
Good afternoon, welcome to the 13:30 track. We have our speakers Sam and Bobby with the title "Unveiling the Latest Ransomware Threat." Sam is a security researcher and Bobby is a principal researcher.
All righty, hello everyone. So today we're going to be talking about a new ransomware group called Fog ransomware. But before we get started, like you said, my name is Sam Meyers. I'm a security researcher at Beasley Security. In my free time I run a nonprofit called Clear Search, which is a CTI empowerment nonprofit where we give a giant data lake to researchers to help them do their research.

And I'm Bobby. I'm the principal security researcher on the Beasley Security team. My background is mostly in malware analysis, but I also work in the SOC a lot.

All right, so this is going to be the agenda. We're going to talk a little bit about Fog ransomware as a whole, the locker itself and a little bit of analysis, TTPs and IOCs, Akira and Fog and how they kind of overlap, and then just some closing thoughts.

So Fog ransomware began at the beginning of May 2024, to about mid-2024. So far, as of 10/22, there were 32 publicly known companies that were attacked, via their leak site. The main target is the US; there are a couple of others you see, Canada, Australia, but they are mainly targeting the US. Before we came on stage I realized that there were a lot more hits,
so I needed to update my slides, so now there are 40 as of 10/25, still US, growing a little bit more in percentage. And then I lied again: as of the 30th there are 45. So within a week they hit about, I don't know, I think 13 companies, and the percentage in the US went up 10%. So they are very much targeting the US.

And then I love looking at the industries. This is what they claim. It's really a disgusting graph, but these are the industries they claim when they post a company, so there is a lot of overlap and it doesn't really make a lot of sense. I've condensed it a lot. They're mainly targeting education. The first articles that came out about this were very much education-based, that's what everyone was saying. We're seeing more of a trend now towards manufacturers: as of the last couple of hits, a lot of manufacturing in different industries, not one specific kind of manufacturer. But there are plenty of other industries, like food and beverage and services, that are getting hit as well.

So now I'm going to talk a little bit about the kill chain, about how we came across Fog in one of the IRs we had for Fog ransomware. So we have the threat actor, and what they did was
they used compromised VPN credentials. Usually they get those either from an info stealer, buying them off the info stealers, or they brute-force them, if your VPN credentials are very [weak]. After that they use a technique called pass the hash, which they use to gain administrator account control and then establish RDP to a Windows server. After that they use RDP, SMB and PsExec to spread throughout the network and discover what else is there. Then they disable Windows Defender, because they don't want Windows Defender to recognize the ransomware. They download the ransomware and they deploy it. They use a PowerShell script, and it pretty much encrypts hypervisors' .vmdk files, which are virtual machine disk files, deletes Veeam backup storage, encrypts both local and shared network drives, and removes Volume Shadow Copies.

Okay, and I'm going to speak to you a little bit about the locker analysis. So within the context of ransomware, whenever we talk about a locker, the locker is the actual file that does all the encryption of your valuable data. So whenever a hacker breaks into your network and is able to spread around all over the place, what they'll then do, after they turn off your defenses, is bring the locker program in, deploy it everywhere, and then drop
the ransom notes. And as we mentioned, we started our following of Fog because of an incident case. An IR team that we support had a Fog case and they reached out to us. They were like, hey, we've never heard of this ransomware group before, what do you guys know about them? And when we did our Googling we were like, there's nothing known about these guys, they're brand new, there's no information, nothing. So we had to quickly figure out a way to start tracking these guys and learn about their operations and everything. So this talk is a little bit about how we built that process.

Soon after the case happened, a company called Arctic Wolf released a blog about Fog, and it's a pretty good blog. It had a lot of good, thorough information on their operations and they listed a lot of samples. Unfortunately for us, of all the samples that they had, there was only one publicly available on VirusTotal, which doesn't help us very much because we need a lot of samples to study. But you know, we'll take what we get. So we grabbed the sample, and the first thing we took a look at was: do other researchers recognize this as Fog, or do
they know that this is a Fog ransomware sample? The way that you can see that in VirusTotal is: are any AV companies tagging this with Fog ransomware? A good thing was, we found that about a month after Fog debuted, people were already starting to tag them as Fog, which is helpful for us because then we can go in VirusTotal and search on that tag and find more samples to study. So we did that and we found seven more samples.

Okay, so this graph is a little weird looking, I know. Basically what I'm showing you here is that between May and now we've been able to find, spoiler alert, about 20 samples of Fog. That's it, which is weird, because with most other ransomware operators there are a lot of samples out there because they're operating a lot. But Fog is really quiet. We don't know why, but they don't operate a lot. You know, groups like RansomHub and LockBit, you'll see waves where there'll be like 30 infections in a weekend or something, but with Fog there'll be nothing for about two or three weeks and then there'll be like seven cases. It's a very low cadence, but they're there. And again, this talk, my section, will be how we got from seven samples to here.

Okay, so the first thing we needed to do
was to look statically at the samples to see if there's anything that you could notice about them on the surface to do searches with. The article that Arctic Wolf wrote about them describes this system they have within Fog, its debug log system. Basically what happens is, when you're an affiliate and you download the sample to a target network that you've broken into, if the Fog sample isn't working right, if it's breaking or whatever, there are helpful little debug log statements that they put on the system for the operators. And the weird thing is, they didn't try to hide any of the logging statements, so you can just search samples for those logging statements. So we did that.

The other thing we did is we checked its behavior, the way it behaves in a sandbox, because you can search on those in VirusTotal too. This is a section of code from Fog. I know you probably can't read it; it's not that important really. All you've got to know is, on the right side, what's happening is at the top Fog starts running, it unpacks its internal configuration, it reads it so it knows where it needs to go and what it needs to do. It's got its keys in there and everything, and then it starts doing bad stuff. On the right side there it will start killing services, killing processes, all that kind of stuff. On the left side, what we found out is that for Fog, when you're running it, if you don't pass it any parameters it just exits out. So on any given sandbox, if the sandbox doesn't know to pass it parameters, you won't see it acting like ransomware, like on VirusTotal. But what is helpful is that even though it won't do anything ransom-wise, it won't encrypt any files, it will drop that debug log file. So that's a good indicator you can search behaviorally, and it makes for a good threat hunt and for a good search
indicator in VirusTotal. So with our static search on the left side and our dynamic search on the right side, we built those into searches in VirusTotal and we got up to about 19 samples. So, pretty good.

I want to dive into one of the samples that we found that was actually an interesting case. One of the samples that turns up when you search for Fog on behaviors is this ZIP file. The ZIP file has a Fog locker inside of it, and it's next to a bunch of other weird stuff. You'll see FireEye, which is a security product, but then you also see things like Code Sector and Aquarius Backup. Those are actually file transfer utilities and backup utilities, and that's common for ransomware actors. What they'll usually do is, when they get onto your network, they'll want to take as much data as they can and then exfiltrate it and bring it to their attack servers so they can double extort. What they'll do is deploy the ransomware and then say, you need to pay us this ransom money and we'll unlock the stuff for you. And then after you do that they may also say, you need to also pay us this ransom, or else we're going to leak the data that we stole from you. So what you're looking at here is basically the threat actor's
toolset that was captured. You also see an NTUSER.DAT file. I'm not a pentester, but I took a class once and I think I learned that the NTUSER file has recon information in it; you can use it to enumerate and look at information about users on a target system. The other thing that we found: they install in the Start menu something called Advanced IP Scanner. The reason that piqued my interest is because when you read the Arctic Wolf article, they mention a tool that they use called Advanced Port Scanner. This thing is named almost the same, and when you look at the web pages for both those products they look the same. So this is really starting to look like a case file for an IR case for a Fog infection. It's basically the digital equivalent of a crime scene, right?

And then within VirusTotal, this thing was uploaded from Brazil on 7/26. Now what's very interesting about that is that we've been tracking the cases for Fog, at least the ones that have been publicly reported, and there are none from Brazil. The other thing too is that the name of the ZIP file matches a company that is a software services company in Brazil. So we're pretty sure this is the case file for a Fog infection case that ended up
not being public. So we didn't want to dig too deep into it, because this is someone's private data, but anyway, interesting finding, right?

Okay, so we still needed to really deep dive into the samples and see if we could figure out more about the sample itself at a code level, at a binary level. I apologize, but it's about to get nerdy in here. Okay, so we started off with the seven samples that we had. Now there's a really cool feature in VirusTotal that my colleague Sam showed me: you can go to VirusTotal and say, here's seven samples, can you show me the similarities across all seven? And it will try to do things like, it'll say, hey, here's a pattern of bytes that shows up in four of the samples, or here's a pattern of bytes that shows up in five of the samples. What was really cool is that it showed us, for these seven Fog samples, here are nine byte patterns that show up in all seven samples. Very, super interesting for us. And I'm sorry, for these slides I'm not about to draw 120 arrows and circles going everywhere, but you can kind of imagine what that graph was supposed to look like, right? Every one of those byte patterns showed up in every single one of the samples. So they're important, right? So we needed to understand what those byte patterns were.

When we looked at them, some of them are not important. Some of them are just strings, some of them are data structures that are not actual code. But four of them were code, and the interesting thing about those four bits of code is they always showed up really close together, and again, they were in every single Fog sample that we were looking at. So we're like, well, this is code and it's in every single sample, so it's probably important. Let's make a signature and see what happens, right? We also needed to go into that code and see what it was actually doing. So it turns out, in any given Fog sample there's a section
of code here, and it's the same code that I was showing earlier. This is the code that starts the program, unpacks its internal configuration, reads its configuration, and then starts doing bad stuff. That part where it's unpacking the configuration, it's not too complicated, it looks like this, and there's a section of code that looks like that, and that is where those four shared code bytes are. So those four bits of shared code have to do with unpacking its internal configuration, and that's important code for any given ransomware sample, right? The configuration is what tells the ransomware sample: here's your encryption key for how to lock all the files, here are the files that I want you to target, here's the file extension I want you to leave once you've encrypted a piece of data, right?

And so we made a signature out of that and we tested it out, and to our delight it fires only on the executable files, which is good. It shows that the signature is effective: it fires on all the Fog samples that we know about, and it doesn't fire on anything else, so the signature is safe; it doesn't produce any false positives. Now, what this means is that this signature that we made out
of those four byte patterns can basically function as a fingerprint, right? You can use that to identify, hey, this is definitely a Fog sample. And then something really weird showed up when we ran it in VirusTotal: it pulled up one more sample that was named unlocker.out. So whenever you get ransomed, what will happen is your files will get encrypted, a note will get dropped, and then the operators will say, all right, we've locked all your stuff, give us some Bitcoin and then we'll unlock it for you. If you pay, usually what will happen is they'll send you either the unlocker file itself, or they'll have someone run it for you to unlock your data. And this signature pulled up an unlocker.

We were wondering why we didn't see it earlier in our searches. It turns out that the unlocker has the same debug log functionality, but it has fewer debug log statements, so we had set a threshold of 60 earlier; that's why we didn't see it in the previous search. Also, behavior-wise, it drops that debug log that the other samples do, but it prepends the word "unlocker" to the front of it. That's why it didn't show up in the other search, the dynamic search, but the fingerprint signature worked for it. The other thing that's interesting too is that other AV companies, when they look at this sample, the unlocker, they flag it as malicious but they don't flag it as Fog. So right now we're the only ones that are recognizing it as a Fog sample, so we're excited about that.

Okay, and then that fingerprint, what's neat about it is that it's still catching stuff. A week ago it caught another unlocker, and there's some information from it here: it was uploaded from Ireland, and again, we're watching the leak sites and there are no reported sites from Ireland. So this is another unreported case. Likely what
happened is they paid the ransom, got their unlocker, and they never showed up on the leak site. So it's a good way to monitor.

Okay, so we have a process now. We've got a way to look for new Fog samples, find new samples that are showing up, understand them, all that kind of stuff. The case that we worked actually also had a Linux sample in it, which is very interesting too, and that Linux sample ransomed an ESXi server, which can be really scary if you're in IT, because ESXi servers are typically what you're running all your VMs on. So usually what happens is an ESXi server will have like a web server on it, a file server, and all other kinds of servers. Well, ransomware operators have figured out the value of that kind of server, and now what they'll do is get on that server and ransom all your VMs on it. And so we had a sample of that type of locker.

Okay, so as a review, the way that we're going to approach the Linux sample is going to be similar: are any AVs tagging it? Is there anything static about it that we can use to find more of them? Is there dynamic behavior that we can search on
and write signatures for? And then, is there any way we can write a code-level fingerprint signature against them?

Okay, so with the Linux sample, again, luckily a couple of AV companies were tagging it as Fog, so that's good. Unfortunately, when we ran the search we only got four samples, and that's all we can find so far. So there's not a whole lot known about the Linux capabilities of Fog ransomware. It has debug log strings in it as well, but there are not a whole lot of them, and when we wrote signatures based on that it only found those four; it didn't find any more. For behavior, the Linux sample has even less behavior in a sandbox than the Windows sample does, and we found out it's because there's an embedded password inside the Linux sample. If you don't pass it the right password it just shuts off. And even though it does have a debug log, it does not drop the debug log; its default behavior is to log to the terminal, not drop a file. So there's no behavior to look for whenever you're threat hunting for a sample, if it hasn't been executed. So we had to study a little bit more about it and figure out if there's a better way to understand these samples. Yeah, so this shows where it's only logging to the terminal and not to a file.

Okay, so now, because I couldn't find much from signature analysis or from static analysis and dynamic analysis, I had to again do the binary dive. So we started off with the same thing: we asked VirusTotal, hey, can you show us similarities between all these three samples? And it gave us 20 patterns that showed up in all three. So I was like, oh, awesome. But when I went in and looked at them, none of them were code, it was all data. So there was no shared code between the three samples, at least none
that was easily viewable by static analysis. So I had to basically throw all that away, and I kind of freaked out a little bit, because I only have three samples right now and we need to understand this Linux ransomware. But it's okay, right? F it, we're going to do it live. We're just going to take these samples, we're going to toss them into IDA, we're going to put on our big boy pants and analyze it and see if we can come away with understanding, right?

Okay, and thankfully, again, they don't try to hide too much of how they operate. Funny enough, with Linux utilities, a lot of times if you just run the utility but you don't pass anything, it'll give you usage strings, and the Fog sample does the same thing. If you run the Fog sample it will tell you, hey, you didn't give me enough parameters, here are the parameters you're supposed to give. And it shows you what the functionality of Fog's Linux sample is. Funny enough too, it also gives you build data. The Fog creators built it right into the command line: they'll tell you when that build was built, and it's helpful for us for tracking the growth of samples and the change of samples too.

Also built within there were the embedded ESXi commands that it's going to use to do recon. You can see there it's going to run esxcli storage filesystem; these are basically how it's going to do recon on your system before it starts ransoming everything. And these are indicators you can build threat hunts on, knowing that these commands will be run by a Fog Linux sample. Also, we found within there the list of targeted file types. These are all the file extensions that Fog will try to ransom if it's executed. And then, while digging around, there was one section that was interesting, so
you'll see here "set in code position." This is a section of code where, once it finds an interesting file that it wants to ransom, it will set a position in the file and then it runs this little loop. This little loop is basically pulling in a bunch of bytes, shifting them, and then writing them out to the file again. That's where all the shifting is happening. And so, because all the samples had that little loop, I was like, well, maybe that will work as a fingerprint signature as well. So we tried that and it pulled up another unlocker, this time the Linux unlocker, which was kind of cool. That's a nice finding.

So we needed to study why all four Linux samples had that specific loop in them that does a bunch of byte mess-ups, right? And this loop exists within the function that encrypts your files, so it has something to do with that. I need to go into a little bit of how ransomware authors use keys, right? So, public key cryptography: basically what happens is, to encrypt stuff with public key, you've got a private key and a public key. You encrypt with your private key, you send out your public key, and people can decrypt things with the public key. Ransomware authors, the way that they'll use it is, when they are getting ready to ransom a target they'll set up the unlocker with the private key. They'll send the locker over to you, the operators run it on your stuff using the public key, and they will encrypt all your stuff. You then have to send them Bitcoin, and what they will then do is, if you pay, they will run the unlocker on your system to unlock your files, and everything's good.

The reason that's done is because in this stage right here, once they've locked your files, there's a chance that some researchers can look at the algorithm you used to encrypt your files and just reverse it and unlock all your stuff. That's a lot harder if you're using proper public key cryptography. And it's interesting that ransomware operators use this in their software, because it's a fairly simple system but it's easy to mess up when you implement it. If you're a ransomware operator and you don't implement your public key cryptography correctly, all kinds of stuff happens to you: researchers will study your stuff, they will bust you up, and they will embarrass you by releasing decryptors on their own. And this happens quite frequently, a lot more often than I thought. These examples are
all within this year, most of them, but these are researchers that studied the cryptography implementation of a ransomware operator and reversed it so they could write unlockers.

And so in the Windows sample you can see them using public key cryptography. These are the library functions they use for encrypting; you can see them here referencing RSA public key, which is, you know, shared-key cryptography. But what was interesting about the Linux sample is that, for some reason, the Linux sample doesn't call any crypto functions, which is really weird for us to see. This is the root, or the process tree, that does the encryption of your files, and within that process tree this is the only thing that's doing byte munging. For whatever reason there are no calls to cryptography libraries within the function called "encrypt files." So what that tells me is that I think their Linux locker is not using proper cryptography; they're just munging your bytes with a loop. So all we have to do, I think, if I'm correct, is study this, see what manipulations they did to encrypt your stuff, and you just reverse it and you've got an unlocker. I don't want to jump the gun. That would be a huge finding, and we haven't verified if that's exactly what's happening, but it looks that way, because again, the Linux sample does not pull in crypto libraries, which is really weird for a locker sample to do. So that's going to be future work for us. Those three samples are public though, so feel free to download them yourself and verify our work, to see if maybe we can make a decryptor. So, back over to Sam.

All right, so there have been a couple of articles recently about the overlap of Fog and Akira. Akira is another ransomware group. I'm not going to go super in-depth with them, but there is a lot of overlap
with them, but there are a couple of differences that show that they are two different groups. Fog started this year; Akira started last year. Fog is really targeting, like I showed, education and manufacturing industries, where Akira really does not care: they will encrypt anyone, pretty much in the West, in any industry, as long as they can encrypt it and get money. Fog exploits compromised VPN credentials, where Akira exploits VPN vulnerabilities, a little bit of a difference that people have been kind of correlating together. And then Fog really just gets in, encrypts, and tries to get money, where Akira is very popular with double extortion, trying to pressure, and any other tactic they can. And then obviously different extensions when they actually encrypt the files.

But recently we've noticed that they both have been using two similar CVEs, as well as both being financially driven, like most ransomware groups. And those two CVEs are two VPN, or not VPN, excuse me, two vulnerabilities on the front end of your infrastructure. So the first one is the SonicWall one, which pretty much just leads to unauthorized access and then causes your firewall to crash, sorry. And then the other one is Veeam; it just allows you to pretty much get RCE on the system, and then they get in.
So, two very big vulnerabilities that came out this year, and obviously they're still using them, so people have not patched their stuff. So please patch your infrastructure, pretty please. But this is stuff we're still seeing daily, that they're using these two CVEs.

Now, some TTPs for Fog itself. There are some really interesting things that Fog does. This is a pretty graphic, but I'm going to quickly run over it because I don't want to bore everyone with MITRE ATT&CK. They get in using validated credentials, buying them like I said before. They use a Windows shell script to run commands through. They create local administrator accounts if they can; if not, they will use pass the hash to try to get into administrator accounts. They validate accounts, delete files, encrypt files. And then, like I said before, they use pass the hash, which is just an unauthenticated way to get passwords and use them without having them in clear text, just using the hash, encrypted or unencrypted. And then they disable Windows Defender. They also use NTDS for credential dumping, and other credential dumping techniques, and brute forcing. They do a lot of network scanning. They really are not good at getting in at one place; they don't care where they get in, so they use a lot of network scanning and port scanning to figure out
where they are in the network and then move laterally from there, and then use RDP and SMB, like I talked about before, for lateral movement, as well as a couple of other lateral movement tools. And then, like all ransomware groups, they stop services and then encrypt, like they are doing here, and make it so you can't recover your data.

So something interesting with Fog is they really only use open source tooling. Any of these tools, you can just search for them and grab them yourself. They don't really have any internal tooling that they're using. So they use PsExec, which moves laterally, and a lot of ransomware groups use that. They also use Metasploit and those network and port scanners like I talked about a second ago. But what's interesting is, though both the network scanner and port scanner are two different pieces of software from two different companies, they have very similar websites. I haven't had a chance to really dig into those two tools and see what they do differently, but they seem very similar, besides obviously being very similar in name and whatnot; they seem to be just copies of each other on their websites. And then they use this open source script called Veeam-Get-Creds, so you can just go on GitHub and find it, but it's just a way to obtain passwords from Veeam backups and replicate credential managers. So that's a way that they use to get passwords.

So, their ransom notes. At the beginning, the first month or so, we were seeing "help your files" with an .html extension. What's interesting is you really don't see HTML as ransom notes for ransomware groups; you really see .txt. I think they kind of realized that after a little bit and changed theirs to readme.txt, so now you're seeing that kind of standard all over. And then on the right-hand side you'll see the actual ransom note from one of our IR cases: pretty much, go to this Tor link, they
say that you've been "fogged," and then you enter this code, enter a chat room, and then communicate with them and try to either negotiate or just pay the ransom outright.

So their file extensions, like I was saying before, are .fog or .flocked. .flocked was what they did the first month or so as well, when that HTML readme was around, but now they've kind of just changed to .fog. And then on the right is their name-and-shame site. That's where you can go to their Tor site, you can download any victim's data, anything like that, you can just go there right away. And what's interesting is they spelled "its" wrong, and it's been there for a very long time, and it really annoys me, but it also makes me really happy that they can't spell simple words right, and that just makes me feel better about my English. But yeah, so that's just a screenshot that I pulled recently of their Tor site.

So, a couple things. Why should any of you guys care? I'm going to assume most of you are not in the education sector, but ransomware as a whole is hitting every sector. Maybe not Fog specifically is hitting your sector, but every sector: name a sector, I can tell you probably a group that's part of it. So we really need to pay attention
and realize that this is an everyone issue; this is not just Fog.

And then, what should we do about it? Let's stop paying ransoms. I know it's very much easier said than done, and maybe everyone here will agree, but upper management thinks paying might just make the issue go away, or there are other issues about reputation and things like that. But they use that money, and they're kind of like an organization or a company: they have employees, they have servers, they have software. When you pay them, they upgrade their stuff, they buy more servers, they get more employees, they pay their employees, they can upgrade their tooling. Us paying them increases that happening more and more. So if we stop paying them, first, they'll not be able to do that, because they can't sustain it and can't keep paying their employees, pretty much. But also they'll realize there's no money in this area, so why don't we do something else, like we've seen in other ways. So the best way to get rid of ransomware is to stop paying, but also education. The more we talk about it, the better we can be about it. A lot of ransomware groups use spear phishing, other phishing attacks, or, there was a talk earlier about smishing, things like that. The best way to do it is teach people, both technical and non-technical, how to stop being that entry point, and that's just through education.

And then lastly, there's much more investigation and threads to follow up on. There's so much we did not go through. We've only been doing this for a while, and we're a small group, there are three of us on the team, so there's so much more to dig down into, both in this Fog sample and ransomware as a whole, and how to prevent it. So yeah, do you want to add anything?

Yeah, and part of what we wanted to illustrate too is that, again, Fog is a really quiet group. There's not a lot known about them, and
we needed to learn a lot as much as we could and so this was just sort of a description of how we came up with a process to um uh you know to track this group and there's a lot of new ransomware groups that are constantly showing up like every every month or so like we keep hearing names in the past two months or so that like we haven't heard before be like this new brand new ransomware group has shown up on the scene and so having a way to really quickly like um gather as much information as you can about them because the other thing is it's like you know these are hackers they're not
they're not exactly forthcoming with information but coming over the process to gather that information is um important for us so that's kind of what you this whole process work so and then if you go to this QR code uh type in that URL if you don't like QR codes that will take you to our GitHub which we have all of our ioc's and the Yara rules we will have a blog post coming out on Monday unfortunately we going make it on till Friday but we'll have we've went way more into depth a lot more analysis a lot more information about fog itself um on our blog which is coming out Monday or and we share the ioc's now um
and stuff like that so does anyone have any questions
seriously
Yeah, so there are two parts to that. One, we have not done a ton of research on that yet, so that's something that we've been wanting to do for a while, so we will definitely be digging into that. But the other part to that is, the US government put a bunch of sanctions on ransomware groups recently, so if you pay, like, LockBit, you can be in trouble with the US government. So what these groups have realized is organizations are not paying anymore because they don't want to get in trouble: they pay and now they're in trouble, or they don't pay and they're not. It's kind of a mix. So what they do is they
make these new groups that are not named in the sanctions list, and they're just kind of acting as these groups now. We haven't been able to verify it, that's kind of our theory, because now all of a sudden these groups have very similar techniques to other bigger groups and other organizations. But yeah, that's something that we're digging into now. And then that also goes into something that Sam mentioned: these groups have limited resources and they need stuff to get done, like they need to pay people to run their infrastructure and to write their code. And there was actually a really good talk at DEF CON from a guy named
Jon DiMaggio, who infiltrated the LockBit group, and he was watching their communications and kind of their sales pitches and all that kind of stuff, and he actually saw a lot of really weird things. Like, there was a while where they didn't have a developer for their main locker file, which is kind of crazy to think about: you've got a ransomware group and they don't have a main developer, and they were actually advertising for a developer. And then there were other scenarios, I remember there's one in one of his reports, because he was watching them for several years, there was a company
that actually responded to getting locked, ransomed by LockBit, by DDoSing them. I think the company was Entrust, but Entrust DDoSed their leak site for a few days. Oh, was it you guys? I was going to ask, because I was at your talk and it was a really, really good talk, thank you by the way. And so Jon DiMaggio reported that after that happened, some of their affiliates lost out on money, because they couldn't sell the leaked data, because there was no access to it. And what was great about that, to that question, right, like the quality of their operations, you can
hurt their operations if you hit them in the right ways, and that was a perfect example of how that can happen.
Yeah, I would go with the DDoS, because that's, yeah, yeah, for sure. We'll keep that with us. But you know, to Sam's point, when you pay ransoms you give these guys resources to be able to continue their operations, and they need those because they need developers. And again, like that thing that we found in their Linux locker, where it looks like they roll their own crypter, which you are never supposed to do. But, you know, I don't know, maybe they didn't have enough resources to properly write it. We're going to try and bust them up on that. Any
other
questions? One of our folks happens to be here, Danny. My guess from working on it is that school districts don't put a lot of money
and, sorry to call you out, but you are like on the front lines for that stuff. Do you have a question? Awesome, thank you so much guys. [Applause]