
Good afternoon, everybody. I know I'm standing between you and the coffee break, so I'm going to make it as exciting as possible. I'm going to tell you a story today. It's not going to be about me; it's going to be about somebody that I know. I changed the name of that guy, but I know that everybody likes fairy tales and stories, and I like telling stories, so I hope it's going to be very exciting.

Before we get into that story: as I said, it's not going to be about me, but the first slide is about me. My name is Martin Lutz. I'm working for Axos, which is, from my point of view, a very amazing company, because it gives young potentials like me (I consider myself one, at least) the opportunity to grow. I'm a deputy CISO, and I'm also responsible for ten countries right now, making it possible that cyber security becomes even more popular.

So today, as I said, not about me; it's going to be a story about Hugo. Hugo is a virtual name, I made it up, but nonetheless the story that I'm telling you is actually a true story. I have to start it with a disclaimer, because what I'm going to show you can be used to do bad things, but I'm only going to share it with you because I want to raise awareness for the topic.

So the story is about Hugo. Hugo lost his job. He used to work in marketing some years back and, unfortunately, he keeps on applying but he doesn't get a new job opportunity. He has a family back at home, he needs to feed them, so he's really, really desperate. In the evening he sits down with his friends, they drink a couple of beers, and then they start talking about many different things. They also start talking about ransomware: ransomware, crypto trojans, and once your data is encrypted by a hacker group, then you only get your data back once you paid the money. So he goes to bed very drunk, like it happens too often with most of us, right? Next morning he wakes up and he thinks: hm, ransomware. I work in marketing, I cannot code, but it still sounds like actually a good opportunity to make money.

In marketing he's a very creative guy, so he does his own analysis and he thinks: okay, actually the cost is probably quite low to build my own ransomware company. Secondly, the risk of being caught is low. We're also working with the police in Switzerland (I'm based in Switzerland), and the share of the threat actors that encrypted companies in Switzerland last year who got caught was 0%. So you can see the chance that you will get caught is quite low, but the outcome could be big. He's desperate, he needs to feed his family, and that's why he makes a decision: okay, I'm going to build my own hacker company.

As I said, he's a creative guy. First thing, he sits down and he does some brainstorming. He does a mind map and he thinks about what he needs to build his own ransomware company. First of all, a tutorial, because he doesn't have a clue about anything that is around ransomware. He needs malware code, because he cannot code. He needs a victim, a good victim. He needs to find an attack vector. He needs to think about money laundering, I will come to that later. And of course he needs to stay anonymous, because he doesn't want to get caught, he doesn't want to go to prison, he just wants to make the money and then feed his family.

During his research he found a very good friend that seems to know everything about ransomware, and this friend is called Google. Everything that I'm going to show you is within the first three links on Google, right, so it's nothing new that I show you. He starts talking to Google, and Google tells him: look, if you want to build your own ransomware company, it's very easy, take it easy. You just need to go into the dark web, that's the first step. How to get into the dark web? Very easy: just download the Tor browser, like any other browser, just download it. Then use the search engine. By the way, I put some mistakes into my presentation so that you cannot just copy it, so on DuckDuckGo you will not find any ransomware code, but nonetheless there are many other search engines in the dark web. Google just tells him: put in "ransomware code" or "ransomware as a service" and see what pops up.

One of the things that Hugo found is Kon [name as transcribed]. It was taken offline by Interpol; again, there are many other options, but Kon was an amazing tool. It is a ransomware-as-a-service platform, or used to be one, but as I said there are many, many others. So pretty much you buy the ransomware code, you don't have to code it yourself, which is super amazing, and all you have to do is just pay $165. Then he can administer three customers, right, because from their point of view, or from his point of view, a victim is a customer. It has many other benefits. It's multi-language, so you can attack your customers in many different regions, like the German region, the English-speaking region, the Russian-speaking region, whatever. And it has a very good function, which is automatic decryption, meaning that once the data is encrypted and your victim, your customer, paid the ransom, then the decryption starts automatically, which is very amazing, because you don't have to think about anything. You don't need to understand what the tool does, you just have to execute it, you just have to use it.

So first thing done, or actually the first two things: tutorial, Google; Hugo has his ransomware code. Next thing: the victim. How to find the right victim? Everybody that thinks a little bit logically can think: okay, you need to find a successful company, but also a company that has maybe not the best
cyber security functions, features and measures. If you think about it, what about attacking some companies that were very successful during Covid, like food delivery, for example? They grew very, very fast, and their highest priority of course is availability, but not necessarily cyber security. So this might be a very good victim to attack. Having that in mind, he found one certain company. It doesn't matter for my example what kind of company it is, but the CEO of that company, let's call him John Doe.

Next step: finding as much information about John Doe as possible. How do we do that? Very easy. We just follow a manual on YouTube and we're going to install Maltego. Maltego is an open source threat intelligence tool with the purpose of gathering as much information as you can get from the internet. All you have to do, again, is just follow the manual, because Hugo does not know anything about coding. What he finds out: he puts John Doe into the Maltego tool, and then he's going to find out what kind of social media he has, what other email addresses; sometimes you also find phone numbers. So you gather a lot of information, and in the next step you really have to break it down, in terms of Hugo, to understand: how can I use that data to create my threat, or create my attack vector?

There are four things that he found out. First of all, John Doe is very active on Twitter, meaning he found out that every week John Doe is posting something, but during June he's not posting anything, which means maybe he's on vacation. Second thing: he also checks his Instagram, and while he's not posting on Twitter, he's actually starting to post pictures about boats on Instagram, so likely he's going to rent a boat when he goes on vacation. Third thing: he just saw on Facebook that John Doe just bought a new [unclear], meaning business is going quite well, so it's a good victim to attack. Last but not least, he also saw that he is a member of Miles & More. Miles & More is a frequent traveler program.

Putting all that information together, he found his attack vector, meaning he's going to build an email that might seem like it's coming from Miles & More. He's going to send it to John Doe a little while before he's going to go on vacation, making it seem like there's a super nice discount for a boat, right: if you rent a boat, 30% discount. So that's the attack vector. But how are we going to make the next step? How are we going to execute the attack vector? In this case we're going to send an email, as I already mentioned, and we're going to attach the ransomware file that was bought in the dark web for $175. But how do we do that? How do we actually include the ransomware code into an attached file and then add it to an email? Very easy: let's ask Google. The first link, at least when I did the presentation, was this one: create an obfuscated virus inside a Microsoft Word document. You can also do the same with PDF, then you just have to do it a little bit differently, but in my case the easiest thing was to do it with Word. All you have to do is just follow the manual. You need four different components: you need Microsoft Word; you need Kali Linux, I mean the Social Engineering Toolkit, which is pre-installed in Kali Linux (it is a social engineering toolkit, or a penetration testing toolkit, which we also used previously); the Apache web server, also pre-installed; and you need the Metasploit Framework. Sounds very complicated, but you just have to follow the manual, you don't have to understand it, that's the thing.

But there's still one security measure from Microsoft which is, from Hugo's perspective, quite annoying, which is called macros. Macros are very annoying, because if you want to execute ransomware code, then macros need to be enabled, and in most cases, at least, they are disabled, or should be disabled. So, ask yourself, please don't click on "activate macros" if you don't know what's actually inside. But Hugo is very creative, so he thinks about certain ways to increase the probability that John Doe, once he receives the file, is going to click enable. I was leading two different security operation centers in my past, the one at [unclear] Telecom and the one from Axos too, and two examples that we've seen quite often to increase the chance that somebody clicks on enable macros are these two. Either you find out what kind of antivirus system your victim is using and you just put a screenshot inside and say: look, your antivirus system protected this document, please click on enable to see the full document. Or the second version that we see very, very often: you just write "the following document has been secured; to view the content, click on enable macros", and the rest of the text is just [unclear] a little bit, but it's just a screenshot, so once you enable it you will never see anything else but the ransomware. These are just two examples that we see like 50 times a week.

Putting that all together: we have the email from Miles & More. Even though we can't see it down here, I wrote "Feelgood weeks, 30% discount" if somebody clicks on the Word document as an attachment, and here you can also see that I added the Word document; Hugo edited it, of course. Now we have everything together, but there's only one thing missing: if we want to send it to John Doe, it should not look like it's coming from Hugo, right? It should look like it's really coming from Miles & More. There's one thing that you can use, which is called email spoofing. Email spoofing is a vulnerability inside the SMTP protocol, the Simple Mail Transfer Protocol, and with that you can make it seem, at least, that the email is coming from Miles & More. It sounds very complicated, but there are tutorials for everything, just go on Google and follow the manual. There are certain email servers where you can actually send the email from; [unclear] is one that we see very often for email phishing, because it doesn't really check where the email is originally coming from. That's one of the most common ways.

Having all that together, just quickly summing up: we have the ransomware, we have the document attached, we did the email spoofing, and now we have that small present to be sent to our victim John Doe. All Hugo has to do in the next step is just wait. Just wait until John Doe is finally clicking on that email, opening a Word document, enabling the macros, and
then what happens is this one: all the data is encrypted, and you can see "your files have been encrypted by Hugo, please pay 3.3 Bitcoin", and only then you will get your data back. Of course, in my example, what would it be without John Doe paying? Of course he paid, and Hugo is very happy now, he got all that amazing Bitcoin. But he still has one problem: now he has Bitcoin and he cannot spend it as easily as euros or dollars or whatever currency he wants to have. So, thinking about money laundering: very interesting, and so easy. First thing, go on Google: "how to launder money with cryptocurrencies". That was the second link that popped up: "money laundering by cryptocurrencies, all you need to know". It's a little bit not too easy to understand, that's why I made it easier for you. There are actually only four steps you have to follow.

First of all, you have your bank, like the wallet, right, the Bitcoin wallet. After that you want to anonymize it so that nobody can actually follow your trace, and there are different versions of how you can do it. Most hackers use mixing services (sorry, not mining services). One of them is Tornado Cash, which was taken down; again, I use old ones, but there are many other ones. What it actually does: it splits the Bitcoin wallet into many other Bitcoin wallets, then it transfers it to other cryptocurrencies like Monero, Ethereum, whatever, then they transfer it back to Bitcoin and back to one wallet, and of course they get a commission of five to ten percent, it depends on which mixing service you take. Then you have pretty much anonymized Bitcoin, but you still have Bitcoin, right? There's one trick that you can do: you just go to an unregulated market and start gambling, like an online casino. There are many platforms out there, and you just upload the whole Bitcoin amount that you have and start gambling, and after, I don't know, you spent 1K, 2K, 200, whatever you want to spend, then you say okay, you want to withdraw that money now. Here comes the big clue: you don't have to withdraw it in Bitcoin, you can withdraw it in any other currency. So you just put your bank account in there, or, if you want to make it even more secure, you just open a bank account in the British Virgin Islands and start selling roses. We've seen that many times before: one rose worth 100,000, and surprisingly somebody from Saudi Arabia buys that. That's just an example, right, and that's how you can make it even more secure, but nonetheless that is a very common way that we see very, very often, and that's a way that was also working in my example for Hugo.

As I said, Hugo is not the real name, but the person exists. Because he was desperate and needed to make money, he built a ransomware company, and now he has 20 employees. It's not in Europe; he's from Congo, to be precise. Coming back to my story: Hugo is very happy because he can feed his family, he can feed his kids, and he had so much money that he decided, okay, I will just buy my own island. So he bought his own island, and sometimes in the morning when he wakes up he's a little bit scared to be caught by the police, and then he realizes there are so many other islands out there with so many other ransomware companies: I will never be caught, because I'm a small fish in a big ocean. Happy end.

Two more sentences before I'm going to end. So, happy end? Really happy? The bad guy has won. Not too much. Why not happy? Because it's not the typical fairy tale where the bad guy wins, right? But it's just the fact that most hacker companies that we see, at least (I mean, there are different kinds, right: there are state actors, then there are the big threat groups, the threat actors), but most of the attacks we see are actually desperate people trying to make money, especially when it comes to scams, and those things are actually quite easy to prevent.

So one last slide before I'm really going to end, which is some recommendations that we always give. Cyber security is like a process. It's not something where you install a firewall and then you're secure. That's just not the case, even though many vendors say that, but it's just not the case. It's a combination of different things. The most important two things: backup, backup, backup, and don't activate macros if you don't know what's behind them. But of course many other things: a firewall is still a very important thing, but also other solutions can very much help, like EDR solutions, micro-segmentation, email security gateways. It's a combination of many different things, but one thing that I want you to take away for today: the biggest vulnerability is us. It's the human, right? So if I want to tell you something, then it's: be aware, because you could be the reason why your company is going to be attacked in the future. That's it from my side. Thank you very much. I made it in time, right? Perfect.

Audience member: You said it's very low risk and not much chance of getting caught. You also said that he uses Google a lot. Is the risk so low that somebody can safely use Google instead of using Tor and DuckDuckGo to hide the searches? I mean, is it really that
low risk?

Martin Lutz: From my point of view, yes, it is, because I think that the internet is like back in the pirate days, and most of those hacker groups make deals with the governments, which is: as long as you don't attack any companies inside our country, and do it outside the country and spend the money inside our country, you're pretty much safe. We see that actually quite often, that whenever there's a hacker group active, they never attack anybody inside that country but only outside. So if you stick to that, I fear, and I wish I could say something else and my answer would be different, but I think the risk is quite low, yes.

Audience member: Thanks for the advice.

Martin Lutz: Of course. Any other question?

Audience member: First of all, thank you, it was a great story. I have a question regarding the emails that were sent by Hugo. Would it have been easier, for example, to use some other format like PDF, or just not to enable macros, just to avoid that step?

Martin Lutz: Yes, I mean there's also an option with PDF, right. With PDF there's one very common exploit that is used which is called ROP, return-oriented programming. It's an exploit that is used for Intel CPUs, and 99% of the CPUs are still vulnerable to it. So that is also something that we see quite often, that these PDFs are used, and then, if there's a picture inside, you can also execute the exploit, or if there's a link inside they also use that to actually start the execution of the exploit. So there are different ways; we also see it in PowerPoint presentations, but most common is still PDF. It was just easier in my example to show it with Word.

Moderator: Thank you, Martin. I don't think we have any more... ah, okay, yes.

Audience member: Thanks for the great talk. It's not really a question, but I spoke with Carlsberg and they sent you a really nice email for 50% off beer. Can you please click the link? I will get it for you. Thank you.

Moderator: This is the last question.

Audience member: Have you seen this landscape change with the age of LLMs and models freely available out there? Have you seen these malicious actors, be they small or large, use LLMs instead of Google to actually create this whole process and manufacture, well, an exploit?

Martin Lutz: We've seen a slight increase of attacks, and they are becoming more sophisticated, because the phishing emails in the past were not too well written, right? So they often use AI to write those phishing emails or prepare those phishing emails, but you can even use it to start programming ransomware, for example. I mean, there's one common tool that is used very often which is called WormGPT, I don't know if you've heard of it. It's like a commercialized ChatGPT for attackers, and you pay, I think, $100 a month or something, I'm not too sure. Our threat hunters also use it if they do penetration testing and stuff, so it's quite scary, but we always have to be aware: if there's a technology, I mean, defenders use it, of course, AI, but attackers can use it just as precisely. So we've seen a small increase, not as much as I expected, but the sophistication and the preparation of the text, they are definitely becoming better and better. Thank you.

Moderator: All right, thank you, guys. He will still be outside, so if you have any other questions, just let him know. So the other questions, that's
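Editor's note: the two defensive takeaways the talk closes on, don't enable macros and put an email security gateway in front of the mailbox, come down to one check a gateway or attachment filter can make before a Word document reaches a user: does the file carry a VBA macro project at all? The code below is an example added by the editor, not code from the talk or from the speaker's company. It builds two constructed, minimal Word-style OOXML archives in memory (one plain, one macro-enabled) and classifies them; the sample archives are not real documents, and the part names and content types it looks for are the standard OOXML ones.

```python
import io
import zipfile

# Modern Office files (docx/docm/xlsm/pptm) are ZIP archives. A VBA macro
# project is stored in a part named vbaProject.bin, and a macro-enabled
# document also declares a "macroEnabled" content type in [Content_Types].xml.
# Checking both catches a macro document even when it has been renamed to
# .docx to look harmless. Legacy binary .doc/.xls files use the OLE container
# instead, which zipfile cannot read, so they are flagged for a dedicated parser.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_attachment(data: bytes) -> dict:
    """Inspect a raw attachment and report whether it contains VBA macros."""
    verdict = {
        "container": None,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
        "suspicious_parts": [],
    }
    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole"  # needs an OLE parser (e.g. oletools) or quarantine
        return verdict
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict["container"] = "unknown"  # not an Office ZIP container at all
        return verdict
    verdict["container"] = "ooxml"
    for name in zf.namelist():
        if name.lower().endswith("vbaproject.bin"):
            verdict["has_vba_project"] = True
            verdict["suspicious_parts"].append(name)
    try:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
    if "macroenabled" in content_types.lower() or "ms-office.vbaProject" in content_types:
        verdict["macro_enabled_content_type"] = True
    return verdict


def should_block(verdict: dict) -> bool:
    """Gateway policy: block anything that is, or may be, a macro document."""
    return (
        verdict["container"] == "ole"
        or verdict["has_vba_project"]
        or verdict["macro_enabled_content_type"]
    )


def make_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML archive for testing (not a real Word file)."""
    main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    main_ct += ".macroEnabled.main+xml" if with_macro else ".main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-VBA-PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("plain.docx", make_sample(False)), ("renamed.docx", make_sample(True))):
        v = classify_office_attachment(sample)
        print(label, "BLOCK" if should_block(v) else "ALLOW", v)
```

A real gateway would add the same check for xlsm/pptm part paths, and hand OLE containers and anything that the ZIP check cannot classify to a full parser such as oletools' olevba rather than allowing them through; the point here is that "don't enable macros" can be enforced before the user ever sees the yellow bar.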