home and just stood in a grass patch outside of a gas station near the airport, the first grass I had seen in quite a while)
  • NotPetya & WannaCry (2017): These attacks made headlines for their sheer scale and impact. NotPetya was designed for data destruction and leveraged stolen government exploits, while WannaCry’s global rampage reflected the rise of ransomware-as-a-service and the exploitation of neglected vulnerabilities. (Hurricane Harvey, geez, what a sight. The following year, I chaperoned a trip of teens to go work on community projects in some Texas areas affected by the storm)

We’ve traveled a long way in Ransomware world. Seemingly every year something new comes out, and ransomware developers now pay decent money for bug bounties on their own ransom code. From mail-ordered malware to file-locking automation, every era introduced new hurdles for both victims and investigators. History proves: ransom tactics adapt—and so must we.

Double and Triple Extortion (side note: Double and Triple Extortion is how I feel whenever I deal with Insurance Providers)— It Gets Worse

Encryption is just the beginning. Modern groups up the ante by exfiltrating sensitive data, threatening public leaks (double extortion), and even launching DDoS attacks or targeting customers for yet more leverage (triple extortion). Check out Darknet Diaries Episode 159: Vastaamo to learn about how shitty this is and how it gets out of hand. (https://open.spotify.com/episode/2GrOQ1x3KKPStBhpTKlpFx?si=vx7p232GSXKH2rLLKoAwkw)

My Takeaways for OSINT and Cyber Defenders

(Listen to experts and people smarter than me.)

  • Track leaks and forums. Attribution can hinge on a stray username or linguistic habit.
  • Don’t rush to pay ransoms—demands escalate, and payment is no guarantee.
  • Patch, Patch, Patch, Patch. Only trust software from reputable, official sources—betas from sketchy sites are a massive risk.
  • Test your backups before disaster strikes. The “3-2-1” backup rule (three copies, two mediums, one offline) is your friend.
  • If handling ransomware samples or dark web dumps, use a virtual machine or air-gapped system—curiosity shouldn’t cost you your main device!
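The two backup bullets above (test your backups, 3-2-1) turned into a small check, as an added example that isn’t from the episode or the post: it flags 3-2-1 violations in an inventory of copies and proves each copy actually restores by hashing it against the source. The file names and media labels are constructed; `demo()` builds the scenario in a temp directory, including one copy that has silently rotted.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

@dataclass
class BackupCopy:
    path: str      # where this copy lives
    medium: str    # "disk", "tape", "cloud", ... (labels are hypothetical)
    offline: bool  # True if nothing on the network can reach it

def sha256_file(path: str) -> str:
    """Hash in chunks so a multi-GB backup never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_three_two_one(copies):
    """List the ways a set of copies falls short of 3-2-1 (empty list = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies on one medium (need 2)")
    if not any(c.offline for c in copies):
        problems.append("no offline copy (need 1)")
    return problems

def verify_restores(source_hash, copies):
    """'Test your backups': a copy only counts if it exists and hashes like the source."""
    return {c.path: os.path.isfile(c.path) and sha256_file(c.path) == source_hash
            for c in copies}

def demo():
    """Constructed scenario: one source file, three copies, one silently corrupted."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "research.dat")
    with open(src, "wb") as f:
        f.write(b"years of research\n" * 1000)
    copies = [BackupCopy(os.path.join(tmp, "disk.bak"), "disk", False),
              BackupCopy(os.path.join(tmp, "cloud.bak"), "cloud", False),
              BackupCopy(os.path.join(tmp, "tape.bak"), "tape", True)]
    for c in copies:
        shutil.copyfile(src, c.path)
    with open(copies[2].path, "r+b") as f:  # bit rot on the offline tape copy
        f.write(b"X")
    return check_three_two_one(copies), verify_restores(sha256_file(src), copies)
```

The policy check passes for the constructed set, but the restore test catches the corrupted offline copy, which is exactly the one you would be counting on after an incident.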

Check out Mitre (https://attack.mitre.org/) for updates and new techniques.

Now let’s talk about that b-ball player.

Daniil Kasatkin, a former Penn State player and Russian league vet, was arrested in June 2025 at Paris Charles de Gaulle Airport, at the request of the US, over suspicions he played a role as a negotiator for a major ransomware group. While both news coverage and OSINT researchers point toward the infamous Conti crew, US authorities haven’t officially named the group in filings.

Open-source reporting suggests Kasatkin was considered a “prime negotiator,” bridging victims and the ransomware gang during extortion attempts. In a move that sounds almost cinematic, his lawyer argued Kasatkin was so “useless with computers” that he couldn’t install apps or handle basic programs, and had only recently acquired the possibly compromised device involved. I’ve walked enough friends through BIOS to know how real that can sound—and just how suspicious it might look to investigators.

Wrapping Up

Episode 10 wasn’t just about ransomware or oddball suspects—it highlighted the weird, complex intersections between people, technology, and criminal opportunity. Whether you geek out on sports, cybercrime, or the twisted evolution of digital threats, OSINT can reveal just how strange and intertwined our world really is.

Kasatkin’s lawyer could have easily made some of those same arguments about me.

— Chris St. Germain
