
GF - The B-side that no one sees: the ransomware that never reached mainstream popularity

BSides Las Vegas | 56:06 | 76 views | Published 2024-09
About this talk
Ground Floor, Wed, Aug 7, 20:00 - 20:45 CDT

There are two inevitable things in life: ransomware and taxes. Threat actors are always lurking to make a quick buck by deploying ransomware in companies. While specialized media and security researchers focus on attacks by prominent groups like LockBit (it's still alive!), and quickly start analyzing the malware, conducting reverse engineering, publishing their findings on vendors' blogs, and presenting talks at major events, countless other threat groups are carrying out their attacks stealthily. Likewise, there are a multitude of other ransomware groups that have never collected the reward or the glory, despite all the efforts they have made. Some, for lack of money, experience, or even laziness, rent or buy a "Lego" for custom construction, also known as builders, that are nothing but a copycat version of other malware; others conduct attacks that look like ransomware and act like ransomware but are not. In this talk, we will discuss these dark ransomware attacks that never succeeded. Why? Discussing unknown ransomware is essential for proactively understanding the evolving threat landscape and equipping cybersecurity professionals and organizations with the knowledge to defend against a wide range of potential attacks.

Speakers: Mauro Eldritch, Cybelle Oliveira
Transcript (en)

Hey everybody, thanks for being here at this time, almost 6:00 PM. I know everybody wants to party. Thank you. My name is Cybelle. I know it's not so common here, Cybelle. I work with cyber threat intelligence in Brazil. Wow, I'll talk about this later. Of course my first language is not English, it's Portuguese, so if I say something weird please let me know, because this way I can learn. Well, let's introduce him.

Thanks. Well, my name is Mauro. I work in cyber threat intelligence as well, but in Uruguay, for different companies. So I'm glad that you are here today. Thanks for taking the time to attend this talk, and I hope you really enjoy it. And if you want to make a lot of money in ransomware, this is not the place, so if you want to get up and leave, that's totally fine, that's fine, don't worry. We can talk about this later, after this, you know, but you can DM me on... Yeah, it's recording right now, it's better not. Okay.

So, again, the name of our talk is "Ransomware B-side". What the hell is going on here? It's "B-side" because, BSides, so we remember the music discs. So on every slide there is a different name of a song, mostly songs I like.

Well, we'll talk about some ransomware that's not the biggest one, like Babuk or LockBit or others. We want to talk about the not so famous ones, you know, like the ones that never got there; some look like ransomware, act like ransomware, but are not exactly ransomware; and others have very cool names. For this one we chose... what is this? Okay. Hackers with tech problems, happens all the time. Sorry. Okay.

So as I said, my name is Cybelle, I'm from Brazil. I explain what I do to people: oh, I work with cyber threat intelligence. What is this? It's like the Gossip Girl of malware. I have to see a lot of this drama, what is going on, and tell my boss: okay, this is happening, and now I have to do this, this and that. Basically this is what I do. And now, hey.

Well, my name is Mauro. I'm not well known for my job in the ransomware field, like interviewing groups and the like. I'm mostly known for researching North Korean APT groups. I actually once stole a sample from a North Korean campaign and it was named after my first submissions, and I actually started working more on that part of threat intelligence. But I'm from Argentina, I work in Uruguay, and I'm currently leading the Bitso Quetzal team, which is the first Latin American threat research team focused on Web3 threats, drainers, organized cybercrime, APTs targeting the crypto space, and so on. Okay.

I love cats. For this there's a lot of cats; that's the explanation behind the cats. Also, the mainstream ransomware strains that you will see named here, if the tech wants to cooperate... Exactly what we are going to talk about here. I want to make a difference between organized ransomware groups, ransomware-as-a-service, commodity ransomware, or in simpler terms ransomware for rent, and even non-ransomware data extortion or other kinds of data theft. Actually, you will see these names; they probably ring a bell in your mind. LockBit: we ended up with Operation Cronos and a certain skirmish against law enforcement agencies. BlackCat, who just picked up the bucks and ran away with a lot of money from affiliates. REvil, Conti, NetWalker, Eastern European legends. Actually Babuk and Rook, something that worked pretty well at first on the ransomware scene but had certain failures that prevented them from decrypting the victims that paid the ransom, so that basically was the end of it. After that, the source code for a builder of Babuk was leaked and a lot of groups started building ransomware on top of Babuk, which was actually flawed and was unable to decrypt victim files, creating a new strain of different ransomware brands that were not actually up to the game of decrypting whichever victim paid the ransom. And we have other ones like Hive, which was just disbanded a few months ago, and others which are still at large. But this is not about them, but about other groups that actually didn't make it to the headlines.

So the first one, of course I love, is HelloKitty, because I love cats. Oh my god, this is not cooperating, sorry guys, I don't know what's going on. Okay, cables. Okay, so what happened with HelloKitty? They are known because they hacked this company and leaked Cyberpunk and Witcher 3 a few years ago, so it was a big scandal at that time

because, oh my gosh, what happened? You know, this was supposed to make a lot of money with these games. I don't play games, so for me it's whatever, something else. And they said: okay, we want your money. The cable is really not cooperating. And this ransom note said: okay, it's a big pwn, so I want your money, or of course we release this or sell it to the other companies and things like this, so I need your money, pay me now. Okay, you have 48 hours to pay me. And they said hmm. So what happened is they tried to sell on XSS, which is a Russian forum: okay, I'm selling this CD Projekt Red stuff, I don't want so much money, that's it, who wants it, please let me know. But the thing is, the competitors, the companies, didn't want to buy, because it would be illegal for them to release this, so they said no, no, I don't want to buy, it can be a big mess because these are very famous games. I guess, who plays this? Let me know. So, not so sure about this. And then the guy said: okay, now I got an offer, so I sold it, I'm satisfied with this, and the condition is they will not distribute it around. So okay, no one needs to know now.

Okay, is this working? Okay. So they sold it, but what happened later: the FBI accidentally revealed that the HelloKitty ransomware gang operated with this, and wow, what's going on now? Okay, this is hard, the cable is not cooperating. Okay, this is all LockBit's fault. Yes, you have this on the... Yep. So the FBI found, while they were investigating, during an investigation, they found this ransomware, and of course it's zipped, all the ransomware is zipped. So they said: okay, if the FBI found this, let's release everything, the games, some Cisco stuff; they leaked it, and of course the source code of the ransomware, I mean, so it's everywhere, so people could copy and reuse it like open source, basically, for everyone. And then they thought: hmm, who is Gookee now? The guy who supposedly was the big boss of this ransomware, one of his nicknames was Gookee, and he said: okay, I don't want this anymore, so I will rebrand myself and be now HelloGookie. And because these games were found recently, I guess in the beginning of this year, they released everything and compiled the games for everybody to play. So the guy said: okay, it's here, this is the password, because these files were locked with passwords, and that sucks, because of course the company, when they developed this game, they locked it with a password, so now they have all the passwords, everything is released. And of course the guys from VX Underground said: okay nerds, go ahead, you can play now, someone compiled the game so you can play that for free.

But then he rebranded HelloKitty to HelloGookie, and now: okay, I'm looking for someone to operate with me, but you must have the ability to speak English, because we are going to do some kind of calls, you know, you call people and ask for money, and you must do some OSINT as well; you have to be very good at OSINT. So we need this, so if you don't have a job we can always look in these forums, because there's work for everyone; it's easy, pays well, sometimes they pay with some part, a percentage. So this is good. Okay, now another ransomware:

Cuba. Well, something very specific about this ransomware: they have just one file without additional libraries. The samples that were found have a timestamp, and they always change the timestamps, so it's 2020 but now it's 1992, what the hell? This is very good actually, I think it's very smart, because if they change the timestamp it's hard to do, like, reverse engineering, you know, to find something. But the encryption is good as well, because it's hybrid encryption, so it's kind of hard, you know, to break this. So these are the main different things they have in the Cuba ransomware, but there is more. Of course there's Castro and Che; they are from Argentina. This is weird, people... sorry, Argentinians. And when they leak... sometimes I forget, I have to translate in my mind from Portuguese to English and sometimes to Spanish. They leak the files if the company doesn't pay: okay, this is for free, you can use it as you want. Very beautiful here, as you see, very artistic, you know, like a painting like this, I think it's beautiful. But they also have paid content, you can pay for this. Not anymore; we tried to find this online on their website but we couldn't. But then what they did: okay, we are tired of this name, so now we are V is for Vendetta. They rebranded, but the modus operandi is the same. But what we found: the first name of Cuba was COLDDRAW, but then they rebranded to Tropical Scorpius, not happy with this, now they are Fidel, and then Cuba, and now V is for Vendetta. But now they don't exist anymore; maybe they rebranded, we don't know what name they are using. But they use the RomCom backdoor, and all the information is sold on the Industrial Spy marketplace, which doesn't exist anymore. But this Industrial Spy marketplace started to... oh, okay, I want some money as well, so why not, we go to ransomware too; we are attacking using ransomware, but they still use the Cuba malware and the Cuba ransom notes. And then Industrial Spy now officially is a ransomware group, they are threat actors, and then they rebranded to a new one and they named it Underground. But the RomCom backdoor became a threat actor too, and they use this RomCom backdoor, and it is used as well by Underground. I mean, everything is connected; we can do this like forever. I think all the threat actors are connected; we can find this really, really easily, because the same modus operandi, the code is similar, how the encryptors are

similar. So kind of. And as you see, every slide has a different name of a song that is connected with the name of the ransomware. This one, I don't know what the band is, but it's in Spanish and talks about Havana. So now it's you, talking about Hitler.

Yes, this is the name, Hitler, yeah. When I go to the darkest part of ransomware, and even it's like bordering on not ransomware at all, there was a ransomware named after the infamous dictator Hitler, and it actually was a pretty weird part of malware history and of real history as well. But Hitler ransomware was Germany-based, it contained strings in German, but actually the infection chain was pretty, pretty raw, pretty dull: it was a .bat file which then executed a VBS script, then ran an executable file and then another executable file. Absolutely messy, noisy and easy to catch. But here's the point: this ransomware asked for payment not in crypto but in Vodafone phone cards, and there's a specific strain that asked for another type of phone card as well. The point is that it does not encrypt anything; it actually renames your files, it tries to take down the extensions, so you end up with a file not being associated with anything to open it with, even the executable files. Then it displays a fake window saying something like "I can't find the file", and you're wondering, what the hell, where does this window come from? And that's when, behind the scenes, the script runs and changes your extensions. It just messes up your extensions, places a, I think, 24-hour countdown, and then asks for the Vodafone code in order to restore everything. If not, it acts just as a simple wiper. Actually, this one has three versions: "Ransonware", with the n misspelled, which is the first one; Hitler 2, which is actually called K xpi; and the third one, the final one, which is wonderfully called Final Solution. So this is despicable from every single point of view. Here you can see the infection chain: you have the actor, a .bat file with a random name, the VBS which will send the fake alert, the ransom note, which is actually an executable file, and you can see traces of Visual Basic everywhere, like super basic, and then the wiper, which masquerades itself as Firefox. Here you can see the complex engineering behind the ransomware: it's just a .bat file renaming other files, and then if you don't pay it will just wipe everything. That's it.

Now we're going to move to another type of ransomware. You may remember that in the first minutes of this talk I wanted to make a difference

between RaaS, ransomware-as-a-service, or consolidated ransomware groups, organized cybercrime ransomware groups, and commodity ransomware. Commodity, or takeaway, ransomware is a kind of ransomware that you rent: you just buy a version, you rent a builder for a specific amount of time to be used. You're just part of a scheme but not as an affiliate, you're just a client: you have the right to download the software, to make certain modifications, and even to receive updates and even professional support 24/7. So you're basically buying a product, a malware product. The difference in this scene is that you will have a lot of offers from different developers and builders; some are better than others, some are just trash.

But we will start with some of the cases that almost made it to history, like Hermes. As you can see, this is a little bit more elaborate than the last one we saw: an HTML ransom note asking for crypto. It's a little bit more developed, but actually Hermes was sold on forums publicly. It uses just plain RSA encryption and encrypts everything with the .hrm extension. The infection chain is super simple: optionally you will have a macro-enabled document, and where do you find this kind of document? In phishing. Then it will download an executable file which will encrypt everything and drop the ransom note. Pretty simple so far, but then Hermes was first associated with the Lazarus group, and it was seen in a Taiwanese bank attack which was pretty successful some years ago. But then it was found that Hermes had been on sale for a long time on forums, so it may be that Lazarus just had a hold of a sample, bought a sample, stole a sample, or actually... it's hard to believe that they had put it up for sale. And it was labeled as a Ryuk predecessor. This is interesting; here you can see certain similarities between the two, made by Check Point Labs, but there are two main differences here, not in the code, in the operation. You can find Hermes, if you backtrack into history to 2017 and around, you will find a lot of victims of Hermes: big business, small business, simple mom-and-pop shops that should not fear ransomware at all. And then if you go to Ryuk you will find only high-profile targets, or mostly high-profile targets. Why? Because of the difference in the operation model.

On the left you can see how a RaaS program works, some details more, some details less; this is not a Bible, this is not holy word, so some things can change. Basically, when you join a RaaS program you will have a support team, a dedicated leak site, dedicated developers for the project, dedicated cryptographers, whatever you want, it depends on the size of the project. Then you will have a victim. You will have your own builder to build your own ransomware strain, which is tagged, which means it's tagged so that if it leaks somehow they will know it can be traced back to that affiliate in particular. This is used mostly for security, for opsec reasons. Let's say that you are part of a RaaS program and you encrypt someone, then you ask for payment. You will have a unique crypto address, be it Bitcoin, Monero, whatever you want. You receive the payment; the victim pays to that address, but it doesn't pay to the affiliate, that account is not under the control of the affiliate but under the RaaS administrator's control. Once the money is received, a share will be sent to the affiliate. This is how an organized group works. Now, do you remember what happened with BlackCat? They just pocketed 20 million, 20 grand, from a victim and ran away, and the affiliate said "they just scammed me". The affiliate said that because the affiliate didn't have the money at any point of the process; it was meant to receive the money at the end of the transaction, it was the last person on the chain, and didn't receive it a single time. That's how BlackCat set up their exit scam.

Then you have what we call, let's say, commodity ransomware, takeaway ransomware. You have a ransomware developer that can sell you the source code, can sell you a builder, that can rent you the product for a specific amount of time, and then you are in charge of everything in the operation. You just go and encrypt somebody. In your builder, most of the time you have all the options to set up the ransom note, the payment address, even the icon and the extension that you want to encrypt the files with. Now we have Chimera, another commodity ransomware. As you can see, again we have a

more developed ransom note asking for crypto, not for Vodafone cards. Again, super easy encryption, super common to use. Again, the infection chain is super simple: it can be sent via phishing emails with a macro; it will download an executable file that will inject two libraries and then execute the encryption. It was believed to be the first one to threaten people to leak their files online, the double extortion method; it is believed to be the first one. And it's the first one to use Bitmessage as a C2 server. And when it started offering an affiliate program, the share was 50/50, which is not commonly seen today; it's mostly around 70/30. As you can see, this is the infection chain; only one of the files contains encryption mechanisms, which is coded, and then the magic happens. Now back to you, with TeslaCrypt.

Well, TeslaCrypt was first detected in 2015, so kind of a long time ago, no? Because the way it attacked is different from the other ones: they generate a new one with a unique Bitcoin address and a private key every time they encrypt, but the encryption scheme is based on AES, a very good encryption algorithm, and every time the malware is executed... I'm sorry, I'm too tired and I forgot English, the word is in English. So there's a different encryption, a different key, different everything. But they don't encrypt larger files, just small ones, and they communicate via a public Tor web service to your C2, and that of course was located in the Tor browser, and they delete the shadow copies. But the thing is, what do they encrypt? Games. You know, the young people who play games on computers, like Steam, people use an account, this kind of thing. They target not people in cyber security or big companies but regular people that don't know anything about cyber security. So can you picture, like, a 15-year-old guy playing games, and then "what the hell is happening, you know, what is this, I don't know what to do..." But it's very valuable, you know, the passwords saved in games, or pictures in their computer, or what else a teenager can have there, or even grown-ups or whatever. So they pay. It's like, back in the time one Bitcoin was like $500, something like this; it's not that much at that time but it's not nothing, you know, $500 for something you're not supposed to do. But first they used TeslaCrypt and tried to copy other crypts, so this first one is the... they have many, many, many versions of the same ransom note, many, many. They tried, but the first encryption was really weak, they had a hole in this, how to decrypt the file, so of course our researchers found this and thought, for everybody: okay, this is how to decrypt, and then lots of people didn't pay. But the group said: oh, there's something wrong here, let's modify this, because we have to be stronger, you know, improve or secure it. Because even threat actors have holes in their security, and many, many have opsec fails, so for this we can find these threat actors. So here TeslaCrypt, and then they changed the script note mode to an HTML page, no? But they also mimicked CryptoWall 3.0, that was a big thing back at that time, so everybody was super scared of CryptoWall, and they said: oh, if we pretend we are them, people will be scared and they will pay us anyway. Just a silly thing, just to fool people. This is the next: easy, super easy, but they used Flash and Java. Of course there's a lot of problems with Flash and Java; for a long time everybody said don't use this because it has many, many flaws, and they used an exploit kit named Angler. Angler, I found out, is a real fish, a very ugly fish, a terrible fish. And this was the thing back then, you know, the very good exploit kit, and it was one of the first to use zero-days. This is really important, because they can use this as a very simple technique, but they could use zero-days too. So wow, lots of groups started to use this exploit kit and others, you know, but this was the main one in 2015. This threat group didn't last much, but they had... it was a big chaos among the people, you know, because it was regular files, nothing, just pictures that have sentimental value for everybody, or saved games, or, you know, things like this. This is the

master key the researchers found. They said: okay, you can use this to decrypt. But only 50 people could decrypt with this, and of course they lost a lot of money, and they rebranded and rebranded again and again and again to make money, of course.

This one, this next ransomware, they act differently too. As you can see, all these ransomware groups have a very peculiar method, you know, or in the code, or in who they target, so for this they are very fun to research actually. Qlocker just attacked QNAP, only this, that's it, nothing else, just QNAP. They look for, with Shodan, what's exposed to the internet and try to see: oh, let's exploit this vulnerability, that back then was a zero-day. So they started to exploit this over and over and over, just this HBS 3, just this for now. But what they did: they encrypt using 7-Zip. I mean, it's very... how? Why? This was simple, you know: they put this in a zip archive and that's it. They have the password and say: okay, you pay me and of course I give you the key. But we never know what really happened. And then the ransom note, they put: okay, you have to do this and that to transfer money. For this it is very important: so they found the zero-day, started their attack, but it takes a little longer, you know, for QNAP to find this and patch, or at least mitigate this, and of course no one, you know, mitigates or patches, and at that moment we know how this works, you know: who works in companies, we know it's not always easy, you know, to do something in production, patches in production. So yes, so when you check on Shodan at that time, a lot of people, you know, were attacked, and they conducted this... the exposure was worldwide, mostly here in North America and in part of Europe, but there is NAS, this is very widely used, this equipment, NAS, and QNAP. Oh, and they search for this port, 443, this is important too, and 8080 open, and other instances as well. Here is how the encryption is: so we need to enter the password for the decrypt, and then, okay, now put here the transaction that you paid for this, and voilà, it's done. This is very unique, you know, and not so ransomware-like.

What happened is they are different in many, many ways. This is my favorite for some reasons: their name is Malas, like "the bad ones", but it's female, you know, Malas, so like "the bad women", something like this.

Supposedly they come from Latin America; supposedly, we never know why. They actually encrypt the files, they ask for ransom, but they don't want the money for themselves: okay, we like money, but the world is full of billionaires, they don't care about the world, the world sucks, people are starving, they are destroying the world. So they target only rich countries, not Latin America or Africa as a continent, nothing. You see United States, Europe, Russia and places like this. They target many, many types of sectors, that's okay, but they also only attacked Zimbra, the email server, that's it. They exploit some CVEs, but in Zimbra, only in Zimbra. So their encryption is kind of military, hard to decrypt as well, as you can see here. So here they explain: your files have been encrypted with AES military-grade encryption. They explain how they do this, how you can recover, how you can contact them, blah blah blah, the same as every ransomware group. And they have this, they still have this blog on Tor, on the Tor browser. They attacked last year, so, defaulters, that is, they attacked many, many companies, and there are, I think, 200 companies, and then this is very specific: Agrícola San Felipe, Fort Hollings collection agents, and Harita group. What they say here: oh, we offer a simple deal, you pay to get the decryptor and everybody is okay. So don't ignore us, we want your money, or we publish this, you know, all your files, we leak it from there to journalists, to your clients, to everybody, you know. They are blackmailing, of course, because it's a ransomware group. There are some of the companies they encrypted, and some of the files, you know, when you go to their blog you can see many data, email, password, contacts, lots, you know, big, big, big, huge files. And they have a statement. This is so cool, because they have this statement: we are bad, but we can be worse. While I was researching this, I found out in Mexico there are a lot of very badass women, cool, that's super cool, and well, there's a lot of problems with killing women and things like this in Mexico, and they always go, kind of riot, and say: okay, we want respect for women, this and that, we are malas, I mean we are bad, but we can be worse than this. So maybe they come from Latin America; there's a lot of activists in Latin America, I know personally some, not from Las Malas, but personally I know some activists from Latin America, from Brazil and other countries. But okay. And in this statement they say, a guy, I don't remember the name here, from the US: oh, we are losing your war on terror. So of course they are losing the cyber war, they are hacking this, see, they praise the hacking, but not the way to exploit, not just the company, because they are not against a specific company but against what this company means, you know; some companies destroy the world, you know, nature and things like this, so they are really angry about this and say: okay, join us, like Anonymous, join us to, you know, let's start a new world, it's better for us. And they say: okay, so you are willing to pay these hackers, that money goes to them to be rich, but not for us? Come on, what the hell, please pay us. And when you pay, you want to give this money to some organizations, mostly in Africa, because it's very poor. For this they don't attack Latin America and Africa or the other colonized countries, no, so they want to target rich countries because they have money and destroy the world more, and so this is unfair. They think it's unfair, of course it's unfair, because lots of people are starving and dying, and climate change, blah blah blah, we know this and that sucks. So for this they hack. But the companies don't pay nonprofit, motivation-based, I mean activism; they don't want to pay. So okay, [ __ ] it, that doesn't matter, you know, but if it's LockBit, okay, give me your money, they will pay, they are willing to pay this. This is terrible, you know. Oh, so far they had some attacks last year, not now, so let's see what's going on now with these attacks. Personally, I think it's cool, but it's not so cool for companies, of course. But why do they do this, like a Robin Hood, you know? There are some little, not many, known groups that really act to do good for the world, and they say: okay, we are still learning, we want to attack big companies because they have much more money, we are attacking not so big ones. Once, one was in Argentina, Moto gave some interviews there, you know, to talk about this ransomware, how they attack. So that's it, I like them, please don't judge me, but it's good for the world... Good for whom? It's not good for the world, but it's good... You're saying it's bad or good? Ask someone who died of starvation in the former Soviet Union. No, I'm not saying this, I don't... We'll talk later, we'll

talk later about this better okay um this last group Everest is a group that I've been tracking since let's say since the beginnings they were one of the first ones to Target my country Argentina and they did it in a very specific and interesting way I have a a good history of covering thats and and actually it's pretty fun to see transformation from their beginning to where they are now it's actually pretty interesting I think it's one of the most interesting Evolutions I've seen in Rams someware because when you talk about Rams someware Evolution you think of a group becoming larger becoming you know more sophisticated more Builders more targets uh for your builds we now

include this hypervisor we now include this operating systems We Now cover Industrial Systems but not Everest Everest actually started with a Rams someware that was more like a commodity Rams someware you see people being encrypted with files having Everest extension and then I even had clients of mine telling me I think my antibirus sucks and that's why like why I have this Ram someware here that encrypts me with this extension light I don't know one two three but then it says it's Everest RAM somew and it's not Everest and then something rang a bell on my head and I say maybe maybe Everest was a commodity one or maybe they were just selling their source code renting a

builder or whatever I seem some pretty weird things happening on the a side um the infection change was super variable actually you have different uh things that were like third party sourced or outsourced like msf Venom payloads Cobble strike beacons being used as common and control servers which is not so common on W establish a dram someware groups and then over the time you will see them using third party applications even super widely known Port scanners and that was pretty weird for a Ramon War group you either have your own tools or leave off the land you know using whatever the host has but using specifically open source or third party tools was not you know your daily

bread. Um, now after some time Everest started threatening companies that they were going to sell their access to other groups, acting as an IAB. If you have never heard this before, Everest was one of the, is now one of the best established IABs. This means initial access broker, somebody that sells you access to a company. I say I want to access a Latin American Vintage, they might have an access for you: remote desktop protocol, VPN access, whatever you want, an admin portal that was forgotten open to the public and they have a login, they were able to sell it to you, a cookie, whatever you want. You want to set a foot in, they can sell that to you, and

that transition was so smooth, was so, uh, public at the time that it was incredible. It was the only group that I've seen going back from ransomware to data extortion and initial access broker, and most of the people think this may be a downgrade, this, it's like you stop doing ransomware and sending things, but actually it somehow works for them. For example, um, they slowly started offering, at first, Argentinian data and said, if you don't pay we'll leak it, but the Argentinians said, we were not attacked. Then how can you not notice a ransomware attack? You are either lying or the actor is lying, but if you read between the lines nobody mentioned

ransomware, nobody mentioned encryption at all. They just laid low, stole the data, stole as much as they could, and said, okay, it's now time to monetize this, let's cash out, guys. They went and cashed it out, but people at the Argentinian government, the victim, said, we were not attacked, or at least we haven't noticed an attack. And then over the time they switched to this. This is a post on the blog: this is a great opportunity to monetize your corporate access, sell it to me, I will resell it for a higher price and they will give you a cut, a share. And then this is what I was talking about just a minute ago, they

just, uh, I will translate for you the things that are in Spanish, don't worry. This is the Argentinian Ministry of Economy, and then the INTA, which is the National Institute of Agricultural Technology, and then the Argentinian government, $200k. And the Argentinians say, don't pay this, this is a scam, we haven't been attacked. This isn't something that they told me, it was told to the media. Clarín is the biggest media in Argentina and they actually asked me about this case, and we were talking about this. They say, we are not aware of an attack. I spoke with Everest and they told me, yeah, the attack is real and we can show you, and they showed me that

they had access to a Citrix instance. The government responded back, that Citrix instance is not public. Went back to Everest and they told me, yeah, we know, we have the VPN to access the Citrix instance, we can sell it to you as well, if you buy two of them we make a cheaper price. So if you believe that going from ransomware to data extortion is a downgrade, these guys can truly show you otherwise. And even sometimes you have offers that you can't refuse in your life, and Argentina, you know, hyperinflation, everything, Milei, you know, we have, uh, we are currently in an economic crisis and these guys know it, so they put up Black

Friday super offers, flash sales, buy now, you have 24 hours, you can buy for half the price, super cheap, and, like, they are pretty well at marketing, pretty good at marketing actually. And this concludes our talk. Um, before going back to the questions, uh, if you want a conclusion from my side at least, it is that there are two things that you can't avoid in life: taxes and ransomware. Maybe you can trick death, you can cheat death, but ransomware and tax you won't be able to get away with, so it just happens. It's not a shame if you suffer a ransomware attack. Go for the full transparency before somebody goes for the full disclosure. Speak up, say

this is happening to us, we just [ __ ] it up. Um, if CrowdStrike could [ __ ] up the entire world, you can with your company. It's not a shame, it happens to all of us, to the best of us. I hope you enjoyed our talk and I leave you with my partner now. Uh, any questions? Something, oh, before we go, you know how you can find us, and as I said there is the name of a music track over the slides, so if you want to see, you know, we prepared this on Apple Music and Spotify, if you like it it's cool, it's pretty cool, you know, lots of songs that I like. So that's it, any questions?

something critics my hair is good

Okay, thank you, gracias. Um, I, I have, I want to know if you have any direct contact with the threat actors behind these, uh, threats, any one of them, maybe, uh, Everest, any one of them, if you have any direct contact with the guys behind this threat. Yeah, absolutely. Actually, part of the threat intelligence job, as far as I can see, some companies frown upon this, so I want to, uh, full disclosure with that: part of the threat intelligence cycle for me is talking to them. If you see them as, you know, the Lockheed Martin kill chain, they are my enemies, they are the adversary, you have lost at the first seconds that you step in.

You have to note that they are people, bad actors, but at the end they will speak up. I managed to interview lots of ransomware groups in the past, they are on my GitHub. I published Darkbolt, which is, uh, they are ex-LockBit affiliates. I managed to interview Vice Society, which is actually, uh, well, it's pretty well known, uh, when they just first started, before they started targeting universities and the like, I started speaking with them. And obviously you do not, uh, share or back what they do, but you know that at least you can see some point in what they do, how they do, how they act, and how to protect yourself, because they are

open in telling you, we attack this kind of doors, and you know that if you have that kind of door you have to be aware. Um, we also speak with data extortion groups, which actually, they like to lay low more than the ransomware groups, they are not so open to speak, and they will give you an insight on how they work, what they are looking after, and especially why you might be a target. That's the most important thing for your organization, for your threat profile: will I be a target of these guys, and why? And talking up front sometimes can give you a lot of insight, a lot of things that you won't see on the media, on the

newspapers, because obviously, uh, they need to sell headlines. Thank you for the question. And, and based on the IABs, initial access brokers, how many of them are from Latin America? It's full, actually. A threat actor which, uh, was called Curious Jackal, you may know him by Kelvin Security, probably you have heard the name before, in Venezuela, uh, well, that was one of the very first and the most, uh, I don't know if advanced is the word, but the most spread ones I've seen. That guy had literally, it was Disneyland for bad actors, he sold anything you wanted, I don't know how he managed to get everything you want. Access to fintech, he had access to

hospitals, he had access to government, he had, um, I think he was one of the first on establishing an IAB cycle in Latin America. But then you have, for example in Mexico, uh, threat actors that started, um, let's say from the ground, not, not in a bad way, right, like Mexican mafia, they started from the ground, and now they are selling, yeah, we are selling Quintana Roo government dump and access, you say wait, the next day we sell full Tribunal de Cuentas from this, full access and database, and we can create an account for you. And in Argentina specifically this is a problem, because they will sell you access to, uh, the jails, the jail system, you know, you

can see inmates, you can see officers, you can see, uh, when they, uh, move an inmate from one jail to another, to police system access, to hospital systems. In my TI I actually cover a lot of that kind of activity in Argentina and Uruguay only, but sometimes I go a little step away to Latin America, and mostly because, uh, for example they explore of course some vulnerabilities, but remember Latin America is a poor, they are poor countries, so it's easy to, you know, you work in this company, take this and, you know, to, uh, infect the servers. Oh, I give you like 10 grand, that in Brazil, for who gets, uh, minimum wage, is too much,

you know, and so I give you this so you give me access, and then they escalate. So it's super, in Brazil, I can say this from Brazil, it's super easy to do this, it's just, hey, how are you doing, that's super easy. Okay, what about TTPs? Because, you know, in Latam we don't have it, uh, we don't have TTPs about our threat actors. That's actually very true, actually. Uh, before Kelvin Security's first market was raided, the first one to have technical TTPs, detailed attack chain, victimology and everything, was CrowdStrike, which absolutely has nothing to do in Latin America, doesn't have an office, doesn't have, uh, big partners. Exactly. The, um, trying to acquire that

requires sometimes introducing new TTPs. For example, I will give you two examples, one worldwide, one from Latin America. What Cel said, it's something that happens a lot in Latin America. I say okay, bribing a user to forget a VPN on a pen drive, to send it over email, to forget it in a Slack chat, send it to yourself or send it to a channel and I will grab it, you won't have a problem, and most of the time they don't have a problem, actually. And that's something that we have to change. Uh, I don't mean to punish every, uh, simple mistake, but sometimes these mistakes lead up to full encryption of your

servers, and that TTP is something that we were pushing for, you need to, and they say no, that's covered under insider threat. Yeah, but insider threat is super wide, you have to, that's the idea behind TTPs, to go as specifically as possible. But it's not politically correct to say John from accounting sold access, so nobody wants to be the finger pointing to John. And also we have another TTP, uh, from North Korean state actors, which is the fake job interview. They will just set up a fake job interview with you. It's actually what I covered in, what I say when I stole the sample, the sample got to us via a fake job interview, and they send you

a challenge and they say, this challenge does not work, see why. What's the first thing you're going to do? Execute it, exactly. On line five you have the malware, and it will be stuck at line 10, you will fix line 10, we'll run it again and it would just get stuck at line 20. But aside from that, the fake interview, they say no, that falls under social engineering. No, the hell it is, it's something fully new, they're setting up employers, they are, um, I don't know the word, uh, they are like, um, I don't know the exact word, uh, they are trying to pose as companies, to pose as recruiters,

so this is not simple social engineering. Impersonating, exactly, that's the word, thank you. So that's a new TTP, but you have to do a lot of work to get that TTP accepted as such. They say no, that falls on social engineering. No, it doesn't, it's something more different, it can fall under social engineering, but setting up a fake entire job market and then phishing for somebody, that's super, that's the super state sponsor. Thanks for your question, thanks everyone. Just, just quick, just quick here, and, uh, about the code, like, for example, in Latin America they are super stupid, you know, it's specific from bank malware, they are all the same, they are copy and paste, like, oh, it's not

working, let's change one line of the banking malware. All the time they use Delphi and they attack the same way. It's amazing, you know, some like Emotet, they are big, huge, I think we talked about this yesterday, right, uh, I guess they send like a million emails every single day, DGA, so every spam is different, totally different, every malware is different. So this TTP is very specific for Latin America, and here in, like, Russia or Europe or United States it's completely different. If it's not working, okay, let's start again, but in Latin America we are very resistant, you know, oh, it's not working, let's change just a little bit and keep working and working

and this is, I think it's amazing, because how is it possible this works, you know, how? Because we know how it works and how they attack, what they do, you know, they fix stupid things, uh, overlay all the time. This is the basics of Latin America: do overlay, spam overlay, so it's beautiful, uh, I think that's it, guys. She means, she means that the actors are more persistent than advanced. Thank you everybody, thank you, thank you very much.