
The Invisible War: A Look at the Ransomware Battle

BSides Huntsville · 2021 · 45:26 · 25 views · Published 2021-02 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
The use of ransomware has taken organizations by surprise. While most organizations have dedicated staff to minimize and reduce the attack surface for such threats, the malware is still successful. Once infected, the attack has huge impacts on an organization's business and its ability to operate. In some cases, organizations pay the fee to return their systems to normal. In other cases, organizations take to remediating the attack by restoring backups or seeking to reverse the encryption used through internal means. In this talk, we will dive into the ransomware pandemic and its effect on organizations. Additionally, we will look at defensive measures an organization can take to limit its chances of becoming a statistic and the headline on the evening news.
Transcript [en]

...go to those things that they have in place for recovery, ransomware authors likely would have already attacked that and/or minimized it. Okay, so let's take a trip back down memory lane. Memory lane in the sense of: we recognize this is 2021; we didn't just wake up yesterday and all of a sudden there's a ransomware attack. So where did this all really start? Well, the first instantiation of ransomware was the AIDS attack. This was back in 1989 by Dr. Joseph Popp, right, and it was really based upon hiding, misleading people into thinking that what he was presenting was truly what it was, and it turned out to be something else. And what that was talking about was the AIDS pandemic. There were about 20,000 copies of a floppy disk that contained a survey talking about information about AIDS and what have you. Now, upon the 90th reboot with this floppy drive, it then replaced the autoexec.bat, and while it's not being used in modern versions of Windows, that's Vista and newer, the autoexec.bat essentially at the time was used for startup programs and trying to depict which order that programs or files were actually located. So how this ransomware worked is it essentially hid the directories, renamed files on the C drive, so that way when the autoexec got back, you can almost think of it as kind of like an index, in some respect it couldn't find them, thus the ransomware was actually in play. Now at the time they termed the fee a license fee, and it was either $189 or $378, but as we look at technology at the time, they wanted you to send this to a P.O. box in Panama and it wanted to be a cashier's check or international money order, right? So automatically we see that for that time a P.O. box probably made sense, a cashier's check certainly makes sense, but we may not see that type of tactic being used today. Now this guy was ultimately arrested in the United Kingdom and he tried to claim that the money that he got from it was going to be used for AIDS research, which it was not. So while minute in nature, this was the first instance of ransomware.

And then as we moved on, we had cryptocurrency. And again, we're not talking about everything that ever happened, but just kind of hitting some big gates here. Cryptocurrency kind of came to light around 2008, and that's when, you know, we started hearing about Bitcoin, and although not everybody fully knew about it then, as you know now, what's significant about Bitcoin is it's anonymous, it's secure, it's not regulated. It has all the ingredients for extortion of sorts. So guess what? We started to see people wanting to leverage that in some respect. So that brings us to Reveton. Reveton was first seen in 2012 and it exploited a vulnerability in the browser, and when it did so it presented a page which made you feel like it was legit. So in this case this is showing like the FBI Crime Center, a cyber crime division rather, and is telling you, you know, you've done all these things and all the other stuff, right? And in some cases people are like, holy crap, I messed up, because typically this ransomware operated based upon a vulnerability in their browser but redirected from adult sites. So if somebody, you know, felt like they wasn't really supposed to be there and now they're getting this FBI cyber crime division thing, they just wanted it to go away very quickly. So this ransomware requested a payment of $300, and at the time it was a money card that it wanted. So to try to instill fear in the user, it actually tried to impersonate law enforcement, it locked the user out of the system, and then guess what? Later on within the ransomware, it also tried to steal passwords and what have you. Now this was all easy to remove once you fully understood it; it was simply a registry key that could be removed. But again, when we talk about lockers versus crypto, if you will, this was one of those lockers where we're just trying to prevent you from actually accessing it. And guess what? There's multiple versions of it. So here's another one: NSA internet surveillance program, right, PRISM if you will. Again, trying to instill fear in the user so that way they feel inclined to pay the ransom.

Okay, we had CryptoLocker in 2013, and this one typically spread through email and it sought to encrypt user files. There were about 70 types that it actually looked for, and this was kind of where we started to see the first instantiation of using crypto, or crypters if you will, for locking access to files, and at the time it was 2048. Now it used a DGA in the sense of who it talked back to or where you should send stuff, and at the time 250,000 is who it affected, and that was large in scale, and even today in some respect that could be considered large. Now this thing propagated over the Gameover Zeus botnet, but it was taken down just about a year or some change later by the DOJ, and those keys were recovered. But we notice that this one is starting to talk about Bitcoin. Bitcoin: we'll start to see that common theme throughout.

2014, we've seen TorrentLocker. This was mainly in Australia and New Zealand, but it spread also through email. It sought to harvest email contacts, if you will, on a system which it was infecting, so then it would look to propagate to people on your contact list. Up front it also looked to get rid of those volume shadow copies, so even when you realized that the system was being encrypted, your initial source of backup was already going to be removed. At the time it demanded $500 in Bitcoin, but guess what, it had to be paid within three days, and each person received something different. So we start to see a little bit more customization in this.

TeslaCrypt, 2015. Common theme: email, vulnerable servers. This one, 185 extension types, which is over double from the previous one. This one also sought to go after files or items that were linked to games. So if you were a PC gamer, again, if I'm writing ransomware and I'm encrypting files on your system, I want to encrypt the things that render your system inoperable; I want to encrypt the data that's most important to you. And in this case, if I'm on a PC in which somebody's playing PC games, if I can affect that data, that may be the very thing that they most care about. This ran some $550 in Bitcoins, and guess what, if you didn't pay, it was going to increase to almost double that, a little over double that, after a week. Now in 2016 they moved on; they decommissioned, suspected they just went on and worked on different variants of ransomware, but an actual key was released of sorts from those people. But it's kind of interesting where people are doing this for financial gain, and as they work on different projects we see stuff like this, where like, hey, we don't even want to manage this anymore, we're going to go ahead and give everybody their information to get their data back, but essentially have no fear, we're working on other stuff, so I'm sure we'll meet again.

All right, so we've seen Locky in 2016. This is where we started to see Office products being used, and what's interesting here is that when you look at the snippet there, or the screenshot, we see in red text "enable macro if the encoding is incorrect", right? This is one of those things where even if you had your system set up to where macros was disabled by default, they just put some googly garbage there to make it look like it's almost encrypted, and the reason why it's not showing in the correct sense is because macros is disabled, and if it can get you, the user, client side to actually enable macros, then the code that's underlying within that docx can actually execute. All right, again, they're looking for the user to actually interact with it, and they weren't getting a lot of people at the time, right? So this was distributed via a botnet, at the time over 5 million devices. Now what's interesting is it did not affect Russian machines, based upon the language pack. So if you're doing some form of analysis, if it's affecting every other language but it seeks to not affect a specific language, then that leads you to believe, or leads you to think, a particular place of origin. The ransom, 5,000 or 10,000, it varied a little bit. But what's very interesting is that this specifically targeted users unknowing how macros and how the Office products work, so even when defenses are in play, hey, go ahead and allow us in, right? And a lot of people were victims of this. All right, so when we look at this timeline: it's going to spread through an email, hey, I'm going to send you a document; the person is going to open that thing; the person is going to be tricked to open or enable macros; a binary is going to actually be downloaded, right, because within that Office document it's essentially code for a downloader, and once that macro is enabled then it's going to actually download the payload, the payload being a ransomware, and then we're going to actually encrypt the machine. Okay, so we see the ransom letter that's rendered for it. Very interesting: ransomware is going to give you some form of a letter. They're almost entertaining in some respect.

All right, so Petya, 2016. This one sought to rewrite the master boot record, right? So when it initially affected the machine, it infected the MBR, it forced the reboot, and then it triggered essentially the MFT being encrypted. As it was doing the encrypting after the reboot, it had a fake check disk that was running, making the user feel like it was doing some form of repair to the machine because something happened, but instead it was actually encrypting the master file table. So this blocked access to the whole entire machine, not just specific files on the disk as previous ransomware had done. The ransom in this case was roughly about $300, and it certainly varied. And looking at the target list, or who was affected most, we see Ukraine was affected substantially more than everybody else. Won't go into a history lesson about kind of what was going on during that time, but this is certainly interesting.

All right, so we had WannaCry come in 2017. This was super huge and will forever go down in history, much like a lot of other ransomware attacks, but propagated via an SMB exploit, so EternalBlue, and I think we've got a slide actually coming up about it a little bit. But that's how it propagated throughout systems, using SMBv1 and an exploit or vulnerability within it, and we're talking billions of dollars in damages, primarily Windows 7. Luckily there was a researcher who was doing analysis of the code, realized that there was a kill switch domain in the code, and then when he registered it, we were able, or the world was able, to kind of neutralize that attack. But this kind of goes down in history as the biggest outbreak in history when it comes to ransomware. Again, what's interesting: the price. Hey, I want you to pay and I want you to hurry up and do it now. So if you take advantage of the introductory price, if you will, $300, but if you don't take advantage of it, six hundred dollars within three days. So again, the quicker they can get people to pay, the better for the ransomware authors, right? The longer people have to think about it, the more options they start to realize they might have, right? So if I can impede on your thoughts and your feelings, getting you to making a knee-jerk reaction to go ahead and pay and get this over with, the better. I'm almost making you, or they're almost making you, feel like you're getting a break. All right, pay me now, $300; if you don't pay me now, it's gonna go up.

All right, so WannaCry, breaking it down. MS17-010 is EternalBlue. So taking advantage of SMBv1, they're able to access the machine. They set up a fake process, this fake process downloads a number of other things, and then essentially the data on the machine is going to be encrypted; it's going to end in .WNCRY, for one. Primarily, what's really significant here is this SMB vulnerability was huge, and it's still huge in my opinion. So combining the payload, the ransomware, with that delivery mechanism allowed it to just go out and hit machines, as opposed to emailing it, right, and waiting on people to open the email, execute the thing that's attached there, or navigate out to the link. This was essentially scan and exploit, if you will. So that's what enabled it to be a substantially large intrusion.

All right, so Ryuk, seen in 2018, still very prevalent today. Targets organizations with critical assets, because again, if it's a critical asset, you're not going to want to leave it offline for a period of time, and they want to be able to impede on that. Because it's critical, there's a high likelihood that you're going to pay it. So the ransom is somewhere between 100k to 500k, and the delivery is going to be through phishing, Emotet, TrickBot. Emotet, TrickBot, you typically see those together, and we're talking about downloaders and trojans that were essentially a repurpose of malware. All right, when we see Ryuk, Emotet, TrickBot, it's typically done in the fashion of an assembly line, right? So there's people who might be using Emotet to gain access. Once that access is given, it's passed over to another group of people who might be using TrickBot to do expansion, lateral movement, and then they're going to utilize TrickBot to actually download Ryuk, right? So very criminal focused, very criminal in nature. And this actually kind of depicts that: phishing email, some form of Office document, PowerShell is gonna go out, of course, download Emotet. Emotet is a stage one downloader, is then going to do a number of things, but largely is going to grab TrickBot. TrickBot, that's going to set the stage for Ryuk and that communication back to the C2 server. Ryuk is going to be that payload. So we see a daisy chain of sorts, and likely, highly likely, not one entity that's doing all three parts of this; highly likely it's a multi-tiered entity where it's like an assembly line. Now there was an intrusion that I was responding to; actually this whole scenario kind of played out, and we've seen where Emotet, TrickBot, Ryuk within an hour to two they've encrypted a large portion of an enterprise. But in the instance which I responded to, they were still in the aspect of trying to laterally move, but they had not executed the Ryuk payload. They certainly had dropped TrickBot, but not executed the Ryuk payload, so the organization actually got pretty lucky in that respect.

All right, Maze ransomware, first seen last year, excuse me, the year before last, 2019. Emails, exploit kits, post-compromise. It's targeting nearly every sector of the industry. What's interesting about this is they've taken shaming an organization to a new level. These actors maintain a public-facing website, and you're either going to pay the ransom and get the key to get your data back, or they've already stolen the data and then they're going to release that data for people who don't want to pay. So you're either going to pay and they may give your data back and really assure your data, or you're not going to pay and then we're just going to essentially blackmail, shame you, what have you, right? This is taking ransomware to a whole new level.

All right, now while we talked about a number of ransomware variants from 1989 up to present, we just don't have enough time to talk to them all. There's always a new variant coming out, there's always, you know, an instantiation of something being built, right? So when we look at how many variations are there, there's a lot. So back to really the talk. The talk again, Invisible War, we're looking at the ransomware battle. What's war versus battle, all that good stuff? Well, I look at what Webster says. Webster says war, essentially engaging in the war, is a verb; they talk from a noun perspective: a state of armed conflict between different nations or states or different groups within a nation or state. When we look at battle: fight or struggle tenaciously to obtain, achieve or resist something; now, a sustained fight between large organized armed forces. Now while these aren't necessarily, these ransomware authors, they're not necessarily armed in the sense of kinetic weapons as we would see it, they're armed in the sense of malicious code, and the people that they're attacking are now being succumbed to that, and they're being forced into a long-term war and in some cases individual battles. And this, as you see, 1989 to the present, has substantially just grown and it continues to get worse and worse. For every new technology we have, digital technology then becomes another instance in which somebody could have used it and take control of it. So knowing that we're engaged in conflict: every day I go to work, I'm trying to defend my organization, just like as you go to work you're trying to defend your organization. In some cases we'll work together to defend against the actors.

What does this really mean for us? What are these numbers? Well, from the FBI we see this: 2015, as far back as I can go for the FBI, 8,000 complaints with nearly 275 million in losses. All right, and then we just fast forward to 2019: 467,000 complaints with nearly 3.5 billion in losses. Now their 2020 report hasn't come out yet; it typically comes out around the middle to the end of February, but if I were a betting person, I would bet that that number would not have decreased but instead increased, based upon what I've seen, or what we're all seeing, from 2015 to 2019. Here's some more staggering numbers from Sophos from the perspective of 2020 numbers. So when surveying 5,000 cyber professionals, 51% of them were hit with ransomware. 51% of 5,000 cyber professionals who were surveyed were hit with ransomware. Wow. 35% of those businesses, right, it took them seven days or more to regain access. Interesting. The average cost on a business: 133,000. Now depending on what organization you work for, that may or may not hurt, and I shouldn't say it may not hurt, because it's going to hurt in some respect. There's some organizations that cannot, they don't have that, and that will essentially take them under. Phishing emails from 2017 have increased by 109%, and it's only going to continue to increase. And of all the malware attacks, 56% of them, over half, were based on ransomware. 99% of ransoms were paid in Bitcoin. Now this is all based upon what we know, because not every organization is just running to the mill to publicly release that, one, they were hit with ransomware, and two, what the ransom was, and really, three, whether they paid it or not.

All right, so here's some more stuff. The average incident took about 9.6 days. Now in cases where people paid the ransom, the decrypter was supplied 94% of the time. 94% of the time. You mean to tell me somebody infiltrated my network, encrypted my data, we made a conscious decision to pay the ransom so we can get the data back, and six percent of the time we didn't even get the decrypter? What are you gonna do about it, right? Further, data successfully recovered 91% of the time, excuse my double "duh" there, when they decrypted it. So we have people who paid the ransom, got a decrypter, and then of those people, 91% of the time the decrypter worked. You're not gonna go back to them and be like, hey man, I tried it, it didn't work, can you give me some more screenshots, can you RDP in and walk me through this process, right? So you're already playing with fire from the minute somebody gains that access. And there is a new organization that falls victim to ransomware every 13 seconds, right? And as I talk about, not everybody's running to the front of the line, we're trying to get on the evening news to tell us about the ransomware attack; less than 25 percent of people actually report them above, you know, regulatory guidance or what they have, reporting requirements, right, in the sense of openly coming out and saying it.

All right, so when we look at United States industries, and we're just talking a little bit from 2020, we're talking 966 organizations; 11.7% of those were state and municipal governments and agencies, 79% were healthcare providers. Healthcare. Why healthcare? Let me think about healthcare at large: people are probably going to die. Okay, yeah, that's all I can really think about from that perspective, and then when I think about it from 2020, we're already dealing with this pandemic, right? So that's targeted infrastructure. 9.3% of them were universities, colleges, school districts. That's minute when I think about healthcare. Now the outcomes: substantial. Emergency patients had to be redirected to hospitals. I don't know about you, I look at the news and it seems like every night I'm hearing no more emergency rooms here, we're going to lose out, we got a couple of beds left here, and then we're dealing with stuff like ransomware when that comes into play. Holy crap. Medical records were inaccessible, in some cases permanently lost. Surgical procedures were cancelled. 9-1-1 services interrupted. Badge scanners and building access ceased to work. Schools could not access data about students' medications or allergies. That is cold-blooded. But from a person whose main purpose is financial gain, criminal financial gain, they care less about it; that seems more like a you problem versus a them problem.

Let's look at a particular, a couple of instances. So from state governments we have Tillamook County in Oregon, January 2020, ransom of $300,000, they paid it; it affected all their internal systems. San Miguel County, New Mexico, in February, $250,000, they paid it; affected their networking and their backup servers. City of Florence, Alabama, ransom of $378,000; they negotiated it down to 291. Listen to that: $378,000, they negotiated down to 291. Either way, that attacker is winning. What was the effect, what was affected, right? The city email system was shut down. Recovery costs and loss of business, although they negotiated down to $291,000, exceeded $17 million. Exceeded $17 million, right? City of Lafayette, for $45,000, they paid it. They failed to recover using their backups. I explicitly say that because they initially did not want to pay it and they tried to recover, but this goes back to just good old IT: when I'm doing backups, we probably need to make sure backups actually work; we need to probably make sure that, although we think we're doing backups, that backups are actually done, right? All those basic hygiene type stuff were failed in this case. The attacker didn't even try to delete the backups, because they did not have backups. They were a little bit in a pickle and they were forced to kind of do this. This affected city email and phone services. Huntsville, right, I don't know what the ransom was; affected schools around the city, all right, compromised various data. All right, this is big; this is hitting right there at home for you guys. Hall County, Georgia, unknown ransom; the ransom disabled databases with voter registration information, right? Again, you just gotta hit a person or an entity at such a time where it's a no-fail mission or their bottom dollar, the bottom business objective, is on the line, right? You're taking advantage of people's misfortunes, and that's what ransomware is all about.

All right, so still looking at some examples. Here's some private sector, healthcare, some education, and this isn't necessarily just the US. So we have Travelex. This actually started in December 2019 and kind of just took the toll to April. So ransomware of 2.3, they ended up paying that; that was not the initial ransom, this is what they negotiated it down to. Currency exchange was crippled, so again, talk about forcing people and forcing their arm. Now the result of this is they were forced to cut over a thousand jobs, right, following the incident. But I guess they're surviving; I don't get to see all their internal stuff, but certainly it affected them if they had to turn around and cut jobs. So we have a law firm, initial ransom of 21 million, right? We got all these lawyers and they're talking about law and ethics and everything else. Meanwhile they're like standing strong, so the ransomware attackers, guess what, they said "cool story bro, I'm gonna raise it to 42,000." I don't actually know if they paid or not, but the actors, the ransomware actors, still trying to force the law firm's hand, released data about celebrities that this law firm was caring for or representing. We have Columbia College, unknown ransom amount, right; this actor was going to sell students' information on the dark web. Nobody wants that. University of Utah, $457,000, they paid it. It affected two percent of their systems, but $457,000, and the school, and I'll misquote them here, but they said something to the nature that while two percent is small, they went ahead and paid it because they didn't want to stretch it out and they didn't want to take the chance of other things happening. That's an interesting approach. I'm bleeding on my hand a little bit and I don't know if I'm going to die, so I'm just going to go ahead and cut the hand off, or attend to the hand. And not saying that's wrong; every organization has to make those decisions. I don't envy them, and this is what we publicly know, not necessarily what is fully true in nature. Then we have a university hospital, I didn't get the location, in Germany. I don't even know what this ransom amount is, but it affected 30 servers, crashed systems. The hospital was forced to turn patients away, and as they did so, en route to another hospital, a patient actually ended up dying. Actually ended up dying, right? So when we talk about, and they expressed a little bit of remorse, but when we talk about ransomware and people not really caring, it's all about financial gain, we see it in play.

Okay, so you may be listening and you're like, man, this is bad, ransomware is bad, but I wish I had the skills to develop it. And if that's you, okay, there's other people out there for sure, and for those people there's this: there's ransomware for the less skilled, right? So there's open source ransomware, essentially, that you could fork and actually download and use, and then there's ransomware as a service. So we have stuff like Philadelphia, where they actually have a YouTube video. We have GandCrab, which was substantial; they have since kind of died off. We have NetWalker, who has ads for specific skill sets, almost like you're managing a data center and you need, you know, maybe a person who does servers, you need a DevOps person, you need a net engineer, if you will. They have ads out there for specific skill sets for different parts of the intrusion vector, or the intrusion phase if you will, for ransomware. That's interesting. Then you have Satan, right? So Satan's kind of like a choose-your-adventure when it comes to ransomware. So you can pick the amount, you can put your Bitcoin address in, and you can talk about a number of other things, but hey, guess what, because that UI is being provided to you, the authors of the program, platform if you will, they get to keep 30% right off the rip, right? So again, ransomware is so accessible now.

Thus far we've been really talking about it from a Windows perspective. From a Windows perspective, so you're like, man, I use Mac, I'm a Mac fanboy, and that's okay, I'm actually on a Mac right now, so, you know, stay strong. But it isn't just a Windows problem, right? We're incorrect in that. So here's some other quick examples of ransomware for other platforms. So there's Linux.Encoder, which kind of targets web servers, and they charge one Bitcoin per file. As we know, when we look at web servers, traditionally it's going to be some form of *nix. From a Mac perspective there is Patcher; this seems to mask itself as a patch for popular applications; the ransomware is like three hundred dollars. And then there's KeRanger; this is baked into an infected version of Transmission. You think Transmission is kind of like a peer-to-peer; they actually compromised this certificate, so they were actually able to sign their compromised version based upon that stolen certificate. There's iOS ransomware, which isn't really true ransomware, but it certainly meets the intent based upon the definition, and this locks your phone based upon compromised credentials for your iCloud. Your SimpleLocker, that essentially encrypts your mobile device, because we know at the core what the Android operating system is, and this is going to communicate to some C2 via Tor services, so essentially go through Tor.

Now if that's not enough for you, right, and you want a little bit more, there's this: there's ransomware of the future, the Internet of Things. Everything is plugged up, everything has a presence on the interwebs, and while it provides some level of convenience, it doesn't necessarily provide the same level of security, right? And also when you look at things like intrusion detection systems or IPSs, how often are you actually seeing that traffic, are you regulating? How often, when you're patching your operating system, are you even looking for patches for some of these IoT things? Are you using IoT things that are even still supported by the company? All right, and if somebody was poking at it, would you be able to see it? Now this is what makes IoT awesome, right, because as we look at this, we're talking pacemakers, insulin pumps, automobiles, your house, everything. This is an awesome attack surface to then be able to pivot. So within DEF CON 24, the future of ransomware is really now, because this is happening now, right? DEF CON 24, somebody was able to compromise a thermostat, right, and they presented a message; they were essentially locking it out until that ransomware was paid. They were also able to affect and change the temperature. Now this was all at DEF CON, kind of know what happens there, but this is not so uncommon where it's a one-off instance, right? Then we have stuff like this: we have smart TVs; the underlying OS, if you will, is Android. So somebody was able to actually compromise an LG TV, present a ransomware message, blocking them, locking them from actually accessing their TV as is. The ransomware was for $500. People who were infected were trying to reach out to LG for assistance. LG is like, hey, I can help you, but it's going to cost you $340 before we give you the reset steps. So you're sitting here like, I can pay the $500 or I can pay LG $340 to then get the reset steps. And if you're using an LG TV, you're probably like, why would you even charge me, LG? I'm just not going to go and use you anymore. So guess what happened? LG actually provided those reset steps so that way people didn't have to worry about it; they knew they were gonna start to lose customers. All right, and then we have a pentester at Avast that actually was able to gain access to a coffee maker. Now some of the effects that could trigger: the coffee maker to turn on the burner, okay, it's a little bit scary; dispense water; spin the bean grinder repeatedly, right, nobody wants to hear that; and they could display a ransomware message. Essentially, to stop this, they had to unplug it. Now you can barely see it there, but essentially it's saying, hey, you want your machine back, here's a big link for you to go to, and then from there it would have instructions on how to actually regain access to the machine.

All right, so when we talk about the future of ransomware, we see a couple things happening. Now the use of IoT is only going to continue to grow. By 2025 we see those numbers substantially larger in some respect, and we can continue to see them grow. We are in a digital age where everything needs to be plugged up for accessibility, convenience, you have it, and the targeting of those machines is only going to get worse, specifically when they provide some high-level form of function in an organization or have some form of data that affects people's lives or their bottom dollar. Now, not even talking about it from a ransomware perspective, there's also the aspect of gaining access to an IoT and then pivoting into an internal network or other aspects of the network. So IoT at large is kind of concerning for those two reasons.

All right, so now if you're like, man, this is a lot: I've seen Windows, I've seen *nix, seen a number of things, IoT, holy crap, we're screwed. We're not really screwed, right? We do have to go through the five stages of ransomware, all right, if you're hit with it. So the first one is denial, right? You're in denial that you were actually even a victim of ransomware, and then once you've come to grips with that, then there's anger, right? You're pissed that you were even succumbed to that, and then you start to realize, okay, well, being mad is not gonna help me get my data back, if you will, so I need to figure out how to do that, and you want to bargain, right, with the individuals, or figure out how to do that. And if that doesn't work, or even if that does work, there's still depression that sinks in, because now you're trying to worry about the business, you're worried about your job, or even if you didn't actually get the data back, all those things are hugely important. And even if you did get the data back, people are certainly going to have questions into your security posture of how that happened. Okay, and at some

point you're just going to accept it and um largely pay that that fee or not pay that fee all right so here's some mitigation techniques um from our friends at the fbi and scissor and largely speaking they're not things that we haven't heard of um they make sense but largely people don't do the most common things and this is why we find ourselves in positions we find ourselves in so we want to be able to take regular backups we don't want to store those backups on the same network in which we're backing up we absolutely want to test the backups to make sure that they actually work we want to not click links that we don't know about i know we

all know that if we're in this profession it's us trying to prevent um people with our organization who don't necessarily um know that or can't see the signs so we want to be able to filter or identify when such things have happened we want to ensure that uh if you're using on-prem services that you you have some form of defense and depth that gets a little bit crazier when we're talking about the cloud but we want to look at application control least privilege all of those things that make it a little bit more difficult even if somebody did click a link for malicious code or malicious logic to actually execute we'll want to prevent people

from reusing passwords or even just changing it from password01 to password02 we want to largely enforce it to be a lot stronger than what it is and and rotate those things quite often now when we look at keeping our operating systems up to date we want to do this from a trusted source do validation and we don't want this to be a manual process uh because that induces human error and in some cases humans just decide not to do it okay from a mitigation detection standpoint we've got a couple of things that are out there there's no before no before it's a free ransomware simulator for windows 7 and newer and you can download this executed on

your machine and based upon the security posture of your machine it will come back um with a number of scenarios and tell you how many files would have been encrypted had it been malware um and then give you some recommendations of it so there's nothing better from a simulation standpoint than this and at the time of this uh this recording if you will this this presentation 16 scenarios so they continuously are trying to add to it then there's no more ransom this helps with the identifica identification of ransomware not all the time when we're hit with ransomware uh does the ransom note say hey we're uh you know john bob or whatever or would this

or even looking at the extension for the encrypted file to be able to tell so no more ransom helps with that identification and in some cases there's decryptors they have roughly 120 or so decrypters uh that are available and this is maintained by over 100 entities so while i might be um in the military and you know there might be certain people who might target the military there might be other organizations that target other aspects of the government or other industries but largely speaking when we come together we can um combat this together all right so we also have id ransomware it helps with the identification of ransomware just like the previous one and they have roughly 800 ransomware

variants there is vaccine that that when we run vaccine it will actually look for indications of people trying to delete the volume shadow copy which is http of ransomware and when it does that it looks for the parent process and it terminates right so we're essentially uh twerking the ransomware attack in some respect a part of it by using vaccine now vaccine intercepts that but if we're legitimately trying to do something with the volume shadow copy it could mistake us as somebody who's trying to attack it and we need it to be running to then be able to to do that interception but it is a tool a capability to help us in our endeavors and it's

free it's a really good product project as well all right so when we look at the pyramid of pain we know when we're trying to do things based upon hashes those are trivial right iop addresses those are easy for an attacker or an actor to change but the ttps of how they actually do things that's tough that's tough for a person to change that's a genetic makeup that's a mindset that has to shift all right so that's where we want to attack it and the best way we can start to do that is to utilize some form of an attack chain and understand how these ransomware variants work and seek to get ahead of them to change their ttp's

all right so we can use something that's very simple as this or we just do something a little bit larger but largely speaking they're going to all need to have some form of initial access that may be hard for us to really get ahead of we do know at some point they're going to want to spread laterally why because they're not necessarily just trying to um special use cases trying to uh encrypt one system but really a subset or an enterprise of systems all right so as we as we bring it to a close here um here's some reasons why you should pay well the fbi has gone on record and said it is the easiest path to

recover essentially to pay uh you could get your files back and i put a maybe in there because recall when we talked about that percentage uh in the 90s in which it actually worked but there was still about less than 10 percent that it did not work for and in some cases it could be cheaper in the long run than what it would be to rebuild infrastructure bring in people investigative stuff um cost to the business right so a couple of reasons why we should actually pay now conversely here's some stuff or here's some reasons why we should not pay sizza and fbi clearly say no right yes the fbi clearly said yes it is

the easiest path on the previous slide but fbi has also clearly said no so there's some uh some contradiction if you will and it seems cheaper but it really is not depending on the business and not really depending on the business brother um disclosure is not cheap right there's a target on your back you pay once you'll probably pay again um when when when you're hit with rent somewhere that doesn't actually tell you how somebody got in there so if you don't ever plug those holes you still become a victim later on and because you paid once um somebody's gonna come back to you there's no guarantee that you're even gonna get your files back

we talked about this with that decrypter um not working or even them not providing that ransomware key and at large the big reason is because the criminals they're going to win right we're feeding into what they're actually so uh that brings me to the end uh i appreciate your time i'm fernando tomlinson and this presentation is at my website as listed there uh i i do do some development um although we didn't really talk about any of my development in this presentation but if you're interested in that i'm a big person on github and if you want to connect with me like-minded and just want to converse i'm on twittersphere so with that i'll pause for questions if there's no

questions then i'll uh pass it back over to the moderator
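The shadow-copy interception the speaker describes (spot a process deleting Volume Shadow Copies, walk up to its parent, terminate the parent, and accept that a legitimate VSS operation can trip the same rule) can be shown as a log-side detection. The example below is added here and is neither the speaker's code nor Raccine's: Raccine hooks vssadmin.exe on the endpoint, whereas this block runs over process-creation events in the shape of Sysmon Event ID 1 fields. The event records, process names, PIDs and the backup agent path are all constructed for the example, and the pattern list is an assumption about which recovery-inhibition commands to watch (the TTP, not a hash or an IP, per the pyramid of pain).

```python
"""Flag shadow-copy tampering in process-creation events and name the parent to kill.

Added example, not the speaker's or Raccine's code. Event records below are
constructed by hand (Sysmon Event ID 1 style: ProcessId, ParentProcessId,
Image, CommandLine); they are not real logs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Assumed list of commonly abused recovery-inhibition commands. These are
# TTP-level patterns: the actor must change how they work to evade them.
TAMPERING_PATTERNS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I), "wbadmin delete"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I), "bcdedit recoveryenabled no"),
    (re.compile(r"win32_shadowcopy.*(?:remove-wmiobject|\.delete\(\))", re.I), "WMI Win32_ShadowCopy delete"),
]


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    technique: str
    child: ProcessEvent
    parent: Optional[ProcessEvent]
    suppressed: bool  # parent image is on the allowlist (legitimate VSS use)


def classify(cmdline: str) -> Optional[str]:
    """Return the matching technique name, or None for a benign command line."""
    for pattern, name in TAMPERING_PATTERNS:
        if pattern.search(cmdline):
            return name
    return None


def detect_shadow_copy_tampering(events: Iterable[ProcessEvent],
                                 allowlisted_parents: Sequence[str] = ()) -> List[Alert]:
    """Match each event's command line and resolve its parent from the same batch.

    The allowlist mirrors the caveat from the talk: a backup agent legitimately
    pruning shadow copies looks exactly like the attack, so its alerts are kept
    but marked suppressed instead of triggering a kill.
    """
    by_pid = {e.pid: e for e in events}
    allow = {p.lower() for p in allowlisted_parents}
    alerts = []
    for event in events:
        technique = classify(event.cmdline)
        if technique is None:
            continue
        parent = by_pid.get(event.ppid)
        suppressed = parent is not None and parent.image.lower() in allow
        alerts.append(Alert(technique, event, parent, suppressed))
    return alerts


def parents_to_terminate(alerts: Iterable[Alert]) -> List[int]:
    """PIDs a Raccine-style responder would kill: parents of unsuppressed alerts."""
    return sorted({a.parent.pid for a in alerts if a.parent is not None and not a.suppressed})


# Constructed sample batch: a benign admin check, a dropper inhibiting recovery
# three different ways, and a backup agent doing housekeeping.
SAMPLE_EVENTS = [
    ProcessEvent(1200, 800, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(1300, 1200, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
    ProcessEvent(3988, 2700, r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "invoice.exe"),
    ProcessEvent(4100, 3988, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(4108, 3988, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent(4112, 3988, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent(5000, 900, r"C:\Program Files\ExampleBackup\agent.exe", "agent.exe --nightly"),
    ProcessEvent(5010, 5000, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /for=D: /oldest"),
]
ALLOWLISTED_PARENTS = (r"C:\Program Files\ExampleBackup\agent.exe",)


if __name__ == "__main__":
    found = detect_shadow_copy_tampering(SAMPLE_EVENTS, ALLOWLISTED_PARENTS)
    for a in found:
        parent = a.parent.image if a.parent else "<unknown>"
        state = "suppressed" if a.suppressed else "TERMINATE PARENT"
        print(f"{a.technique:28} pid={a.child.pid} parent={parent} [{state}]")
    print("kill:", parents_to_terminate(found))
```

Two design points worth noting. The allowlist keys on the parent image path, which is the weakest part of the scheme: anything that can run as, or inject into, the backup agent inherits its pass, so in practice the suppression should be as narrow as possible and the suppressed alerts still logged. And because the match is on the command line rather than on the binary, the same rule fires whether vssadmin.exe is launched from cmd.exe, from a PowerShell one-liner, or from a copied and renamed dropper, which is the point of detecting at the TTP level.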
