
Hold My Beer Ransomware Operations and the Race to the Bottom - Laurie Iacono and Dan Cox

BSides Peru · 41:03 · 64 views · Published 2021-10
About this talk
This session will look at the ransomware-as-a-service (RaaS) ecosphere, highlighting changes observed since the shutdown of DarkSide ransomware in May 2021 and what lessons can be learned about threat actor tactics, techniques, and procedures from the sites where they publish stolen victim data. Laurie Iacono [https://twitter.com/yinzlovecyber] is a Sr. VP at Kroll Cyber Risk where she manages the day-to-day operations of the threat intel team. She specializes in dark web and ransomware investigations. In addition to her day job, Laurie is an adjunct professor at the University of Pittsburgh and Robert Morris University, teaching on such topics as cybercrime and cyber intelligence tradecraft. Prior to Kroll, Laurie managed the Brand and Consumer Protection program at NCFTA, where she oversaw analysts working on cybercrime investigations into intellectual property theft and retail fraud. Dan Cox is an Associate Analyst on Kroll Cyber Risk's threat intel team. His primary role focuses on analyzing and monitoring ransomware operations to support global incident response and recovery efforts. Before joining Kroll, Dan studied Cyber Intelligence at Robert Morris University and worked as a Security Analyst for TeleTracking Technologies.
Transcript [en]

Without further ado: Hold My Beer, Ransomware Operators and the Race to the Bottom.

Okay, hello everybody, thanks for coming to our presentation, Hold My Beer: Ransomware Operators and the Race to the Bottom. We're just going to give you a sneak peek at what Dan and I see every day working on the threat intel team at Kroll. As an introduction, my name is Laurie Iacono. I'm a Senior Vice President with Kroll Cyber Risk, and I manage the day-to-day of our threat intelligence team. I was formerly a program manager at the National Cyber-Forensics and Training Alliance, and I also teach cybercrime at a couple of the local universities, including the University of Pittsburgh and Robert Morris University, which is where I met my co-speaker, Dan. I'll let him introduce himself.

Oh, hello, I'm Dan Cox. I've been with Kroll for about a year and a half now. I started off in cybersecurity at Robert Morris; I went through their master's in cyber intel and investigations, and that's how I met Laurie, and then I ended up working at Kroll. Now I do a bunch of ransomware stuff, dark web research, really just anything that comes through; we do a mix of everything. So yeah, lots of OSINT research and lots of ransomware research.

So what we're going to talk about today: we're going to cover "we are here," the current state of ransomware as we're seeing it working in an incident response practice. We're going to talk a little bit about how we got here, some factors that we think led us to this current state, and then we're going to talk a lot about what we're learning along the way, specifically what we're learning from some of the threat actor shaming sites, which Dan has done a lot of work drilling into the analysis of.

So, talking about "we are here": you can see this navy line on this slide. This basically represents the distribution of threat incident types that we're seeing in our incident response practice. That navy line represents ransomware, and you can see that it is far and above the other lines on the chart. That's because, except for quarter one, when we had Microsoft Exchange ProxyLogon, ransomware is by far the most frequent threat incident type that we see in our incident response cases, and it's actually been like that since August 2019. So it's been holding steady for about two years. Prior to that time we would see a lot more email compromise, a lot more unauthorized access cases, but starting in August 2019 we started to see a big rise in the frequency of ransomware, and that has pretty much held steady since then, like I said, except for Microsoft Exchange skewing the results a little earlier this year.

The next thing that we've been seeing a lot of in our practice is the use of what they call double extortion tactics. So the ransomware groups are not just encrypting networks; before they encrypt the network they're going in and exfiltrating data, and then the extortion component at the end is, first of all, "pay us for the decryptor," but they're also saying "pay us or we're going to post that stolen data on one of our actor-controlled leak sites." These actor-controlled sites are basically where the ransomware gangs put up their own branded site and post the victim data. In the ransomware cases we see at Kroll, about 86 percent of them right now are associated with this double extortion tactic. We did a similar analysis about a year ago and we were at about 40 percent, so the use of this tactic has more than doubled in a year's time. You can also see here the growth of these sites in 2021. The bars represent unique new sites that we observed during the year, so there was a big spike from Q2 to Q3 of different groups adopting this tactic.

So I want to go into a little flashback here and talk about the ransomware-as-a-service model. One of the groups that really popularized this model was GandCrab ransomware. Here you can see their landing page. They were very active from about January 2018 to May 2019, and this group, I don't know that they were the first to use the service model, but they definitely popularized it and brought it to the mainstream. Ransomware as a service is essentially a model where the ransomware operators outsource the distribution of the ransomware to affiliates, and then those affiliates get a cut of the ransom proceeds. So this helps those ransomware gangs force-multiply how many targets they're able to go after, because they're using this huge network of affiliates to actually distribute it. When GandCrab retired in May 2019, they made a pretty big post, like a retirement letter, on one of the dark web forums, and they claimed that they had made 2 billion US dollars in those 18 months. Now, this is what a threat actor is claiming, so we don't know how accurate that 2 billion dollars is, but we know it's fair to say that they made quite a bit of money in that time. So if you remember, two slides ago I mentioned that it was August 2019 that Kroll started to see so many ransomware cases in our caseload, so it's very likely that a lot of other cyber criminals at that time saw how profitable this was and started getting into the ransomware game.

The next flashback here: this is the Maze News site. This site was one of the first of the actor-controlled sites, so the Maze crew was really the first ransomware group to threaten this kind of data publication and then actually carry it out and post data. This site went up in May 2019; they eventually retired in November of last year, but the site was up for quite some time, with hundreds of victims. They would definitely post after an attack; if people paid the ransom they would take the data down, actually remove it from their site. We unfortunately had some clients that that happened to, and we would see proof that they did at least delete it from their site. Another one of the groups that quickly adopted this double extortion method and set up an actor-controlled site was the REvil gang. Their site is called Happy Blog. So they were the second ones to get into this method, and they gave it a lot of personal flavor, I guess I would say: they would write these letters about their victims, essentially trolling their victims. We've seen they went after a lot of law firms that had high-profile clients, so they've trolled everyone pretty much from Lady Gaga to Donald Trump on their site. This summer they were also the first, at least of what we've observed of the ransomware groups, to use what we would call sextortion tactics. They were threatening one CEO that if they didn't pay they were going to post a dick pic. They did not pay, and they actually posted the dick pic. I think my question as a cybersecurity professional is why the CEO of a significant company would have a dick pic on his work computer, but he did and they found it. So that's the kind of thing that these gangs are going after.

Obviously most people in this room are surely familiar with the Kaseya supply chain attack that happened in July. REvil went on hiatus after that; they came up for a few weeks at the end of September, but now they are down officially as of Monday, and yesterday there was an article released that it looks like that was international law enforcement cooperation actually bringing that site down, so hopefully they've been disrupted.

I want to talk a little bit more; I know I've been talking about the exfiltration and the actor-controlled sites, but there are other tactics that we've definitely seen them using during the negotiation period. One of those tactics is DDoS, and I will say we've seen the threat of DDoS be used. Avaddon here on the screen, Avaddon and SunCrypt, both of those variants threaten to DDoS victims during the negotiation periods. We haven't observed in our caseload that anyone's actually had a successful DDoS attack during the negotiations, but it's one of those other things that they're threatening them with. One thing that we have observed quite frequently, unfortunately for our clients, is this tactic of cold-calling the victims. The DarkSide ransomware gang was marketing this on the dark web earlier this year: "we have this call center that we're using, and if you're an affiliate of ours, this call center will be calling the contacts of the company to try to get them to pay the ransom." And we saw a lot of that happen to a lot of our clients, almost within days of that post going up on the dark web. Another tactic that we've seen them use is emailing victim clients, basically the clients or customers of the victim organization. So you see here this email from the Clop ransomware group saying "your personal data has been stolen and will be published." We've seen them do this; I know the Maze team at one point were going after patients at a plastic surgery center saying "we'll share your before pictures." We saw them go after patients at a rehab clinic: "we'll share pictures that are related to your drug use if your clinic doesn't pay the ransom." And we've also seen another group go after, I wouldn't say victims, it was patients at a celebrity hair club for men, telling them "we're going to show the world that you guys actually have hair transplants." So it just shows you how low some of these groups will go in trying to get their ransom payment.

So we can't talk about ransomware in 2021 without mentioning the Colonial Pipeline attack, which DarkSide was responsible for. In the wake of that, obviously everyone in this room knows how devastating ransomware can be, but this brought it into the mainstream. All of a sudden the media was engaged, and obviously there was a lot of law enforcement scrutiny on some of these forums that had heretofore been harboring some of this activity when it comes to the ransomware-as-a-service ecosphere, so they quickly banned some of this activity on their forums. Now, since then, obviously it's a ban on a cyber criminal forum, so we will use that term lightly, but they definitely shy away from using the word ransomware because they know how much attention it attracts. So we definitely see them using code words, trying to still accomplish the same thing, and we've also seen a lot of the ransomware activity actually transfer over to a new forum that came up, I think in July, the RAMP forum, and that one has a little higher bar to entry, probably because they want to avoid some of the looky-loos that were coming into the forums in the wake of Colonial Pipeline.

Some of the other things that we've seen on the shaming sites since that time: first of all, we saw that rise from Q2 to Q3 of more actors putting up these actor-controlled sites where they were dumping data. We've seen a lot of actors pivot to just exfiltration, so they're not even using ransomware to encrypt; they're just going into the system, stealing the data, and then extorting to try to prevent some kind of data publication. We've also seen a lot of doxing on the sites since then. Sometimes people get immune, like "okay, so what, my data's dumped," so the threat actors constantly have to keep ratcheting it up. We've seen a lot of our clients' sensitive data, like plaintext passwords, dumped on some of these sites in the past couple of weeks. We've also seen some rhetoric from some of these groups coming out against recovery companies. Recovery companies are basically third parties that some of the victims will use to help them negotiate with the threat actor to try to lower the ransom demands, and a lot of times that is successful and they are able to get a significant reduction in the ransom. So some of the groups, Ragnar Locker and Grief, this is just an example of them coming out, I think it was a couple of months ago, and basically saying "if you work with a recovery company, or we think you're working with a recovery company, we will just delete all your data." They were trying to play hardball with these groups. We haven't actually seen them do that, but it's just another threat that they have made.

Another thing that we have seen, and as you can tell, this is why we called it Hold My Beer, because every day when we think that the ransomware groups can't top themselves, Dan and I are messaging each other the next day that we can't believe what they did. This was one where LockBit ransomware, who have been especially active after the DarkSide shutdown, started soliciting for insiders to help them launch malware. This image here actually shows up after a victim has been encrypted: the wallpaper will say all your files are encrypted, and it will also put up a little advertisement saying that if you want to make millions of dollars you can work with us by giving us passwords to VPN or RDP to help us get into networks. So we're talking about insiders, and they're going after insiders in our industry, in the cybersecurity industry, probably with that posting. But now that this ransomware landscape is spread out, we've got all these affiliates, all these different pieces of the pie that are feeding into a ransomware-as-a-service operation, and that means there's more likely to be individuals within that ransomware supply chain that may be disgruntled and end up sharing information. So this happened in August: this was a disgruntled affiliate that was associated with Conti ransomware. He actually dumped a training manual, which is what they give their new affiliates to help them launch ransomware, and in that training manual there's a lot of technical detail about the tooling that they use and how they move through networks, which we were able to share with our detection and monitoring teams as well as our forensic examiners for threat hunting. But for the purposes of this presentation I'm going to focus on what we learned when it comes to exfiltration. One of the things they were told is that one of the first things they should do when they're in the network is start that exfiltration, so it highlights how important that is to them as a part of these attacks. Some of the things that they were told to look for are items related to finance, accounting, clients; as we said before, they tend to go after clients and customers. They're also told that what's especially important for them to go after is documentation related to cyber insurance policies, so lately they're trying to look at a cyber insurance policy, see what they may be insured for, and use that as some kind of leverage when they go into the negotiations. I have talked a lot about that exfiltration piece, and now Dan's going to talk a little bit more about those sites and what actually happens with the data.

Okay, there we go. Oh yeah, so looking at the different actor-controlled shaming sites, I believe last night the most updated count that we had was 34.

Yeah, there we go. I just won't touch this. Okay, was that better? Okay. So last night we had counted that there were 34 active actor-controlled sites where they're leaking victim data and threatening to post different attacks onto their websites. On the sites there are always the large claims of "oh, we hacked X company and we stole two terabytes of data; if they don't pay us in a week we're going to post that data onto our site." When you actually look at the sites every day and break them down, you can see that that's not usually the case. With the sites, there is data posted to most of them, and yes, it is normally a large amount of data, but it really depends on the group whether they're going to post that data, when they will post that data, how much data, and then whenever you actually get into trying to retrieve the data there's a lot of trouble that you run into with that. So for these different cases, what we typically see is the post will go up about two to three weeks after the initial attack, and then with that you'll have a countdown timer that'll start anywhere from four days to two weeks to a month, which gives the victim time to negotiate and decide if they're going to pay the ransom or not.

If they do not pay, they'll move on to leaking screenshots, which, like you saw with Laurie, sometimes contain plaintext passwords; they might be personal information documents, whether that be passports, driver's licenses of employees, student records if it was a school, different things like that. That's all in a push to actually get the victim to pay the ransom to remove the data from their site. Whenever you go through most of the different negotiating companies, one thing that you'll see very commonly is that they get the negotiation extended, and usually that just drags it on long enough so that they can keep working down the threat actor's price. After so long, though, whenever the countdown does finally expire, they'll release the data either all at once in one bulk download or it'll come out in different parts, and we've seen the parts leak anywhere from over a few days to over a few months; that data will slowly trickle out, and eventually that data will get published onto their site.

So for most of our different clients, if data does appear on the sites we do go out and retrieve that data, and just a few different things that we've noticed with that: over Tor, the connection is always very slow and it's very spotty. Say a group does actually go out and post a terabyte onto one of their Tor sites; it's very hard to actually retrieve that data set and then work with it. You might be looking at a download that takes up to two weeks, and your normal person visiting these sites probably doesn't have the infrastructure set up and prepared to download any random victim's data that they see fit that would take up to two weeks. So then the data might not actually get published; they might get to the screenshots phase and dumping the proof and then not actually move forward with anything. Some of the groups will post to different third-party sites like Mega, SendSpace, OneDrive that they'll put the data onto, and with that, that actually opens the door to where we can contact that provider and then have the data removed from the site. And then with the groups deleting data occasionally, like we just saw with REvil where their site was taken down, that takes all the data links off with it. So with that, yes, your data may have been posted to the site, but looking at how long the data will actually stay live and how long it's actually maintainable is a very large statistic that we'll look into to try and help out some of our different clients. All right, this thing is... let's try this way.

Nope. Okay, so yeah, looking across the different sites there's a bunch of different statistics that you can pull to actually analyze the group, and it's slightly different from looking at their actual attacks, whether that be their IOCs or the TTPs that they're using on their attacks. This is slightly different: their TTPs on just their shaming sites and how that victim data gets processed and may appear onto the dark web if they don't pay this ransom. So some of the different things that you can look at: the actual victims that make it to the site versus the number of victims that actually have data published with that listing. There is the claimed data that the threat actors claim to have exfilled from the network, and then it's typically much less that they actually will post to the site. So we get to see both sides of that: we'll be looking through the network traffic to look at exfiltration, and most of the time what the actors claim you can instantly rule out, since it's a lot higher than what we saw, but occasionally you'll see them exfil maybe a terabyte and a half, and that terabyte and a half does appear onto the site. Like I mentioned, with using the third-party providers to host this data, there are different statistics that you can pull by looking at how long those links stay online before the third-party provider removes them, and then what we've also seen is actors upload to sites like AnonFiles where the link will actually expire after a set period of time. So yes, your data may appear onto the site, but will it still be there in a week, in two weeks, once this becomes public knowledge and is actually out there? So with those different statistics, we've provided those to our clients just to give them an idea of: here's the different timeline that we expect to see with this group, here's what we expect to see with the data that does get posted, and here's how long that data is expected to stay online if it does appear.

Okay, there we go. Oh, maybe not. Okay. So the different groups that we looked at just for this analysis were BlackMatter, which is the alleged DarkSide from the Colonial Pipeline hack; we have Defray777, who's going by RansomEXX now; they've been around for a few years now, but more within the past year they've moved to the shaming site model. Hive is a newer variant that we saw at the beginning of the year. They're pretty nasty; whenever they get into a network they'll generate their own encryption keys, and sometimes we'll notice that the encryption keys will get put into memory, so that way if the victim restarts the computer at all those keys are lost and decryption would just not be possible even if they did pay the ransom. We have REvil slash Sodinokibi; this is with the Kaseya attack, and like Laurie mentioned, they're actually seized right now and looking for different models to move to. That group, actually last week they were posting that they believed their servers were compromised, and then yesterday we found out that the servers actually were compromised by law enforcement. And then we looked at Vice Society, which is suspected to be a HelloKitty spin-off. HelloKitty has been around for at least two years now; they have many different spin-off variants, and each of their variants will get its own shaming site, but typically what we see with those is they're only online for about a month or two and then they'll pivot to using a different name. Vice Society, though, has been active for about eight to ten months now. And then we have XingLocker, which is a suspected variant of MountLocker. XingLocker has actually gone down right now and is believed to be a new group called Quantum Locker, and they've shifted their tactics over the different courses of their variants, but through each variant, like we saw with MountLocker, they would post a victim and then two or three days later the victim would appear on the next site, which would have been AstroLocker: the same exact victim, same exact data was posted. And then we saw them do the same thing from Astro to XingLocker, and now XingLocker to Quantum Locker. And then on the right there we just have a total victim count of what we scraped; this was from, I believe, about two weeks ago, for the active victims on each of the sites. Can someone show me my water, please?

The PowerPoint is on another level. Yeah, yeah, I know. What is it pressing? Why am I doing that? I have no idea. Is it the clicker? Okay, oh no, it's not that click, is it this click?

Okay, if we can get this to stay on one slide... there we go.

All right, so whenever we went to pull the statistics from the different shaming sites, we actually still had the REvil site; it was still online. This was only a few days before their operators stated that their servers were compromised and shut down their operations. As you saw on this last slide, they had about 250 victims listed on their site, but then whenever we moved to...

Okay, there we go. So you saw that they had about 250 victims posted, which was far more than the second, but whenever we look at the actual total data that was live on their site there was only around 40 gigs, compared to XingLocker with 1.3 terabytes where they only had about 20 victims. So you can instantly see the giant variance between the groups in how much data they would put up per listing and how many listings would actually stay active. So whenever we broke that down for average per victim, you can see with Hive, where they had (please stay... there we go) 25 victims listed on their site but only 0.07 gigs of data was ever actually posted to the site. And so then if we look at the sites like BlackMatter and XingLocker, who are posting large zip files of several hundred gigs, down to Hive, which might post a kilobyte, a few megabytes, there's just a large variance there. And so then, knowing that coming into the actual investigation, from day one you can say this is what we expect from this group. Say it's XingLocker: we're expecting a lot of data exfiltration, whereas with Hive we can tell the incident response team that there may not be as much exfiltration. I mean, they still look around, but we're not looking at too much of a risk to get onto the site.

Let me try clicking; is that the next one? Oh yeah. So this is looking at the actual victims that are posted to the site versus the victims with actual data on their posting. So we have XingLocker, Vice Society and Defray: if you made it onto their site, your data was going to appear on the site, compared to variants like REvil where you only have about a 25 percent chance, if you get posted to the site, that it's actually going to leak. And then moving over to the right side here, the trend that we can see with the different groups is how long that data would actually stay live. So REvil had about 250 victims but only 10 percent of their download links had stayed online, and this goes back to victims ranging back to about early to mid 2020, the earliest one on there, up to several days ago; before they were shut down they were still adding new victims.

Okay, and then whenever we shift to looking at how much data they claim they will be posting to their site, from the claimed exfiltration to how much data actually appears on the site, you can see on the graph on the left just how large that shift is, where groups like BlackMatter are claiming that they have seven terabytes of information posted to their site, whereas whenever you actually go through the information there's only about 760 gigabytes on there. This does get to show, with Defray over on the left, that what they claim is what they've actually exfilled, so that is a great tool for our incident response team: once the initial post comes up and they claim they have 400 gigs of data, we can tell the IR team you're looking for 400 gigs of exfiltration somewhere on this network. Then if you actually look at the Hive one too, they have very large claims on their website, where for some of the groups they were claiming that they had about 300 to 500 gigs posted onto the site, but whenever we looked at the actual data available it was only about half a percent of their claims, so there's very little data available on the site versus what they claim to have exfilled.

Oh, it's just the forward button; back one works fine. So, breaking down where the groups are hosting these sites: you can see on the left with the asterisks, those are the actual third-party providers I'd mentioned that will cooperate and may actually remove that data from their site once they notice that it is live, and then with the different groups you'll see them have different file servers, whether that be a section of their website that is actually hosting the downloads or a separate Tor Apache server. What we noticed with the Tor-hosted, whether it be the Apache or on their actual site, was that those were the groups that had the 100 percent uptime and very large amounts of data, compared to groups like Hive that would use sites like Mega and the private lab and only post maybe a handful of the data that they claimed, and then compared to the other groups where there's several hundred gigs. There we go. So this is a breakdown of just all the statistics rolled into one. Can I take that off to turn around? There we go. So yeah, whenever we look at the different groups, like you can see with Defray, Vice Society and XingLocker, if you made it onto their site you have a hundred percent chance of that data actually appearing, compared to looking at someone like BlackMatter where you only have about a 50 percent chance of that data appearing. Then one of the things that we really noticed with Hive was that out of their 25 victims roughly 70 percent had data posted, but the total data that was actually posted on the site was only two gigs. So out of the around 20 victims that had data posted, that only amounted to 2 gigabytes of data, which is very, very little for around 20 victims, compared with BlackMatter with 26 victims where we saw about 760.

Let's see. Yeah, so just an overview of the different stats. BlackMatter: roughly ten percent of their claimed data that was exfilled actually gets posted, and that did line up with what we saw with different BlackMatter cases as far as their exfil focus. And then looking at the previous DarkSide cases we had before they were shut down, one of the really cool stats we saw with that was that the victims with data posted for BlackMatter was around 50 percent, and that was exactly the same for DarkSide. So just an odd TTP; it doesn't necessarily mean the groups are related, but it just goes on to pile on with the rest of the information on the groups. And then like I said, with Defray, Vice Society and XingLocker, who use the Tor-hosted sites, if that data does appear on the site it's going to stay on the site, compared with REvil using the third-party sites, where most of the time they're getting taken offline or the links are actually expiring before the data is even up for too long. And then, just like with any of the threat actors we deal with (I thought it was going to stay...), even if you do pay this ransom or your data does not appear on the sites, there's no real telling where that data is, who has access, where it has been published online. So this was from one of the chats that we had with one of the threat actors after they had given us data that a victim had paid to have unlocked: "so of course we could easily have backups, but we assure you we do not." Now, they said that in a joking manner; whenever we showed the client these logs they were not too happy about that, with the actor making a joke that they still had their data backed up, and the lawyers were iffy about that going forward. But as far as the larger groups go, I don't want to say that they're trustworthy, but they do like to keep their reputation in line. So say a large group like BlackMatter: a victim pays to have their data removed and that data is spread across the entire internet; the next victim that comes along with BlackMatter is likely not to pay, because even if they do pay their data still may get posted somewhere online.

Well, I'll work the last one. Yes, sir. So obviously the best cure for ransomware is prevention, because these actors are obviously very opportunistic; they're taking advantage of everything they can to get into networks. They're also taking advantage of security vulnerabilities that they observe, so the biggest way to stop a ransomware attack is to prevent it from actually happening. These are just some controls that we've observed at Kroll as far as things that people should probably be doing to have increased cyber resiliency, I guess they would say. Multi-factor authentication: unfortunately, in the majority of the ransomware cases that we see, the majority of those people do not have multi-factor authentication across the board; maybe they have it at a part of their organization, but that seems to be a huge factor for these groups. Obviously they go after VPNs, so vulnerable VPNs: if there is a patch to a VPN appliance that you're using, you should definitely be updating that, because we do see those actors trying to exploit those. Open RDP, that is another one that they will try to exploit. We recommend everyone have some kind of endpoint detection monitoring to catch some of this precursor malware before it actually goes to a full ransomware attack, and then we also suggest that everyone have some kind of a plan in the event that this does happen. Do you want to talk about the other ones? Yes, there are some of them. Well, just a few different things to go along with those in case an attack does happen

you need to go through your different backups kind of have plans have different training into restoring from the backups so whenever these ransomware groups come in they may get into your network encrypt your backups delete the backups or just kind of lock you out from those so having it's just me whenever i stand up here so having just a different kind of awareness and ability to go through that can definitely save you a lot of money and time recovering from those well your access controls constantly reviewing constantly updating and managing those compared to what you see in a few different cases where an actor gets onto a network whether they create an account escalate privileges onto a account that

was already created companies not knowing about that that actor might be on your network for several months to several years then with your email hygiene and security culture your number one threat is always going to be the end user at their desk so kind of just constantly promoting with those letting your different coworkers know what is going on with the landscape what is popular right now and then having the actual controls built in to back that up so whether that be an outlook with the reporting phishing button whether that be the tagging all external emails in outlook or even just going through and teaching your employees here's what not to do if you believe that you received a phishing email

and then i just want to touch on like lori said with the multi-factor and vpns so even if you have those implemented we have seen many cases where those are bypassed just due to them either being implemented poorly or improperly or not patched one of the largest ones that we see was a 2018 vpn vulnerability where actors have gone out and scraped these credentials and posted them all online and this has been out for three years and we're still seeing companies come in that are still vulnerable to this and still have the exact plaintext creds that were leaked for their vpns and then infrastructure and segmentation kind of limiting just how the threat actors can jump around your network and

separating those whether this be they get into a marketing computer versus one of your sales people's computers and then getting into being able to spread across the entire network so having the different monitoring across the endpoints and then being able to actually identify and stop this kind of attacks are critical to you just not having your company be shut down for would be two weeks to four weeks during the entire attack anything else gonna go with that does anybody have any questions for us [Music] is everybody ready to go for lunch we can see the boxes back there all stacked up awesome thank you everybody [Applause]
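One of the mail-hygiene controls named in the talk, tagging all external email so it stands out in Outlook, written out as Exchange Online PowerShell. This is an added example, not code from the talk or from Kroll; it assumes the ExchangeOnlineManagement module is installed and the account used can create transport rules, and the rule name and the "[EXTERNAL] " subject prefix are arbitrary choices.

```powershell
# Added example (not from the talk): make mail from outside the tenant visibly
# different from internal mail, the "tag all external emails in Outlook" control.
# Assumes the ExchangeOnlineManagement module; rule name and tag text are our own.
Connect-ExchangeOnline

# Weak state: if this returns nothing, no rule distinguishes external senders,
# so a spoofed "CEO" message from outside looks identical to a real internal one.
Get-TransportRule | Where-Object { $_.FromScope -eq 'NotInOrganization' }

# Corrected state: prepend a tag to the subject of every message that originates
# outside the organization and is delivered to an internal recipient.
New-TransportRule -Name 'Tag external senders' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -Priority 0

# Outlook's native external-sender callout (a tag shown in the message list and
# reading pane on supported clients) is a separate tenant-wide switch; turning it
# on as well gives users the cue even when the subject line is truncated.
Set-ExternalInOutlook -Enabled $true

# Verify both settings took effect before telling users what to look for.
Get-TransportRule -Identity 'Tag external senders' |
    Format-List Name, FromScope, SentToScope, PrependSubject, State
Get-ExternalInOutlook
```

The subject-prefix rule and the Outlook callout complement each other: the prefix survives in any client and in forwarded threads, while the callout cannot be forged by a sender who puts "[EXTERNAL]" in their own subject line. Pair either with the report-phishing button the speakers mention so users have somewhere to send what the tag makes them notice.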