
Digital Hostage: Navigating Ransomware Realities

BSides Exeter · Talk · 46:24 · 71 views · Published 2024-10 · Watch on YouTube ↗

Transcript [en]

So good morning everybody, oh, actually good afternoon now, just after midday. I'm Luke, and I'm going to talk to you about a couple of ransomware cases that I've responded to recently. Forgive the title, I'm terrible at them, so I had ChatGPT make it for me.

So who am I? My name is Luke, I'm a principal consultant at Unit 42, which is part of Palo Alto Networks. My history is pretty much in SecOps and incident response; I've been doing it now for about 15 years. I've got a couple of certs, but you learn so much more on the job. I've got a bit of a diverse background, working on the customer side in internal teams and then moving into the dark world of consultancy.

So we're going to start off with a little bit about ransomware groups. I'm sure everybody's aware, but has anybody in the room dealt with enterprise ransomware, where it's not the encryption of a single box, either as a victim or responding to it? You can count that on one hand, and there's going to be more than that. These groups are financially driven: they want to make money, they want to disrupt, they want to extort, and they essentially want to get a payday. That is not always true, though. They are also used as a distraction for more sophisticated attacks or espionage. Yes, it's on the lowest scale, but don't always assume when you're responding to a ransomware attack that that was the only goal, especially when certain nation-state APT groups are interested in your intellectual property; they often finish their intrusion with a ransomware attack to do quick and easy anti-forensics. We've got a blog and a report out that you could read, and I don't think it's behind a marketing wall, but it's a good read if you want to understand ransomware groups.

We have seen a bit of a trend in extortion tactics. Last year the number of actual extortion incidents that we responded to at Unit 42 was more than the ones that had encryption: just stealing a company's data and then extorting them with releasing it. In most encryption cases we also see the threat of denial of service to encourage organisations to talk and pay the ransom, and then ultimately harassment of company employees and customers. So that is a trend that we're seeing, and it's quite common. Most of the prevalent ransomware groups change their name every year: they exit-scam, and then a few months later another entity comes up with very similar TTPs. Say ALPHV: we've seen RansomHub, who were an affiliate of ALPHV, coming out, and it's something that we're seeing a lot.

So, two case studies I'm going to talk to you about today. The first is a global electronics manufacturer with over 10,000 endpoints. Their global manufacturing footprint was impacted, everything was offline, they were dead in the water, all their backups were gone, or so they thought, they were haemorrhaging money, and they were in a bad, bad way. So they picked up the phone to see if we could help. The second case study is a regional healthcare service. I say regional, but it was hospitals, healthcare centres and doctors within the European Union. All clinical services were gone, employees couldn't log into their workstations, and about 4,000 endpoints were impacted, with a massive impact on that region: they had no clinical services, they were down. So the impacts of ransomware affect us all, whether you work in IT or tech or not; these are big deals. The healthcare case was one that I ran solely, as incident lead, and on the global electronics manufacturer we followed a follow-the-sun methodology where I ran the EMEA time zone.

So, first case study. What we do first is understand what has happened and what has already been performed. Unfortunately, in my cases in consultancy we come in a week or two weeks after the actual impact of the incident, so we need to know what is actually impacted, what is offline, what have you got available, what security tools, what's your logging, and ultimately find out what the impact is. This organisation was losing over a million dollars a day. They weren't just affecting themselves; they had global knock-on effects within the global supply chain for some rather large manufacturers who had to delay new products coming out. It's things like that that people don't really look into. This was a massive incident at a company that I personally had never heard of, yet they had so much scale. The supply chain is really important to understand: what it is and what effect it has on your business. So this organisation being knocked out had a massive effect on hundreds of businesses globally, not just themselves.

They were made up of lots of acquisitions. They liked to buy organisations and merge them into their corporate network, with no real due diligence when linking in a network. They had admitted that they had bought an organisation, linked them in, and found out they had had a ransomware attack three months before being bought. So do that due diligence: if you're on a customer internal team and you hear that they're going to link your corporate network with a new acquisition, be very careful that everything is fine. I'm not going to apologise, I like memes, there's a few in my slides. Operationally the organisation was running around with their hair on fire, but the security teams thought, oh, we'll go to our backups and turn them back on. When they went to their backups: oh, we can't access our backups. So what we had to do for them was turn every stone, look at what they've got and what we can utilise to help bring them back online, but also find out how the threat actor got in.

So what would you do next, after you've had your scoping call? If you found backups, would you recover without performing an investigation, just rebuild and go on your merry way? Do you talk to the threat actor? These are some of the decisions that have to be made very early on. I'd also like to caveat that negotiating with the threat actor does not mean you're going to pay them; that is very important. Out of curiosity, would anybody here negotiate with the threat actor?

Moving on into the investigation, we quickly identified that they had an EDR deployed to 1,400 endpoints. Scroll back to my first slide on the victims: they have 10,000 endpoints. So they thought, rolling out EDR, they were fine. 1,400 endpoints; what about the other eight and a half thousand? The funny thing being, the EDR actually did detect the ransomware. It didn't block it, it didn't stop it, but it detected it, and no one was there to respond or look into that. We saw massive gaps in their coverage, not just on EDR but in networking: complete network segments that they didn't even know about. So what we needed to do was get our technology in so we could get visibility of as much as we could and enable us to collect forensic artifacts, so we could see what the hell was going on.

This quickly identified six hosts. Obviously we went to the ones where the existing EDR had detected the ransomware for the breadcrumbs, and this identified six hosts that had some strange, weird files that originated from Teams. Yeah, Teams. In June of last year Teams had, I don't want to use the term vulnerability, but by default external organisations could contact other business organisations' tenants, and this was a bit of a problem for not just this organisation but for a lot of the organisations running Teams. So when we looked into it, lo and behold, we saw an external message on Teams, supposedly from the CEO: okay, what with the buzz around the macroeconomic situation, they would be doing some downscaling. Obviously employees are going to be worried about their jobs, so they're going to download the zip, "important company changes", and have a look to see if they're impacted. The issue with this type of phishing, compared with a traditional email phish, is that security teams, and I'm sure a lot of you are well versed in this, can purge those emails from mailboxes. You can't purge this easily; you have to try, or you have to ask the users to do it themselves. I know of multiple organisations reporting the tenant information from the external message back to Microsoft, but it just sat there: hundreds, if not thousands, of users' Teams, just waiting to be detonated. So that was a real issue.

What was in this zip file? We looked at the six hosts; they all had the "important company changes" zip, downloaded to their Downloads folder. Let's take a look. So we had a look in it: oh, it's Excel. Actually, no, it's not, it's a shortcut. But to the most normal user, they don't know, so they'll go, okay, and open it up. What's hidden is a JavaScript file, which the shortcut calls, which is in fact base64-encoded; it brings up the scripting language, calls a hidden PowerShell window, sets a scheduled task and beacons out to, in this instance, a Ukrainian VPN; no matter where it is in the world, it's sort of irrelevant. We highlighted this and then saw that it pulled down another package. This was in fact DarkGate. We put a blog out; there were a number of different variants that were released around the same time, some VBS scripts, some PowerShell, a lot of PowerShell. If you want to have a look at the different variants, the blog's there, but ultimately this is how the access broker got a hold within the organisation.

Once they've done that, they need to maintain persistence, find credentials and have a little explore. The organisation helped them because all their users had local administrator rights on their accounts. So they ran Mimikatz and didn't even hide it; that's how brazen they were. I don't know if it was the vanilla version you can download yourselves, but it was called M, which, how that didn't get stopped... They quickly found domain administrator privileges because, as I said, the organisation was lots of smaller organisations essentially munged together, so there were hundreds of domain administrator accounts, and they quickly elevated to that. They used Cobalt Strike to move laterally within the environment, and the first thing they went to was the backups. They started destroying what they could, deleting, so that the organisation could not recover quickly, or at all. Then they went straight to the file servers. They used rclone to exfiltrate all that data; this was just giving them an offsite backup. Like I said, I believe this was five and a half hours of activity, from deploying the second malware after DarkGate, to the privilege escalation, to the start of the data exfiltration. The next day, which we're assuming is when the data exfiltration finished, they started deploying the ransomware. I'm not telling you what the ransomware is, because this company's data is on that. That said, it started propagating: flat networks, helpless. They started instantly seeing impacts on their organisation: manufacturing stopped, turning things off to protect some systems. So it wasn't totally the ransomware that impacted them; they were safeguarding some of their OT environment, because guess what, it was connected to the IT.

Containment. We needed to ensure that the threat actor was not still in the environment, so we enacted the eradication plan, so that we could do a secure recovery rather than have them come back and destroy even more. We knew this would not be quick, so we needed to get with all their IT team to understand what they had access to, what we could utilise to help the recovery whilst we were building a safe, clean, isolated environment, and what the priority services were: the minimum viable business to get them back online, manufacturing, so they could function as a company. But we needed to buy time for that, because we didn't know where the threat actor was. Their network was so dispersed, with pretty much zero logging available to us, that we were having to do a lot of dead-box forensics and a lot of triage analysis. This is where we started thinking, right, we need to talk to the threat actor and try to buy us some time, because they have a counter going on the leak site. So we entered negotiations, and like I said earlier, that does not mean we were paying. We were reporting that we were interested in paying, but essentially what we were trying to do was buy time. Sometimes we get some intel nuggets from the threat actor, because they give away information. In some cases the threat actor says, oh, by the way, we didn't exfiltrate any data, and we can prove that with the logs. That's another reason why it's so important, when you do enter into negotiations, to document what you're saying and what you're doing with the threat actor, because some of the information they share is gold dust.

So we went into the cat-and-mouse: yes, we're going to pay, but the figure that you gave, we can't do that, what if we got proof of life? So we needed to go through that proof-of-life process, and also say, can you stop the timer? And they did; they gave us a week before they restarted the timer, so we could gather intel and help inform the recovery, so that when they recovered the services it was done in a safe and secure manner. Negotiations provide some really important information. They gave us a file tree, and we corroborated that with our evidence. Another caveat when you're doing negotiations: don't always trust what they say. I've seen a number of their IR reports that they give out on the back end of when payments have been made, and they're generally about four or five good things. What we needed to do was proof of life, delay that release, and try to eke out of them what they had access to and how much impact they'd done. That was the dialogue. I didn't do the negotiations, I'm not a negotiator; one of our negotiators did, and fed that information back to us in the incident command so we could inform our investigation and our containment.

Whilst we were doing this negotiation, we found a network that the client didn't know about, and we also found some casual backups that they didn't know about. So what we could do was start getting those and see what information was in these backups, to see if that would help us. There were some key information documents that they thought were lost, so that changed the client's mindset as well: actually, maybe we don't need to pay if we get to those. That delay enabled us to find information that they didn't even know about, because when this happens they were running around with their hair on fire; they just didn't know what was where. So we validated those backups, looked at them, rebuilt them, and the whole recovery took 45 days. That wasn't every service, that was just their key services.

So it's just important that actually, when you enter negotiations, that doesn't mean you're going to pay. There are different jurisdictions and laws: in some jurisdictions you have to inform your regulatory authorities, and in the US, with the SEC, if you're thinking about entering into negotiations you have to disclose it, if you have North American colleagues on the engagement. But it gave us that time and that delay, from their data being leaked and released by the threat actor, to uncover some backups, help contain and eradicate the threat actor from the environment, and ensure that when we rebuild and recover it's done in the safest possible manner. So that type of negotiation is on the table. A lot of organisations are like, no, do not talk to the threat actor, but it can bring out some real good nuggets.

Moving on to the healthcare service. Again, we needed to know what the hell was going on and what the impact was. All the clinical services were offline. They obviously had some functionality, so emergency care could still be performed because of the processes they had in place; they weren't relying on IT for that. But all non-urgent

care was cancelled. The issue was that none of the users could log in, essentially, because after they detonated the malware, the ransomware, the threat actor changed everybody's password and locked everybody out. This was impacting everybody, all their satellite sites. Again, they didn't have very good visibility; they didn't know what was what when we were talking to them on the scoping call. It was a serious impact for this region; it was at government level, it was top priority, and they were flying people in from the mainland to help from the government side. Again, because of the nature of the culture, it was very relaxed and everything's okay.

Again, what did you do? They didn't have any, what we call, BC or DR backups, but they did have tape backups, so we got them to enact that. They had never tested it, so we thought they were going to fail, so we started off that process as soon as we were in. Early on they took the decision, from a governmental level, that they were not going to negotiate with the threat actor, so that was off the table instantly, and we had to change our mindset: okay, we'll monitor the leak site for any drop of the organisation's name. They weren't mentioned on the leak site, so it's like, okay, we need to validate these backups and ensure that the threat actor is eradicated from the environment.

Lo and behold, the existing endpoint tooling was not properly deployed: report-only mode, and again half the network covered. Luckily it was our tool, so we could easily help them push that out to everywhere and turn on some prevention to close those gaps. Again, if someone had been monitoring the tool they would have seen the early recon phases of the threat actor and potentially could have stopped the detonation of the ransomware, because of the alerts that the XDR system had triggered. A lot of these organisations didn't have a security team, they just had IT teams, and they thought that just deploying the tool meant they were safe. So we helped them create a deployment plan to get the tooling out to their satellite sites, helped them create a prevention policy and implemented it, so we could then start highlighting what we needed to do, where we needed to go, and where we needed to deploy their resources on the island, basically. We needed to see everything.

Instant wins when we got that visibility: although a lot of the files had the extension of the ransomware, when we actually looked at it there was no encryption; it had simply just renamed the files. We also quickly identified MEGAsync being used to perform data exfiltration, with huge spikes in the file logs, and we highlighted a staging server: essentially they dragged all the data to that server and pushed it to MEGA. We saw they used an old favourite of ransomware actors, Advanced IP Scanner, for enumeration, and they used RDP to actually move, because everybody could RDP everywhere; normal users could access whatever they wanted within this environment, which is again another security control where organisations don't realise the power of enabling users to access everything. We deployed our forensics module and then started identifying the service accounts being used for the RDP activity, and similarly, following those breadcrumbs, identifying everything as we went along.

An interesting thing with MEGAsync is that if you come across the application and it's been used, that is gold dust: if they haven't cleaned it up, what we got was their username and password for MEGA, so we could log in and see exactly what they had exfiltrated. It also found us terabytes of other organisations' data, so we were able to responsibly disclose to those organisations, if they weren't aware, that they'd had their data stolen. That was really key for the organisation's report to the government: what information had left their environment. They could see the data and the size, but they didn't really know what was stolen, so that was really key, because obviously with a healthcare service, patient records... Actually, there were no patient records; it was just lots of databases and things like that that were exfiltrated. So they had a better idea of what they had lost.

Then, interestingly enough, like I mentioned, the government sent in a second incident response team. We thought, great, we can collaborate and get this organisation up and running and the healthcare services back online for the region, and help the client. I have no adversity to working with competitors or other incident responders, because we're there to help the client get back online as quickly as possible. Unfortunately, in this case that wasn't what they were doing. They effectively were trying to compete with us, redoing analysis, going over evidence that had already been done. This wasn't on the guidance of the client; the client thought that we were going to work together. They started making assumptions on what patient zero was, and we'd say, where's the evidence? We need to have evidence and prove this up. They didn't do that; they were steering the client in the wrong direction, trying to get them to come online quicker. We were just getting there, but we hadn't yet confirmed that the threat actor was eradicated, and we did not want to recover them too early and have the threat actor come back in. This caused immense delays: re-analysing stuff that had already been done, and getting on calls to actually disprove what they were telling the client on their status update calls. Ultimately it hurt the client. At the end of the day we were there to help the client, and that was not helping the client.

So, we identified hundreds of compromised credentials from infostealers being sold on the dark web about a month prior. We didn't find them a month prior; they were being sold a month prior to the intrusion. And once we had a look at

the data that was in that, we noticed some remote access credentials that we had tied to some of our earlier investigation of how the actual threat actor got in. So this is where we knew: they just bought some credentials, came in, realised, oh, I can RDP everywhere, and then went on their merry way, again using Mimikatz to gather credentials on the staging host, which, guess what, didn't have any endpoint technology deployed to it. We then started seeing them drop DWAgent, a machine management tool, to create further persistence within the environment, on one of the terminal servers. The MEGAsync application was also installed on this device, and it was key for identifying what data they touched and what they brought into the environment. Luckily, this host was a treasure trove; that's all they used, as their pivot point to be everywhere in the environment, because they could, and it had no security controls on it, so they went under the radar. But by following the evidence, using facts to prove what we needed to do and moving on to the next steps, going through the incident response lifecycle, we identified the true source of the intrusion, the compromised credentials, we identified the staging host, and we identified what had left the environment, all by using evidence to back this up, so we could prove that this was actually what happened.

After that, we didn't see the other company again; they were stopped from working on this because they weren't there to help the client. That is key: it's timely, we need to help the client in need. This situation was of really high importance to this region, so having competing teams... we're all investigators and defenders, we should be there helping, not hindering.

We identified a further remote access tool, another favourite of ransomware actors, AnyDesk. Just a caveat: seeing AnyDesk on a host doesn't mean persistence; see if they've installed the service, things like that. That's what we saw here. We didn't see much use of DWAgent, but we did of AnyDesk, because again it leaves some nice logs for us to look at. The ransomware was deployed via a PowerShell script, and then the threat actor changed all the passwords. They excluded certain file extensions; essentially they didn't want to kill the devices. They deployed the ransom note via the interactive message on the logon screen, so every user knew that they'd been impacted by ransomware.

Containment and recovery. When we were looking through the backups, they identified that they actually had Active Directory on the tape backup, so although it took a long time, we managed to get a good copy of Active Directory so we could start rebuilding an environment in an isolated, clean network, the green zone, we call it. We could then start recovering services. For services that they couldn't rebuild, because some of them were built by people who had left and they needed that host, there was no guarantee, so we needed to validate it before we moved it into this environment. Essentially, to coin my boss's phrase, "sheep dipping": running through that host, seeing if there are any artifacts left behind by the threat actor, any interactive access by the compromised accounts. Once we've gone through that process we can move it into the green zone and essentially help them on their recovery.

When we were in the recovery phase, we identified that impact. The investigation was about a 10-day process, and restoration took 14 days for most of the clinical services to come back on, and that really ramped up once we had identified and confirmed that there was no threat actor activity in the environment. The client themselves and the big sites had severed the internet connection already before we landed, so it was just severing the satellite sites. So when we performed the password resets, and reset krbtgt a couple of times, it was in a secure manner, so the threat actor could not be in the environment and leverage the password resets, which we've seen in the past. Getting these services back online was the key importance; that was what I was asked at every stand-up call in the morning, at lunchtime and at night: when can we get services back on? It's a balancing act, and although you see the frustrations of these organisations, me as an investigator has to take an empathetic tone and talk through why we can't just let them recover the services, why we're going through our steps and why it's so important to do that.

What was improved through this process? A lot of their user machines were on old builds, anything went, so they standardised their corporate workstation after this attack. They got rid of all the legacy OSes, they ensured that their XDR was fully deployed across all their networks, in prevention mode where required, and they also realised that having it deployed was not enough, so they brought in a 24x7 managed detection and response service so they had eyes-on-glass coverage. So if this happens again to them they can actually respond quicker themselves and not have to wait for people like my colleagues to help them out again.

So, the key takeaways. In both cases they had poor security coverage. They made the assumption of, we bought advanced tools, we're covered, we're fine. I'm glad to say both these organisations are in a much better spot now, and after this they take security seriously. Again: remote access, privileged access, no MFA, flat networks, RDP to everything. Those sorts of things, by talking them through the dangers, and because they are the victim, they now understand why people have been telling them for years that they needed to rectify and remediate this. Like I said, they take it seriously now.

Some of these tools that we get hung up on are important, but when they were going through this, what we noticed is they wanted to make detections: we need to find Mimikatz, we need to find AnyDesk. No, you need to look for the procedure, the tactic, the TTP, not just the tool, or else you'll have a million rules. So it's just trying to tell them not to get hung up on the tooling, because threat actors like to change their tooling; the tools are important, but don't get hung up on them, focus on the tactics. Yeah, look out for MFA bombing, especially with the recent Muddled Libra, Scattered Spider, cases; they love to absolutely hound users with MFA requests. Monitor new MFA enrolment, those sorts of things that we've seen used to bypass these secure controls that we're telling organisations to implement. Ensure tooling is deployed fully and you've got that visibility. I've said it so many times through my career: you can't catch what you can't see, so you need to ensure your tools, that you spent a lot of money on, are deployed adequately so you can then do that response.

So what I want internal teams and other consultancies, whatever, to take away from this is: defence in depth is a really good strategy, multiple layers of security controls, essentially putting roadblocks in to stop the threat actor getting access as quickly as possible. I said it was five and a half hours in the first case study for them to get done, and I've seen it quicker. Think about the zero trust model; it's not a silver bullet, it's a programme, you can't just buy zero trust, it's a journey. Preparedness for an incident: often, when they say we've got an incident response plan, it's the first time they're enacting it when we're on the phone to them on the scoping call, or they don't have one. Yes, it's great having a plan, but please test your plans, make sure they're adequate for your organisation. I think there was a talk earlier; at incidentresponse.com we've got playbooks that you can pick up and mould to your organisation. NCSC have got some really good information on exercising your teams; Exercise in a Box is available so you can then tailor it to what you need before you go out to your partners to test with a third party, to ensure your controls and your processes are adequate. It is really important to continuously review and improve. I think the talk earlier mentioned backups: those people who've got backups, do they test them, do they actually test that they work? Doing that testing is really important, because when you're in crisis mode and you haven't tested your plan, I can guarantee it will not work. Again, visibility of your attack surface, internally and externally; everybody's worried about shadow IT, so make sure you've got a holistic view of what you're trying to protect. If you're venturing into the cloud, shifting your on-prem into the cloud is not best practice; have that cloud-native approach and look at what is adequate for your organisation. MFA: in 2024 I'm still banging on about enforcing MFA. It gives them easy access to your environment if you don't implement it. I said earlier, local administration on accounts, seeing domain administrators surfing the internet and reading their emails with that privilege: use least privilege, there's PAM, things like that you can leverage. Intelligence: utilise good intelligence, don't just ingest feeds and think, yeah, I'm covering threat intelligence. You've got to make sure it's adequate for your organisation, or else you just overwhelm your security team with pointless alerting that essentially hinders and impacts your teams. That's from our report, which I know is not behind a marketing wall, so you can go and read our report from the thousands of cases that we responded to from 2023 to 2024. Thank you, any questions?

Sorry, thank you very much. The healthcare provider: [inaudible] sense why the second IR [inaudible]?

It was a UK provider; it was part of the government, so how it works in their jurisdiction, essentially the client's commander was part of the government and he [inaudible].

That was exactly my

question. Perhaps [inaudible] the network a lot longer than the other one?

Yeah, we think, say it happened on Sunday, I think it was three weeks. We worked that out from looking at when we found the credentials that were being sold; they were then dumped a week after the auction, and then we saw some activity, luckily in the logs that we could get, we saw some strange activity from that account. So it's about three weeks, but from the actual staging of tools that was very, very quick. They test their access and then they [inaudible].

This is probably [inaudible], but looking at your key takeaways, most of

those are basic security.

Absolutely.

Why, in your experience, [inaudible]?

It's just from what we've seen from the global cases that we respond to, and I agree they are basic security, the foundation of what we need to do at the start. A lot of the issues is mergers and acquisitions, especially in the private sector, buying an organization and just rapidly pushing them into their environment; they don't know what is in it, what's enabled, they just don't know. Talking to a lot of students, if they're small teams they just don't have that visibility, low budgets. And that is why we pushed it out

as our [inaudible]. I agree that the fundamental basics, we still

So [inaudible] protection leading to inability to [inaudible]?

Yeah, absolutely. We work with a lot of mature organizations that have this well [inaudible], and we don't do a lot of reactive work with them, because of these basics. And ransomware groups, that is what they're going to go for, so it's easy: if it gets too difficult, they move on and get the next one, especially with the initial access broker ecosystem. Unfortunately, as I said, still banging on about MFA not being deployed, privileged accounts being used, over-privileged. It's just stuff that when I first got into it we were talking about it then, [inaudible] years. Yeah, it still ruins my

weekends.

You're beginning to see a pivot away from the traditional kind of withheld access to the data to other forms of extortion. What's the most interesting or nefarious and disturbing threat you've seen in the ransom [inaudible]?

I've not seen it in my cases personally, but I know of other cases where they start harassing the users, especially when it's medical, and that's where, when they're harassing actual customers, [inaudible] medical documents, I think that's a low blow. These criminals, they have no morals; they say they go after healthcare, and I've lost count of enough healthcare organizations I've done response to. But that's probably the worst. Personally I've seen more just them stealing the

data, [inaudible] trying to extort the organization. The interesting one was, say, ALPHV when they went to the SEC, things like that; that's what you [inaudible], because they had to report that the organization couldn't [inaudible]. But yeah, I think it's when they go after the actual end customers of the impacted organizations, I think that's the worst.

[inaudible] think from encryption

to [inaudible]?

Possibly, but they just realized that actually they can get the same with less effort from themselves by just purely stealing the data. It's definitely, we see themes; I'm seeing more exfiltration and encryption again now on the cases that we're working on, but definitely last year was sort of just a lot of pure extortion cases, because they know that's the value, especially to the [inaudible]

of [inaudible], people now have their backups on?

Yeah, we've definitely seen a drop-off in payments because of better backup strategies in organizations, and that's where I think threat actors have realized, they pivoted again to do these other extortion tactics, because ultimately they want to get paid. So if they're just purely encrypting the data and people have got good backups, then there's no incentive for them to pay; so that's why they steal the data, start harassing them. I've not seen many DDoS attacks personally in my cases; I've seen them threaten it when they get irate with lack of payment, but I've never seen [inaudible].

questions?

Absolutely. Scattered Spider, I've worked a number of their cases; they love to get control of the security tools. On a couple of cases they like to mark their alerts as [inaudible] security testing. EDR: they love getting access to EDRs because of the command line option; we've seen domain accounts created for that, if the command option privileges [inaudible]. But let's say if they have enough time in the network, they'll go after that, try and hide their tracks; it's definitely what we see, which is why MFA, least privilege, and how you access your [inaudible] is important as well. Very