
We're up early. I'm going to talk about ransomware, which is something I like. In fact, I like cyber misfortunes, and clearly cats. Please, admire them. I spend more time making my cats than preparing the talk itself. Well, who am I? I'm a Cyber Threat Intelligence specialist. I like talking about it; I've talked about it in many places around the world. And now I have a village inside DEF CON called La Villa Hacker, which is for people who want to talk, people who speak Spanish and Portuguese. So, if anyone is going to DEF CON and wants to submit to the call for papers, it's open. It's very cool because, like this, we are a large majority in the United States, despite all the sorrows in the United States, but it's very nice to have this village just for us. So, let's go. I was putting things together; whether there's time for me to say everything, we'll find out now too. This is the least of it.

What am I going to talk about? About the whole ecosystem and some ransomware groups: GandCrab, Jigsaw, nRansom and ChastityLock. Why am I talking about them? Because each one has its specificity. There's LockBit, there's BlackCat, but... that's the juicy gossip; it's gossip. Those who work with this know that our job is to gossip and then try to put everything together and try to predict what will happen. It's a mix of gossip with a mother-in-law. That's what I'm bringing here, the gossip part, which is the most fun part, obviously. After all, these ransomware groups no longer exist, supposedly, but that's how it is. You can come, you can come back, you can go again. Let's go.

The ransomware ecosystem is formed by several attack chains; it's not just one person, that ideal our parents had of the hacker in the basement of the house doing one thing, the whole attack chain. No. Nowadays it's super divided, sophisticated; everyone does a part. Everyone does, everyone wins. It's communism: everyone is doing, everyone is winning. They don't have to be friends, BFFs, but we're doing it. I do one part, you do another; in the end, we extort the victims and earn money. Not us, not me, them. Let's go.

When ransomware attacks, this is more or less what happens in a ransomware attack. Go there, that 1.5, phishing, normally with a credential that was stolen, or brute force; finally, enter the network, explore everything in there, then there's the payload, it spreads, lateral movement, persistence, there's the malware. Basically, for those who are from the field... I think everyone here is from the field, I didn't ask. I saw one or two heads saying no, but anyway. There's a whole chain in the middle. I'll enter your network, I'll attack, I'll drop the ransomware, I'll explore, I'll steal your data, I'll encrypt and I want your money. That's what happens. But in this whole middle, there are many layers. You need to create a phishing, you need a cred... Now it works. A credential, you'll get in and you need malware. But what happens? Each one does a part, as I said. That's why there is this ecosystem. Someone will develop a malware; there will be the malware group, the ransomware-as-a-service; there will be the person who develops the malware and the one who operates the malware, because, yes, it's divided. Whoever develops it will not necessarily operate everything else, which includes the control panel for the affiliates and everything else. Then there's infrastructure too, because you need to hire infrastructure. If you take just anything, it's not worth it... it won't serve for anything, an AWS. We'll want a bulletproof structure, that is, one that supposedly won't give up our data if the police come and knock, knock, knock. It won't give up our data. So, supposedly, that's needed. There's other technical infrastructure. There are the people who... the initial access brokers, that is, the people who will get... that's the boring part: getting access credentials. How will he get that? It's not our problem. We'll just buy... they'll buy these credentials. It can be a leak, it can be that there's an insider, it can be that he... anyway, he got in there, he got into the network and got it in a thousand ways. He is the person or the group that says: "Look, I have the credentials, I'll sell them to you." Okay. There are other guys, or girls, we don't know, who are selling what? They are the exploit brokers. What are these girls? What are these people? The ones selling those beautiful, tasty zero-days, that someone goes there and sells. "I found it, what do I do with it? I think I need money." We go there, sell it to him, buy it. And there's that good negotiation that happens. He is also in this chain. See that there are several parts. Every person has an affiliate. What is an affiliate? It's the person who goes there and buys the part for you. It can be enter, enter, enter, easy; you don't need... you don't need great technical knowledge. It's very easy to enter the world of cybercrime. Am I teaching something? No. I'm just joking. I don't know. I'm just joking. Artificial intelligence... anyway. And this group of people will also enter. And in this whole panel, because the ransomware group will say: "Look, I'm selling you a full service, it's not just anything, there's a full service. Here's the beautiful panel where you'll negotiate with your victim, you'll explore, you'll extort and negotiate and everything." I'm losing; how am I going to negotiate? This business is not good. There will be someone here, in this part of the group, who will negotiate too, who will improve it. Well, I get the money, what do I do with this money? Do I need to launder the money? Let's remember that it won't be physical money; normally it's cryptocurrency, possibly coins that leave fewer traces, some money from life, or if not, ok, bitcoin, but we need to launder it again; we'll put it in a tumbler, in a mixer, so there are all these people, of course, I don't know, a million, it takes money, but the good thing is everyone wins in this thing. That's why I said communism: everyone works, everyone wins, everyone is happy here. And we can't forget the main thing, the victim, because without them, all our business wouldn't work. So, congratulations to the victim; this is very important.
Well, here is basically what I said, what each one does: they will develop, they will manage, they will develop and they will create; the operator, his business model. Each one has a business model, because these models... it depends on each one, literally; they treat it as a company. It's not just anything, it's a company; in fact, it's taken seriously, it's not amateur hour. It just doesn't come with a signed work card under the CLT, because maybe that wouldn't be very possible, but there's a whole nice chain to work in. Look, you're going to attack the victim, but 20% of it is mine. It seems little, but imagine, you have several affiliates: 20% here, 20% there, it's a lot of money. There are some businesses that offer that between 60 and 80% of the ransom value goes directly to the affiliate, the rest... It's a good business. Actually, a great business. There are also the affiliates. They have a list of what they have to do. It's not like "I'll get there and I'll affiliate." You can do this, you can do that, you can't do that. There's a reason. You can't just go. There are some groups that say: "We will not attack hospitals, for example." I think it's worthy. An actor who is ethical; after all, attacking a hospital, the place of little children, the cancer hospital, I think it's nonsense. I wouldn't do it. I don't do that kind of thing. But there are these ethics too. There are rules that have to be followed. The initial access broker, as I said, will sell the credentials, how to get in there; maybe sell some vulnerabilities too, but usually it will do that; and the exploit broker, who will sell those beautiful exploits, you know, you say: "Wow, this is beautiful, shut up and take my money." It's that level. There are some who discover... This is a business model. This is all offered. How do you know it exists? It is offered. Where? In some forums, usually in the underground. Normally. There's Exploit.in, XSS, RAMP, the Bridge Key. Go, go back, go back. Stop! Anyway, there are several places where everyone offers their work. I'm looking for a job. Well, maybe there will be someone who wants to hire you too. Just so you know. You always need a pentester. The exploit broker I mentioned. The negotiators, which are an important part, on one side the threat actors, and on the other, the poor victims. We need to negotiate. Some people are more difficult. Maybe they have a language that can hinder them. It's not fluent English, it's not Portuguese, it's not good Russian. Russian is not that easy. We need to have this person who will negotiate. Usually, they are classy people, with patience and goodwill. It's not the first one who will start screaming, screaming, saying: "I don't want this shit anymore, enough, it's over." "No, I forgot that all this is being recorded." There's also the money conversion, as I said, there's the laundering; you have to convert the money, cryptocurrencies have to turn into money somehow; just having it there, stored in a wallet, is useless. So there's this conversion too. There are attacks, for example, the one that happened at the Central Bank of Bangladesh, where the money laundering was all done through... the word has escaped me. The word has escaped me. Casino. That is, money would go in and out through the casino. No place in the world is better than a casino to launder money. I'm joking. It's not a tip. I'm joking. I can't tell you to do anything.

We arrived. We arrived at this part. We arrived at the ransomware. Well, I like cats, as I said, so everything will have cats. If you don't like cats, you will like cats. Because cats are cool. I imagine my cats wearing clothes like that. Anyway, GandCrab. It emerged in 2018, and it already emerged as a Ransomware-as-a-Service. It was... it boomed. Does anyone remember this group? No? It boomed. It arrived attacking God and the world. It was distributed by exploit kits, malvertising, compromised RDP, botnets, the basics. So far, nothing different. But malvertising, which is a campaign I'll talk about here, more specifically, it was... how can I say it, remembering this is being recorded, so as not to seem too explicit. You know when you're looking for something that involves body fluids? "Yes, I'm tired, I want to see something warmer." That's it. Its affiliate program was also a good deal, 60% to 70%, and it had an OPSEC list. These guys have to think about OPSEC. Remember that. It's no use just getting there and saying: "I'll do the job and forget that you have to get ready." I say that to my students every time in my classes. OPSEC is not just VPN. Let's think about everything. Anyway. They also offered technical support, the most basic. "I don't know what to do." "Wait, I'll help you." It was 24-hour technical support. This is very important. Sometimes you call the phone operator and there's no 24-hour support. This was one of the first ads that came up. "Guys, I'm here." It was on Exploit. "I'm here, this is our job. Stick with us, let's see what happens."

What were the characteristics of these guys? They started to implement and do things one after the other. From version 1... from version 0 to version 5.2, man, it was a year and a half. They did, implemented, screwed up, did it again, sometimes from one day to the next. The ransom they charged in Dash, which is a privacy cryptocurrency. They were the first group to use not Bitcoin but Dash. It's not exactly the most known, the most used, but it's a cryptocurrency that can be used. You don't need to use only Monero. And their domains were very interesting. It was always .bit. As if it were from bitcoin, via Namecoin. So the resolution had to be... I'm tripping over my words. Alternative DNS too. In the beginning people said: "Is that it? Because .bit won't work." Anyway, it worked. They just changed it. They just had to resolve the DNS here. And the DGA, that is, they created a name daily, a new name for each C2 server. They created a name every day. What happens? It makes it a little difficult to know where the C2 is, what it lives on. They created a name. But they also said: "There are a lot of researchers, companies, this and that, looking at us." What did they do? They put in a new name: the names of these people: BleepingComputer, No More Ransom, E7, Emsisoft, Fabian Wosar, etc. Every day was a different name. You say: "You're kidding me. We look at you and you look at me. That's it. Let's be happy." Another characteristic of theirs was this polymorphism in the file extension. It wasn't just .crab. In the beginning it was with C, with K. They kept changing it and they reached the point of ten characters, that is, in the last versions. This also made it difficult to identify when rules were created. There are rules in our platforms, in our software. It will be difficult. Each day it changes. Each day is a new C2, each day it changes. Then, the obfuscation of the code also via "crypter". That is, let's obfuscate the little thing here to get a little more complex. Why? To make it simple, like everyone else? No. They also started "fileless" execution. It's very difficult to say this word, "fileless". That is, directly in memory, with PowerShell, the exploits. It's one of the characteristics. They did many types. There were many ways they acted. They were a very complex group. It wasn't trivial. And process hollowing injection, which is the transfer of code execution into legitimate processes. That is, let's get the job done. Let's do it. As I said, they are gossip. They are full of jokes. You know when your mother says: "Stop with the jokes, stop, you're exaggerating." They weren't even there. It's going to be hard to read some things here. When one of the researchers went to analyze the malware, when he opened it: "Hello, Marcelo." Because they knew the guy was looking. Where is it? There are others. One of the companies, AhnLab, which is from Korea, managed to solve it in one of the versions and said: "We found a flaw." Because they were also full of flaws, a lot of cryptographic flaws, of this and that. They created a vaccine, and the researchers discovered this. They said: "You won't do this." They made some changes. They were pissed. They are Russian. Here it is written: "You are all gay." I put you on my list of all gays. For now it's in pencil. What is this about the pencil? I don't understand. It didn't make sense to me. It must be one of their little jokes. But anyway, each one is... They simply put these little jokes in places because they thought it was funny. But it's not fun. You open the thing and say: "Oh, my name is there. They are watching me." What did they do? They took advantage of it. They are good at marketing. They took advantage of it. Man, how many places are talking about me? It's on BleepingComputer, on Emsisoft, on Malwarebytes, on I don't know who, I don't know which researcher, everywhere. What did they do? They said: "Guys, look, we are a legitimate business, very good. Do you see the people talking about us?" For marketing people, you take everything that is happening and say: "Look, they are talking about us." They did that too. Come with us. We are good. See? People are talking. If they are talking, it's because we are good. Well, here is one... This was one of the latest versions, version 5.1. They're announcing their service. Look, why do you have to buy our services? How do we work? It's nice. Their website inside Tor is no longer working. This is a print of a print of a print.
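The GandCrab traits the speaker lists (C2 names under the Namecoin .bit TLD, a DGA that rotates the name daily and embeds vendor and researcher names, and an encrypted-file extension that kept changing from version to version until it was a random ten-character string) are exactly what a signature keyed on one string misses. The Python below is an added example written for this transcript; it is not code from the talk or from any of the groups discussed. It runs two behaviour-based checks over a handful of constructed DNS and file-rename records: any query for a .bit name, or whose leftmost label contains a watched vendor token, is reported; and any unknown suffix appended to several files on one host within a short window is reported regardless of what the suffix is. The log format, the token list, the hostnames and the extension strings are all assumptions made up for the example.

```python
"""Behaviour-based triage for the GandCrab traits discussed in the talk.

Added example for this transcript; the telemetry below is constructed, not
captured, and the log format is an assumption of the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor/researcher tokens the talk says the group rotated through its
# daily C2 names (assumed spellings; extend to taste).
WATCH_TOKENS = ("bleepingcomputer", "nomoreransom", "emsisoft", "malwarebytes")

# Extensions this hypothetical fleet treats as ordinary; anything else that
# gets appended to many files at once is worth a look.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "zip"}

# Constructed DNS telemetry: "<utc ts> <host> query <type> <qname>"
DNS_LOG = [
    "2018-03-02T09:14:01Z host-a query A ransomware.bit",
    "2018-03-02T09:14:05Z host-a query A www.example.com",
    "2018-03-03T11:02:44Z host-a query A nomoreransom.bit",
    "2018-03-04T08:30:12Z host-b query A bleepingcomputer.bit",
    "2018-03-04T08:31:00Z host-b query A updates.example.org",
]

# Constructed file telemetry: "<utc ts> <host> rename <old> -> <new>"
FILE_EVENTS = [
    "2018-03-04T08:32:00Z host-b rename C:\\Users\\u\\Docs\\q1.xlsx -> C:\\Users\\u\\Docs\\q1.xlsx.CRAB",
    "2018-03-04T08:32:02Z host-b rename C:\\Users\\u\\Docs\\q2.docx -> C:\\Users\\u\\Docs\\q2.docx.CRAB",
    "2018-03-04T08:32:03Z host-b rename C:\\Users\\u\\Docs\\plan.pdf -> C:\\Users\\u\\Docs\\plan.pdf.CRAB",
    "2018-03-04T08:32:05Z host-b rename C:\\Users\\u\\Pics\\cat.jpg -> C:\\Users\\u\\Pics\\cat.jpg.CRAB",
    "2018-03-04T09:00:00Z host-a rename C:\\Users\\v\\notes.txt -> C:\\Users\\v\\notes.txt.old",
    "2018-03-04T09:05:00Z host-a rename C:\\Users\\v\\draft.docx -> C:\\Users\\v\\draft.pdf",
    "2018-03-05T10:00:00Z host-c rename D:\\share\\a.xlsx -> D:\\share\\a.xlsx.yhfksdjqpl",
    "2018-03-05T10:00:30Z host-c rename D:\\share\\b.xlsx -> D:\\share\\b.xlsx.yhfksdjqpl",
    "2018-03-05T10:01:10Z host-c rename D:\\share\\c.pdf -> D:\\share\\c.pdf.yhfksdjqpl",
]

_DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
_RENAME_RE = re.compile(r"^(\S+) (\S+) rename (\S+) -> (\S+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_dns(lines, tokens=WATCH_TOKENS):
    """Report queries for .bit names (Namecoin; a stock resolver cannot answer
    them, so the host must be using an alternative resolver) and queries whose
    leftmost label embeds a watched vendor or researcher token."""
    hits = []
    for line in lines:
        m = _DNS_RE.match(line)
        if not m:
            continue
        _, host, _, qname = m.groups()
        qname = qname.lower().rstrip(".")
        reasons = []
        if qname.endswith(".bit"):
            reasons.append("namecoin-tld")
        if any(t in qname.split(".")[0] for t in tokens):
            reasons.append("vendor-token")
        if reasons:
            hits.append((host, qname, tuple(reasons)))
    return hits


def flag_mass_rename(lines, known=KNOWN_EXTENSIONS,
                     window=timedelta(minutes=5), threshold=3):
    """Per host, group renames by the suffix appended to the original name and
    report any unknown suffix applied to `threshold` or more files inside
    `window`. The suffix itself is never matched, so a short word, a variant
    spelling and a ten-character random string are all caught by one rule."""
    buckets = defaultdict(list)
    for line in lines:
        m = _RENAME_RE.match(line)
        if not m:
            continue
        ts, host, old, new = m.groups()
        if not new.startswith(old + "."):   # only "name.ext -> name.ext.X"
            continue
        ext = new[len(old) + 1:].lower()
        if ext in known:
            continue
        buckets[(host, ext)].append(_ts(ts))
    flagged = {}
    for key, times in buckets.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):          # sliding-window count
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def triage(dns_lines=DNS_LOG, file_lines=FILE_EVENTS):
    return {"dns": flag_dns(dns_lines), "renames": flag_mass_rename(file_lines)}


if __name__ == "__main__":
    for host, q, why in triage()["dns"]:
        print(f"{host}: {q} [{', '.join(why)}]")
    for (host, ext), n in triage()["renames"].items():
        print(f"{host}: {n} files renamed to .{ext} within 5 min")
```

Keying the file check on the behaviour (same appended suffix, many files, seconds apart) rather than on any particular extension string is the point; a rule written for the ten-character variants would have been obsolete the day it shipped. The .bit check is cheap because an ordinary resolver cannot answer that TLD at all, so a host that asks for one is already doing something unusual.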
Well, after I told you that AhnLab, which is a South Korean company, launched an app against the ransomware to say: "Guys, it will be fine. Yes, you download this here, this antivirus-type thing for this malware, and it will be fine. If it's infected, it will disinfect the thing." They got really angry. They were very, very angry. Here. They sent... they made a DoS attack on them. Madly. "It won't happen, you don't do that." They wanted to attack this and sent it to... to BleepingComputer. Catalin, who was one of the BleepingComputer researchers, said: "Look, we're not happy with this thing. So, publish it. We'll launch a zero-day against this company, against their version, AhnLab V3 Lite." And they published it; they made the BleepingComputer guys publish it because they were very angry with this thing. How dare you confront me? They did it against Kaspersky too. Here is version 4.2 and 4.3, which includes the AhnLab exploit. It's hard to see, but it's here. Version 4.3. Here I can't read absolutely anything about the zero-day, which is here somewhere. Remember I talked about sextortion? It only appeared in their 5th version. In the last versions. They started in January 2018 and went until May 2019. It was very fast that they existed and stopped existing. It was "bang". Their campaign, of course, was to go after those who had more money, but the thing is, let's play: there was not exactly a specific target. Normally, the United States, Europe, Korea; they attacked South Korea a lot. But then came a time when you are there, looking for good things, looking for things to have fun with before going to bed or during the day, I don't know, what do you do, what sites do you use? Anyway, look, people. "I see you entered a porn site and I see what you're doing. I know what you're doing while you watch." That's what they wrote here. So, it's all filmed, the camera recorded, I want to see. So you have to pay me... It was a very low value in bitcoin; I won't remember the value, like 0.02, it was, I don't know, about $600 at the time. Today it's 0.2 bitcoin. "I'm not going to work anymore." "Look, I see what you're doing." Bad news for you. If you don't want me to expose you, you'd better pay me. I imagine them doing this in my head. "Look, I have your e-mail and your password." It's almost trivial to achieve that. But they said there were other details, other signs. It's a lie. They threw it out and the guys fell for it. Because imagine, I don't know exactly the content that was seen. I know they were usually porn sites. I don't know what level, what type of pornography. We're not judging much, but we're judging. There are things we say, "Is it really?" It's all recorded here: your face, what you're doing at the moment, what you're seeing. Will you pay or not? They say why this is important. You won't want your workmates, your partner, your children, everyone, to know your perversions. You will pay. You talk to the person, you go there via Tox; they like to use Tox for communication within the Tor network. Let's exchange ideas, you pay here, look. If I'm not mistaken, the Bitcoin wallet, the number varied every day. Each one was one. So they did that too. This was focused on the United States. I imagine that, according to the rest of their other campaigns, thinking, there are several, they have a political footprint. Like the United States... Why? The why comes later. The attack vectors. Again, this is one of their latest versions. The entry vector is wide. It can be of any size. RDP, phishing, some trojanized program, exploit kit, PowerShell, botnet. They used this specific botnet. It's old, but it was there. They left it free and loose. So, let's use it. It could come in any way. Their exploitation chain is not so complex. In fact, yes, kind of the standard, but their way of entry was diverse. This also attracts the affiliates. They can do it any way. It depends on how much you have to spend on it. Why did I say it was a geopolitical issue? A guy said: "GandCrab encrypted my files." This is from a random person. He was probably looking at a pornographic site. Because it was from a person, and he said, "My children are dying in the war, and I don't know what, a drama, I never had the memories of my children." The people were moved. They said, "No, for the Syrian people, we will give the decryptor for free, only for them," because obviously, for the people who speak Russian, this malware wouldn't arrive, it wouldn't arrive; their brothers and their people won't offend Putin. "No, because I'm in my land, so I'll keep the right thing." They were so moved that they released the decryptor. "I was wrong, I was a kid, I shouldn't have included... I should have excluded Syria from that too. It was bad." So, Syria started to receive... I think there were more than a thousand attacks in Syria that were... "It's okay." They also did this when they were very poor. They didn't have much money, they were very poor. "500 dollars, it can be 100. Let's close the deal. Not for me, not for you. Let's go." They got tired. "I'm tired. I don't want it anymore." They also published: "Guys, it's over. Everything that is good has an end. Let's stop here at the peak." Their peak: "We've already earned a lot of money, more than 2 billion," according to them. In total, they divided it among the team. Again, everyone receives fair and honest work. Communism here. They received more than 150 million each and started to invest it in legitimate businesses, they say. However, all of them... Some people were sad. "I think I'm going to cry. It's great that you were part of our business. Thanks, Trude." It was like that. But what happens? The plot twist. All TTPs ended in early 2019. Who emerged in early 2019? REvil. That one did a lot of damage. REvil. That is, the people dispersed, they joined new friends, they keep the TTPs. When there are rebrands, usually one goes here, the other goes there, and the new friends join. Nothing dies, everything continues.

We have this other ransomware, Jigsaw, which is from Saw. I found this cat so beautiful. It was released in 2016, obviously using Jigsaw as a model. It spreads through phishing, malicious software downloads, like, "I want a game cheat, I want to download the cracked version of I don't know what." Anyway, that's the way it is. And that's how they came down. Simple. In 2016, things were much simpler. Much. They also, as incredible as it may seem, they look small, but they were big. They worked as ransomware-as-a-service, written in VB.NET, and only ran on Windows. The other was multi-platform. This is just Windows. They used AES cryptography, encrypting more than 226 files. It's a lot. They also changed the extension, but the extensions were always bizarre: FUN, Bitcoin, YOLO, KKK. It's not a joke, it's KKK as in the white supremacist gang. They were the first group to have this routine of creating a copy of the user's files, encrypting the copies and deleting the shadow copies. "We're selling our stuff." Here is the... that forum that comes back and forth? The Bridge forum. We are there. It's proof that not every forum is within the Tor network. It's open. Anyone can register and see what's going on, but you won't necessarily be able to buy or sell, because you need to put in some money, have a name. Anyway, look here, guys. "We are selling. Come with us. Come to us, it will be worth it." Its persistence: it copies itself into a directory as if it were a legitimate directory, also basic. It modifies the registry key, uses polymorphism to obfuscate its code. This is one of its differentials. It ends up making detection difficult. It was kind of a pioneer in some things. Here: "I encrypted it, it's already gone, boy. You'll have to pay me some money; your computer was encrypted." But what did they do? These guys were naughty. They started a countdown; every 60 minutes they would delete a file. "You're not going to pay?" So they applied psychological pressure; imagine, the guy from Saw says, "Are you going to pay? Let's delete it." "I'm going to restart my computer." No, it won't. Do you know why? Because if you do, I will delete more than a thousand files, up to all of them in 72 hours. That is, I'll have to run now because I talked a lot; I have 10 minutes. Anyway, its cryptographic key was embedded in the binary itself, so it also made it easier for the... for the people who did the reverse analysis. They started charging between 2 and 5 thousand dollars, because it's a service. So, a lot of people started copying it and making a dump of it. Who created it? A Venezuelan cardiologist created it. Yes. This gentleman. You would say that he created it, and his nicknames were always names of diseases. I don't know what disease it is, but it's a disease. Anyway, he was arrested, he lost. His punchline is that, imagine, every time you are encrypted, his face appears, Jigsaw's. Terrible, people, terrible. This one.

This "ransomware" is... Isn't this cat very cute? nRansom. Look how beautiful it is. It was discovered in 2017. It is a "locker". It doesn't encrypt. It only locks. It only affects Windows users; it's an .exe. The ransom: 10 nudes. That's what you saw. 10 nudes. But it's not like that. They will demand that you prove that the device is yours. I don't know how. You had to send it. Kill yourself. Send it. What are they going to do? They said it was all right. Or not. "I'm going to sell it. I'll do whatever I want." Send it in a good way. If it leaks, at least it's not that kind of crooked thing. Whether you are the toxic person, leak yourself. It was running in VB, also, extracting into a temporary directory. But then, what happens? It's written like this, on the lock screen: "Fuck you, damn it." With Thomas, Thomas the Tank Engine. But then what happens? It starts playing a little song. Let me see. In fact, it was a very simple thing: it was to type 1, 2, 3, 4, 5 to unlock; sometimes it worked, that is, it was very shit, this pseudo-ransomware, very shit; you could put 1, 2, 3, 4, 5 or close everything and it worked. But until you find out, and the fear of having your nudes leaked... I think you can hear. Well, this is from... from VirusTotal, when it was detonating the file, so it was doing that. Like a basic detonation, but the important thing is the little song, which is called... "You're gay, your father..." Someone is gay, everyone is gay in this life according to them. Your mother is gay. Your mother is gay. Why? Yeah, well... Oops.

Then comes the last one, because now I have to do it in five minutes. This one happened. It was a vulnerability that was exploited in the API of this male chastity belt, which was locked. What is a male chastity belt? It's like a cage around your organ. Yes, they have it. It can't be hard. This is very important. It won't work. It won't work if it's hard. That's how it will work. What did it do? It locked. The idea was to lock the interface. As they exploited the API of the interface, they said: "Look, guys, the attacker used the Keymaster on the devices of the people who had it, to close it." It was done in Python. This code is distributed for those who want to play. No, it's open here in the VX Underground repository. There are a lot of things you can have fun with here. Nothing too complex. So, the code of the malware written in Python and the Keymaster here, which I find very funny in this BDSM game, Master, Slave; anyway, I've already exposed too much of my life. Well, the ransom fee asked for 0.02 bitcoins; it was almost less than 300 dollars at the time, like this: "I have your cock now, your dick. So you have to pay me 0.022 or I'll lock you forever." That's what happens. Then the unlocking method. The company, a Chinese company, said: "Look, you can use a screwdriver, or try to open the device manually; a 3-volt shock burns the device." And that's how it would be. The person who suffered the ransomware said he wasn't using it at the moment; he didn't need to take a shock or a hammer, anyway. And that's it. I had to run. I could have told you more details because... Anyway, guys, I didn't have time. I talked too much. But thank you for listening to the ransomware gossip. Thanks. I'll stay here all day. I think it's time for a question, a question, something. I think it's time for one. No? Gossip? So that's it, guys. If anyone wants to go to DEF CON this year, send the workshop to La Villa Hacker, and thanks.
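Three Jigsaw behaviours from the talk (the copy of the user's files that is encrypted while the shadow copies are deleted, the binary copied into a directory dressed up as a legitimate one plus a registry key so it survives a reboot, and the timer that deletes one file every 60 minutes to pressure the victim) each leave a trace an endpoint sensor can see. The Python below is an added example for this transcript, not code from the talk or from Jigsaw; the event records are constructed, the field names and paths are assumptions of the example, and the thresholds are illustrative.

```python
"""Endpoint-telemetry checks for the Jigsaw-style behaviours in the talk.

Added example for this transcript; events are constructed, and the record
layout (ts/type/pid/image/cmd/parent/key/value/data/path) is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events from one hypothetical Windows host (paths made up).
EVENTS = [
    {"ts": "2016-04-12T10:00:00Z", "type": "registry", "pid": 3000,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "firefox.exe", "data": r"C:\Users\u\AppData\Roaming\Mozilla\firefox.exe"},
    {"ts": "2016-04-12T10:00:05Z", "type": "process", "pid": 4100,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\u\AppData\Roaming\Mozilla\firefox.exe"},
    {"ts": "2016-04-12T10:00:06Z", "type": "process", "pid": 4200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c dir", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2016-04-12T11:00:00Z", "type": "file_delete", "pid": 3000, "path": r"C:\Users\u\Docs\a.docx"},
    {"ts": "2016-04-12T12:00:00Z", "type": "file_delete", "pid": 3000, "path": r"C:\Users\u\Docs\b.xlsx"},
    {"ts": "2016-04-12T13:00:00Z", "type": "file_delete", "pid": 3000, "path": r"C:\Users\u\Docs\c.pdf"},
    {"ts": "2016-04-12T14:00:00Z", "type": "file_delete", "pid": 3000, "path": r"C:\Users\u\Docs\d.jpg"},
    {"ts": "2016-04-12T10:05:00Z", "type": "file_delete", "pid": 2500, "path": r"C:\Users\u\tmp\x.tmp"},
    {"ts": "2016-04-12T10:06:00Z", "type": "file_delete", "pid": 2500, "path": r"C:\Users\u\tmp\y.tmp"},
    {"ts": "2016-04-12T10:30:00Z", "type": "file_delete", "pid": 2500, "path": r"C:\Users\u\tmp\z.tmp"},
]

# Locations a normal installer does not use for an autostart binary.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def shadow_copy_deletion(events):
    """Process events whose command line removes Volume Shadow Copies, the
    step the talk pairs with encrypting copies of the user's files.
    Returns (pid, parent image) so the launching binary is visible."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        c = e["cmd"].lower()
        if ("vssadmin" in c and "delete" in c and "shadows" in c) or \
           ("wmic" in c and "shadowcopy" in c and "delete" in c):
            hits.append((e["pid"], e["parent"]))
    return hits


def userland_autostart(events):
    """Run-key values whose target lives in a user-writable directory: the
    'copy into a legitimate-looking directory plus registry key' persistence."""
    hits = []
    for e in events:
        if e["type"] != "registry" or not e["key"].lower().endswith("\\run"):
            continue
        if any(marker in e["data"].lower() for marker in USER_WRITABLE):
            hits.append((e["value"], e["data"]))
    return hits


def metronomic_deletes(events, min_gap_s=300, tolerance=0.1, min_gaps=3):
    """Per process, look for deletions spaced at a near-constant interval of
    at least `min_gap_s` seconds. People and cleanup jobs delete in bursts;
    a countdown timer deletes on a clock. Returns {pid: mean interval (s)}."""
    by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "file_delete":
            by_pid[e["pid"]].append(_ts(e["ts"]))
    out = {}
    for pid, times in by_pid.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps or min(gaps) < min_gap_s:
            continue
        if max(gaps) / min(gaps) <= 1 + tolerance:
            out[pid] = sum(gaps) / len(gaps)
    return out


def triage(events=EVENTS):
    return {
        "shadow_copy_deletion": shadow_copy_deletion(events),
        "userland_autostart": userland_autostart(events),
        "metronomic_deletes": metronomic_deletes(events),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

The deletion check is the one worth keeping: a single hourly delete is invisible to any rate threshold, which is exactly why a countdown works as pressure, but four deletions by one process at 3600-second spacing is not how users or cleanup jobs behave. The other two checks are ordinary hygiene that would fire within the first minute of the sequence the talk describes.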