
The Current State Of Ransomware

BSides Munich, 28:24, published 2023-10

Thank you very much for the introduction. Welcome to my talk. I hope everybody had a good and refreshing lunch break, so you're strengthened for the crisis that just happened. As you can see, BSides Munich has been hacked, and the hackers want US$250,000 in ransom to not publish the data of BSides Munich. But fortunately this is not real. But let's see how we got to this place where we are now.

Let's do a quick overview of the malware history. Quick show of hands: who of you remembers this one? Yes, of course, this was 2000, the year 2000: the I Love You worm. It was written by a Philippine computer science student, just a Visual Basic script in an attachment of an email which, once opened, would send itself to everybody in your Outlook address book and thus spread around the world. This one was not created to make any money off it; this one was created out of pure curiosity. And curiosity was also what drove the security researchers during that time. They were very eager to hunt and find new pieces of malware to analyze. But this quickly turned around: the hunters became the prey, and the malware is ever increasing and getting more dangerous and more complex every day.

Fast forward to the year 2017, to the most prominent ransomware sample here. This scary red box appeared on many screens, and it demanded US$300 of ransom. This is called the WannaCry ransomware. It was based on a zero-day exploit that was stolen from the NSA by the Shadow Brokers hacker group and published to the internet. Microsoft released a patch for the vulnerability, but not everybody reacted and applied the patch. It was 59 days between the patch and the outbreak of WannaCry, so nearly two months where everybody could have reacted. But nowadays the attacks are getting even faster and quicker; the ransomware gangs are moving quicker and quicker every day.

Fast forward to this year, the MOVEit case. I'm not going into any technical details here; I just want to show you how fast the ransomware gangs are acting now. On the last of May a patch was released by the vendor to fix this vulnerability, but later, after forensics of affected systems, we found out that at least four days before, the ransom gangs were already attacking and exploiting this vulnerability to steal data from the companies.

But let's take a look now at who these ransom gangs are and how they are operating. They are highly capable organized crime gangs which have developed a ransomware-as-a-service business model. Imagine it like your favorite cloud provider, where you just rent software as a service or infrastructure as a service and you pay per minute or per gigabyte. You can now rent ransomware as a service, and these gangs act like huge tech companies: they have leaders, they have developers, they have system administrators, they have negotiators, they have help desks, even HR departments, and you can rent all you need for a ransom attack from them. And all they ask for is a share of your profits, usually around 20%. This is an example of the now inactive Conti group that shows this share splitting. It's even fully automated into their Bitcoin wallets: when the victim paid the 22 Bitcoin ransom, it was automatically split up 20/80, 20% for the ransomware gang, 80% for the individual affiliate that did the hack.

But who are these affiliates, and how do they work together with the ransomware gangs? This is a recruitment post from AvosLocker. They're looking for partnerships for their locker, and look what they offer: they support Windows, Linux, ESXi; they assist you in negotiations; the builds are configurable; and they even provide you with storage for the data that you steal from the victims. I especially want to point out the last two points: DoS attacks and calling services. Nowadays in ransomware we speak of a quadruple extortion scheme, meaning the people now have four different ways to extort money from their victims. The first one is the one they started with, encryption: they encrypt your data, you don't have access anymore, you can't work anymore, that's why you have to pay. But nowadays people have learned to do their backups and can recover from this very quickly. That's when they started with the second extortion mechanism, exfiltration: they now steal your data and want to publish it on the dark net if you don't pay. The third lever they have to extort money from you is they will send you DoS attacks, effectively hindering you in the successful rebuilding of your infrastructure. And the fourth one they now recently announced, but fortunately I haven't seen that in a real case (if you have seen it, come and see me, I want to hear the story): they call your customers and tell them "hey, company XYZ has lost your data, we hacked them", they call your competitors and offer to sell the data to them.

This is pretty interesting. Let's look at some other examples. This picture was placed on the wallpapers of a victim's computers, saying "yeah, your data has been stolen and encrypted, but would you like to earn millions of dollars? Come work for us. All we need is just some credentials, or you just need to open an attachment to an email, simple as that, and you can earn a lot of money."

Then let's look at another example, of the LockBit group. They have really extensive documentation on how to become an affiliate and how to act as an affiliate. They want you to deposit one Bitcoin in their wallet as a kind of advance payment for renting the ransomware services. They want to see your profiles on hacker forums, they want to see proof of previous work, and they want you to show the balance of your cryptocurrency. LockBit also has really high quality requirements for themselves. They want to improve, they want to be the best. How does that show? You're allowed to work for other gangs on the side, but they ask you to report it, and they want to know what you like better from the other gangs so that they can implement it and get better in their ransomware offering. They even have rules for their affiliates; maybe you've heard of them. You're not allowed to attack hospitals, except for plastic surgery. You're not allowed to attack schools, except for major universities. And I want to point out an interesting wording choice here: they're not talking about attacks, they're talking about surprise audits. So they don't see themselves as hackers; they're surprise auditors or surprise pentesters. Another fact: you're not allowed to attack critical infrastructure. Well, you are, but you're not allowed to encrypt critical infrastructure; you're more than welcome to steal data from critical infrastructure. And even if you're unsure if something is critical infrastructure, ask your help desk, they will help you decide if you're allowed to attack. Next thing is you're not allowed to attack post-Soviet countries, because that's where most of the people that develop it and work with them come from. That's something you see at almost every gang, and they really mean it, they're really sincere about that. We can see that in one example: sickkids.ca, a children's hospital that was recently hacked by a LockBit affiliate. "We formally apologize for the attack on sickkids.ca and give back the decryptor for free. The partner who attacked the hospital violated our rules, is blocked, and is no longer part of the affiliate program." So they hold their rules up.

We've just seen four examples of ransomware gangs with a ransomware-as-a-service offering, but there are so many gangs that somebody even built a magic quadrant with all the big names on there: Conti, Clop, DoppelPaymer, Black Basta, just to name a few.

But let's see a real-life incident now. I've pieced a real-life incident together from beginning to end; I took some examples from various real incidents, so please keep that in mind when the ransom varies or the designs vary. It always starts with the initial compromise, and I don't need to tell you how many vectors of initial compromise there are: email attachment, USB stick, something is always happening. But the important thing here is: this one happens weeks or even months before an encryption. Then they move around your network, discover different hosts, escalate their privileges to administrators, something you could have noticed. Then they look for interesting data in your network and steal it and exfiltrate it to one of their servers, something you should also notice. I mean, look at the graph, pretty obvious something is going on here that may not be wanted. But you didn't. It's Friday night, 9:00 p.m., you're having a lovely dinner with your family, you have really good pizza, nice atmosphere, your phone rings, a colleague sends you a screenshot. If you see something like this, it's too late: your data is encrypted and you have a huge crisis at hand now. All the file types have changed, there's a recover.txt file telling you what happened. This txt file is a so-called ransom note; that's where the attackers say "hey, this happened, we encrypted all the files with a strong algorithm, do not reset or shut down, and here's some information on how to contact us". This information is usually via email, Tox chat, or nowadays even an interactive web page. Now if you open the web page, you're greeted with this: a US$14 million ransom. But don't worry, it's only $9 million if you pay within 7 days, you get a discount. There are even instructions on how to get the cryptocurrency, there's a live chat for support and negotiations, and there's a trial decryptor so that they can prove that they can decrypt your data. But it's not always as professional as that. Sometimes the first-level agent that you speak to on this chat doesn't even know who he's talking to, and he asks you to please introduce yourself, because they don't even know who they're talking to.

Why should you communicate? This is the point where the communication or negotiation starts. There are many reasons why you should negotiate. First of all, it is to get some valuable information: you need to know what data they have stolen and how critical that data is. And also it's a good point to start talking to them to buy you some time and goodwill for recovery or whatever happens when you rebuild your infrastructure. First thing after that is you usually ask for proof for your data, so you want the attackers to tell you "this is the data we have", and you usually get it: they provide a file list listing all the data that they have stolen from you. But sometimes it's different: "yet we cannot provide, the person who has access to data does not contact for the reasons unknown to us, but it already was, I think will appear in the nearest future". This is the first-level guy: "can you send files for test interpretation, did you estimate masshtaba, how to you". This became a running gag in our office: "did you estimate masshtaba". Anybody here knows what masshtaba means? Okay, took us a while to figure out, it's Bulgarian for scale or impact.

Let's look at this post from vx-underground. Why is stuff like that happening? They asked the LockBit group why there are fewer victim postings on their blog recently, and they responded they're currently on their holiday, enjoying nice summer weather or something like that. In other words, it's a real quote from a recent case: "make a decision faster, our team is going on vacation".

Another example from the negotiation where you can really see the first-level and the back-end guys working together. We asked for the ransom demand and he just asked his back-end bro how to decrypt and how much. The back-end guy responded with a rather extensive message like "yeah, we're sorry to attack your company, we want to solve this case, please buy half a million US dollars of Ethereum, and here's some test passwords to show that we actually have the ability to decrypt you". What do you think the first-level guy is now doing? He's waiting for two days to forward it and just forwards it with one comment, "I have reply". Very professional.

Another negotiation example: you can't pay that much amount of money and you give them a counteroffer of a little less, but the attackers did not like that: "our analytical department analyzed your financial documents and appointed the amount of money you're able to pay without any problem". And this is kind of the scariest part right here: they know exactly how much money they can ask from me; they know exactly where the pain tolerance is for what you can afford. Sometimes it's also like this: "your order is very little business, we don't care much". And here again you see the wording choice: it's not an attack, it's an order; you ordered a surprise pentest, remember? But sometimes there are also easy cases where they just want 0.16 Bitcoin, so 44,000. This is usually where your incident responder tells you "yeah, just go pay that guy, get the decryptor, it's much cheaper than anything we can do". But the case is not over here. Remember, they hacked you. Even if you pay this ransom and you restore all your files, you still have to find the initial hole and fix it, because otherwise someone else will come in and encrypt you again for maybe a bit more than that.

What also do you get when you pay? You get a really extensive penetration report of what happened: "yeah, we sent you an email with an exploit, was opened by user, Citrix username password, CVE, local administrator, BloodHound, and found login data for domain admin". They found passwords for different resources like backups, Mimikatz, RDP, and the KeePass, and they got access to your antivirus server. And there are even some recommendations on what to fix going forward: download daily updates, install Kaspersky antivirus, and change all the important passwords once a month. It's pretty good, right? Pretty good penetration test. You even get a list of servers that were infected, so they know your infrastructure better than yourself. And the last thing they provide is a proof of deletion. They will use SDelete and send you, one or two days later, the deletion logs. What do you think of it? Do you believe it? Would you go to your customers and guarantee them that none of their data will ever be leaked from this? Can you trust the criminals? It's a hard decision to make. At this point the case is closed for the ransoming: they've got their money, they deleted the data, nothing more to do. The only thing is for you to rebuild your infrastructure, your business, and the trust of your customers and your business partners.

So let's next look at some points and what we can do to avoid this from happening. We have two sides: we have preventive measures and reactive measures. Of course you should patch all your systems. Even though I showed you before an example where patching would not have helped, patching is still a really important thing. You should patch regularly, patch quick, patch your systems, close the holes. Harden your infrastructure. I guess everybody knows at least one of those: CIS benchmarks, Microsoft security baselines, or the Active Directory tiered administration model. Implement it, make it as hard as possible for the attackers to laterally move in your infrastructure or even get into your infrastructure. Especially for Active Directory I want to point out a really good tool, and if you only take one thing away from today, I want it to be this: PingCastle is an auditing tool for Active Directory. It will give you within one or two minutes a really extensive report about the security configuration in your Active Directory. There are lots of recommendations in there that will help you make your domain more secure. Another thing is be prepared for the emergency. Nowadays it's not about if a cyber attack will happen, but rather when will it happen, so plan accordingly. What can you do if all your systems are down? How do you reach your employees, or at least your IT employees? Make a plan, make it available offline, important because when everything is down, if you pulled all the cables, there's nothing more you can do.

Backups. This is kind of a really complicated topic in a ransomware scenario. I want you to critically think about if your backup is secure from ransomware. Can someone in your network with domain admin privileges delete your backup? Because attackers will have domain admin privileges at some point. If any part of your backup infrastructure is connected to your Active Directory, it's lost in a ransom attack and will help you nothing. But also, backup will not save you. Backup will help you restore the files, but what state of backup can you restore? You want to restore yesterday's backup? Remember, they're already in your infrastructure for a week or months even, so when you restore yesterday's backups, you will also restore the access for the ransomware guys. That's why I always say you need a lot of visibility into your network. Visibility will help you on both sides: preventive, to see the lateral movement, to see the initial compromise, but also it will help you to figure out when things have gone south, when it all started, when they came in, what's the last clean state of your infrastructure.

I hope I gave you a good overview of how the current situation is, and you got thinking about some strategies on how to avoid this. If you have any more questions, feel free to contact me or maybe find me later in the afternoon, or right now. Thank you very much.

Sebastian, thank you very much for the very interesting and very entertaining talk. Questions from the audience?

Okay, thanks. Thank you for the great talk, it was really interesting. My question is: have you seen cases where a ransomware attack, you know, a big noisy kind of attack, was used as a cover to put something more stealthy by an advanced attacker? Thank you.

Not yet. Those are usually different groups. So you were rather saying something like industrial espionage, I guess, something more stealthy? No, because the ransomware gangs just want their money. It's a very interesting point, but we haven't seen something like that.

Okay, there's one more. Two quick questions in one, but short ones. In terms of threat actors, ransomware as a service, has it, let's say, helped the democratization of cyber crime, in the sense that it is easier now than, let's say, 5 years ago?

Yes, definitely. It's basically in the dark net: you can buy initial access, you can buy VPNs or someone who already has a foothold in a network, and then you just need to buy the ransomware and deploy it. Yes, it really made it easier.

And the second question you already spoiled, about a quick comment about the access brokers. Yeah, exactly, the access brokers.

Yeah, short one. First, thank you for a great talk. Quick question: you mentioned the proof of deletion. What I didn't quite get is, is that something that you have to pay extra, or is it usually included?

No, it's included.

Because you mentioned the question whether you would trust that, but if it's included, obviously you don't trust it, but it's not really a choice, you're going to get it, and I mean that's all you can do at that point, right?

Exactly. They stole your data, they have it lying around at some server, and you just get, I mean, the tool that they offered is like SDelete from the Sysinternals suite, and you just get a log file that says "this has been deleted", but it's not your infrastructure.

This is more like maybe a legal question than technical, but in some countries there are laws that forbid companies from sending money to those cyber terrorists. So do you have experience in what companies can do or would do in such situations where the only option is backup, maybe the backup is already rigged, so is there anything that they can do?

I'm not a lawyer, but yes, you're absolutely right. This falls under the financing of criminal organizations, and there are sanctions in the US and so on and so on, and unfortuna