
White Phoenix: Beating Intermittent Encryption

BSides Dallas/Fort Worth · 36:34 · 76 views · Published 2024-01
About this talk
BSidesDFW 2023 Track 1 Session 2 - 04 Nov 2023 White Phoenix: Beating Intermittent Encryption This presentation explores the emerging trend of intermittent encryption in ransomware attacks. Intermittent encryption is a technique where only certain parts of targeted files are encrypted, allowing attackers to impact more files in less time. The flaws and vulnerabilities of this approach are analyzed, highlighting the potential for data recovery from the unencrypted parts of the files. Andy Thompson introduces White Phoenix, a tool developed to salvage content from intermittently encrypted files, and discusses its effectiveness against various ransomware groups. The focus is on BlackCat, a highly sophisticated ransomware group known for its configurable encryption modes. The presentation delves into the different encryption modes used by BlackCat and their implications for data recovery. Additionally, the speaker demonstrates how White Phoenix can recover data from encrypted PDF files and other file formats, such as Microsoft Office documents. The audience will gain insights into the file structures of encrypted files and learn about the techniques employed by White Phoenix to extract valuable information. The presentation concludes with a discussion on the broader implications of intermittent encryption and the potential for developing recovery tools for other file types. Attendees will leave with a deeper understanding of intermittent encryption and its implications for data recovery in ransomware attacks. @Andy_Thompson
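The description above is the page's own summary of the recovery idea: a partially encrypted PDF still contains whole, untouched objects, and a tool can carve those out and decode them. The following is an added, constructed illustration of that idea, not White Phoenix's code and not the speaker's. It builds a tiny PDF-like byte layout, overwrites two regions with pseudo-random bytes to stand in for chunks a ransomware would have encrypted (nothing is encrypted; it is plain overwriting), and then carves `stream`/`endstream` spans and keeps only those that still inflate cleanly. The sample texts, the damaged offsets and the names `build_sample_pdf`, `overwrite_region`, `carve_streams`, `recover_text` and `simulate` are all assumptions made for this example.

```python
"""Carve intact PDF stream objects out of a partially overwritten file.

Constructed demonstration: the sample bytes, the overwritten regions and all
function names are invented for this example and are not White Phoenix code.
"""
import random
import re
import zlib

# Constructed sample text for three PDF content streams (not from a real document).
SAMPLE_TEXTS = [
    b"Many showcase schools provide support.",
    b"Second page: intermittent encryption leaves whole objects untouched.",
    b"Third page: this object's dictionary is destroyed but its stream survives.",
]


def build_sample_pdf(texts=SAMPLE_TEXTS) -> bytes:
    """Build a minimal PDF-like layout: numbered objects, each wrapping a
    FlateDecode content stream. Enough structure to carve, not a full PDF."""
    out = b"%PDF-1.4\n"
    for num, text in enumerate(texts, start=1):
        content = b"BT /F1 12 Tf 72 700 Td (" + text + b") Tj ET"
        data = zlib.compress(content)
        out += b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(data))
        out += data + b"\nendstream\nendobj\n"
    return out + b"%%EOF\n"


def overwrite_region(data: bytes, start: int, length: int, seed: int = 7) -> bytes:
    """Replace data[start:start+length] with deterministic pseudo-random bytes.
    This stands in for a chunk that ransomware encrypted; nothing is encrypted here."""
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(length))
    return data[:start] + junk + data[start + length:]


# A stream body runs from "stream\n" to "\nendstream"; the lookbehind stops
# the "stream" inside "endstream" from starting a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Text-showing operator in a decoded content stream: (string) Tj
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj", re.DOTALL)


def carve_streams(data: bytes):
    """Locate every stream...endstream span, whether or not the object header
    and dictionary that owned it survived. Returns [(offset, raw_bytes), ...]."""
    return [(m.start(), m.group(1)) for m in STREAM_RE.finditer(data)]


def recover_text(data: bytes):
    """Inflate each carved stream and keep text only from streams that decode
    cleanly; a stream whose payload was overwritten fails zlib's checks.
    Returns (recovered_strings, offsets_of_damaged_streams)."""
    recovered, damaged = [], []
    for offset, raw in carve_streams(data):
        try:
            content = zlib.decompress(raw)
        except zlib.error:
            damaged.append(offset)
            continue
        recovered.extend(m.group(1).decode("latin-1") for m in TEXT_RE.finditer(content))
    return recovered, damaged


def simulate() -> dict:
    """Build the sample, damage two regions the way partial encryption would,
    and report what the carver gets back."""
    pdf = build_sample_pdf()
    # Region 1: the middle of object 2's compressed payload (keywords survive).
    obj2 = pdf.index(b"2 0 obj")
    payload2 = pdf.index(b"stream\n", obj2) + len(b"stream\n")
    damaged = overwrite_region(pdf, payload2 + 8, 12, seed=7)
    # Region 2: object 3's header and dictionary (payload survives, owner lost).
    obj3 = damaged.index(b"3 0 obj")
    stream3 = damaged.index(b"stream\n", obj3)
    damaged = overwrite_region(damaged, obj3, stream3 - obj3, seed=8)
    recovered, damaged_offsets = recover_text(damaged)
    return {
        "recovered": recovered,
        "damaged_streams": len(damaged_offsets),
        "object_headers_left": len(re.findall(rb"\d+ 0 obj", damaged)),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running `simulate()` gets back the first and third strings: object 2's keywords are intact but its payload no longer inflates, so it is reported as damaged rather than returned as garbage, while object 3 is recovered even though the header that named it is gone. That is the carving-and-validating pattern the talk describes; a real tool additionally has to handle other filters, image streams and cross-reference tables, which this example leaves out.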
Transcript [en]

Like I said

is one of the same. I do and represent a team of about three vulnerability researchers and malware reverse engineers. So we do all those applications, operating systems. Also, I do a lot of breach analysis and so we dug deep into the recent Okta. All the stuff that happened to MGM recently, very applicable to Andrew's last talk. His audio works correctly. I was watching my movie for like the 10th time. Anybody watch Office Space? Damn customers, so the engineer's skills. Can't you understand that? Yeah, that's what I do, folks. I take the really highly technical stuff, dumb it down to the level I can understand, and then I try to explain that to the executive board members and stuff. So that's what

I do for a living. News and podcasts and stuff. I also attend a lot of security conferences. So Black Hat Lash, RSA, Gartner, all that executive stuff. Also, I get to work and contribute to a lot of open source tools, which... show you today that I'm super excited about. Go through our agenda today. The first thing, probably something you already for many conferences, we're gonna go of ransomware, where it started. We'll touch on ransomware as a service, like Andrew was showing just earlier, and then we're gonna talk this new tech actors are using. This is a method called intermittent or partial encryption. The most of the larger malware groups are starting to incorporate, and I'm gonna tell you why these are

the guys Microsoft team. Yeah, we're gonna break these guys down and I'm gonna show you how and what they do. F files in particular. Me showing off the tool call. And I'm gonna show you how files that hopefully we can actually from these ransomware events. Then I'm gonna show you a different type of demo. Okay, it's something nobody's seen besides DFW. Nobody in the world has seen this demo. So, let's jump in and ransomware. All right, show of hands, or who knows, when was the first ransomware? So, internet. A gentleman by the name of Joseph P.

as part of the package materials for this AIDS conference, okay? It would have the AUTOEXEC file, lock the machine out. One check, $89 to the PC Cyborg. Obviously pretty easy to track. So, it's an Amsterdam. Track down this guy, Joseph, to trial for extortion. What's crazy about this, he found an incompetent for trial. So yeah, first instance of actual. So let's fast forward to the age of the internet. The different styles that. So the first one, style of ransomware. Very, very simple, folks. This is one of the very first ones. This is Winlock. Pop this script. This is porn, actually. Basically, scare you by showing you porn. For some of you, no. You just had to send a text message

for $10 and send you the code and you get your... And just boot yourself into safe mode. Fucking the first, like, generation of ransomware. Let's fast forward to mid-2020s here. Now, actual encryptors on the machine. Instead of just locking you out, one of the first ones here, GPS. it was actually more difficult to recover from these events. Alright, so decryption. So being types and styles of encryption. The first one was symmetric, or literally what I'm saying. That's what the symmetric. In this circumstance, RSA 1020 was strong, and that's how you would recover from these encryption events. This was when the concept of cryptocurrency and specifically this is all. So it's secure. It's somewhat instantaneous. Government or

Pseudo-anonymous. This is really why it was so attractive to ransomware. They're trailed. Because previously you were writing checks or sending gift cards, cryptocurrency to exchange this for extortion and ransomware. So huge proponent of cryptocurrency. If it wasn't for cryptocurrency, we would not have ransomware to this day. So you got your pros and cons. So let's fast forward. We're going to move to ransomware as a service. talk was all about from the perspective of Ransomware. Today's organizations, even smaller organizations, they outsource to SaaS services. So in the circumstance of MGM, the group that attacked them, Scattered Spider, they're a bunch of script kid 2 year old kids really. I can say that. Outsourced their technical negotiation process,

the link site on Tor, outsourced to these ransomware as a service people. All the resources the typical script kiddies and malicious actors can use. intelligent enough to create this, you just have to be malicious enough to spread it. And what's really crazy, Ransomware as a Service allows these sorts of Ransomware as a Service providers will target specifics. So there's certain actors that focus on, what's really scary is there's a lot, there's several that actually focus on SCADA, ICS environments. So that's really scary. warehouses and manufacturing, these are targets just as much as like enterprise corporations now. So now that we have ransomware as a service, we've got secure encryption, currency, this is kind of the new tactic that

we're seeing now. This is a double extortion and just the additional urgency. So what they're doing, they're not only, but they're also leaking the files to their Tor or Onion websites and shaming the people. So basically you get your files unencrypted, sure they don't get leaked out to them. So that's double extortion. Yes, triple extortion. Best examples was the Vastaamo moment. So the actors started targeting the victims, the patients of the clinic, so they were actually exposing their therapies. So you know, you talk, we're gonna link that. So it's absolutely going downstream. So fantastic. One of the things we do with DHA is called troll mode. So I love that. So again, just ask the

question. So again, like I said, hurting the reputational damage of these organizations.

So this is where triple extortion. So again, reputational damage, double and triple extortion. Yeah, it really, damage is done out. So let's fast forward and talk really, really scary stuff. Ransomwares in the wild today are really stepping up their game. We're gonna be talking, like I said, intermittent or partial. They do this is because it's fast. What actors do is they partially write. So instead of encrypting them, doing a whole lot of disk write, partially, parts of it. And so it goes, because it's going so fast, for the incident response. So it's faster, it does more. So again, more files. About this, which again is really, really scary disk. There's a lot of disk writing, all right?

So a lot of ER solution, the hard drive is really detected, right? So yeah, avoiding detection and also demonstrating a new, it changes the signature. You're absolutely, change the encoding or the encryption of the source code so you could read the variable. That would just stay in the same. Generous, crazy AI tools, the actual is actually changing. So this is kind of read a polymorphism. So yeah, it's not just the encryption or encoding, the actual code itself is changing. So like I said, it changes the signature. So many like AV tools, your print to determine if this file is malicious or not. If it's changing all the time, you can measure again. So this is why encryption is so freaking scary. Here's the biggest actors

in the industry today. Black Basta, Dark something, Black something. We'll get to that in a second. The biggest one in the industry right now is these guys are the worthy of the ransomware events. Hundreds and hundreds of victims on their website. So again, these guys are the most successful. They're the most sophisticated. We're going to show how they're sophisticated. And that's because of some switches and chains. Actually six different styles that this ALPHV BlackCat is capable of. Alright, so I mentioned a couple times MGM Resorts. This is like the Lex Underground said that the corporation was shut down by. Isn't that crazy? A bunch of script kiddies call this, social engineer them to buy pay.

They jump into the instance, jump into that, and just throw black. So being encrypted with Black Cat. System after system after system go down. So think about it. The booking systems, the hotel dinner reservation, the slot machines went down. My God, this is all because of this particular style of ransomware that we're going to be discussing. So this is where I'm going to try to keep people as I understand. So there's six different encryption modes. The first one, well, actually, let's jump into this. This is a file that you have on an operating system. It consists of the same, similar. And in this circumstance, rather than have partial encryption, we'll do it out in chunks. So you've got this chunk,

this chunk, this chunk. And so the way it works is it encrypts a portion. So let's go back and just kind of look at that for a second. You've got your header, multiple chunks. So that's why it's so much funnier.

So let's jump into. Remember what I said, partial part of the file configuration. The second style, just that, that's how they operate. So full encryption, it writes really hard. This encryption mode two writes really really, you recover from this. This is an encryption mode three, dot path. It takes the pattern and it takes 20 different chunks, okay? It doesn't matter the size, 20 chunks. This is surprisingly the fastest configuration. It doesn't care about that. Breaks that, it considers that part of the chunk, and then just, all right. Now the smart pattern, you have 20, 20 chunks, okay? And the smart pattern, you have as many chunks as you want. So you have your head chunks and, all right.

So now we have encryption mode again. This is the smart pattern. They take a step back, some encryption modes. This is the 20, this one's actually 10. It's been a long time since I've given this presentation. But yeah, 10 and then 20, the smart. Advanced smart path. This is again number of chunks. This is where the attacker can define the number themselves, if that makes sense. The sixth and most common is a combination. So files under 10 meg. Your medium sized files, 10 meg to 10. This is where that again advanced display. So the ransomware actor says I want five chunk files. This is where you use that super fast dot. So the large basher hopefully writes.

So now let's jump into for example actually looks like. So like I mentioned, your format is the same as most of the others. You have your header. All right, so we're going to focus on this, okay? So text, video, audio, there's different styles of objects. There's thousands of thousands of objects within. So you've got your object and all this encoded. We can start taking some text and it's fairly hard to, you can see this is an example of a simple text. All right, so take a look. This is an example, which I don't just suffice to say that we certain objects if they're exposed partially there's exposed Objects. All right, so that's where white Phoenix comes

in. So we wanted to change up the ashes. White Phoenix comes up. So Phoenix, see here, recovers data encryption. Primary supports PDFs, which is why I kind of dove into, because file formats like Office files, way certain, docket, PowerPoints and stuff, and they say exactly the circumstance. I thought to say somebody reached out to me. I was asking about that. So then we actually spent some cycles and actually were able, so yeah, Office file, PDF or visor files. So pretty cool stuff. So again, got your encryption potentially, so that's where Phoenix comes in. So here's my, so up here, files. This is the PDF using as our demo here. So take a look at this rather large 374 page PDF. Now let's kick

off Black Cat. We'll specify our decryption key. We're going to walk down just one folder here. So watch this. It goes from PDF. All right, now it's encrypted. So I'm just going to rename it. Spoiler, no, you can't. So we'll click it. It's correct. So now let's specify the folder. Watch what it does. Go down the screen. All the objects with So let's do its thing. Once it finds the objects, it tries to read images, text, video, these sorts of things from that. Once it finds it, decodes it, it writes it. So now that it's done these images, you have all this text. Take a look here. Many showcase schools provide support. Many showcase schools provide support. Text. An image here of a

child on a laptop. Scroll up. You've got a child. Pretty cool, right? So that is our Linux demo. But wait.

I'm sorry, the live demo. You're supposed to provide a sacrifice to the live demo gods before the demo here. Stand by, folks. This is my virtual desktop here. Don't look. They gave me a VM because they don't trust me with it running on my own machine. Why don't we go full screen, buddy? Come on. Let's try one more time. So, I want to show you this. I, guys, am a pretty dumb guy. I like the time. So, what this is, we created our own website that allows for you to upload will decrypt it on the back end. So file here, let's see, encrypted dotting. I'm sure that I'm not a robot, which is still, all right. Did I miss any more motorcycles, folks? All

right, let's see. I swear that was it. Come on. God, this is so tedious. This is what you get for live demos, folks. All right, so let's separate the files. Why not, right? I don't know what this is. All right, so, oh, email field is empty. This is a cool thing. We that information, just marketing made us. So we'd rather respect your privacy. So, take a look at what it does. The 30. These are Israelis that write this, not me. They don't know English as well as we do, but you know. Take a look, there's a capitalization error. Yeah, what, question? Yeah, okay, so like I said, when intermittent or partial encryption works, it's partially

writing. So when you're partially writing, there's certain parts of that that are potentially recoverable. And so if you know how to potentially read those portions of unencrypted... And so... What the hell? So let's take a look at what we got inside our zip file. And if you guys have any questions at all, I've heard in cats and stuff, so come flag me. We're happy to chat with you. Alright, so we've got a ton of text. We've got some images. Let's take a look at some of these images here. I was really hoping to rig roll you all. So yeah, we were able to recover some images. So... So this just goes to show that in

the event of a ransomware, you know, you have the potential to recover some data without having to restore from backup, pay the ransom. So yeah, now you see my joke here. Intermittent encryption is partial encryption. There are parts of, like I said, the way the files are in blocks of text that you can potentially recover. And so that's what White Phoenix does. You run it from the shell, you run it from the website, When you are encrypted, you don't have to lose hope. There are ways to actually recover. So if you want to learn more about this, you actually can in formatting and stuff. Ari Novick wrote this whole thing, and he's an incredibly smart guy. And so if you want

to download the Kick the Tires, we do have the GitHub repo. Stay tuned because, like I said, that website that I showed you. So hold your horses, all right? So my part of the presentation. Questions? Like I said, now is a good time because we've got to fill some space. Bob, what do you got?

Well, that's partially where, this is partially where it works. Because what it will do is it reads the whole file, whether it's encrypted, whether it's partially or dot patterned. You don't have to do that because the application does that thing. And it will encryption method and then attempt to recover. Yes. What's the minimal and maximum percentage? It's the quintessential IT response. Does anybody? That's right. So what we've seen mostly is what I showed you in the, configuration six pattern. That's usually the easiest, most fast method to get by. The way she's given a really good, do I really, how much time do I have? So I've been going like 30 minutes. But anyway, my point

is, is that most often what we're seeing in the wild is that smart configuration mode. So files under 10 meg, fully encrypted. 10 to 10 gig, that's where it does the smart pattern. And anything over 10 gigs uses that dot pattern. Does the application White Phoenix... Any more questions?

Oh, so as far as in success stories? Alright, so this is... So we actually have... ...called a research evangelist that, you know, shares this sort of stuff with you. Pissed me off, folks. Okay, Dallas, Fort Worth. Do y'all remember when Dallas got hit by ransomware? That was the plain ransomware. You know what they do? Partial freaking encryption. Alright, I read... Crickets. Didn't hear anything. So... this is why I'm here is to get more people to adopt this, learn about this style of encryption and hopefully recover because there really aren't a whole lot of people using it. Yes, you can get parts of VMs, but you can't get the VMs. So it's kind of crappy as far as the capabilities from the ESXi perspective.

So there's limited functionality in the ESXi. We haven't, I only learned about that like three days ago. So I don't particularly know the recovery capacity of that. So stay tuned. Hit me up sometime. We can talk on like X, is that what they call it now? I'm still calling it Twitter, but they made me change that. But I don't know how much it's actually an ESXi file, but the researcher was super excited about it. Yes. It would be great if because of the fact that there's parsed that we don't, chunks of cover. So I can imagine spitballing right here that potentially we could have like chunks of a file that is like encrypted, can't read

it when I don't know something. So no, I totally know what you're saying. Yeah. Knate those text files into a single show which parts are could be readable. Dude, this is an open source project. Why don't you take that on? Let's work on it together. So this is something about open source, folks. It doesn't just have to be of Israeli researchers on this. This is a community project. So if you want to contribute to this, if you want to start can that master recover document. Let's party, folks. I have a question. Anybody too shy to ask a question? That's okay. I'm an expert in cats and stuff, so chill-out room, that's over in the back. That's where the chill-out room is. There's

coffee for around the corner. There's hardware hacking.