
Ransomware Response in Action: Lessons from the Frontlines

BSides SATX · 2025 · 41:42 · Published 2025-09
Category: War Stories
Style: Talk
About this talk
BSides San Antonio 2025 June 21 at St. Mary's University

Thank you so much, St. Mary's, for hosting, USAA for being our diamond sponsor, and all the other sponsors on the back of my shirt right here as well. Thank you for making it here today. Pretty excited about the next topic, which is about ransomware. Aroy Desai has been doing this for five and a half years. Let's give him a round of applause as he presents.

Yeah, thank you for attending this talk. I welcome you with my whole heart here today, and I hope you'll learn something today that you can apply right away at your work or your school. So I'm Aishar Desai. I'm a senior digital forensics and incident response consultant at Aon. I graduated from UTSA, so I'm happy to stand here and give back to the people of the city of San Antonio.

One interesting fact about my work, which you may not have thought about, is that these ransomware threat actors are humans. So there are seasons in the ransomware response business. When we have vacations, these threat actors work, and after our vacations are done, they take a break. That means we have to work during vacations, and after that, when the threat actors take their kids and wives on vacation, we can just sit and twiddle our thumbs.

So the agenda for today: we'll go through the overall anatomy of ransomware, how ransomware attacks work. Then we'll go through what to expect after a ransomware attack and how to respond, and we'll go through a case study. I will go through what to do and what to expect while the recovery steps are going on.

So this is a ransom note for Makop ransomware. If you see this on a system one morning, then you know that your organization, or you personally, are a victim of a ransomware attack. If you read point three, this Makop ransomware group is pretty straightforward: they do not care about you, they just want the money. A few ransomware groups pretend, and use different language, saying they care about you and your business and they want to help you get back operational as soon as possible. So different ransomware groups have different approaches to how they communicate with you and deal with you during negotiations.

So it all begins with alerts and notes. There are two types I can name here. One is pre-ransomware: at this stage the encryption is not complete, or the encryptor was not deployed. The other, more common one is the post-encryption stage, where you see the ransom note and your organization is already not operational at this point. In the pre-encryption stage, it can be that your EDR throws an alert for some tool or for lateral movement, or you're threat hunting and you find that a user was added to the local administrators group or to a domain group. It can be anything you find while threat hunting, or an alert.

This is the ransomware keychain. On all the engagements I lead, on the kickoff call I walk through these six stages. Whenever you are investigating a ransomware incident, what you need to know is how the attack progresses. First is initial access: they get into your network. They steal credentials and escalate privileges. Then they move across the systems you have and install a persistence mechanism, so even if one entry is blocked or closed, they have other ways to access your network. Once they move laterally and find interesting data that is valuable to you, they will exfiltrate the data using different tools, and once they have the data, they will go ahead and encrypt your data and systems so they can hold you hostage and get ransom payments from you.

For initial access, a few common methods we see are phishing and social engineering. Everyone knows what phishing is. Drive-by compromises: you visit a website, JavaScript executes on your PC and downloads stage-two malware, which installs a reverse shell, and that's how the threat actor gets access to patient zero. Search engine optimization: I have not seen this recently, but back in the second half of 2023 we used to see threat actors pay Google to push a malicious website up in the search results. So if your help desk agent just enters AnyDesk or Bomgar, the malicious website pops up at the top of the search, and when the user clicks and downloads, that's actually a backdoored version of the real software the user intended to install.

Then the social engineering ones. In early 2025 we are seeing an uptick in email bombing attacks, where the threat actor sends a bunch of emails; it can be 20, 30, hundreds. Then they pretend to be a help desk agent, call the victim, the target, and convince them: "I understand you are getting lots of email and I'm here to help you." While they do that, they get a remote access session on patient zero's laptop and install a second stage of remote access, so they can do a quick session and then install AnyDesk. In one case I saw the threat actor install a QEMU emulator on the system, and they ran what I'll call a virtual machine on patient zero's laptop; that was pretty unique.

Then there are the more traditional ways: exposed services on the internet like RDP, where they can brute-force the credentials, and vulnerabilities, zero-days. For insider threats, there are a few ransomware groups; one I can think of is LockBit. If you look at their ransom note, they shamelessly say that if you give us access to your employer's network you'll get rewarded for that. So that can be one way: your employee may want to give access to the network.

And then there are initial access brokers. The role of the initial access broker is to gain initial access and then sell that access. They do not do anything malicious other than checking that they have access to the network. Generally we see an initial access broker checking the access to the network, then for a month nothing happens, and then 20 or 30 days later another threat actor comes in, moves laterally, steals credentials and data, and then encryption happens in, I've seen, a few hours to a couple of days or weeks.

Okay, so we are seeing a social engineering uptick. Previously we have seen lots of compromised VPN credentials. Organizations still do not have MFA enabled on VPN. Again, that is a fact, and unfortunately we still see threat actors just logging in using compromised credentials.

Once they are in, say they have access to patient zero. They can dump credentials, or they can ask the victim, patient zero, to enter credentials into a phishing page while they're on the remote session, since they have access to their PC. So the next stage is getting the administrator credentials, getting domain admin. Mimikatz and LaZagne are the tools they use to dump credentials; these are the more common ones. Then we have the next three. NTDS.dit is the database on Active Directory that stores information about the users in AD, and it also contains credentials that the threat actors like to take with them. We are seeing lots of NTDS dumping nowadays, and what this means is that all the users in your AD are compromised, and to get this fixed you'll need to rotate all the users' credentials. The SAM database, again, is where the Windows OS stores user credentials locally on the system. LSASS memory dumping is another common way; Mimikatz and LaZagne, I think both of them can dump the credentials. In addition to these system credentials, I have seen the threat actors dump credentials stored in web browsers. Lots of times system administrators have their credentials for vCenter or VMware stored there, and they get those credentials from the web browser. In the encryption phase, once they have the credentials, they can just log into ESXi and deploy ransomware.

Okay, so again, for the lateral movement piece. Generally they use RDP on Windows and SSH if there are Linux systems. There are these two projects: LOLBAS documents all the living-off-the-land binaries like PowerShell, cmd.exe, all the Windows native programs that the threat actor can use to do different things. And the other one, GTFOBins, is similar to LOLBAS but just for Linux.

Okay, the next stage is the persistence stage. Again, they want to maintain access to your network. What I have seen previously is all these different persistence mechanisms: services, autoruns, registry keys, startup, scheduled tasks. The most common ones I see are services and scheduled tasks. On my last case the threat actor created a scheduled task that runs a Python script, and that Python script was encoded and encrypted. It used AES-256 and Base64, combinations of different encryption and encoding algorithms, to decrypt the main script, and after nine iterations of decoding, it was running a Python script that would connect back to a server and give a reverse shell.

Then we have these more common ones. Previously the threat actor used to use Cobalt Strike and their custom scripts, but since 2024 we are seeing more use of legitimate remote access tools like AnyDesk and ScreenConnect. And the other example I explained earlier was the threat actor installing a virtual machine on patient zero. I have never seen that, and none of my colleagues has ever seen that, so that was really interesting. That's the command: it was the emulator, and it runs that qcow2 image, which was the Windows image that had all the threat actor's tools and AnyDesk installed on it. Once they had a working emulated VM, they no longer needed access to the Quick Assist session that they initially established, right? So they can just close that session, be done with it, and come back through this virtual machine and move laterally.

So for the data exfiltration piece, they are interested in the juicy information. It can be finance, it can be your intellectual property, it can be personal data, anything that law requires you to report or that carries notification obligations. Once they find that, they'll use the different tools I listed here: SCP, FileZilla, GoodSync. They use rclone; rclone is very popular with the threat actors. And then MEGAsync is also a common one. On a case I saw a threat actor had access to a student's account, a student located in Italy, and they were uploading all the client data to that student's OneDrive cloud account.

Here is an example of an rclone command. This is likely what we'll see. They are excluding any files that are older than three years. They are targeting the HR folder on that server, and on the threat actor's infrastructure they are creating this folder, 192 168 323 HR, and they're excluding all these file types here. So generally they are more interested in documents, spreadsheets, PDFs rather than getting your backup files and SQL databases.

Okay. In addition to what we have seen earlier, in early 2025 we found this custom data transfer tool. It was a RansomHub matter, and we found this GUI-based tool where you can just click and it will exfiltrate data. Again, this is something very specific to the RansomHub group.

And then there is the last stage, encryption. Overall the goal is to encrypt as many systems and as many files as they can. Generally they do not encrypt your whole file; they will only encrypt the headers of the file, so it is easier for them to encrypt lots of files in a short amount of time. There are a few command-line based encryptors where they just pass the IP address and the drive letter you want to encrypt, and again Makop ransomware has a GUI-based encryptor where you can just point, click and encrypt files.

Okay. Once the files are encrypted, the majority of the game is done. Now you need to understand that this is a business restoration effort rather than an incident response effort. So you need to keep in mind that this is a marathon and not a race. I have seen people go crazy on the first day of the ransomware attack, and then they eventually get tired and start making small mistakes. Technically, what I have experienced is that once the encryption is complete you don't need to panic much from the perspective of securing your organization, because all you need to do is contain the network: isolate the systems, kill the firewall, kill the internet, and you can take a breath, because going forward you'll have to organize yourself, get all the teams together and start working.

One interesting point I want to make here is: set up out-of-band communication channels. I have heard about engagements where the threat actor was monitoring the email chain, and they also joined the incident response call the client was having to discuss the response strategy. Check your file servers. Check your backups. If they are still viable, unplug them and keep them safe somewhere. You don't know; the threat actor may come in and encrypt your backups if they have not already. Having the backups safe is key. Without the backups you'll have to pay the ransom, and that's the next level of headache.

Once you have all the teams ready, there will likely be a third-party incident response team coming in, and they'll guide you through the containment and the data collection piece of the investigation. Once the investigation is complete and the team feels that all the systems are evaluated properly and are safe, then the pieces of the business will start going back online in iterations. So it's not going to happen overnight.

When you do investigations, you need to keep in mind this ransomware keychain. We want to answer each and every stage of this ransomware keychain: how the threat actor got inside the network; then, after getting in the network, what tools did they install; when did they get access, how long was the threat actor in the network; what activities, like when did they move from system A to system B; when did they start exfiltrating data, and how long were they exfiltrating data. You need to answer most of these questions, all of these questions, but again you may not be able to answer all of them, depending upon what logs and evidence you have accessible for the investigation.

So we'll go through a case study here. This is a real case, but I have changed the names and the domain of the client. Generally it happens on Friday morning, because for the threat actors it's the end of the day on Friday, and on most cases that's when they decide to encrypt, call it a day, and enjoy the weekend. In the beginning, say you have 500 or 10,000 systems; it doesn't matter. What threat actors are interested in is the few systems where they'll get the maximum amount of valuable data, right? So we generally start with the domain controllers, because that's the server that almost all threat actors will interact with. So you'll start analysis with the key servers. You can start with domain controllers, file servers, any ESXi hosts that are running all the virtual machines in your network. When you start analyzing those systems, you will find that, oh, there was a remote desktop session from another server before NTDS.dit was exported or dumped, right? So you will image or collect triage from the next breadcrumb, and then you go one more step back, and then you identify all the different systems that the threat actor touched, and then you have a good timeline of everything the threat actor did during each RDP session on each system.

So initially it will look like a puzzle that does not make much sense, but when you put together a timeline then you'll come to know that we saw encrypted files on servers, but there was a type 3 network logon from the domain controller seconds before this encryption happened. So when you look at the domain controller, you have the encryptor, the malware, running on the system. When you do that again and again and again, you'll get to the first breadcrumb, right? In this case it was a threat actor coming in through a VPN, and DESKTOP-FDGB6G was the threat actor's computer name. When they come in through VPN, they bring their system names inside. So that's what happened here.

Okay, so talking about recovery. Again, it depends upon your network; there is no one-size-fits-all solution, but overall the thought process here is: first, getting all your credentials reset, and then approaching the restoration strategy in red, yellow, green buckets. You can do that both with systems and with your network. A red system is any system that the threat actor was interactively accessing: installed malware, had remote access, remote desktop sessions. Those systems need to be preserved and rebuilt before getting them back into operation, right? Yellow systems are ones where you see maybe ransomware deployment but not necessarily the threat actor interactively accessing the system. And then the green systems are the ones without any threat actor activity on them. The same goes for the network. The red network is the compromised network that's isolated. You have a yellow network where you stage the systems that you are deciding whether to move to the green network or discard. And then the green is the clean network, where you'll be getting all the green systems in, letting your employees do their day-to-day work and getting the business back running. Again, this is an opportunity for you to build or rebuild your network securely. If your management was not allocating you enough funds, now you have a good business justification and a chance to do that.

So this is a bit of a legally tricky thing to walk you through here. That's why you need the guidance of legal counsel. Do not trust me on this slide; follow their decisions, and discuss with your legal counsel what to do with the negotiations. But you can either decide to communicate with the threat actor and actually pay, or you can start communicating with the threat actor and then decide not to pay, or you can just go blank and not communicate at all in the first place. There are advantages to each one. Say you do not have backups available and you need the decryption key; then I don't think you have any option other than to communicate with the threat actor and get the decryptor to get your business going again. But if you have good backups, then you can start communicating with the threat actor, and in exchange what you get is that most threat actors will provide you a list of files that were exfiltrated during the attack. So now you are on day two or day three of the investigation and you already know which files were taken, or at least the systems or places the files were taken from, right?

And then the second one is data separation. If you don't pay the threat actors, in most cases they will post your information on their leak site. If you don't want that, there is another reason why your organization may decide to pay. But at least starting the talks with the threat actor will give you more time, time to understand what's happening, and it will give you time to pacify the threat actor, because if you cut all communications and the threat actors somehow still have access to your network, they can come in and do some more damage if they have the capabilities to do that.

During the investigation, these are the common limitations we see. There is a lack of incident response preparedness: security teams may not know how to image a system, or they may not know how to do specific tasks that are assigned to them, right? Then asset management: on the scoping calls the IT team says we have 500 systems in total, but it ends up they have more than that. Having a good asset list will enable you to get better visibility, because you know how many systems you have in the network. So you can check how many of those systems do not have an EDR, or how many systems you do not have visibility on. Having visibility is very important, because threat actors like systems that do not have EDR tools, or the ones that are not monitored by the IT team. They can just stay there, live there, and then come back whenever they want.

Security tooling, controls and visibility. Also, having logs. On most of these ransomware incidents, what we see is that the client does not have a log aggregation tool, and because of that, the logs on the firewall and the VPN appliances roll over pretty quickly, and by the time we are signed and start collecting the logs, all the logs on the firewalls have rolled over, and now we cannot prove, or we do not have evidence to find out, how many gigabytes of data were taken from the network. So again, having all the logs, or logs from at least key servers, forwarded to the log aggregation tools is really helpful. Lots of clients don't have budgets, or they don't want to spend on the tools with features that have deep visibility. For example, for SentinelOne you can just get the lower-end Control license where you just see alerts, and if you pay for deep visibility then you can see all the command lines, network connections, everything coming from the endpoints. So having that kind of visibility into what was happening on your systems and network really helps with the investigation.

And then the unavailability of robust backup mechanisms. On multiple cases I had clients that had backup solutions on-prem, and when the threat actor deployed the encryptor it also encrypted their backups, and even though they had backups, now they don't have backups.

These are a few common recommendations. Having EDR coverage is important; get EDR on each and every system. Have good asset inventory management. You need to know what's on your network. If you don't know what's on your network, you don't know it's on your network, so you don't install the tools that give visibility into them. So that is important. Identity and access management, vulnerability management. Again, I understand these are more like buzzwords, and actually getting them deployed, integrated into your processes, and having the workforce to manage and monitor them is difficult and expensive, but again, these are a few recommendations here.

For O365, which is Office 365, we recommend getting an E5 license for at least the important users. That can be the C-level suite, any users that manage financial transactions, because on these matters we see the threat actor access different emails after compromising their O365 accounts, and if you don't have the MailItemsAccessed events in the UAL logs, then you won't know for sure which individual emails were accessed by the threat actor, and lawyers love this artifact. So again, it's recommended to get E5. I understand it's expensive, but that's what it is.

Having access control: get MFA on anything and everything you can. Disable legacy authentication protocols; earlier these were enabled in O365, but they changed that, I think in January 2024, and by default they keep these legacy protocols disabled. Geofencing the VPN, RDP. I think I don't need to go through the whole list; if you want, you can take a picture. I just have five minutes. But again, getting your IT team and security team trained, getting them tabletop exercises, so when the real thing happens they are not surprised, they already know what to do, they have processes in place, and they're well prepared.

Okay, so that's all I have for today. I have one bonus slide here. Since we have four minutes, I'll quickly go through this.

>> Do we want to open Q&A? Is that okay?
>> Yeah.
>> Anyone have questions?
>> So have you seen customers dump the process of the encryption software and pull the key out of that and start decrypting their files? Have you ever seen that?
>> No, I have not seen that, and generally within the encryptor they use the public key, right? That's used for encryption, and we do not have the private key. But there are some flaws in the way they're encrypting, or in the algorithm, and I've heard and seen in the news and on Google that people are able to reverse engineer the encryption tool and get the decryptor out. When you get into these kinds of incidents, it is also helpful to contact the FBI, because they may have a decryptor for the ransomware group. Any other questions?
>> So in your last slide you listed a lot of recommendations on how to react whenever ransomware appears. Who in a company normally comes up with the idea of a policy on what to do whenever there is an incident?
>> So it can be internal to the organization, right? So the IT team, say the CISO may be the boss there, or if you get a third-party vendor like Stroz, where I work, they will walk you through what steps to take. And again, what we do is recommend; whether you want to implement that or accept that is completely a business decision, right?
>> One last question.
>> The last presentation.
>> Okay. So, yeah. And again, this is the security maturity model. Most of you already know this. I'll just skip it for now since we don't have time. Thank you. [Applause]


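The rclone command the talk describes (a copy of one server's HR folder to the attacker's remote, an age filter, and excludes for backup and database files) is the kind of thing you can pick out of process-creation telemetry automatically. The following is an added example, not code from the talk or from Aon; the command lines, host names and remote names in SAMPLE_COMMANDS are constructed, and the heuristic that a renamed binary is still rclone if it carries rclone-only flags is an assumption of this script, not something the talk states.

```python
"""Triage rclone command lines from process-creation telemetry (EDR or Windows 4688).

Added example, not code from the talk; hostnames, paths and remote names are constructed.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed command lines as they would appear in process-creation telemetry.
SAMPLE_COMMANDS = [
    r'C:\ProgramData\rc.exe copy "\\FS01\HR" mega:HR --max-age 3y '
    r'--exclude "*.bak" --exclude "*.sql" --exclude "*.vmdk" -q --transfers 32',
    r'rclone sync C:\Users\jdoe\Documents sftp-backup:docs --bwlimit 10M',
    r'rclone lsd onedrive:',
    r'robocopy D:\Data E:\Data /MIR',
]

REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]+:")        # rclone remote spec such as mega:HR
LOCAL_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")    # drive letter or UNC path
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
VALUE_FLAGS = {"--exclude", "--include", "--filter", "--max-age", "--min-age",
               "--transfers", "--bwlimit", "--config"}
# Assumption: these flags are distinctive enough to identify a renamed rclone binary.
RCLONE_ONLY_FLAGS = {"--max-age", "--min-age", "--transfers", "--bwlimit", "--config"}
BULK_EXTS = {".bak", ".sql", ".mdf", ".ldf", ".vmdk", ".vhdx", ".iso"}


@dataclass
class RcloneInvocation:
    verb: str
    source: Optional[str] = None
    destination: Optional[str] = None
    max_age: Optional[str] = None
    excludes: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)


def parse_rclone(cmdline: str) -> Optional[RcloneInvocation]:
    """Return the parsed invocation, or None if this does not look like rclone."""
    # posix=False keeps Windows backslashes intact; quotes are stripped afterwards.
    argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    if len(argv) < 2:
        return None
    exe = re.split(r"[\\/]", argv[0])[-1].lower()
    if "rclone" not in exe and not any(t.split("=", 1)[0] in RCLONE_ONLY_FLAGS for t in argv):
        return None
    inv = RcloneInvocation(verb=argv[1].lower())
    positional: List[str] = []
    i = 2
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, _, value = tok.partition("=")
            if not value and name in VALUE_FLAGS and i + 1 < len(argv):
                i += 1
                value = argv[i]  # flag written as "--flag value" rather than "--flag=value"
            if name == "--exclude":
                inv.excludes.append(value)
            elif name == "--max-age":
                inv.max_age = value
            else:
                inv.flags.append(name)
        elif tok.startswith("-"):
            inv.flags.append(tok)
        else:
            positional.append(tok)
        i += 1
    if positional:
        inv.source = positional[0]
    if len(positional) > 1:
        inv.destination = positional[1]
    return inv


def classify(inv: Optional[RcloneInvocation]) -> List[str]:
    """Reasons this invocation looks like staged exfiltration; empty list if none."""
    reasons: List[str] = []
    if inv is None:
        return reasons
    if inv.verb in TRANSFER_VERBS and inv.source and inv.destination:
        src_local = bool(LOCAL_RE.match(inv.source))
        dst_remote = bool(REMOTE_RE.match(inv.destination)) and not LOCAL_RE.match(inv.destination)
        if src_local and dst_remote:
            remote = inv.destination.split(":", 1)[0]
            reasons.append(f"{inv.verb} of local data {inv.source} to rclone remote '{remote}'")
    if inv.max_age:
        reasons.append(f"--max-age {inv.max_age}: only recent files, typical of a targeted grab")
    skipped = sorted({e for e in (x.lstrip("*").lower() for x in inv.excludes) if e in BULK_EXTS})
    if skipped:
        reasons.append("skips bulk/backup types " + ", ".join(skipped) + " (documents preferred)")
    return reasons


def triage(commands):
    """Map each flagged command line to the reasons it was flagged."""
    hits = {}
    for cmd in commands:
        reasons = classify(parse_rclone(cmd))
        if reasons:
            hits[cmd] = reasons
    return hits


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_COMMANDS).items():
        print(cmd)
        for r in reasons:
            print("  -", r)
```

Feed it the command-line field of your process-creation events; a `copy`/`sync` from a UNC or drive path to a `name:` remote is the signal, and the age filter and the excludes are what separate a targeted grab from an administrator's backup job.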
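The case-study method the speaker walks through (encrypted files on a server, a type 3 network logon from the domain controller seconds earlier, RDP onto that controller from another host, and finally a VPN login that carries the attacker's own workstation name) and the red/yellow/green bucketing of hosts can both be scripted over a merged timeline. This is an added example, not the speaker's tooling; every hostname, account, IP and timestamp in EVENTS and INVENTORY is constructed, and the 120-second and 24-hour lookback windows are assumptions you would tune per case.

```python
"""Walk the ransomware keychain backwards: encryption -> network logon -> pivot host -> VPN.

Added example, not the speaker's tooling. Every hostname, account, IP and timestamp is constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

INTERACTIVE = {2, 10, 11}  # console/RDP-style logon types: hands-on-keyboard access

INVENTORY = ["DC01", "JUMP01", "FS01", "APP02", "HR-PC7", "PRINT01"]  # constructed asset list

# Constructed timeline fragments from several hosts' Security logs (4624), an EDR
# mass-rename alert and the VPN appliance. Left unsorted, as collected evidence usually is.
EVENTS = [
    {"ts": "2025-03-14T04:58:10", "host": "DC01", "kind": "logon", "logon_type": 10,
     "src": "JUMP01", "account": "svc_backup"},
    {"ts": "2025-03-14T03:40:05", "host": "JUMP01", "kind": "logon", "logon_type": 10,
     "src": "10.99.0.7", "account": "jsmith", "workstation": "DESKTOP-AB12CD3"},
    {"ts": "2025-03-14T03:39:50", "host": "VPN", "kind": "vpn", "account": "jsmith",
     "src": "203.0.113.9", "assigned_ip": "10.99.0.7"},
    {"ts": "2025-03-14T05:02:31", "host": "FS01", "kind": "logon", "logon_type": 3,
     "src": "DC01", "account": "svc_backup"},
    {"ts": "2025-03-14T05:02:44", "host": "FS01", "kind": "encrypt",
     "note": "1842 files renamed to *.locked within 60s"},
    {"ts": "2025-03-14T05:02:33", "host": "APP02", "kind": "logon", "logon_type": 3,
     "src": "DC01", "account": "svc_backup"},
    {"ts": "2025-03-14T05:02:50", "host": "APP02", "kind": "encrypt",
     "note": "ransom note readme.txt dropped"},
    {"ts": "2025-03-13T09:00:00", "host": "FS01", "kind": "logon", "logon_type": 3,
     "src": "HR-PC7", "account": "alice"},  # benign share access a day earlier
]


def _t(e: Dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def logons_to(events, host, before, window):
    """Logons to `host` inside `window` before `before`, oldest first."""
    return sorted((e for e in events if e["host"] == host and e["kind"] == "logon"
                   and before - window <= _t(e) < before), key=_t)


def chain_from_encryption(events, host, logon_window=timedelta(seconds=120),
                          pivot_window=timedelta(hours=24)) -> List[Dict]:
    """Start at the encryption event on `host` and follow logon sources back to the VPN."""
    enc = sorted((e for e in events if e["host"] == host and e["kind"] == "encrypt"), key=_t)
    if not enc:
        return []
    chain = [{"host": host, "ts": enc[0]["ts"], "src": None, "logon_type": None,
              "step": "encryption: " + enc[0]["note"]}]
    cur_host, cur_time, window, seen = host, _t(enc[0]), logon_window, {host}
    while True:
        cands = logons_to(events, cur_host, cur_time, window)
        if not cands:
            break
        hop = cands[-1]  # the latest logon before the activity is the best breadcrumb
        chain.append({"host": cur_host, "ts": hop["ts"], "src": hop["src"],
                      "logon_type": hop["logon_type"],
                      "step": f"type {hop['logon_type']} logon from {hop['src']} as {hop['account']}"})
        # A source that is a VPN-assigned address ends the walk at the initial access event.
        vpn = [v for v in events if v["kind"] == "vpn"
               and v.get("assigned_ip") == hop["src"] and _t(v) <= _t(hop)]
        if vpn:
            v = max(vpn, key=_t)
            chain.append({"host": "VPN", "ts": v["ts"], "src": v["src"], "logon_type": None,
                          "step": f"VPN login as {v['account']} from {v['src']}, "
                                  f"attacker workstation name {hop.get('workstation', '?')}"})
            break
        if hop["src"] in seen:  # loop guard for A->B->A logon patterns
            break
        seen.add(hop["src"])
        cur_host, cur_time, window = hop["src"], _t(hop), pivot_window
    return chain


def bucket_hosts(events, inventory) -> Dict[str, List[str]]:
    """Red: hands-on access seen; yellow: encrypted only; green: nothing seen."""
    red, yellow = set(), set()
    for host in inventory:
        for link in chain_from_encryption(events, host):
            if link["logon_type"] in INTERACTIVE:
                red.add(link["host"])
            elif link["step"].startswith("encryption"):
                yellow.add(link["host"])
    yellow -= red
    green = set(inventory) - red - yellow
    return {"red": sorted(red), "yellow": sorted(yellow), "green": sorted(green)}


if __name__ == "__main__":
    for link in chain_from_encryption(EVENTS, "FS01"):
        print(link["ts"], link["host"], link["step"])
    print(bucket_hosts(EVENTS, INVENTORY))
```

The short window around the encryption event is what isolates the type 3 logon from the normal share traffic a file server sees all day; once you have pivoted to a host the attacker touched interactively, the lookback widens because the RDP session that staged the attack may have started hours earlier. Hosts that only ever appear as type 3 targets land in yellow, hosts with interactive sessions in red, and the rest of the inventory in green, which is the same triage the talk describes for rebuilding.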