
Stephen Semmelroth, Adrian Tilston, and Sean Eyre - The Business of Ransomware

BSides Augusta | 58:29 | Published 2022-10
About this talk
Let's take the fear out of ransomware. Who is LockBit? Who is Conti? Who is HildaCrypt? Who are their leaders? How are they organized? Today we're going to dig deep into their team, their joint business models, and their evolution, their "sales" cycles, and more. Get ready to roll up your sleeves and learn the Business of Ransomware.

...to our speakers. [Applause] Hello, good afternoon and welcome. My name is Stephen Semmelroth. I'm the Senior Director of Security at AVANT Communications. I've been in security for quite a while: responded to my first incident in 2001, hacked AOL Instant Messenger encryption three different times on three different versions before I went to West Point. Electrical engineering, went to the Army, infantry, Ranger School, Afghanistan deployment, switched to the Army CPB here at Fort Gordon, medically retired, started a company, sold that company, and just moved to another position right now where I focus on enabling cyber teams all over the country, all over the world, to find the best products in order to bring them in and solve their own

problems. Also not here today is Sean Eyre. He came down with COVID. Similar background: West Point, computer science and military intelligence, Army Cyber here, started a non-profit, so if anybody wants to volunteer and give back, you can absolutely do that with Sean. We'll give you his contact information after. And Adrian Tilston. How's it going? My name is Adrian. A very similar background: West Point, computer science, very excited about BackTrack when it first came out, and introduced Metasploit to this young man when he was a young shining buck. These days, since I got out of the Army after doing infantry and Special Forces stuff, I was a government contractor writing offensive security

software, and then built my own company doing cyber security consulting and vCISO stuff, and then most recently that company was acquired and now I am the cyber practice lead at a place called Resourcive, who helps basically take that same experience and help you build cyber programs for companies, because I think everyone in this room can agree that it's actually really hard. So if you do happen to see Sean, please pack a limb, because out of the three of us he's the only one that hasn't sold a company yet. So, case study. Adrian and I get to come in and talk with clients all over the world all the time, from every vertical to every

location, whether it's financial services companies, consulting companies, oil and gas companies, you name the company, or the level: small and mid-sized business to mid-market to enterprise. And when we come in we get to try to help them build their security postures, go find the vendors that can actually solve their problems. So the case study that we're looking at right now is one that we see all the time, and both of us know this company because we're actually channel partners; we get to work together and work on the same problems. So the drive into Augusta yesterday, we drove together, we worked on the presentation, probably less than we should have because we were working on clients. So this is one of

those clients. Adrian, who is this client? What do they do? Yeah, so we're going to be as anonymous as possible, but everybody keep this as part of the introduction to how we'll frame the rest of the conversation. So let's just say that somewhere out there across the country there's a small business who needs assistance in some way with, like, operations, payroll, et cetera, et cetera, right? So let's say that a different company, this is our actual case study company, has built this awesome system and they're going to help train affiliates that will go out and bring this new capability to those local businesses. So there's like a commission system and everything, and they've got everything built out. They've built all

their in-house dev teams, so no real contractor base, but they do it all hiring W-2, and they have all the capabilities that you would expect from, like, startup to mid-market, where you're doing business development, market research, and kind of have all that broken out. So really quickly, it's a little bit important to talk about the background of this because they're rapidly growing worldwide, right? So they're seen as the market leader, there is some huge publicity both in the United States and in Europe. Last year, it's estimated, because we only do estimations because we can't talk about private companies and insider knowledge, but they did about 180 million in revenue with only about

six million dollars in operating costs, and that's a pretty amazing profit margin, right? So if you were called to evaluate this company for some type of investment or public offering, and you were part of the company that's got to come in and do some type of assessment, where would you start? Audience participation, just shout it out. Anyone? Asset inventory, thank you. What was CIS Control 1? Asset inventory, right there you go. Any others? All right, so let's keep this case study just in mind as we move forward, right, because this organization is going to come back to play later. So what we're talking about today: the first step is know your enemy, and

that means we obviously need a Sun Tzu quote. We'll get to that in a second, but then we'll look at some actual ransomware notes from Conti, we'll take a look at Conti's business model, because this talk is the business of ransomware, and of course the actions on the objective: what do you do when you get the call? When you get the call, "hey, we're under attack, what do we do?" Because everyone in here will at some point get the call and it'll be your job to respond, to stand up and to help lead either your company or a partner company through a time of duress. So what do you do? Let's answer that. So back to Sun Tzu. This is the original

Mandarin, as far as I can tell, and it effectively says if you know your enemy and you know yourself, you need not fear the outcome of a hundred battles. So that means we'll build a table, because that's what we do, right? If you know yourself and you know your enemies, you're invincible. If you know yourself and you don't know your enemies, you've got a 50/50 shot of winning. And if you don't know yourself and you don't know your enemies, you're dead on arrival. So for those of you that are of the older generation, you remember Rocky IV: he puts Drago's picture on the mirror and looks at it every day when he brushes his teeth. We're going to do the same thing.

Threat-informed intelligence. Absolutely understand your enemy, and I can tell you, and I know Adrian can as well, many times when we show up to an organization and we start asking them about their posture, where are you at, what are your goals, what's your vision for security, how does security enable your company to go to market and win, they don't know what they have. They fail at CIS Control 1, inventory. So how can they possibly become invincible if they don't know their adversaries, they don't know their enemies, and they don't know themselves? So, 2022 Verizon DBIR, the Data Breach Investigations Report. Phenomenal output. For anybody that's in here that has not read any of the DBIRs, strongly recommend:

go read them, pull them up. They're written for executives, which means they're written for kindergartners, so they're really easy to read. So when we look at them, why do breaches happen? What are the motivations behind the actors that are actually conducting breaches? 88% of all breaches that Verizon looked at were motivated financially, for dollars. 11% were from espionage, so for this group you're probably going to look at that quite a lot as well, but for outside in the commercial space, 88% is financial, and then there's some other things that go in there. So obviously if 88% is financial, that's where we're going to look right now, and who better to look at than Conti?

So here's the fear. I know Adrian's gotten this call many times, I've gotten this call as well, the CIOs in the room, the directors in this room have gotten this call. You're sitting in traffic, you're driving, and your phone rings. So since you're a good participant you keep one hand on the wheel and you swipe and you answer, and you can hear someone's voice trembling on the other side of the phone. As you imagine them, you can see them shaking because of how much their voice is scrambling, and they can't even describe to you what they're seeing, what's happening at the company, and eventually they say, "just open your messages and look at the picture."

So you pull over, you hear the sound of gravel underneath your tires on the side of the road, and you pull up the picture that they just sent you, and it's a picture of a locked desktop. It's a picture of an actual Conti ransom note that they just sent you. Thank you to SentinelLabs for providing this. Let's jump into the actual ransomware note. "All of your files are currently encrypted by Conti strain. As you know (if you don't, just Google it), all of the data that's been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software, the files might be

damaged, so if you're willing to try, go ahead and try it on some data of the lowest value. To make sure that we really can get your data back, we offer to decrypt you two random files completely free of charge. You can contact our team directly for further instructions through our website as follows. You should be aware, just in case, if you try to ignore us, we've downloaded a pack of your internal data and we're ready to publish it out to a news website if you do not respond, so it'll be better for both sides if you just contact us as soon as possible." Now that's a sales note if I've ever seen one.

"Hey look, here's your proof of value, we'll give you two files for free to prove that we're honorable thieves, and then, oh by the way, we've got a help desk because we really want to support you through this process." So let's peek behind the curtains. How do we know this information? In 2021 a disgruntled employee, a disgruntled Conti affiliate, leaked the gang's whole playbook. The whole playbook, translated from Russian into English. It's out, you can just go download it. It's their entire play-by-play playbook, all of it. Easy, we can read it. Now we know it. It's not us sitting in a room thinking about how it's happening, it's not The Cuckoo's Egg, it is actually how they operate.

And then, oh by the way, after Russia invaded Ukraine, kind of a bad leadership decision in my opinion, like, hey, if we're going to go align with Russia and a bunch of our devs are in Ukraine, we're kind of pissing off our employee base, maybe we shouldn't do that, but they did. Conti came out and pledged support for Russia, and then the Ukrainian side of the house said "that's not cool, screw you, boss," and they leaked 170 internal chat messages out to the internet, and all of those have been translated to English as well. So this isn't theoretical, this is operational. It's actually what happened, and you can go read it too, because it's

there. The links are in the articles, all you've got to do is go take a look at them. So who are they? As we look at the ransomware market itself, we've got our professional criminals and we've got our state-sponsored criminals. Professional criminals: LockBit owns 38% of the ransomware market, but they haven't had 170,000 articles leaked, so we'll come back to them. Conti owns 20% of the market. They're the second biggest market share owner of the ransomware market, and we happen to have a ton of their data, so it's ripe for picking. You also see REvil and Hive, and then of course state-sponsored, which as far as we know Conti is not necessarily

attached with: Lazarus, BlackShadow. These two groups are also really interesting because they target their own people in order to generate the revenue to continue to operate. They eat their young. Very nice, very nice. Yeah, so we're going to look at Conti, and we're going to look initially at whom, not what or how. This is a Microsoft publication that looks at the healthcare industry, some of the larger threat groups that target the industry. We will come back to RDP brute force, I promise, but first we're going to look at whom. So they have an ecosystem. Adrian, tell me about the ecosystem. So this is one of the greatest decisions that they've probably made, and the

differentiator that separates them from someone sitting in their basement in their hoodie, which I actually enjoy, my basement, my hoodie, and separates them into, like, an actual professional organization. They have separate companies that they're enabling. You can see Conti all the way up in the top right as the actual operator, right? But as you start looking at the left, it's a separate business entirely: an initial access broker. All this organization is doing is going out and trying to find some foothold. Doesn't matter what it is. They can use RDP scanning and try to look for something compromised, they can try to buy some credentials off the dark web, maybe for your organization, maybe for, like, a third-party organization, like

a supply chain type organization, maybe someone that you've allowed into your network that you're not really tracking as well as you should, or just, you know, pretty much anything you can imagine, right, all the fun stuff. They're going to take that information and that initial access and that foothold, and they're just going to go right back to the affiliate of Conti themselves. This is the person who is going to expand that access and start executing all of the actual, like, they're the ones who push the magic button that says encrypt, right? So they're the ones you've got to worry about. We bring this up because it's a process. It is a legitimate business transaction,

just like contracting a separate company to do some type of initial assessment, I don't know, like a pen test or a risk assessment, and then taking that information and doing something internally with it, deciding and now actually executing your full roadmap and your playbooks that you have internal to your organization, right? So as they do that, they're going to develop persistence because it hasn't already been created. But what do developers and these types of organizations lack? The experience in negotiation, maybe the development experience if they're actually going to be using, I don't know, like some type of exploits to advance their movement throughout the network. All of that is created by Conti. They help negotiate all

the payments, so the ransomware-as-a-service affiliate doesn't have to. They're really taking all of the strengths of all of their organization and leveraging that through the affiliate model and just getting a commission from everything. It's pretty slick. So when I first saw this model, I took a look at it and I was like, yeah, that makes sense. Of course it makes sense to outsource to another partner who's going to then outsource to another partner. We see that all the time. We saw that, you know, in Army Cyber, we continue to see it in corporate environments. But as I looked at this a little bit closer, I realized that this is the channel sales model.

This is what we do on a day-to-day basis, through effectively brokering, to enable companies to come in and win. Now the question then becomes: if this is what they do to attack, are they better at it than us? They're definitely more well-funded. Are they better at it than us, and who is going to win in this model? Before you do it, who in here has, like, a good percentage for some type of sales funnel, right? What's a good conversion rate? Anyone? 10%? Okay, 10% is pretty damn good. If you have a 10% sales funnel, I would like to hire your organization to build mine right now. Anyone else? Okay, yeah. So depending on what you're

selling, it can be anywhere between, like, 1 to 2% is a good conversion rate, or if you're doing some type, 5 to 10%, right? So let's look at their funnel. So Conti will give out a list that says, hey, give us 2,000, or I'll give you 2,500 potential target organizations. Of those 2,500, the access brokers will take a look at it. They'll still skim through the list, maybe they'll do a Control-F, maybe they'll sort alphabetically. They'll pick 60 organizations to actually maybe start to target. Out of those 60 organizations they target, they'll successfully compromise 20, and out of those 20, they hand those off to Conti, and Conti says, oh great, 20.

I'll pick one. So looking at this from the perspective of, like, what is your actual conversion rate, right? If you're into sales, if you've done any type of research, right, the top one is like looking at Crunchbase, it's like looking at PitchBook, right? You're just kind of looking through, like, who's actually available. We'll try to see, like, what companies are out there that might be great targets or opportunities for us to reach out, and then you start getting into, like, 60 organizations actually got sent emails, and out of those 60 emails, 20 of them sent something back saying we would love to buy your product right now. That's the equivalent of what's happening here.

That one that gets compromised isn't the real victory, because there are 19 other ones who are banging at the door saying please take my money, I would love to buy your product. One third, like 33% conversion. I think that's pretty good. Yep. And oh by the way, this is just one org. All of Conti's competitors are doing the same thing, and they're in those 26 actual organizations as well. So Conti gets to sit there and go, hey, who do I want to give me money today? Is it you, is it you, is it you, is it you, or is it you? Give me money. So let's look at their actual playbook.

This is the first page of Conti's playbook. Paragraph 1.1, company revenue search. Google dork: Google "company name" plus "revenue". Now the interesting thing here is that it says revenue, it doesn't say profit. Profit is revenue minus cost. It just says revenue. And then they say, okay, now that you know the company's revenue, why don't you go out and take a look and see what other information you can get: Owler, Manta, ZoomInfo, D&B, and RocketReach. They misspelled RocketReach. So those are the same tools that your sales teams are using, the exact same tools. So I beg the question again: is your sales team better than Conti? Are they using the tools better than Conti's using the tools, and

are you incentivizing them correctly to go out and help actually protect? Because if you truly believe in the product set that you have, the services that you have, are you doing the right work and going up against Conti to go protect your clients or not? Because everyone in this room is mission focused. Okay, so now that we've gone through this, let's take a quick look at what this organization looks like, right? So local businesses lack refined tools to actually accomplish their goals. There's the platform empowering local businesses with support, software, training, maybe a help desk, pricing, right? Who is this? This is actually Conti, right? So this is not, like,

some mid-level organization that's built out their organizational structure based off, you know, like mergers and acquisitions over time and PE firms and operating partners coming in and advising them. No, this is, like, the criminal organization that is trying to attack and lock down all of your networks right now. So it's funny, because as we look at it, when we go out and talk to companies like this and help them with their security pipeline, their programs, it is exactly organized the same as Conti. This is Conti's organizational chart. So let's dive deeper into their org chart. So on the left, we'll come back to R&D and HR in just a minute. On the right, their business development team. This is

where they have actual ransomware negotiators, and we'll give you, towards the end of the talk, actual negotiations, a screenshot of negotiations going back and forth. This is where they have their acquisitions teams that are going out and looking for new malware sets or new C2 frameworks or other actual pieces of crypto ransomware. They're going out and acquiring the software and the tools and other businesses in this space, other mafia groups that can come in and help mature their organization. Finance: you can't have a criminal enterprise without money laundering, so they do, of course they do, and transaction management. Of course, we already talked about their affiliate groups. Now let's jump into R&D and HR.

So as we jump down into it, here's their actual handles. So at the top we have the big boss, Stern. So Stern, when you go through and you look at his chats of the 170,000 chat messages that were leaked, Stern is all over the place. This guy, we believe him to be a guy, is out talking with other ransomware groups all across everywhere, potentially talking to nation-state actors, talking to everyone. He understands the market, he sets the vision, he sets the revenue targets, etc. The CEO going out and networking with all the rest of the industry. Yep. What do they do? They fight up and out. Then we have Salamandra in HR. Salamandra is really interesting because

in HR, his job is to go out and identify more people to come in and do the talent management piece. So he will go post legitimate job descriptions on legitimate websites, do legitimate interviews, and then eventually pivot to the dark side when he thinks he's found the right person, in order to bring them into the organization. Once he does have someone, if they don't have quite the right skill set but they've got the right mentality, obviously you've got to train them up, right? So he hands them off over to Twin in the training organization, who trains them, puts them through an actual training pipeline, and then once Twin puts them through the training pipeline, he hands them off to

either A team, B team, or C team. So if you look here, you'll see that A team has one leader, and B team and C team both have two, because these units are independently large enough that they probably need two leaders. But Rosetta is kind of a jerk, huge ego, and honestly not a boss that I want to work for, but then again, it's the mafia, so who are you going to complain to? Not Salamandra. And then underneath them they've got their own developers, they each have their own pen testing crews, they each have their own OSINT teams, their own admins, and here's the part that I find really interesting: they

all have their own QA. They've got really strong QA, because they want to make sure that if they encrypt you and then you pay them, that they're actually going to give you a decryption key and it's going to work. The nerd inside me wants to look at their CI/CD pipeline and just kind of see how bad their unit tests are, because I have to imagine they can't be that good, but good enough to work. And of course reverse engineers. Now we haven't talked about blockchain with Colin yet, or the blog with Bio. So Colin basically runs all the crypto ransomware development itself, so the encryption keys that they're running back and forth that the dev teams use in their CI/CD

pipeline to go out and deploy. So he's very focused, smaller team. Blog with Bio: Bio runs the blog, they call it the blog internally, but this is their marketing arm. This is where they go through, and when they do extract data, they publish it out to the internet. This is where, anytime that you see a Conti rebrand, Conti shut down, they did a thing, they retired, Bio does all that marketing, and then they rebrand to something else and they stand up again and they do, or they pivot, or they do a divestiture, or maybe they go acquire somebody, now they're calling themselves something else. Bio runs all of that. Wicked smart on marketing. So, I know we're talking to

mostly engineers: don't hate your marketing team, they do good work, they keep you employed, actually. So who's a target? If you have revenue, you are a target. This is not about targeting a specific company because it's some political act, right? We go back to that reasoning for ransomware attacks: 88% are all just financially motivated. You're not special. I hate to say it, I know you love your company, but you're not really that cool if you make revenue and you have some misconfiguration in something, right? Who in this room is a hundred percent certain that their organization is a hundred percent free of all misconfigurations on any public-facing nodes? Anyone? Great, I do not have to buy anybody a

beer. That would be the first time out of all the times I've done this that someone actually raised their hand. I like the big chuckles in the back. But that's why you have to prepare, that's why you build your security program, because if you have revenue, you are now a target. So who's actually getting hit? Who are the targets by the market? As we look at it, we'll start off with the big orange one, healthcare. So if you go read the reports, the industry reports like the DBIR, healthcare, you see huge expansions in the healthcare space. But there's something that you also see in healthcare, where you see the highest

percentage of security leaders in healthcare saying "we believe that we are good." That tells me that the ego inside of healthcare is higher than the actual performance and ability, which we'll get into in a couple minutes. Media and entertainment: who remembers the Sony breach? Yeah, huge, right? So that hasn't gone down. Again, thank your marketing teams for giving you a job. Energy: we're going to see energy continuing to go up. We're starting to see new policy and regulations coming out all over the world that are driving things to, like, you know, continue to update the IoT and SCADA devices that are part of your delivery and energy systems. But they're also, we know that they're

weak, and the bad guys know that they're weak, and it's a play. They know they can't do too much in oil, gas, and energy, because then they'll start having Five Eyes partners come after them, so they just have this little heartbeat that goes back and forth. Now, financial was going down. Financial was going down because the finance industry is ahead of the game, and they're mandated, like, by law to be profitable, so they've got the dollars to invest in security, etc., and they don't want to go to prison. So they were going down. Why it's going back up again is because of cryptocurrency exchanges, because the crypto might be damn good, but if the exchange security sucks, the

crypto doesn't matter. Place your money accordingly. This is not legal advice. The other thing I want to highlight in this one is that sliver, kind of the brown sliver, higher education specifically, because we're in a higher education institution right now. When we look at higher ed, bad guys can wait as long as they want, because there's only two weeks a year that are important to higher ed: one is in the fall and one is in the spring, finals week. Universities get hit during finals week. So if universities get hit during finals week, you know they're going to pay, because they have a responsibility to their students who are paying a ton of

money to go to school, so they're going to pay the ransom. And we're seeing institutions close their doors that have been open for a hundred years because they didn't invest in security. I'm not telling them to go spend hundreds of thousands or millions of dollars in security. What I am saying is advocate to build the right security programs. IPDRR. I think we all know that there are steps that you can take in your organization that are baseline steps that cost very little money, right? Just segmenting your network appropriately, actually having role-based controls, and, like, leveraging any type of multi-factor authentication in your existing systems, doesn't matter what they are. Just doing some basic stuff can reduce that east-west movement

once they make their initial footprint, right? And that kind of comes back to the hiring and talent piece as well. So obviously, sponsored by Security Onion, Doug Burks, great product, freeware, etc. Almost every boot camp in security is teaching Security Onion, so a great, great option for everybody in the room. If you're designing a program, design it around the systems that are both free and that you can go just go to a boot camp and hire people straight out of, because they're already learning the tools that you use. Pick the tools that people are learning, and then you've got a whole talent development pipeline. You don't have to go and try to find talent, because they're right there.

More on that to come. So let's talk about the pyramid of pain. There's a couple of them, and you've already seen some today in different talks. The big one is give us dollars, right? Give us money, we ransomed some of your stuff. And what we usually see in the news media is, hey, we locked your computers up with crypto ransomware, give us money. But that's just one piece of extortion. We're seeing double, triple, quadruple extortion all across the industry. So it's not just, hey, we locked your computers. Remember the ransomware note: we also extracted your data, and if you don't pay us we're going to leak it out and everyone will get to see it, and it's,

if you're a healthcare organization and you have, like, personal health information, the leak of that is going to come back and bite you even more when you start getting penalized and fined and your customers start going away because their information is not safe, right? So, sorry, Benji, Red doesn't even take a drink. Oh no, you're good. Now there's a couple other pieces here that we're seeing. This next one is not specific to Conti yet, that we have seen or that we know of, but if you have access to all of an organization's computers, and you get access to an executive's computer, and you get access to their webcam, and you can pay somebody a couple

dollars a day to just watch the webcam footage and see if anything weird happens, then you can blackmail the executive as well. What better leverage than "hey, company, please give us your money," "hey, we saw what you're doing on your webcam, and you should really approve that expenditure or we'll release that too." So we're starting to see that more often. And then all the way, why not kick a dead horse when it's down, right? DDoS: cheap, fast, easy. Just kick them: hey, pay up, we're going to shut off your ability to go to market and make new revenue. So bad guys are smart, they're wily, they're well funded, and they just want to take

money. They'll do whatever they need to to get those dollars. Great, we talked about who. Let's talk about how. So, initial access. Adrian, walk me through initial access. Let's just throw out the RDP stuff right off the bat, right? Like, you probably shouldn't be running too much RDP, especially with, like, weak credentials, and, you know, we'll move on. But like vulnerable internet-facing systems, misconfigurations of normal services, whether that's something that your dev team stood up in a test environment that happens to be publicly facing that is going to be leveraged to get through the rest of your organization, or it's like someone in HR or marketing who's clicking something

that they probably shouldn't I am guilty at least historically of blaming the human uh for clicking on phishing links like how could someone be so stupid and then I personally had covid and was laying in bed and was super exhausted I had a fever of 103 and we had a lot of brain fog I had a splitting headache and I like leaned over and had this email and was like wow that's weird for those of you that are in the dod back in the day on-prem Enterprise like Outlook would have this limit of your mailbox size and so once you actually hit a certain limit because people are sending like 25 megabyte files you end

up getting an alert saying hey you're not going to receive any more email if you don't clear out your inbox and I got one of those for my Office 365 account right that's that's not a thing I think we can all agree that like I'm not over my storage limit but for a split second that was all it took for me to click on that thing luckily I have other process in place and didn't actually input my credentials on the splash screen that came up later but it happens right and so process is in place to identify that inside your organization that are free right and have your playbooks I know there's a lot of conversations that

we've talked about actual incident response while we're here, right? That's all stuff that you can do for free; you don't even have to spend a lot of money on a solution for that. You can build your program to help that, and that's why we're starting to see like underwriter scans, right? And so in cyber insurance, has anyone here in the commercial world like has their cyber insurance gone up in the last year? Because, depending on who you're talking to, the amount of increase is anywhere between like 50 and 400 percent, depending on what they can actually attest to, with decreased coverage in their renewal, right? And so when you start reading those pieces

really carefully you realize that you may not be covered, but that's like a whole other separate conversation. Yeah, so we're actually seeing underwriters, a number in the space, some of the billion dollar valuation insurance underwriters, doing attack surface mapping and scanning prior to even giving you a quote, because if you do have 15 vulnerable RDP sessions, ipso facto, what the hell does the rest of your network look like? Okay, and then we get to how. Pretty standard stuff. What's easy? Run Mimikatz, use Cobalt Strike, make a new account. Playbook hasn't changed. Oh my God, security changes all the time, it moves so fast, can you keep up with security, can you keep up? It changes? Nah. [ __ ]

don't change. Hasn't changed in a long time; we just replaced like Metasploit with Cobalt Strike, that's it. The process doesn't change because people don't change. So if we were on a red team engagement, we were attacking somebody like a corporate environment here in Augusta, what's the first thing that you're probably going to do? You're going to VPN and put a pop here in Augusta and you're gonna go buy some creds so that way you can log in local, coming from a local node, to look normal, because that's what persistence is: it looks normal. The goal is to look normal, and if the goal is to look normal it's going to happen very, very fast because

you can automate all that stuff. So let's look at the timeline. Darktrace, one of our partners, love them, they do great work and they put out great content, so this is an actual example of Conti ransomware. Initial intrusion August 1st, ProxyShell vulnerability, boom, got in. August 13th, 12 days later, SSL connection to an external endpoint, C2, cool. August 14th, one day later, lateral movement. August 14th, zero days later, data exfil. August 14th, zero days later, data encryption. So what happened between those 12 days of initial intrusion and C2 communication? Was that just a timer that was waiting, or was that the amount of time it took organizationally for the access

broker to then get that information over to the lateral movement company, to their third party, to then go through and then hand off to Conti? You start looking at the organizational structure, the timelines start to make a hell of a lot more sense. Another case study, right? So this is the Health Service Executive of Ireland, and so if you are not familiar with it, Conti hit them and shut down the entire system. And generally Conti, for public affairs reasons, doesn't usually want to hit hospitals, because there is no better way to have the strongest nations in the world start looking for you than to start shutting down critical infrastructure like hospitals. People die, right? Every hospital in

Ireland. But even like affiliates have problems. So if you take a look at this one, just with initial infection, right, of like March 18th and persistence achieved on the 23rd, from like a red team or like bad guy perspective, right, that's probably the initial access broker who is trying to send out some type of phishing campaign throughout, you know, the entire organization of every hospital in Ireland, and all of a sudden finally gets a callback and finally checks that, or has worked through all the rest of the callbacks in priority order and is compiling his list of targets to send. Because once they establish persistence, they don't actually see any additional movement until the 7th of May when they

compromised the first server. After that, now we're starting to talk about the actual affiliate getting in and expanding their access. Hospital C identified malicious activity, Hospital A communicates alerts of malicious activity, the attacker browsed folders based in the actual HSE infrastructure itself, right, attacker compromised six voluntary, one statutory hospital. This report is publicly available and it's a great report, but this is over 4,000 locations, 54 acute hospitals and 70,000 devices, right? So in the end the only way that they were able to recover from this is because Conti realized that they had really screwed up and gave them the decryption key. Our bad, sorry guys, here's the decryption key. At that point the only way that

Ireland, and like they called the military, called Interpol, could stop it was shutting off all of the IT access for every healthcare facility in Ireland in the middle of a covid pandemic. Talk about, like, if that was a private company, right, lost revenue, because it took four months for them to decrypt everything with the decryption key and with the Army's help. So for those of you out there in the Army in the CPB, be ready to just start running some decryptors on, I don't know, like critical infrastructure if it happens here, you know. So one of the interesting pieces during this period, right, they're out for four months: the doctors went back to paper, the nurses went back to paper, a

clipboard with a pencil, like a Neanderthal drawing on it, and saying hey, do surgery on this leg, and then walking it with the patient and giving it to the surgeon to make sure they could do the work. And to be even more scary, how many of you have actually had operations, like major operations or sicknesses, right? So like I have, and I definitely did not go to the same like X-ray place or blood work; none of those were in the same place. I went to like blood work here, I went to get my X-ray at like this other lab that was outsourced, blah blah blah, and then I showed up for my actual surgery at the hospital where the

OR was. So imagine your X-rays and your lab work having to follow you from three different locations so you can get into the room with the surgeon to cut the right leg. Okay, brutal. So we talk about changing our mindset. It used to be oh, we could keep them out, we've got a firewall. And then everybody said it's not if, it's when. That's old too. Zero trust: assume compromise, because the bad guys are already here. Once you realize that they're already here, then you architect, you build, you deploy, you maintain with a different mindset, because your mindset's changed, and you continue to move. And this is not a new concept; John Kindervag wrote about zero

trust decades ago, Google adopted it a decade ago. They're already here, they already have persistence, because, oh by the way, when you talk to CEOs, one of their biggest fears, you sit down, you ask them, they're like, well, it could be a new competitor entering the market, it could be supplier variability, it could be the demand market, but I'm actually really scared about one of my sales team leaving and taking their whole Rolodex and all my clients. That's an insider threat. Bad guys who are already here, because they're already here, they're already inside and they're a threat: bad guys are just an insider threat. This is what we're fighting,

this is what we're finding, because this ransom note could also just be a picture from a competitor on their LinkedIn where you just realized that one of your sales or marketing or developers and engineers took your intellectual property with them. It doesn't have to be a ransom note, it could just be a LinkedIn update. We promised we'd show you some actual negotiations, but look, there's lots of words on a slide. Suffice it to say that bad guys are jerks, there's no honor among thieves, they just fight back. And here's the irony: is anyone there to help us? We want to have a conversation with somebody, but only with somebody that's going to be

professional. We gave you the price, it's reasonable. And offensive, huh? Offensive? Yeah, this is coming from a bad guy that's attacking you, and then when you come back and say hey, could we get some help, they call you offensive. Talk about the mind tricks; there's some Jedis up in here. So escalating: what happens when you do get the call? When you do get the call, you don't have to be a Jedi Council level incident responder to be able to help someone. Just ask questions. I don't recommend making statements during an incident response; I recommend asking questions. Have you talked with legal? Oh shoot, I haven't looped legal into this. Okay, just wait on that, you know, get

one look at your plan. Have you talked with marketing? I need to talk to marketing about a breach? Well, you might, because if they don't have themes and messaging that they can take to market to inform your stakeholders, you could potentially avoid all sorts of legal repercussions or lawsuits or et cetera, et cetera, et cetera. Okay, so let's call incident response. Oh by the way, do you have your incident response and disaster recovery plans available? Yeah we do, hold on. I'm just impressed I actually had it printed, right? So then if you don't, if you don't have them, you don't have them updated, that could be fine, but you actually have to have them and follow

them, and then you decide when you need to deviate from them, because there is a thing called failure to follow in the insurance industry, and if you don't follow your own plan, how prudent were you really being? And then, by the way, since incident response might be coming, have you prepared to review logs? How long can you get access to logs? So obviously the goal here: there's a million incidents that happen every hour, those incidents get triaged and some of them become events, become incidents. The goal is to keep the breach square as small as possible, keep events to incidents, or keep breaches to incidents and incidents to events. So what's the actual cost?

You do get ransomed, your company gets ransomed and they pay it. Maybe that payment is probably only 15 percent of the total cost of the ransomware tax. We're on the East Coast; I'm sure you all remember Colonial Pipeline. Why did Colonial get shut down? Their SCADA system didn't get shut down, the oil delivery system didn't get shut down, their financial team got shut down, so they couldn't take new orders, and if you can't take new orders how can you deliver? So that's where the vast majority of cost comes from: the inability to go to market. And here's a future. This isn't science fiction anymore. Conti actually targeted the Costa Rican government, they shut them down, they deployed

ransomware. Ah, okay, that sucks. Here's the part that really hurts: Conti came in and they said you're going to pay us, and if you don't we're going to support a coup against you. Not science fiction anymore. Non-state actors driving potential government changes, right? We had that slide about non-state sponsored; how long until like new opportunities become available to those states that are sponsoring, right? It's not theoretical anymore. So who gets hit? Do you got dollars? You're a target. So we take a look at it: Conti raked in 77 million dollars in 21 months from ransomware, almost 2,000 bitcoins, depending on quantity and dollars. They do all right. Don't go join them, by the way. This is

not a marketing campaign for them; this is to inform you on what they do, how they operate, so that way you can look yourself in the mirror and say, are they better than me or am I going to be better than them in order to protect my constituents. And like Stefan said, it's a competitor mindset, right? If you are part of a business and you are analyzing all the competition in your market and you're trying to do your actual like business continuity plans, not necessarily focused on like cyber, right, but new competitors to the market, changing landscape of like legal regulations, why would you not view someone coming in and stopping your revenue as a potential competitor, right? Take it

just as seriously at the board level as you would any other revenue-affecting object, right? So make sure you know yourself and make sure you leave time to know your adversary and your enemy, because if you want to not fear the outcome of a hundred battles you got to know yourself and your enemy; otherwise you're dead on arrival. Thank you very much. Stefan Semmelroth, this is Adrian Tilston, unfortunately Sean Eyre couldn't be here. We'll go into questions. Before we do, want to let you know that we both have job openings right now, and the Army Cyber Institute up at West Point is also hiring, bachelor's, master's and PhD levels, so if you're interested in those

doing, they're mostly sysadmin, development type work, they are hiring, let us know, we can go help you. What questions do you have? How can we help? We also have prizes, so I think the two guys that actually helped us while we were going, we'll get to, unless there's more questions, but I'll say shirt color.

I have... the question was, for Conti, did their training modules get leaked? Not that I have seen. It doesn't mean that they haven't been, it just means that I have not seen them. Did you have a follow-on question? Okay. Great question. So it's a combined public and private effort across a joint multinational force. That's kind of a "who was that" out of an answer, right? Is

yeah, so the question is generally who's responsible for going out, like if we know the exact stakeholders with Stern and Salamandra and Schwinn, who's going out and targeting them to take them out? I say take them out, right, I mean take them off the market. So generally Interpol, but Interpol just came out with an article, they said publicly, I think it's four months ago now, I'd have to go back and look at the date, Interpol said we cannot arrest our way out of this problem because the financial numbers are too high. That's the first point. So there's, they're like supply and demand: the demand is very high for these people, and

the second part is because of extradition. So if you look at Conti, remember the vast majority of their playbooks and the messages were written in Cyrillic, so Russian-speaking adversaries, and we're not really known for having a great relationship with them between Five Eyes and Russia. Yep. Yeah, either protected actively or at least have a tacit blind eye. Great question.

Yeah, so the book that I generally recommend reading about that problem, to dig deeper into that, is called Hack 99, and it starts by looking at intellectual property loss as a case study with China, and it also looks at Europe a little bit as well. So it's a former FBI investigator that was looking at a lot of these problems in the beginning, in the nascent state of this, and trying to get bureaucratic momentum in order to actually take bad players off the field


and unfortunately that means everyone in this room will be employed for quite some time. Back to that competitive landscape. International

The question is about money laundering. So the vast majority of the inbound dollars come in through Bitcoin. They are starting to shift a little bit, but every time they shift the currency they actually have to switch their help desk processes in order to coach the people that they've attacked on how to swap money around. And then they throw it into, they generally do a, like they'll come in through Bitcoin, they'll spin it through a couple other cryptocurrencies and then output, and then they've got like banks on the mend that they'll launder through as well. So to that end, I forget, rip saw, I think a recent

cryptocurrency that was just completely banned because there's legitimately no legitimate reason for its use other than anonymizing inputs and outputs and identities of where money's coming in and going. So its purpose is to anonymize you. You start tumbling all that stuff. Tumbling, what? I don't want to go too far into it because I am not that knowledgeable, but like the general concept is you throw a couple Bitcoin in with some other people that are throwing in Bitcoin and then a bunch of different addresses get moved all around all over the place; you can't track those transactions across the blockchain anymore. And so there are like technical solutions to how you actually money launder through different transitions.

I am not an expert, but that's generally how you can, if one were to want to money launder, that is like one way, super hypothetically speaking. Yep, what's that? We got exchanges are also being cracked down on; that's like one of those pieces now, so yep. Four more minutes. Yes sir. Tornado Cash, thank you, the tumbler. Oh, the really cool article about Tornado Cash, probably the best name of an article recently, was called "OFAC Around and Find Out." [Laughter]

How good are your backups? [laughs] Okay, so I mean then you start elevating your, yeah, desirability. Ego definitely plays a part. They're not generally attacking people for political reasons, but like fighting with Russia, right, that kind of goes down the ego road pretty quickly too. And effectively, if we go that route what we're basically doing is inducing the prisoner's dilemma on all of our peers, and if 10 of us say we're not going to do Bitcoin payments but one does, the market is still there and we will continue to tumble. So one really funny thing that kind of goes along that line was at the conference like a week and

a half ago, someone actually asked the question like, would you spend fifty thousand dollars on a tool or some piece of technology, or do you spend fifty thousand dollars buying Bitcoin now, knowing that you're gonna get hit later, while you know Bitcoin's a little depressed, right? So like we know we're gonna get hit, we'll get a deal right now, right? Let's hope that we can hedge this against the next three years and it'll go back up. Yeah, maybe consider that as part of your holistic security program, but not the program of the overall cost.

Yes, they're doing their good work and let's give them their 15 points. Yeah, so the question was, because the ransomware payment itself is only 15 percent of the total cost, what else, effectively what else can you do in order to drive that down? Yeah, so a large portion of the other 85 percent, and forgive me, I don't have these precise numbers, is that loss of the ability to go to market. So like if you're a B2C company and your platform shuts down and the customers on the C side can't access your business, then suddenly you can't have transactions and you don't have revenue coming in, and it's that

lost revenue that drives up the cost so much. And also just thinking about it from a different perspective: like once you've been breached, how much do you trust your infrastructure, right? Like, well, we think they came this way, we think this is what they did, this is what the logs say; is that truly the only place that they went? Do they have persistence in a different system? Because you're going to get hit multiple times with ransomware now, right? Like, you paid 500k and they're like, too good, we'll just detonate another one, right? So rebuilding your infrastructure also comes into that cost. Because how much does everyone in this room

make, right? You start counting up labor hours and overtime, labor and overtime, incident response hours for consultants, too. If you're, I assume not many people in here have an internal incident response team that is able to go through that level, minus maybe the CPB. Yeah, and if we ask the question, do not raise your hands on this, but if we ask the question in here of who's on an incident response team, many of you would raise your hands, and if I asked the follow-on question, who is the incident response team because there's no one else, almost everybody would still keep their hands up, right? More questions?

When was the last time you tested your backup process? How long does it take you to actually implement a backup on a system A to Z, including all your configurations for all your network interface devices, right? Because you're probably going to have to make sure that there's no additional, I don't know, access control list adjustments, right, something letting you through the firewall, so you got to rebuild all of those configs. How long does it take you to, I don't know, with like the Irish HSE's 70,000 endpoints, they had to decrypt it because, I don't know what the backup process would have taken, but probably longer than the decryption, you know. And specifically if

we're looking at a little bit tighter perspective, I believe it was LockBit, I was falling asleep, I was reading the article because it was bedtime, but they were building new tools that specifically target like Veeam, Veeam as a backup engine. And so when you like, bad guys will go to the same conferences, and so when they walk in everybody's like, oh, I'll just restore from backup, and I did, I rehearsed my backup and we tested and it was great. Bad guy's sitting there going huh, I guess I gotta detect the backups more. How long ago was that backup created? Did you, because I mean like they were there for eight weeks,

right, with persistence on endpoints. So like, if I gave you the statistics the standard deviation would be stupidly large. Yeah, I'm sorry. So I mean it depends how big you are and it depends like what you're recovering. I hate to give the consultant answer, but that's what I'm going to double down on, because like HSE with the decryption stuff took them four months with the army, right? So like think about your organization. And so let's use a specific example here, and one of our co-clients, who shall remain unnamed, they have basically an IoT flat network that has zero backups, and if they were to put their entire team, security and IT

and sysadmins and help desk, on just building the backups, it would take them about six weeks just to build the backups one time, not to mention all the operate and maintain that goes along with that, because they didn't get it baked in from, they didn't bake in security originally. So as we look at it, it just goes on and on and on, kind of like my answer right now, which means we are done, I believe, so the next speaker can come up. Is that correct? All right, thank you guys so much, appreciate you coming in. I hope you learned something if