
Incident Response Case Study – Living off the Land - Will Hudec & Shawn Newman

BSides Peru · 48:09 · 387 views · Published 2023-08
About this talk
BSidesPGH 2023

In cybersecurity, the term “living off the land” refers to a type of attack technique that enables an attacker to evade security software detection while blending into the victim’s network, using legitimate tools and utilities that are already installed on the target system instead of using malicious software. My incident response team has seen an increase in these types of attack over the past 6-9 months utilizing PowerShell, Remote Management Tools, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP). This session will walk through a recent case where the threat actor was able to utilize this technique along with others to exfiltrate sensitive data and extort the victim.

Topic: A review of an actual IR case where the threat actor utilized the “living off the land” threat technique along with others to exfiltrate sensitive data and extort the victim.

Title: Real Life Incident Response Case Study – Living off the Land

Author: Will Hudec, Director of Incident Response, Fortress Security Risk Management

Presenters: Will Hudec, Director of Incident Response, Fortress Security Risk Management, and Shawn Newman, Deputy CISO, Fortress Security Risk Management

Will Hudec: Will delivers positive and timely outcomes for clients and provides guidance on containment, eradication, safe recovery, and risk management with client leadership during an incident response. He has a comprehensive understanding of risk mitigation, governance, and business continuity, and proactively assesses clients’ IR capabilities to help improve and mitigate risks within the environment.

https://pretalx.com/bsidespgh-2023/talk/ZS89XJ/
Transcript [en]

Just a round of applause for all the presentations so far. They've been great; I've learned a ton. Lots of great speakers. We're just thankful to be on the stage here, so we'll get into this real quick. My name is Will, this is Shawn, we're from Fortress. It is a security division of an MSP up in Cleveland, Ohio. That's right, Pittsburgh, you have a Browns fan that has infiltrated your conference, so go Browns. But why don't we go ahead and get into things here. We're going to do a talk over a pretty interesting IR case that we worked earlier this year. Gonna hopefully show you some inside

details on a pretty unique situation. So let's go ahead and move forward here. We'll go through, just do some quick bios for me and Shawn so you know who you're talking to here. Then we'll walk through, we'll take a look at the victim organization. I'll give you some details, as much as we can, about the victim that this attack happened to, and then we're going to go through some initial IOCs that were discovered. We'll then get into our first phase of incident response once my team was engaged: detection, analysis, and initial containment. We'll also walk through some threat actor negotiations, talk a little bit about what that process looks like,

some key things you need to pay attention to when you're going through that process, and then we'll get into some law enforcement engagement and the threat actor profile, which we determined through our friends at the FBI. That then led to some additional investigation, which eventually led us to find the root cause of how this happened. Again, this is an actual event that we worked. We've redacted all of the sensitive information, but hopefully we'll show you some pretty cool things from a case that we have here. So again, my name is Will Hudec. I am the director of incident response. I've been in the industry about seven years now.

I'm CISSP certified. Over the last, I would say, three to four years I've worked over a hundred security incidents: ransomware, business email compromise, you name it, I've worked it. Obviously this picture was taken before I worked over 100 incidents over three years, as my gray hairs can probably also attest to. So go ahead, Shawn.

Hi, I'm Shawn Newman. Primarily my background comes from dot mil and the intel community before I came over to Fortress. I do threat actor negotiations; I'm the guy that talks to the bad guy, so we'll get a little bit deeper into that. I guess one of the biggest things

I've worked on is, I've worked a lot with DC3 in the defense industrial base, helped set that up, and I helped establish the CNO capabilities for DDX, the 21st century destroyer.

Okay, and we'll have time for questions at the end, but if there's any as we go along, feel free to pop your hand up. We don't think we'll need the full session here, so we want to take questions as we come along. All right, so the victim profile. It's a small organization, about a hundred employees. They had access to sensitive client legal information as well as PII, as most organizations do. The compromise

occurred earlier this year, it was Q1 of this year, and it involved exfiltrating sensitive data. The threat actor then proceeded to attempt to extort the client. So this is probably going to be a little hard to read. This is the very first thing, how we determined what was happening. You can see here the threat actor actually sent an email to a whole bunch of the organization's employees. They were stating that they had access to gigabytes of their sensitive data. All of those attachments there were a way that they were trying to demonstrate proof that they had exfiltrated this data. Again, we can't get into the specifics of those screenshots and such,

but essentially it was evidence that they had been within the environment. Organizations get these types of "hey, we have your data" threats all the time. Because of the magnitude of what this reached, senior members of the organization all throughout, this obviously had a very high lens from a leadership perspective, and they immediately contacted us and contacted their outside counsel to make sure that we could start understanding: is this an actual threat, did they actually take the data, what evidence can we provide? They make some comments throughout this that state, you know, we've done this before, we're a professional organization, you can see some of the work we've done in the news,

and essentially stating that you need to start communicating with us as soon as possible so that we can come to a resolution on this data. So this threat actor was very aggressive, one of the most that we've seen. I'm going to play this here in a moment, but they were actually calling employees of this organization. Most of them actually never picked up, but they were leaving them voicemails, threatening them, threatening to call their clients, threatening to expose the information, and essentially demanding that they open up a line of communication. So I'll go and play this here.

actually we have files Ohio

Thank you. It's funny, "we don't want this to happen" was one of the last things they said there, right? It's like the bank robber holding the gun to the teller's head saying, "I don't want to take your money." Okay, well, you did, right? Yeah, they're very polite. So obviously this was very aggressive. Shawn, I know with your background, it was interesting that they didn't seem to use a voice scrambler at all; it seemed to be just their natural voice. So if you want to maybe speak a little bit to that.

So in cases like this, the first thing, the email: the reason

they sent out to a larger group is to create emotion. As human beings, we're not going to act appropriately with emotion. Our client obviously did the right thing: they contacted law enforcement, they contacted their insurance, and they got a third party involved. Also, one of the motivations for doing that is they eliminate containment. By sending out to a larger group, the organization can't particularly say, "hey, don't say anything," because it went to so many different people. So that also makes the organization have to do e-discovery efforts to figure out who this email went to. The threat actors then up the ante. The reason that the calls happen

is, at that level we're going through a transition from having that organization transition all comms over to us, and there's a delay. So they want to once again get you in that heightened emotional state. Obviously we're a third party firm, and we have experience with this, so it doesn't warrant emotion on our end. Also, what we do is we gather a lot of actionable intelligence as it's going through: accent from the person that you're speaking to. I've done over 500 of these, so you can identify certain accents, certain dialects, word usage, and also you can cross-pollinate that with the email and you can ascertain if it's one entity. The threat actor

communicator on the bad guy side, on the director side, is it the same person that actually placed the call? So if you do text-to-speech, you can notice certain similarities or dissimilarities. So now you know if you're dealing with a hacktivist, is it ransomware as a service even though there was no ransomware, or is it a bad actor cell, and when you contact the FBI those are things that, if you have that actionable intelligence, they can respond more quickly if you're working with them.

Yeah, and all of that part, in terms of the experience that we have, we try to see if we can find out

information based on some of those same indicators as well. One of the other things I'll mention here: at the beginning of the voicemail they actually called out the person by name. Obviously we had to remove that here, but again, just trying to put people into a heightened sense of emotion and act irrationally, potentially lashing out or anything like that. The other piece here that was really interesting with this case, and we'll talk about what we did for investigation, but we didn't find any signs of malware. This wasn't a ransomware; we didn't see any sort of LockBit or any of the big actors or

even some of the smaller ones. Nothing was encrypted that we could tell; all their systems were up and online. So pretty unique. Typically we see this type of extortion come after a ransomware attack as a way to, again, heighten the sense of urgency.

say that. So then our team engaged. The first step for any incident response team: we deployed our EDR tool. We used SentinelOne; our friends are here today, so feel free to stop by and say hello. But that's one of the first things that most groups do. Any of the big players will use their tool of preference, whether it's CrowdStrike or others, to get containment within the environment. So we deployed SentinelOne out for two purposes. One, we want to contain the environment, to understand what's happening, and if there is any malware that might not have been triggered by

their antivirus, that we're catching that. It also gives us visibility into the environment, which I'll talk to here in a moment. The other piece that we performed as part of our containment efforts is pretty standard as well: we made sure all admin account passwords were reset, that's priority number one, and then obviously rolling into a full company-wide password reset just to ensure there's no account compromise that might be leading into this intrusion. The one piece here, once we got into starting to try to determine how in the world did this happen, what information do we have available to us that we can start to leverage to see

is this a legitimate threat, or are they just trying to extort a payment even though they don't have this, was logging. I know there were a couple talks today talking about the importance of logging and being able to preserve that. We had maybe a couple of days' worth of logging, which is important; we'll get into it here more close to the end. But heavily constrained by the lack of logging, we absolutely could not find anything out. Traffic looked normal. There were a couple IPs that looked a little suspicious, but traffic was being blocked there, so it wasn't a big area of concern. We started to step into our forensic

process, using kind of two tools: native PowerShell scripts that we have for collecting forensic evidence and trying to do some live analysis of systems to see, is there anything in the processes that are happening that seem suspicious, any way they're trying to obfuscate their presence in the environment. And then we also used, through SentinelOne, a module called Deep Visibility, which again is a way to do some threat hunting and see if there's anything we could find that's suspicious. But once again, we couldn't find any sort of trace of any compromise or suspicious activity, and we weren't getting pointed in any sort of direction. So with

that, we were forced essentially to open up threat actor negotiations. Because we were so constrained, we determined, and I'll let Shawn chime in here, he was the one who actually communicated with the threat actor, we were forced to open up the communication and see what they would provide us. So I think, Shawn, maybe we can talk first about some key considerations that you take into account when you first open that dialogue with the threat actor.

So if you're ever in a situation that you're forced to either buy time... Just because you open negotiations doesn't mean you're going to pay the ransom. We run into a lot;

sometimes you're just buying time for the forensics team to figure out, is there a hostile payload there, what types of data, how much data was exfiltrated. But there are three rules: you never disclose your firm, counsel, or carrier, so you never mention those. They know who they compromised; you never want to reiterate that. Now, when you are talking to the threat actor, you do want to personalize yourself as a person, so sometimes you may give misinformation: "if this doesn't go my way I might get terminated." You definitely don't want to ever put yourself in a situation that you work for accounts payable, because accounts payable obviously has a fast line to the money. It also, you don't

want... Everyone in this room is probably technical folks, I assume. You also want to play really dumb, like, "SMTP, what's that? What are you talking about? What is this? What does data exfil... what do you mean you took something? Did someone email it to you?" You do want to ask this. I always say ask the questions your grandparents would ask you, to the threat actor, because it lets them think that they're really positively in control before you take control back from them throughout your communication. It's more of an art than a skill. The more you do it, the better you get, and usually

after a couple lines of dialogue I can usually narrow down who the threat actor group is by how they communicate, what threats they levy, and most of them, just like telemarketers for any major company, they run by a script. So they have their own TTPs and are all unique. I know North Koreans' TTPs are totally different than Russian nation-state foreign actors. What else do we have? Sorry.

Yeah, I think some of the other things here, and I'll let you chime in again, but again, these are very self-explanatory. Don't use any sort of email account, if it has to be done by email, that they can somehow track back to you as

a person. We want to engage with them and build that personal relationship, as crazy as that sounds, without them knowing who you actually are, so using things like burner emails and VPNs to obfuscate your actual location, and then also making changes to that as well. So it's not just about using a VPN, you know, you're coming out of California instead of Ohio, but changing that around, communicating at different times. We want to make sure that we are using that advantage to try to cover our tracks in this as well, because if they find out who you are there's a chance of retaliation and they'll come after you

to try to stop the efforts that you're doing for the client. And then go ahead, Shawn.

So one thing about utilizing a VPN is they're smart, so if you move your location, I've had threat actors say, "Hey, you were in Miami this morning, now you're in Colorado." That's actionable intelligence you can give to law enforcement; you know that they're checking now. And the easiest solution: "hey, work forces me to use this stupid tool and I use it and it just picks somewhere, so I might be in Tibet tomorrow, I have no clue." Like I said, I always talk to the threat actors as though you're talking to your grandparents, you know, just play

very, very stupid, and they will guide you through. I've had cases in the past that I've played so dumb that they've given their whereabouts and we've caught the threat actor. They gave so much aggregate information that when we gave it to law enforcement, law enforcement gave it to the Canadian government and they caught the guy. So if you guys, everyone here has a phone, if you Google it you'll know exactly what this thing was. So things like that, those are really important too. And also capture everything, everything that they say. Don't discard any legal artifacts; make a copy, keep a running copy in Word, because obviously some of

these, like ProtonMail, which is my favorite to use, and if they ask "why'd you use ProtonMail?", you know, that's black, you're like, "oh, it's just the most secure email and it pops up number one in my Yahoo." Things like that, those are things that you're building their trust a little bit as well, because ultimately, if you do have to pay, the objective is to pay the least amount possible to protect your client and protect their insurance carrier.

Yeah, and this last point here, Shawn already kind of mentioned, is as much information as we can find. Again, it's a little bit of an art; it takes some

experience getting through these types of cases, but then you start to build your knowledge base and understand, okay, this group we're dealing with right now, they might not have the same emails or it might not sound like the same people, but they're talking in the same way as another case. So again, it just gives us intelligence as an incident response team to go back and see what TTPs did that group use, what IOCs do we know that are out there for them, and help us narrow down our investigation. So we're going to get into some of the actual communications back and forth, so I'm going to go ahead

here. So the email on top was us reaching out to the threat actor. There's a couple reasons why we would do this. One, if we have to negotiate some sort of ransom, if it's a ransomware case and we can't decrypt, it's a business decision at that point. Obviously we don't encourage paying any ransom; you're funding organized crime at that point. But that's always a consideration if a business cannot continue to operate without getting into crypto. And then obviously there's a couple other reasons you would want to negotiate. So proof of life: how can you prove that you have taken what you've taken, which I'll have Shawn speak to here in a minute. You can see in the

communication here we're asking for some files, so we want them to validate that they've actually taken the data, to know if that's a risk that we have to consider. And then obviously the other piece is to buy time. If we need to buy time to try to understand, can we restore, can we get back to business functions in ransomware, or can the investigation pinpoint that they don't actually have data, so we don't have to pay them. So, yeah, go Shawn.

So have you noticed every error, even in the emails that we send to the threat actors, the misspellings, things like that? Like, so it should say "this is" but it says

"his is." They are all intentional, because going by the nature of the organization, someone that's in a key role wouldn't make a mistake like that. So anything that throws them off balance. If you're supposed to be the head of help desk you need to make... or in this case I wasn't, I was just someone they nominated that wasn't at the top of the company. So you have to make sure you sell your persona, because you're personalizing yourself. This is very formal, but if you were to see the messages in between, a lot of them were informal: "sorry, I was out eating dinner with my wife, I missed

your message, sorry for the delay," because they did retaliate and say, "hey, if you don't respond quickly..." So by saying "hey, I have a life," you're not really saying that, but you're like, "hey, I was out at dinner with my family," whatever, "and I cannot disclose this to my family, what's going on." You're personalizing yourself, so when you get down to the financial transactions, they know you're a person. If you ever get burned and they find out that you're an experienced ransom negotiator, it's full price, no discount, nothing you're going to do about it. If they want a million dollars, you're paying them a million dollars. So the objective is to

be sure your identity doesn't get burned, or that you're not hired from the outside, and sometimes that does happen, believe it or not. I've dealt with threat actors... I had a case with Maze and then I had another case with Maze, and the next time I realized I was talking to the exact same person, and he sent me a back-channel email to the old email, and once I read it he knew it was received. He knew; he's like, "okay, I know who you are." But even in that case you can recover: "hey, okay, you know what's going on, they only have X amount of dollars, I'm not going to play games with

you." Now they had more, but you're like, "this is all they have." "Can they get more?" "No, they can't, this is all they got." It works.

Yeah, and so from there you can see in their response it was kind of a unique situation. Generally when we ask for that proof of life, like I said, they'll usually offer up some files that they'll give us. They actually sent us a file tree and let us select five of anything in that list, so again just trying to prove that they had everything. So that text file is essentially the tree, and we selected five files, which you'll see here in a

moment. You can see in the comments here they say, "hey, we'll stop reaching out to your employees at this time, continue to communicate with us so that we can come to a resolution here quickly." So here you can see on the bottom part, where it's kind of mostly covered up, this was again Shawn; he had sent the five files that he wanted to see. So we worked with the client to understand what do you want us to pick out of these five, something that they could easily verify was from their environment, that they without a doubt would say, yeah, this

came from us. So we picked those five, and as you can see, it might be a little tough to read, but each one of the file extensions that we asked for, so there were three PDFs, a message, and a JPEG, they returned and attached to us. So at this point we feel that they have the data that they claim to have, without a reasonable doubt; I mean, they've got it. So at this point, and I'll play this here in a moment, we slowed communications down because the client wasn't sure what they wanted to do. They weren't sure if they wanted to continue to negotiate and

maybe make a payment to prevent possible disclosure, or them continuing this call path. They were nervous about how that would damage their brand and reputation; obviously that's a big impact there. So we slowed down and we didn't communicate as frequently as we were before, and lo and behold, they started calling again. "...later, you're not replying to us" [Music] "we are asking you to start answering the beneficial Solutions" [Music]

"and

so we'll be waiting on your email." Say thank you. So once again, "they don't want to do this." So obviously there's a higher threat there, where "we're going to start calling your clients, we're going to provide them the data we've stolen." One thing that I didn't point out before, but in this email that they responded to, their initial ransom demand was six hundred thousand dollars. I don't think they specified here, but they might have, to be paid in Bitcoin, as is typical for these types of negotiations. So that was the initial demand. While all this is going on in parallel,

our forensics team is still doing their due diligence, so they're still trying to make sure that there's no hostile payload. So we have to slow down before we start negotiations, because obviously anything can happen. If we discover, hey, they said they took this much data and they actually took more data, we find those kind of things, then that $600,000 price tag starts to look pretty good. But when we realize that they're honest in the data elements and the data sets they took weren't critical data, then we have to actually start costing the data. Also in parallel, Will and I are also communicating with them because

they didn't do a business impact analysis, they didn't do a data classification, so they don't know how much their data is worth, and we're trying to rush a BIA, an informal BIA process, so we know what to pay. Everybody in this room will buy a Rolls Royce for twenty dollars, but no one's going to buy a Matchbox car for twenty dollars, but they're both cars.

So yeah, so at this point, again with the lack of evidence, we engaged the FBI on the client's behalf. We provided them what we had, which was the email. We also provided some of the communications back and forth as well as the voicemail.

They pinpointed that this was most likely, and it turned out it was, this group called Silent Ransom Group. Some of the things that they were most known for is what's called BazarCall, essentially a callback phishing method, which you can see there in the infographic on the top right. The way this works is it's social engineering. They initially send some type of phishing email, so you can see down there the Duolingo and the MasterClass; those were two known TTPs that they had, specifically impersonating those two services. You get an email like that, it says your account's due, give us a

call, and it gives you some sort of customer service number if you have any questions. When you call, it's not Duolingo or MasterClass customer service, it is a threat actor group, who then through social engineering techniques convinces you to install some type of application onto your device. So generally what this group uses is RMM tools, which again goes back to the very beginning of what this title is: it's called living off the land. They are putting something into the environment that's not going to be caught by EDR, it's not going to be caught by antivirus, and unless you have good controls around what applications can be installed, it's gonna go unnoticed. So this group has been,

again, that's their typical TTPs, following this process: the social engineering through phishing, through the callbacks, and eventually maintaining a foothold in the environment through known applications. The other intel that we found is that they actually generally do follow through with their promises when you do pay. They've found that they do provide the things that they say they'll provide, which is a proof of deletion as well as a security report; that's just called an unauthorized pen test, right? How did we get into your environment? So we'll take a look, kind of as this wraps up, on some points there.

So with those additional TTPs from the FBI, we went back and started to search through the environment. We started to look to see, is there anything that matches maybe the Duolingo or the MasterClass, are we seeing any traffic that could be in their email system. You'll see here in a moment, but we've pretty much matched the exact threat vector that this group uses to the client. So after we found this, we found phishing emails to a handful of users. We also then found, after narrowing it down some more, Zoho Assist, an RMM tool that this group is also known to use, was

installed on one of the users' devices. So from there, that's what they used to maintain persistence within the environment, and ultimately what they used to extract the data. So again, evading detection through social engineering and through using known good tools that wouldn't be caught by security controls. You can see here again these were the actual emails that we found in the environment for two of the end users; they match exactly the samples that we had from before. Same thing, we've blocked out some of the names and the phone numbers there, but the same piece is there.

With an installation of SentinelOne, Will's team was really quick to ascertain that Zoho Assist was the culprit, because it gives a hardware and software asset inventory. So Will's team was really fast to be able to say, "are you using...?" They came over the laundry list of applications that could have been a problem. They had already spoken with the FBI, and they went through, I think it was like six or seven applications our forensics team came up with, and they said, "we've never used that." So we could pretty much pin down what machines it was installed on, so hence you could say who patient zero is.

Yeah, so, and obviously the

root cause here is the dread of any organization, what keeps us up at night, what drives a lot of these attacks: the end users had local admin privileges. So they convinced them to download and install this, and it went right in. So we'll go through a couple more slides here and then we can get to some questions. So kind of as a summary of what happened, and we'll talk kind of two places here. Just to reiterate again, they were a victim of the callback phishing attack, which eventually convinced them to install an RMM tool to maintain persistence. Because of the way that user privileges were set up, they had access to all kinds of sensitive

information that they probably shouldn't have, and then they slowly siphoned off information from the environment, eventually to extort the client. So obviously, from a recommendation standpoint, and we're going to get into the ransom here in a moment: obviously monitor RMM tools within your environment, make sure you're blocking those that aren't in use; controlling local admin rights is the very first step; access control to sensitive information; and good security awareness training, making sure that people understand what's out there. So I'll let Shawn chime in here in a moment. So the two emails you see here on the left, this is when we had agreed to a

payment. So unfortunately the client felt the risk was pretty high. They didn't want the reputational damage that would go along with this. Obviously they had to make disclosures no matter what, but they didn't want it to be on Channel 8 news, broadcast all over the place, that this was happening, so they decided to make a payment. So that's them sharing their Bitcoin wallet for making the transaction. Once we made that transaction, the security report is what's on the right there. So again, they got access to company computers by using a remote desktop software. We found that they bypassed the antivirus, got deeper into that, again using known tools, and

then they got access to the corporate data. Here's their recommendations: regular penetration testing prevents certain types of attacks such as pass-the-hash, and then multi-factor authentication. And then they also, which we'll see here in a moment, is pretty interesting, they provided a video of proof of deletion of the files, so we'll take a look at that in a moment. But Shawn, why don't you talk about the negotiation and kind of getting to that final price.

So as we were going through the process, to keep them alive for the client, basically keep negotiations moving so that they wouldn't publish their data. What we did is we entered into basically sleep depriving the threat actor, which also

means that we're also sleep deprived, since I'm an army of one. So by keeping them active and constantly communicating with them, because we're being compliant to what they want, "hey, communicate with us," we managed to get the ransom... I can't give the exact amount, but let's say less than forty thousand dollars, from six hundred thousand. They were just ready to quit; they were over it. And that's when, as a threat actor negotiator, you say, "hey, part of something is better than nothing," and because they knew at that point in time the client has to do disclosures anyway, so what value is it really paying it? So the threat actors, they're well

versed. Now, granted, by that time they pretty much know you're a professional, and they know you know what you're doing. So at that point they became pretty compliant. There's always a risk of secondary extortion, like you pay them and then they come back and say, "no, we want more money." That has happened; that's happened to Will and I, it happens to the best of us. You can't prevent it from happening, but these TTPs from this particular threat actor group, the FBI had said that's not something that they ordinarily do. They don't want you to publicize that they double extort, because once it gets out in the industry

because if they double extorted us I would tell each of you each of you here if you ever hear anybody but they're going to double extort you uh it's that simple to get the information out there yeah and you know a reduction in in that much is pretty abnormal um you know we we see 20 to 30 generally but to get down that low you know uh credits to Sean and his persistence there um the last thing we're going to show you here and we'll have some time for questions generally we always get this promise for whether it's ransomware or other groups we we promise to delete your data they J they generally don't show that they've deleted their data and

obviously there's always the risk that they've made other copies so in this case they actually did um so I'm going to go ahead and play this video here

Everything there we've obviously blacked out so we don't show any of the client's actual files, but what they're doing here is they're scrolling through the various directories, showing the files that they have. You can see in Confidential there's a significant amount there, and then they're going forward and reformatting the disk to completely clear it out. [Music] And then at the end they go back, format's complete, and they show, ah, it's gone, abracadabra. All right.

So yeah, that was a pretty interesting case we worked. We've seen a pretty significant increase in this type of persistence in the environment, using more known-good tools as opposed to malware, right? They're trying to bypass our security controls. EDR has been widely implemented with a lot of organizations now, so they're trying to bypass it in any way they can. I've worked several cases just over the past, I would say, nine months or so where they've used these exact tactics to stay within the environment. So with that, any closing from you, Shawn? Any questions that anyone has?

Really, it doesn't accomplish anything. They made good on their promise, so they continue to have a reputation for following through, so that might convince more people to pay them. But for the actual organization, there's always a risk they have copies, so the organization still has to go through disclosure that the data was exfiltrated; they still have to go through all those legal and compliance pieces.

Yeah, the forensics process served many other goals other than just containment, like analyze the, like get some sensitive, refer to the decrypter, to know, like maybe in the negotiation process you could sort of lie or not about a third party that could competitively decrypt...

Yeah, you get it. So yeah, Will and I had a case. Not every, if you do have a ransomware attack, if you hire a reputable firm, we have hooks into other firms, so there are firms that sometimes accidentally have been delivered a universal decryptor. Example: if you get hacked by Major McGregor, I have a universal decrypter, I can decrypt it. So the cost-benefit analysis of, hey, these people are going to charge me fifteen thousand dollars to decrypt everything, that's a reputable firm, we don't have to deal with a bad actor, is obviously going to work out a lot better for you. But threat actors make mistakes. I mean, I got the Mesa crypter because when they sent me the decrypter to just decrypt those files, they accidentally sent me the universal decrypter. Obviously it wasn't on purpose, and we've shared that with the FBI, so if someone contacts the FBI with a Major McGregor case, the FBI can decrypt those files for them or deliver it.

Yeah, and there's two pieces to that. Part of negotiation in a ransomware case, we'll always make sure that they can prove their decrypter works. So if you're working with, like, LockBit, they'll say send us some encrypted files, we'll send them over, they send them back and they're clean. But in terms of the forensic piece, really what we're trying to assess, I mean there's a couple pieces, right, and it's not only forensics but it's also the incident response and the recovery: can we recover without using any sort of decrypter? There's always risk when you're using a universal decrypter or some home-built method to try to decrypt something that we might ruin files, so our number one goal is to recover from good backups; obviously that's the best-case scenario. And the forensics is really to help them understand, because if we don't negotiate and we don't pay, we're not going to know everything that they took. So the forensics is going to be: can we pinpoint what data was exfiltrated, so that we know our legal requirements to disclose, and can we pinpoint how they got in, so that we know what we need to button up. Obviously in most of these situations there's a lot they need to button up, but that's really what we're trying to do as we're continuing with the containment and eradication. Sure, sure.

So you see a bit of both, generally. In our firm, we do security services, but generally when we come out, we have a client. At that point it's a little bit tricky, because when it comes to insurance, if they're making a claim, they will not provide funds for betterment; they will provide you funds to get back to the business operational state that you were in before. So it becomes a tricky line to walk, understanding obviously they're going through a significant event, there's probably some business downtime associated with it, some loss of revenue. So how do we balance out getting everything back to the way it was, but then we've got to have conversations about making sure this doesn't happen again? Generally, when you go through a significant event, I think out of all of the ransomware cases, maybe one client that I had didn't become a client of ours or work with another firm and improve their security posture. Sure.

Is there any strategy using what files...

So there's two fronts on that. If we're trying to prove that the decrypter works, that's a piece of the proof of life, that they can decrypt files in a ransomware attack. We don't want to use any sensitive files, so we want it to be like a picture of the building or something like that, so that we're not feeding them sensitive information that they might not have had in the past. On the other side, for proof of life, again this was a unique case, because generally they won't give you a choice: they'll just send you some files that they have and we've got to go dig and see if that actually was the client's files. In this case, since they were giving us the choice, we wanted it to be without a doubt, yes, this is our file, it could have only come from us. And them proving, just from us selecting files out of a file tree, obviously that they had copies of them. I want all the way and back.

I would say, for this group, when we contacted the FBI, because the FBI helped us fill in some gaps that we had, this is definitely a cell. They were very organized, and obviously, any time you're committing a crime, you're going to make a phone call, you're going to be nervous. The threat actor's comms were very pointed, very, almost articulate, but for a non-English speaker. And sometimes, I hate to say, for everybody, you use words, American terminology, that they may not be familiar with, to feel them out. Someone who comes from Croatia isn't going to understand the same American figures of speech as someone who's, let's say, from London; their level of understanding differs, so you have to use all that to your advantage. But these guys were definitely a cell. I don't think that, at one point in time, the emails definitely did not come from the same person, even though it was the same email address. Just how they punctuated things was a little unique. The one guy, and then the next person that was involved, they were almost like a native English speaker, like an American English speaker. Everything was, he used the term "y'all," and it was just something like, I'm American, I don't use it. And they used it properly and it was punctuated properly. So those are things, "y'all" comma, and you're like, okay, that's a big one. But those are things that you share with law enforcement: hey, we'll take a look at this because it breaks the mold. A lot of these cells will have someone who's American that lives abroad or is on their payroll. Also, you have to understand, some of these people that are doing your comms, you have to figure out sometimes, do they know that they're actually committing a crime? I've worked with threat actor groups where the person that's the threat actor negotiator thinks that they're a consultant. So one of the rules: you never tell them they committed a crime. Since that's one of the tenets, you never say, hey, you did this to us; it's always, can you help us. But some threat actors, they don't even know, like they're hired to do a job: hey, these guys have an outage, you're going to negotiate payment for us. They're overseas, they're paid in Bitcoin. As you get to know some of these guys, it gets to be a little bit weird. And when it comes to, if it does deal with a ransomware attack, the big boys, so Nick lock that reduces Locker, their help desk is amazing, better than some of the ones that are here. Like, if you have a problem with a SQL Server, obviously they've been in your environment, they've reconned your environment, and I've had them tell me ahead of time: you're going to have a hard time decrypting this SQL Server, use this instead of this, do it in this order. They'll guide you through the process, because they know one day you're going to sit up on stage and tell a bunch of people you don't know that this group has good customer service, which is totally ridiculous, but yeah.

And the way these threat groups are, and Shawn alluded to it, they're different organizations almost. You might have the main ransom group, who are the operators doing the infiltration and the exfiltration, and then they have some other group that they outsource their communications to. One of the areas, and I was surprised we didn't have much AI talk here today, but one of the places that ChatGPT is being used: everyone's afraid they're going to be crafting malware. No, they're using it to write better phishing emails; they're using it for negotiations so that you can't figure out what group they're a part of and where they're coming from. It's going to make our job a little bit more difficult moving forward, but those are the types of things that they're starting to use it for. Yeah.

So there's what's called the OFAC sanctions list. There are known threat actors, generally tied to terrorist groups or state-sponsored activities, so Russia, China, North Korea, that are known, that you cannot pay them; you legally cannot pay them. Outside of those groups, and that's why, whenever we do make a payment, we always collaborate with the FBI, we check the OFAC sanctions list, we work with breach counsel to also do those same checks. We have to make sure that they're not on that list, and then, if they're not, it's a business decision at that point. Will said these organizations have business plans. Like Conti, it's a known fact they migrated from ransomware to BECs, because with BECs you don't know who you're paying. They have fallback plans, and they kick in their playbook usually within 48 to 72 hours; they immediately migrated over. If you spend a lot of time on the dark web or use any cyber intelligence, like any threat intelligence platforms and stuff like that, you start seeing these people that you identify on some of these forums, that you're pretty sure who they're attached to, and you start realizing that the things they're talking about have just changed: hey, can you do this on Windows with a PowerShell script if I embed it in an email? Well, this guy works for accounting, why do they care about him? That's not their attack vector. So they change their tactics to mask, and then they'll rebrand, just like a lot of our companies do: rebrand and enter back in the industry under a whole other name. They'll change their ransomware payloads, they'll do those kinds of things, and that'll come back as a ransomware provider. I think after Conti got put on that list, about a month later there was a new group that came out called Monti; who could that have been? Yeah. Any other questions? I know we're a little over on time, but any other questions? Okay, well, thanks everyone, it was a pleasure speaking today, so thanks so much.