
All right, it's 12:30, so we're going to get started back up so we can keep everything moving forward. Thank you, I hope you enjoyed your lunch. I made the announcement before lunch, but I haven't heard of anybody collecting it, so if you're missing an iPhone, they did find one; it's at the registration desk. I have the distinct privilege to introduce our next speaker, Mr. Fernando Tomlinson, sorry, I can't talk. He will be speaking on "Ransomware Playbook: Illuminating Artifacts for Enriched Analysis." I appreciate everybody being here, and I will turn it over to Mr. Fernando. Thank you.

All right, I just want to make sure everybody can hear me. Perfect, in the back. All right, so let's get into this. A little bit about myself: Fernando Tomlinson, as he mentioned, technical manager at Mandiant, a subsidiary company of Google. Prior to that, retired US Army, right here from the home of cyber: cyber warrant officer, signal warrant officer, a couple of tours to Afghanistan. Did a lot of great stuff while serving; if you go to Army Cyber you'll probably see a room or so more associated with me. But nonetheless, also an adjunct cybersecurity professor teaching a number of cybersecurity-related topics. It's an opportunity for me to give back, because I didn't start here. I had people that were in front of me, whom I could see, learn from, and gain insights from, to kind of help build me up, so I think it's incredibly important to be able to do that for others. Myself and a few other people, namely Pete the Georgio, who you see out there, and another guy, Alex Durus, run a platform called Under the Wire, a training platform helping people learn and really get comfortable with the language of PowerShell. We were joking the other day: we started that back in 2015, and here we are in 2023. It started in the parking lot of a building on MacDill Air Force Base, off the CD, and now it's grown expeditiously. And there are a number of sites associated with me all over the web.

But enough about me, because that's not what you're here to hear me talk about; you're really here to hear me talk about ransomware. So let's start with some stats. If you're not familiar, Mandiant produces what they call an M-Trends report, and they produce it every year. The one that recently came out a couple of months ago was for the year 2022, and what we've noted, based on the analysis and investigations that we've done, is that in essentially 70% of the ransomware cases we had, the entity was notified by an external source; 30% of those entities were notified from an internal source. What's really intriguing, or maybe a little bit comical in some respect, is another number that I don't have up here: of that 70% that was external notification, a decent amount of that was the threat actor notifying the client, which is a little bit more concerning in some respect. But looking at who's impacted here, we could look at another publication, and this is coming from our friends over at the FBI, from their Internet Crime Report. When we look at all of the defense industrial base, there were 16 sectors that were impacted by this, and really, for the year 2022, over 2,300 complaints to the FBI, cases if you will, were associated with ransomware. Now that should seem like a lot to you, but the more staggering number is the number that we don't know about, and that is the true number of cases that have taken place where people don't report it. Maybe they've reached out to a Mandiant, maybe they've reached out to another company, maybe they've suffered in silence, for lack of better words, and tried to get over it as quickly as humanly possible. That number is more staggering. Also, this is really talking about the US; it isn't talking about other entities around the world. This ransomware pandemic, or epidemic, however you want to look at it, isn't just a US problem; it's a world problem, if you will.

So these actors are some of the most heartless people I've ever seen in my life. They could care less about what you are going through and what your organization is going through, and they will hit you at any time; it doesn't matter what's going on. So here's an example where, literally, this is me. I took a little PTO; the best way to decompress is to go to Vegas. My wife and I had literally just landed, I turned my phone on, and I ended up picking up a ransomware case for a rather large company. Obviously I can't talk about it here, but I had to take a break, sit down, actually gather what was going on, and start that investigation. Now, this was not within the last 45 days, so, you know, some of you have seen the news and stuff; it has nothing to do with that. No, it does not; it was not a local company in Vegas. But I shared this photo, one, because my wife was not happy and she snapped it, and two, I think it captures a lot. It captures the company, it captures Vegas, but really I'm trying to highlight that these actors don't care, and when you're in this field, as a firefighter, if you will, in the digital sphere, you have a responsibility to respond.

Now, looking at these threat actors, some of them are a little bit more advanced than others, but largely speaking, the ground soldiers, if you will, those individuals follow a playbook. Every now and then they may go off script, but for the most part they follow a playbook. When we look at the playbook definition here from Webster, it's telling us: one or more plays in book form. All right, yeah, I think we got that. A notebook containing diagrammed football plays. I think we got that as well. A stock of usual tactics or methods. And really, when we rack and stack which ones are most applicable to what we're talking about today, it's really going to be three first, and then maybe two in some form or fashion; really, maybe all three.

Now, because we have realized that there is some form of playbook, we want to get a hold of the playbook. Well, where there's smoke there's sure to be some fire to follow, so let's fast forward here to the Conti leaks. It was a bad time for them; it was a good time for us, because while they were going through their mess and things were starting to appear on the web, it was a great opportunity to confirm some of the hypotheses and thoughts that were already kind of flowing, if you will. This is an actual manual. Now, it's been translated to English, because it wasn't in English, but it speaks to the process that one of their actors would follow as part of an overarching campaign. I mean, step one here, if you will: find the company's website. Why do we want to do that? Well, we want to figure out if the juice is worth the squeeze. Are we talking about a mom-and-pop that isn't going to be able to pay? Are we talking about a company that has, I don't know, DoD-level attention? Probably don't want to mess with that one either. We need to figure out how we get somewhere in the middle, where it's worth our time and effort and there's some form of payoff. So let's do some research. Now, further down in this manual is more information for us, more information that we can certainly glean from, and while I don't have the whole manual here, which I would recommend you go download (you can get it off a quick and easy Google search), just read over it. It's actually kind of entertaining, and some of it may look familiar to you based on what you do in the world already. A little bit further down we have a portion where it's talking about uploading data, because the name of the game is double extortion, and in some respect triple or quadruple extortion. Gone are the days where an actor is just holding your environment for ransom and you'd pay a fine, not a fine, you'd pay a fee, if you will, and then be able to get a decryptor and get that information back, because people are starting to do backups (that's debatable), but people are just less inclined to pay in some respect, organization dependent. So, double extortion: I'm going to steal your data, and I'm going to either release it or sell it or whatever, and then that starts to get people's attention a little bit more. Now, in my experience, I've still seen people who don't want to pay for data that's been taken as well.

But how does that data get out of the network? Well, there are a number of different platforms that have been observed by myself, colleagues, and really other people in this space that are notorious for data exfiltration, and even when we look at the Conti leak guide, it talks about using MEGA uploads, and it talks about rclone. And I don't know about you, but I've been in this space, either IT or cyber, for over 20 years now, and I haven't been in an environment yet where I've seen, in a legitimate manner, MEGA or rclone used. Not to say that they aren't ever used legitimately; I would just bet my left pinky toe, because I think I could still walk without that, that if I were to see them in an environment, there's a good indication that there's some maliciousness probably happening. So in the guide itself, it is telling these actors that's what they should do, and it goes on and names a couple more. As a defender, as a forensicator, as somebody who responds to these types of events, this is a gold mine. This is like the welcome-to-the-team book, if you will. So fast forwarding a little bit, and again, I can't stress how much you should probably look at that guide in its entirety and some of the other documents, but fast forwarding a little bit here, I think this quote is key: if a picture is worth a thousand words, then a video is worth a million.

The reason I bring this up right now is because, when we think about this, for those in this space, engagements, clients, what have you, they tend to reach out to you Friday afternoon, Friday evening. I think it's: Monday something potentially happens; Tuesday they identify it; Wednesday, Thursday they try to figure out what's going on; and then Friday it's like, oh yeah, we probably need to call somebody, and it's Friday evening. But nonetheless, I was working a case where LSASS was being dumped; there was another instance where ntds.dit, the Active Directory database, was being dumped. They called us in, and they had some technology that we were able to utilize to get some metadata off a machine. We tasked that technology to get that metadata for us so we could start analysis, and it was not retrieving that data in a timely fashion that we felt was indicative of a good platform, if you will. We talked to the client; we asked the admin, did he have a way to access this system in an abstracted way, to reduce any potential harm? And he did: it was a virtual machine, they were able to use ESXi, log into that cluster, and then, from a console perspective, pull it up. So we wanted to get on Teams and share screens with him so we could help him understand what the problem was, so we could get the data. When we did this and he logged into ESXi and consoled in, somebody was already logged into the system, and we were like, do you guys use NetScan in your environment? He's like, what's that? Well, I know you don't use it, because nine times out of ten it's going to be something that a threat actor is using to be able to do recon in your environment. So, me being the person that I am, I started recording. For the most part, this is a snippet (I tried to block out stuff that's not important here) of about three and a half hours where we were watching the threat actor live in the environment. I had never seen anything like this before; I've done a lot of things in my life, but I mean, them using NetScan wasn't shocking, because a lot of ransomware cases do that. They're looking for open shares; they're in here looking at particular users, changing passwords for a user; nltest /dclist, trying to figure out what trusts are out there in the environment; looking at group membership up above, that's kind of blacked out. This is all standard TTP. Now, at the time we didn't know this was pre-ransomware, because all we had was the DIT being dumped and LSASS being dumped, but we're watching this live, and there's no better evidence than this. "Well, you said in the report that they did this and they did this; where's your evidence?" Well, let me show you the video. So for three and a half hours we watched the actor do that.

At some point in here we also watched the actor, up top there, top right, you kind of see top center, I have circled "pass": the threat actor was looking for files that contain the word "pass." Why do you think he's doing that? Homie's looking for passwords. Do you think he found some? Well, there are a lot of things that came back that I blacked out. Now, talk about an uncomfortable conversation, because the client is sitting here watching this live with us, and they're like, oh, John Bob's credit card information, why is that on there? I'm like, I don't know. What's funny to me, though, is the threat actor is skipping over stuff like that. What he, or she, or they, are looking for are particular passwords for a different network based on a trust, so they're trying to laterally move; they're trying to establish their position in the environment. And as we talk about the methodology and stages of a ransomware campaign, they were very early. Now, fast forwarding a little bit (again, this whole thing is like three and a half hours), we see them lay down AnyDesk. AnyDesk is a legitimate tool used for remote access; you've probably seen me talk about AnyDesk in a previous talk at another time, but nonetheless, they had a portable version of AnyDesk. They used it, they connected to the system via AnyDesk, and then they brought over a file called uvs, and really what that file is, when expanded, is a program called Universal Virus Sniffer, UVS. When you look at this tool, one of these freeware-type tools, its claim to fame is that it will help you rid a system of rootkits. So on the surface level it seems like a tool that an admin, a defender, somebody would be able to utilize to get rid of rootkits on their system. Perfect. Well, let me show you what the threat actor was actually doing. We'll come back to what this looks like in here in a minute, but what the threat actor was doing was looking for security tools on the system, treating them like a rootkit, and neutering them. Well, that's not what the program is made for, but by golly, that's what the threat actor was doing, which really spoke to why we were not able to see the system with that security tool I mentioned earlier; we couldn't get the data that we were looking for because this threat actor was starting to neuter that communication to their security application, if you will. Now, this comes up, and I'm not the smartest person in the room, but I venture to say that this is not an actor of US descent. If this is what I should have been doing in Vegas, putting it all on black 18: this is not an actor of US descent. So this was great, though, when it came time for report writing, because this was the biggest screenshot I could have ever done, with red arrows all over the place. But this isn't shocking; you start doing ransomware enough, you start getting a feel for some of these things, but watching the threat actor live was super enlightening for those three and a half hours.

Now, in the end, what's not shown after this is that the threat actor started using the admin who was helping us; he started using that person's account, and if there's ever a time where you might have felt violated, I think that's a time where you really feel violated. This person was an enterprise admin. We're watching this; it's all not really fun and games (it's never fun and games), but the threat actor opens the shell, runas, puts in this guy's thing, and he's like, oh, he's using... he's like, wait, that's me, he's using my stuff. He starts hyperventilating, like, really? All right, and he starts to cut this connection off from the threat actor. That's fine; we don't own the risk; that's a client decision. The threat actor knows something is now going on; the threat actor skips steps five, six, seven and jumps straight to nine, which is really smash and grab, if you will, and they launched their ransomware. That was the very moment we realized this was a ransomware case, and because we were right there on the ground as it was actually happening, we were able to neuter that and the avenue in which they were able to get in. The impact to the business: three machines, one of which was a DC; that's neither here nor there; the business at large could still go on. Now, that's a luck thing, if you will, but really being able to identify some of the things that threat actors do on a regular basis was super key, and my co-workers and I still joke about that to this day. That was a Friday night, as you could have guessed.

All right, so looking at the methodology at large: this is a methodology; I wouldn't say this is the only methodology, if you will. So all the way to the left we have the threat actor. They're going to get initial access some way, somehow. It could be through phishing; it could be a zero-day (pick a zero-day out of this summer; it's been a hot zero-day summer for sure), or an n-day at this point, because a lot of them are still legit in organizations because they're not updating, or what have you. Or, what I've seen over the last 90 days with two cases I was working: an admin would be searching for a legitimate admin tool; they would go out to the web and download it; however, they were not downloading it from the legit place. One of them was a malicious Google ad that redirected him to a site hosting that binary; another one was a typosquatted domain that kind of looked like it. But nonetheless, when they downloaded that binary, it gained a foothold in that environment, credentials were exfilled, and there was a period of time where the threat actor didn't do anything, and then they walked right back in the door with the credentials, and it became a bad week. They're also going to look to compromise the domain. How is that done? Well, they're going to try to get to the DC as quickly and as humanly possible, to certainly dump the DIT, dumping credentials along the way; that's where the credential theft actually comes into play. The other aspect is they're going to look to do reconnaissance: what else can I gain access to, be it from the perspective of gaining a foothold there, or being able to identify potentially other networks that would be worthwhile. We've seen some of that firsthand with NetScan, as you've seen in the video, and there are several other tools that are kind of like that, that provide the same capability and are notoriously used by threat actors. And then we get to the point of data discovery, data staging, and data exfiltration, which I circled because that's where I'm going to focus a lot of the next part of our talk. They want to discover data, they want to stage it, and they absolutely want to exfil it. Why? Because that's the next part of that double extortion. I can't do the double extortion if I ain't got nothing to really threaten you with, if you will. And then after that there's some form of ransomware deployment, and that's when it comes to light that something's happened, and they can actually have that conversation about those forms of extortion that definitely happen. But let's focus on the three things that we have circled: discovery, staging, and exfiltration. This is not an all-inclusive list, but this is like a n
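The tooling the talk calls out (NetScan, nltest trust enumeration, a portable AnyDesk, Universal Virus Sniffer, rclone and MEGA) lends itself to a hunt over process-creation telemetry. What follows is an added example, not code from the talk or from Mandiant: the executable names, the command-line patterns, the "portable means running outside Program Files" heuristic, the stage labels and the sample events are all my assumptions, constructed for illustration. It maps each hit onto the stages of the methodology the speaker describes and flags hosts where more than one stage has fired, which is the "playbook in motion" picture the talk paints rather than a single admin running a single tool.

```python
"""Hunt for ransomware-playbook tooling in process-creation telemetry (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Stages of the methodology the talk lays out, in the order the actor tends to work through them.
STAGE_ORDER = ["reconnaissance", "remote access", "defense evasion", "exfiltration"]


@dataclass(frozen=True)
class Indicator:
    stage: str
    name: str
    image: str                      # regex matched against the executable's basename
    cmdline: Optional[str] = None   # regex the command line must also satisfy, if any
    portable_only: bool = False     # only fire when the binary runs outside Program Files


# Executable names and command-line patterns are assumptions for this example; tune to your telemetry.
INDICATORS = [
    Indicator("reconnaissance", "SoftPerfect NetScan", r"netscan(64)?\.exe"),
    Indicator("reconnaissance", "nltest trust/DC enumeration", r"nltest\.exe",
              cmdline=r"/(dclist|domain_trusts|trusted_domains)"),
    Indicator("remote access", "portable AnyDesk", r"anydesk\.exe", portable_only=True),
    Indicator("defense evasion", "Universal Virus Sniffer", r"uvs\.exe"),
    Indicator("exfiltration", "rclone transfer", r"rclone\.exe", cmdline=r"\b(copy|sync|move)\b"),
    Indicator("exfiltration", "MEGA client", r"mega(sync|cmd(server)?)\.exe"),
]

_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _is_portable(image_path: str) -> bool:
    """True when the binary is not running from a standard install location (assumed heuristic)."""
    return not image_path.lower().startswith(_INSTALL_ROOTS)


def match(event: dict) -> list:
    """Return every indicator a single process-creation event satisfies."""
    base = ntpath.basename(event["Image"])
    hits = []
    for ind in INDICATORS:
        if not re.fullmatch(ind.image, base, re.IGNORECASE):
            continue
        if ind.cmdline and not re.search(ind.cmdline, event.get("CommandLine", ""), re.IGNORECASE):
            continue
        if ind.portable_only and not _is_portable(event["Image"]):
            continue
        hits.append(ind)
    return hits


def hunt(events) -> dict:
    """Map each host to {stage: {indicator names}}, with stages ordered as in STAGE_ORDER."""
    per_host = {}
    for ev in events:
        for ind in match(ev):
            per_host.setdefault(ev["Host"], {}).setdefault(ind.stage, set()).add(ind.name)
    return {h: {s: st[s] for s in STAGE_ORDER if s in st} for h, st in per_host.items()}


def escalate(per_host: dict, min_stages: int = 2) -> list:
    """Hosts where several distinct stages fired: the playbook is in motion, not a one-off admin tool."""
    return sorted(h for h, stages in per_host.items() if len(stages) >= min_stages)


# Constructed sample events (Sysmon event 1 / 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Host": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Users\\Public\\netscan.exe",
     "CommandLine": "netscan.exe /hide /auto:shares.xml"},
    {"Host": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dclist:corp.local"},
    {"Host": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /domain_trusts"},
    {"Host": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Users\\Public\\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe"},
    {"Host": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Users\\Public\\uvs\\uvs.exe",
     "CommandLine": "uvs.exe"},
    {"Host": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\ProgramData\\rclone\\rclone.exe",
     "CommandLine": "rclone.exe copy \\\\fs01\\finance mega:finance --transfers 8 -q"},
    {"Host": "FS01", "User": "CORP\\svc_backup",
     "Image": "C:\\Users\\svc_backup\\AppData\\Local\\MEGAsync\\MEGAsync.exe",
     "CommandLine": "MEGAsync.exe"},
    # Benign look-alikes: an installed AnyDesk, and nltest used for a plain DC lookup.
    {"Host": "WS22", "User": "CORP\\helpdesk",
     "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"Host": "DC01", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dsgetdc:corp.local"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, stages in found.items():
        for stage, names in stages.items():
            print(f"{host}: {stage}: {', '.join(sorted(names))}")
    print("escalate:", escalate(found))
```

The staging threshold is the useful part: nltest and AnyDesk show up in legitimate administration, so a single hit on either is a lead, not a finding, whereas rclone and the MEGA clients are, in the speaker's experience, rarely legitimate on their own and deserve a look even when nothing else has fired on that host.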