
Our next two speakers are Matthew Bole and Ryan Wrath. Matthew Bole is a manager of incident response consulting at Mandiant, a part of Google Cloud. He is a cybersecurity professional with over 18 years of military and national security experience. He is a subject matter expert (SME) in incident response, penetration testing, secure architecture, malware analysis, and virtualizing training and testing environments. Ryan Wrath, the co-speaker, is a senior incident response consultant with Mandiant and also a part of Google. His cybersecurity journey started after his 10-year service in the US Marines. He has led and assisted in over 100 incident response investigations, tackling a wide spectrum of threats ranging from nation-state actors and ransomware events to business email compromises and election protection engagements. Ryan is currently a consultant at Mandiant, a project manager for Google ThreatSpace, and a lead instructor for ThreatSpace. Please welcome Matt and Ryan with "Who Let the Dogs Out: When Your PUPs Become BlackCat's Best Friend."

All right. Hey, good morning, BSides. Thank you all so much for having us out here. I'm definitely very glad not to have to follow Bryson immediately, so thank you all for joining us. I'll turn it over to you.

All right, that's loud. Like Ryan said, happy to be here, glad everyone came to our talk, glad I'm not directly following Bryson. So just a brief overview of what we're going to talk about. We'll probably hit the bios extremely quickly, since we had a great introduction there. We'll go over an overview of what BlackCat/ALPHV is and what PUPs are, just so everyone's on the same page. We know there's a wide variety in the community of seasoned experts and novices, so we just want to make sure we're all talking about the same thing. Then we're going to go into the fun part that you're all here for, talking about some war stories from incident response cases that we worked, and then talk a little bit about prevention and detection. We'll share some indicators of compromise, or IOCs, that we can share. A little overview on the war stories and the IOCs: obviously our customer relationships are confidential, so we're going to have to be really careful about what we can and can't talk about and how we talk about things, but as long as you bear with us, we'll definitely make it educational and hopefully entertaining for everyone.

My bio: background in the military, just like Ryan. I came to Mandiant about seven years ago, and I've been doing incident response and threat hunting since then, so it's always a blast.

Yep, and I just passed my three-year mark here at Mandiant. Super glad to be here. Ready to get talking. This is a fun talk, and we'll definitely answer as many questions as we can, but unfortunately we can't share too much.

All right, so what's BlackCat? At least from Ryan and I talking with people beforehand, we have to make sure we emphasize the "cat" part, because at least with me it sounds like I'm saying "black hat," and that kind of confuses people. BlackCat uses ALPHV ransomware, or used to, before they got rolled up. They do ransomware as a service. They have initial access brokers that give them access, they run their malware, and they extort with data theft as well as charging people to get their data back. They're particularly forceful with that. We've had customers where BlackCat would call CEOs' spouses at two in the morning and threaten them that they need to pay the ransom. It's not just an out-of-the-box "go to this link, pay us" type of ransomware. They're really forceful and go that extra mile of vengeance.

Yeah, they really go that extra mile to make sure they get paid. I mean, they've been noted to release very unfavorable things about people who are going through an incredibly difficult time in their life, to try and use that as leverage to get paid. It's probably one of the worst groups that I've seen personally.

So, to dovetail on what we were just talking about with the FBI and law enforcement getting involved and being able to shut them down: we've seen this before with other ransomware groups, where they just come back a few months to a year later under a different name with new, updated software. So it's great that the government was able to shut them down, but I don't think that's going to be the end of ransomware.

I don't think so. I'm sure everybody's kept up with the latest saga of what's going on with BlackCat and the FBI takedown of their infrastructure, but as we've seen time and time again, they tend to shift and adapt and crop up in other ways, so we have no doubt that we'll be working with them again.

Cool. And then, like I said, just to get everyone on the same page: what is a PUP? A potentially unwanted program. For anyone that's been a SOC analyst in the past, these are those annoying alerts of "okay, why do I care?" Maybe it's adware or something that's annoying to a user, but my antivirus keeps popping on these alerts. In the past, yeah, that's fine, we ignore it, have them uninstall it, maybe don't take as much action on it as is needed. But we've seen an uptick, especially with BlackCat, in using those lower-level things that would alert to get initial access and gain entry into the network. So we're just trying to bring awareness to that and let people know that they need to (we lost our slides, this will be fun) pay more attention to it. I know there's alert fatigue, and dealing with alerts that are a lot of false positives, or maybe not that high a level of fidelity, so it's just something to look out for.

All right, so we're going to go ahead and get into some of our war stories. Over the last 12 months we've had three incidents that we have worked, and they all followed a similar theme with a similar threat actor; obviously we're talking about BlackCat. We've seen them really leverage malvertising campaigns and run them through backdoored administrator programs. So we have the trojanized Rufus, which had the Vidar data miner also packed in with it; a trojanized Advanced IP Scanner that dropped a reverse shell; and the trojanized Wireshark that was really heavy on PowerShell, excuse me, Python exploits, using that to laterally move. The interesting thing about the Wireshark one: from the time that the administrator downloaded and executed Wireshark, the threat actor was in their environment within 20 minutes, actively hands-on-keyboard. It was pretty astonishing to me to see how quickly they went from somebody random downloading a trojanized version of Wireshark to being hands-on-keyboard, laterally moving, collecting credentials.

Oh yeah, let's go ahead and... what's that? Malicious advertising campaigns. So essentially they would pay for advertising for their spot at the top of the search. Yeah, we'll go a little bit into detail on each of those too. I think the last two also combined that with typosquatting: a slightly differently spelled name, or switching a one for an L, that type of thing, to make it look like it's the legitimate site.

All right, so a little shout-out to one of our teammates, Nando. He likes to give presentations too. Yeah, if anybody doesn't know Fernando Tomlinson, he speaks quite often and he is a fantastic speaker. I'm a huge meme person; I kind of got squashed on my ability to add them, but he volunteered for me to use him as our meme in this one. So thank you to Nando. Go ahead.

Awesome. Cool. So, as Ryan was talking about, the first case was a domain admin who downloaded Rufus to make bootable images for systems. He searched for Rufus and clicked the first link, which happened to be an ad instead of the legitimate link to the true source of the software, and downloaded a zip file that was infected, or the binary inside of it was. That's another tactic we've seen, where the malware will be put inside of a zip file so that when it gets extracted it loses that zone identifier saying that the file was downloaded, which a lot of antivirus will flag off of. This one in particular was also a very large file. Most antiviruses cap how large a file they'll actually scan, normally around 25 to 50 megabytes by default; a lot of them let you make that larger, but obviously that's a performance trade-off you've got to deal with. In this case, I want to say the actual binary was about 500 megabytes, so most AVs wouldn't even look at it. In this case it did flag as Vidar. The local team did some remediation, and unfortunately they changed the user's password, but he had not used his domain admin account on that system, so he thought it was okay. But the malware actually stole his cached credentials from his web browser, which he used for the web login through RDS to other systems. So they caught it, they did some remediation, but they missed his domain admin account.

Yeah, so the Vidar stealer grabbed all his info from the browser. Very unfortunate. They thought what they did were the correct actions to take for remediation; they changed all of his passwords, so they thought. In this case there was kind of an extra hitch: the company that the system administrator was working for was an acquired company, and they had just established a two-way trust between that company and theirs. Naturally, you can see where this is going to go. They grabbed the credentials, they forgot about that one specific account, and of course that account came with the URL to the RDP login site that they had forgotten about for the acquired company. So the threat actor knew exactly where to go and with what credentials. We saw them do a test login pretty shortly after the initial infection. And this was all looking back: they did the remediation and everybody forgot about it, something happened, and then we came back in, and fortunately, through the documentation, we were able to find this event and trace it back. So some of the things we're talking about are through that lens. We ended up seeing them do a test connection, then they went dormant for about 30-ish days, and then we see them logging in again straight to the environment, and they immediately start attacking the entire domain, both domains.

Yep. So here's the example of... sorry, oh, this is the next one. Sorry, we have attack path diagrams for the last two, but we didn't have one for this one. So this is the next engagement.

Awesome. So this one's the same song and dance. This one happened to be with Advanced IP Scanner. It ended up coming from, if you can read that, the typosquatted domain. Yeah, the "adwanced" one, pretty low bar. Actually, I'm not familiar with whether the user actually typed that in or whether they ended up pulling it from... I believe that was also a malvertising campaign. Yeah, and that one came in an ISO. So zip files and ISOs are the trending theme here for when you're getting malicious copies of your software, just because, as Matt said earlier, it does not give it the mark of the web, so it doesn't pull additional scrutiny down from security devices. Yeah, go ahead. Yeah.
So it's more so for search engines. You can pay to have your company promoted. Bad actors are also able to eventually get through. There are tons of safeguards in place, but when you talk about the scale of the entire world economy, essentially anybody can purchase an advertisement and have their ad placed for their specific markets, their specific places. That's probably on a scale of millions a day for new requests, so they'd have lots of automated processes. Threat actors have also found a way to use redirectors, so that it goes through a few different channels. So when they do the initial check, the submitted URL link and the website are all good, and then as soon as their ad goes live they'll switch their redirector over to their malicious site. So yeah, any time. If anyone has any questions we'll have time at the end too, but feel free to ask them in the middle. We're all here to learn and share.

Real fast, to go back: the timeline there, from when the credentials were stolen until they were tested, was two months, a month later. We hypothesized that what happened was an initial access broker sold those credentials to the ransomware-as-a-service group; they tested them, validated that they worked, were around in the network for about a month stealing data to be able to extort the company, and then a month after that is when the encryption started. That was our older case. In some of the newer ones, like this one and the next one, you'll see that dwell time, the time that the attacker is in the network, shrinking, because the longer they're in the network, the more chances there are to get caught. But it's also kind of the advanced state of the actor: they know how to find what they need to find quicker and exfil it out of the environment. So in this case the attacker was there about a month before they started encrypting, and once the encryption started is when the phone rang for us. To go back to Bryson's talk, he said it's 4:50 on a Friday; normally by the time they call the incident responders it's 7 o'clock on a Friday. So I try sleeping on Fridays, not because I'm lazy but because I know the 4:30 call is coming. Always, always happens.

And here's our attack path diagram. Normally we'd have the date and timestamp and all that, but to help with anonymity here we're just talking about from day zero, when they got initial access, to day one, when they started doing lateral movement. In this case they also had ransomware; their main ransomware worked on Windows, but in this case they had ESXi ransomware that went through, enumerated all the devices on their ESXi server, deleted all the backups, and then powered down all the systems and encrypted the hard drives. So they had no backups, or they had backups but they deleted all the backups.

Yeah, so this is a fun slide. I'm sure everybody has been aware of the ESXi targets that the threat actors have been going after, and that has become such a problem that at Mandiant we have lots of hardening guides, and that one is probably one of our most popular hardening guides that we can provide customers. Everybody has an ESXi environment, for now. But it is just such a heartbreaker to hear when we go into a client like, "oh yeah, they got the ESXi box and they were able to encrypt it and remove all of the backups." "Cool, did you have them off-site?" "No, they were all locally on the box." So it's always a pretty hard story, and one we hear quite often.

And again, just to bring everyone on the same page: ESXi is a virtualization server from VMware that lets you run servers virtually on the same host. So basically all of the virtual infrastructure for this customer: all the backups were deleted and all the servers themselves were encrypted. As you can see, they started exfiltrating the data 21 days into the attack, and then didn't start actually encrypting the servers and getting the ransomware running until 17 days later.

Yeah, and we can start to see them get a little noisier as well as they progress. We caught them trying to deploy a Beacon payload to one of their systems, and that's also the same day that they... and as far as TTPs, in this case they heavily used SYSVOL to stage all of their tools. They put a Python interpreter on SYSVOL, they put all their code on SYSVOL, and that way they could use scheduled tasks, they could use RPCs, to have all the systems reliably call the code without having to drop the code on every single system and give more opportunities for detection.

Yeah, so the last one we're going to talk about was a Wireshark instance. I think it was downloaded in a zip file as well. This one was the one I was talking about earlier, where it was pretty crazy that they went from downloading the Wireshark copy to, within 20 minutes, the attacker being active, hands-on-keyboard within the network. With this one it was a Python reverse shell that they were running. I didn't work this case, unfortunately; it sounded like a fun one. But I was always curious, because Python doesn't come installed by default on those systems, so I never really got the link of how they were able to get that effect.

At least in these cases, they brought their own portable version, and like I said, at least in the last one, and I think they did on this one too, they placed it on SYSVOL, which is a universally accessible location. And as you can see in this case, they used typosquatting again, where Wireshark has two h's instead of one. Unless someone said "hey, what's wrong with that URL?" and you had to go look at it and try to find it, you're probably just going to glance over it, be like "oh, it says Wireshark," and go ahead and click there and download from that, thinking it's the legitimate source of the software. And to harp on the dwell time: in this case, from initial access to when encryption started was only 10 days. If you think back to the first case, that was a pretty long chain; it was about four months if you look at all the activity put together. The last one was about 38 days. In this case it went down to 10. So they're moving a lot quicker.

Yeah, and so this is the attack path for this engagement that we were working. We can follow the numbers there, one, two, three. We can see the user searched for Wireshark, downloaded it, and then, let's see, yeah, 14:50. So they downloaded it at 14:24, and 14:50 is when we start seeing lateral movement across the network. That one kind of astonished me in how small and how quick that dwell time was. Most security organizations, especially when it's administrators running some of these things, SOCs tend to say "oh yeah, that's the system administrator, he knows what he's doing, probably fine, looks like it was just Wireshark, must be Wireshark." So that's one of the things we see quite commonly: system administrators who are compromised get kind of an extra pass from SOC teams. Don't do that. If you're on the SOC, or if you're going to be working in the SOC, make sure that you scrutinize every alert to the best of your ability. Don't hand-wave it just because somebody's doing something weird, or if you've got pen testers in your network. Those are always fun accounts; they do weird things, but they also download things from the internet to run their tools, which is where we start to see some of these engagements pop off for us.

Yeah, and to tie the theme across all three: in all three of these cases it was someone with elevated permissions, a sysadmin or a domain admin, downloading software off the internet without validating that they had the legitimate copy. Go ahead.

I mean, with these it was also the legitimate software, so it would drop the payload. In the first case it was Vidar; it stole the credentials and sent them back. In that case, not only did their antivirus detect that, but also their network monitoring saw the connection sending the data back, and it just wasn't properly remediated. On these cases I'm trying to remember what alerts they saw, but it just didn't hit that threshold for them. Like we know that the fight's real, or the struggle is real: there's alert fatigue, there's a lot of things going on in a SOC. Unless you're seeing something like, say, Cobalt Strike, or someone dropped your ntds.dit, it kind of depends on how fast someone reacts to something. And so we do respond to quite a number of the zero-days out there that are on edge devices, like Ivanti, right? Nobody can really defend against that well. But for things like this, it is a lot of the SOC personality and security team; it depends on their level of visibility, how far they actually want to work it, that trust that they have in that system administrator, like "oh, it's just Adam doing Adam things." There are so many variables in the real world that when you get out there it gets messy quick, and sometimes things get through, and it is unfortunate. This is a lot of the
result. Yeah, that's a good question. I'm actually not familiar with what EDRs they had in these cases. I was real familiar with the first one, but that was a lot of hours. I think the last two were smaller environments; I don't even know if they had a legitimate SOC, or just someone that was kind of like, "oh, you're also the guy that looks at alerts when you're not being a sysadmin or doing whatever your three other jobs happen to be." So definitely no victim shaming here. We understand that there's a lot of long hours and difficult work involved, so we're just trying to help share information so people know what to look out for, and kind of see a trend of what's going on out there.

Yeah, and that was really how this talk was born. We saw this was three in a, you know, not in a row, but three in a very short time window where we saw malicious advertising campaigns lead to a ransomware event. And sure enough, once we peeled back some of the IOCs, our intel team, who are amazing at being able to correlate some of these things and also do their own stuff, were able to correlate all of these activities back to the BlackCat threat actor group specifically. So thanks for your questions.

So going back to prevention and detection. Number one: don't download or execute anything that you aren't 100% sure is exactly what it's supposed to be. I know that's hard, and unfortunately the people that should know better tend to be the ones that have the ability to do this. Someone that's a system admin, or knows the guy that's in charge of the web filter or the web proxy, can get some special help making his or her life easier, but in the end it kind of bites them.

And then the second one is my low-key favorite recommendation to make for companies. I can't tell you how many business email compromises I've worked in the last few months where this has become an issue: a malicious JavaScript file was downloaded in a zip file, and immediately from there Windows automatically has it linked to run JavaScript with mshta. That is a very powerful way to get initial access, and it's a very powerful way to maintain persistence. But in Windows, in a simple GPO that you can push to any device with relatively low impact (obviously every environment is different), if you unlink those from their appropriate program, so HTA and JavaScript files, if you unlink them from automatically opening in mshta and have them open with a text editor, say, or any other program you want, you can create an interesting detection rule in your SIEM so you can see when users start to click on JavaScript files that would have been opened by mshta. The barrier to entry to get that set up in your environment is pretty low, and I think the cost/reward of having that implemented is pretty high. So it's a great recommendation that I like to make in all those cases, and most organizations have it implemented before the end of the day when I make it.

Yeah, and definitely the really nice thing about that: a lot of security is trade-offs, but in that case I can't even remember an environment where that broke anything important, and it's easy to put in an exception if there's one host that needs it. Odds are, if someone's supposed to be running JavaScript locally, which I don't know why they would, they're probably also like "oh, it opened in the text editor, let me manually run it through the executable it should be running in," and they're back to where they should be anyway.

Another important thing is to understand the baseline of your environment. Know what RDP and lateral movement type stuff is normal in your environment. That goes into dual-use technologies like PsExec: lots of environments use that natively, but so do attackers. So try to figure out how to look at those living-off-the-land binaries and know what that fingerprint looks like in your environment. Maybe set up a policy saying if you're running PsExec it has to be in this folder, it has to be this version of PsExec, and then you can more easily alert on things that are different.

Yeah, and we're kind of tool-agnostic here, but there are definitely web proxies out there that look for those typosquatted domains and look for newly registered domains. If you're trying to download Wireshark from "Wireshark" and it was registered a week ago, that's probably not the legitimate website, since it's been around for a hot minute. So there's a lot of creative solutions there.

Yeah, and then for ISO files: that's one of the ones that tends to trick quite a number of users, both some that are technically apt and general users who have no idea what an ISO file is. Once you click on that, it mounts that drive, and pretty much you can do quite a number more things. So downloading ISO files is something you should alert on. Hopefully it does not happen that often in your environment, so any alerts that you do have are something your security team can evaluate quickly, just kind of sift through: "sure, hey, this is good, this is bad, this person shouldn't be doing it," that type of stuff.

Cool. And then, as we talked about before, indicators of compromise. Those 32-character strings on the right-hand side are MD5 hashes. Those will help you uniquely identify files; you can look them up in VirusTotal or your resource of choice. If you ever find a file, that's my first go-to: let's look up the reputation of this file, let's see, one, if it's even out there, and two, what the various AVs think about it, what the community thinks, are there sandboxes that have run it to give you more details. As far as the URLs, those are the typosquatted domains, where "advanced" was spelt with a W instead of a V, and Wireshark has two h's. We had a lot more IOCs that we couldn't share, because the way ALPHV, which is the malware BlackCat runs, is custom-built for each customer, so if we gave you those hashes you could know who our customers were if they uploaded that.

Yeah, that was a huge bummer for me. I'm a big sharer, kind of brought up that way, like I need to get all the pertinent data out, but unfortunately we had to hold back quite a bit.

And kind of an aside there: the progression of ransomware from a few years ago, when we started taking cases like this on. Unfortunately the attackers have gotten a lot better. They've learned proper crypto. It used to be that there was a decent shot that the keys were with the encryptor; with our reverse engineering team, they could reverse-engineer the keys and save some of our customers, or maybe the keys were stored in memory. They've gone full best practices, unfortunately, on encryption now, where they're using public key encryption; the private key never leaves the attacker's hands until you pay the ransom. So unfortunately, being able to save a customer is becoming a lot more difficult. One thing to note with some of the recent takedowns that the FBI has been able to do: in some cases they were able to get the master keys when they took down the threat actors. So we have had situations where we're able to go back, either if it happened during a live investigation or after the fact, and bring those decryptors back to the customers. So it's not all darkness there, but I wouldn't bet on it or hope for that. Cool. So, any questions? Okay.
Good. So I would say, one, we like to focus on the incident response side of that, so we're not necessarily privy to whether they pay, but sometimes we find out. I would say, just anecdotally, from when we do know they paid, they almost always... I can't think of a time when they didn't get a legitimate decryptor that actually gave them their data back. Unfortunately, one of the things ransomware gangs are best known for is their customer service, because if they don't give the keys, you don't get your data back, and no one's ever going to pay them again. So it's actually kind of shocking how good the customer service is that a lot of the ransomware organizations provide, providing keys once they get their big payday.

So you have a part two that I'm glad I don't know about. Yeah, that one is more obfuscated from us. Sometimes we don't even find out until later, through our own investigation, that, oh my gosh, all of a sudden all these files are back on the server. So we really are pretty separated from some of those negotiations as far as whether they pay. And then we have a decent, healthy mix of customers that have or don't have cyber insurance, are using their cyber insurance or not. And I guess it would depend; normally whether they get paid back by their provider is probably months down the line, and we're already three or four cases past that, so we tend to stay out of those things and just stick to the forensics and the fun stuff, at least for us. Yeah, go ahead.
Yeah, like if they were trying to specifically target domain admins, or somebody, you know. So for the Rufus one, I mean, most normal users have no idea what Rufus is or would probably never need to use it, so I think that's part of the reason they're targeting some of those administrator tools specifically: so that way they can try and catch some of the system administrators actually downloading them. Yeah, I don't think we have, not that we know of. But part of what we do when we're investigating something like this, if we find something like a malvertising campaign, is we'll either report it ourselves or have the customer report it, depending on what the situation is and what makes sense. But we'll definitely make sure that the companies involved know that that's happening, and that they can do their own investigation to see if there's a trend, or if they need to cancel certain accounts, or not let certain accounts, or a combination of indicators there, have advertising campaigns in the future. So there's definitely a huge effort to try to cut down on that from the industry side, and there's definitely sharing that happens, where at least within Mandiant, when we find that, we definitely make sure that the right people are informed so that they can protect the rest of the community from having the same thing happen. Yep, of course. All right, we've got a couple more minutes. Do we have any more questions? Yeah, go ahead.

So I know that the process that they do is very intensive, and the problem Google has, at least as it's been explained to us, and I think it's pretty straightforward, is its scale. When you start to see that volume of advertisement requests, that volume of stuff, you can put out a big net and hope to catch as much as you can. I think it is hopefully going to start getting better. Since joining Google, I know I've had a lot of really good talks with different teams on what we're seeing, some of the TTPs and the strategies, so I think they're taking a lot of that feedback with those individual security teams that manage those products, and I think they are also improving. Also, AI detections are getting much better; that's becoming more integrated in some of the processes, so hopefully that will help us out. All right, one last round for questions. Yeah, go ahead. Yeah.
yep, yeah, so I can't recall, I think it was the Wireshark one, but that did the same thing where it dropped a bat file, and then that's what they were using for their configuration, now wearing the back. Yeah, it's, I think that we got that file, so that system must not have been. And one thing on a lot of the ransom, the difficulties on the ransomware investigations is, especially with the one where the ESXi server had all the backups deleted and then encrypted, a decent amount of that activity happened on the actual virtual servers that were encrypted, so it's a bit of a struggle sometimes to be able to
tell that story and figure out what happened. In these cases we got pretty lucky that, one, that the situation played out the way it did, but two, that we have some top-notch incident responders that were able to find the smallest of breadcrumbs and pull it back. Yeah, and talking to the Vidar stealer, you know, so that was, we were in there, it's a fairly large environment, client was melting down, everybody was freaking out, there were very hard, long conversations to have with the client on what needs to happen. It's a big organization, so doing anything knee-jerk was not an option. So to be able to
go through and deal with that, and then also try and figure out the initial access piece, so that way we can make sure that the threat actor is not going to come back. We normally don't get that level of ability, we absolutely try, but this one was a great, you know, a great instance where one of our intel teams was looking through past incidents in intel, and he found that one event with the Vidar stealer that they thought they were remediated, weren't even thinking of, and then boom, that was their entry point. Yeah, and if you recall, that was three, four months before we were there, so being able to find that was kind of a lucky, lucky
thing on our end. Very. You got a question?
Yeah, and it for expi a case, yeah, I mean it depends on what the threat actor is trying to do. Well, two things. One, we've seen where that was the initial access vector, so that makes a lot of sense there. Unless someone's trying specifically to steal email or find something that can help laterally move, or use that to pivot to make better phishing campaigns if it's a very targeted act, normally, unless that was their initial way in, I haven't seen them specifically go for an Exchange server, unless it made sense for their end mission that they were trying to achieve.
Now, if they happen to just encrypt everything in the environment, that would sweep up the Exchange server, or if they were doing the ESXi thing and your Exchange server is virtual, then yeah, it would still get impacted that way. Yeah, and so you mentioned something about the threat actors going to their ESX and spinning up a VM, doing their stuff on there. That's a trend, so I've got friends in other regions, that is common standard operating procedure: start up a virtual session, they'll bring in all their toolkits, they'll work on that, especially if that image is, you know, one specific instance, it's kind of an older ESXi, nobody really paid
attention to it, so it didn't have a good image on it, so it didn't have the CrowdStrike, it didn't have some of the other telemetry tools, it wasn't managed very well, their golden image wasn't great. The threat actor took advantage of that, set up camp, all other activity went to ransomware, and then their environment is gone as well. So that's a pretty big trend that Mak lot last six months even. Yeah, go
ahead. I mean, I wouldn't say they were targeted, I think that was just kind of like they were, BlackCat was casting a net, or whoever the initial access broker was was just trying to get whatever they can get, and this is what they happened to get that day. Numbers game. Yeah, yep, it's a numbers game. All right, all right, hope we have no more questions. Thank you all so much for having us, appreciate you attending, feel free to reach out if you guys want to talk after.