
of the day we have Julien, who's come all the way from Paris for us. He took the Eurostar over and struggled with the trains, and we got here in the end.

>> Thank you.

>> Take it away.

So yeah, Will and the team asked me to talk about one of my personal projects, which has been online now for more than three years. It's called ransomware.live, and the goal of this presentation will be to show you the behind the scenes of what I did and why. So first question: does any of you know this website? Quite a lot. Okay. So, let me introduce myself. First, a small disclaimer: I'm French, sorry for my English.

So I'm Julien Mousqueton. I'm CTO in cybersecurity for a company perhaps some of you know, Computacenter. It's a UK-based company, well, very small, 24,000 people in the world, and I'm in charge of the cybersecurity for our customers in France and in French-speaking countries. And I have some specialties. So I'm the owner of ransomware.live, which I will show you today. I'm also mentoring the next generation of ethical hackers in a university in France called École 2600. And I'm also a reserve officer for the cybercrime unit of the national police for Paris and the Paris area. So most of my job is CTI and incident response, basically, and other things, but I'm in.

So we'll do a quick introduction: why the project, how it appeared. Then a walkthrough of the website for those who don't know it, and perhaps also for the people who know it but don't know all the things we can find on it. Then the behind the scenes, and some, well, first I wrote "fun facts", but talking about ransomware is not always fun, moreover for the victims. So I removed the "fun", so it will be some facts.

So why ransomware.live? This is only an example, because it comes from the Dell Technologies website. I don't want to blame them, because all the vendors, at least most of them, use this figure: cyber attacks occur every 11 seconds. I have a problem. What is a cyber attack? A ping could be a cyber attack. Phishing is a cyber attack. So it doesn't mean anything for me. Then this figure, $6 trillion. Great. I have no idea how much it is; I will never earn that in my life. I have no idea. So basically, it just blew my mind. So I decided in 2021 I need my own figures to understand what really happened. "Cyber attack" is so huge, so I decided to focus only on ransomware, which is a start, and in 2020, then 2021, it was really the beginning of the explosion of ransomware attacks. So that's why I began.

So first I checked how I can do it. Luckily, ransomware gangs are proud of themselves. They publish their victims, usually, most of them at least. So you can find on the onion websites of the ransomware gangs the list of their victims. So I decided that's a beginning. So I wrote a small Python script which published on Slack at this time the list of victims, the date and the ransomware group. Then I talked about it, because it was only for myself; I talked about it with my team and we decided to get more professional: exactly the same, but on Teams. Then I shared it with other people, and they said, yeah, that's great, you have intel, you have information, but how can we use it? Do you have history? Can you make statistics? So on and so forth.

So I met a guy, or virtually met a guy, I wish I could be in New Zealand, which is Josh from New Zealand, who is the owner and developer of a website called RansomWatch, which basically does the same as I did, but in a website. So we talked a lot. I helped him; I made some development for his website. But at one point he didn't have enough time, and I wanted more, much more. What I wanted: I wanted the description, because ransomware gangs sometimes give a description of the company, or what they did or what they stole. So I wanted this information as a proof, because in our job we need to prove everything. I wanted a screenshot. Luckily I have some, at least more than 200 now, negotiation chats from ransomware groups. I wanted to publish them to make people understand what it is, how a negotiation is, and how it happens. Very interesting. I won't go back on it, because we talked about it at the first keynote about infostealers. We've got also information; it's good also to know if the victim has lots of infostealer logs published or available somewhere. I wanted to add TTPs. Well, I know, you know that security is a lot of work. So we need to make automation, so I need an API too. So that's all the ideas I got in my mind.

And even if I'm not good, I decided to create this website. I didn't expect at this time it would be as big as it is now, but at least I did it. So version one in 2022 was mainly a fork of what Josh did; as you can, well, cannot see well, but I had the country, I had screenshots, but that's all. I used the same framework he used, and, well, I was not happy; it was not what I wanted. I'm not a developer, but I know what I want, so I decided to make my own version two. As you can see on the top, it's "not allowed"; it just didn't work on mobile. I'm not a web developer; I'm not a developer at all. But so I had lots of complaints from people who told me, "Yeah, but we check every morning in the train or in traffic on your mobile." Yes, it doesn't work. Okay. So I used my, let's say, spring break, not the same as the US one, to build a new website, which is the actual website. So I suggest let's go through it, so you will discover it.

So basically, as I said, it's a website, important: free, yeah, no need to sign in. I got a few enemies now, some vendors who sell exactly the same. As I said, it works on laptop, mobile, tablet, or even TV; in my logs I see some TV screens, I think they use it in a SOC or somewhere, but funny to find. So this is the actual website; I changed it. So as you can see, you have some figures which are in real time, and you've got the cards for victims. So let's zoom on the card. I won't go through everything, but basically on a card you've got most of the information on the victim, and what information I got could be mistaken. I have to say it at least two times in the presentation: I use OpenAI for the country when I didn't have it, I cannot guess it, and also for the activity sector, but the rest is mainly from intel I've got from somewhere, and trusted intel. So for stealers, I talked about it; Rock was nice because they gave me access to their API. So I can have, I won't publish login, password or URL, but at least the figures. So for example, for this one, a French company, you can see it's a nightmare, and it's not a surprise they got hit by a ransomware.

Also, I decided that, okay, that's great, I have victims, but perhaps you need information about ransomware groups. So I decided to make one page for each, with as much information as possible. Sorry, it's my ego that will say the next sentence: it's an English journalist who said I'm the ransomware Wikipedia. I didn't say it, but so that's my only ego sentence. So basically you've got intel about the ransomware group. So if I take the example of Akira, you've got their known websites; you can find if they are online or not, what kind of website, because ransomware gangs have what we call a data leak site, DLS, but they also have chat servers, file servers, administration servers; yeah, it's huge. So I list them, make a screenshot. You can see also the favicon, which could be useful sometimes; just go back to the Oz CTF, I saw some of the challenges about that. And the targets: the top five targeted activities or countries. Well, it's always the US, but, well, yeah, I mean in Europe we are not far.

Yeah, one of my friends asked me, yes, but I'd like to see how it happens in time, if there is more activity during some times of the year. So I used the GitHub idea of the heatmap, and I use exactly the same for the number of victims per day for a ransomware group. You can find some funny facts: you see some ransomware group who never works during some holidays in some Far East country. No name, but that's strange, but it's true. They didn't work during some special holidays or bank holidays. So you can easily see it. So that's why I publish it.

Then, thank you Will, I get some tools used by ransomware during an attack, during the kill chain. So Will provides them on his GitHub, and I use them. I also got some from the Zscaler ransom notes; they publish all the ransom notes, so I got them. Also thank you Will again, that's two times only; he published also some vulnerabilities exploited by ransomware, so I publish them in a different way, but by ransomware group. Then you've got, we talked about it this morning, the TTP matrix from the ransomware group, and also all the negotiation chats. So from one page you can have most of the information about a ransomware group.

One of my friends, who is, I don't know if you can call it a cyber journalist, it's Valéry, he publishes in French, sorry, but he publishes a feed where there are all the victims you can find in the press. So I publish it; only the description is in French, sorry, but all the links are in the language of the article. So it could be any language, but it's also interesting. And on the website, I try to map also the victim with the press article, so I can have an idea of the actual real attack date.

So with all this intel, which is great, I can make statistics. We can see that, well, I'm not sure you can see well, but basically in orange it's this year, purple it's last year, and the strange blue it's '23. So yes, it didn't decrease, as you can read sometimes in some articles or press; no, it increased. Also the victims by country; it could be very visual to see where the most victims are. Well, we know it's the US, so no need to check, but for others, if you click on it you will have all the victims for this country. So I try to make this website the most useful for me, but I think for you too.

So I talked about the ransom notes. So it's still Zscaler, sorry, who give us lots of ransom notes; it's open source too, but I extract from them, well, it's not really IOCs in the proper term, but information which could be useful from these ransom notes: it could be email addresses, Tox IDs, Session IDs, even sometimes PGP keys. So you can find everything; I just extract them for you. And YARA rules: there is one backup company who now uses a lot of YARA rules in their software. So they asked me if I can add the YARA rules for ransomware. I try to keep them up to date, not easy because it changes lots of times, but you can find them, at least an idea of the YARA rules. And what I also do, because I don't trust myself, you can see the green tag on the top, it's "valid rules". So I validate them before publishing. So sometimes they are not validated, perhaps I made a mistake, but I leave them for knowledge or education purposes, but I know that this one will work. Not sure it will detect, but at least it will work.

So as I said, I got some IOCs; I got also lots of hashes from ransomware. So I made a page: if you search for, no actually, if you just search for a ransomware, you will get these things. Someone asked me what if it could be the reverse search, on the hash, find the ransomware; not very complicated, so I will do it one day, soon I think. ATT&CK technique matrix: so I took all the tactics and the procedures they use, put them here, and when you click on a ransomware you can see in yellow which ones they use. I do it more for educational purposes, because it's not really interesting in this way, but everyone can find something interesting somewhere. So, but I use it for my students.

Negotiations, that's my favorite part. So you can see 240, as of I think yesterday or two days ago, negotiation chats from 24 groups. So if you click on it, yeah, you've got the number of messages, first column, the initial ransom, if they negotiated, the price negotiated, and unfortunately for the victim, if you see, you cannot see well, but the green round with a bitcoin symbol means they paid. And to make it more easy to read, I do it like text messages, in the way, just so you can read it easily. Very soon, for people who have a ChatGPT license, I put all of them in ChatGPT to make some simulation. I know they already have some, but it didn't please me; I'd rather say it didn't match the reality I know. So I tried to do something, and I think it will be soon online, so you can train yourself to negotiate. The way I did it, you will lose, spoiler alert. [Laughter]

So as I said, automation is important. So I decided to develop an API around it. So as I also said, I'm not a developer. So there is, well, there was even a v1, but forget about it. So there is a v2 API which is still used by lots of people and lots of applications, so I cannot remove it. But I developed an API I call "pro". I didn't want to go to v3, v4, v5. Which is free, will be forever free, despite the name "pro". Why? Because the only thing you have to do is just to register with one email to get the token. Why? Just to have the information, and I can inform you if there is a very huge change, because I cannot change things in v2, which didn't please me and doesn't work well. But since people use it, you will see, I have some examples later of applications which use it. So that's why, same, I was obliged to put a limitation of calls, because there are some people who just ask, for example, for the ransom notes every second. Yes. So I was trying to understand why the CPU goes up, up, up. I understood. So if you want the API, just an email, no password, it's passwordless: you receive a magic link, you just click and you arrive here; you've got the API token, where you are, and also some statistics about what API you use. It's very simple, but at least you get the information. So that's all for the walkthrough. So lots of information, I know.

So now let's have a look at how it works behind the scenes. Very simple, you will see. So I use, I'm French, so I use OVHcloud, a French company, on an Ubuntu server. First it was a €5 server. Yes, everything was on a €5 server, but people began to use it too much. So I grew to a €15 virtual server, and now, because I got something like, the last statistic was 10 million API calls per year, more than 5,000 unique users per day, so I went to a physical server, €22. Yes, very expensive, but it works. Why do I also need this? I need the memory, because everything is in Python. I said I'm not a developer. So I use some scripts in Python and no database: full JSON files loaded in memory. So that's why I need memory. So why no database? Everyone, well, not everyone, but lots of people ask me this. First, I remind you the first project was on GitHub Actions, so serverless. Then I don't want to have to administrate a database; I'm not a DBA. And moreover, I want the server as light as possible. No need to try to do a SQL injection on JSON, good luck. So that's one of the reasons. And of course Tor, because I need to go to the ransomware group websites. Then for the website and the API, I discovered Flask on Python, and really I discovered, I told you I'm not a developer, but very useful: I can use templates, because in the first version the HTML code was in the Python code. I know it's horrible, but so now it's externalized and it's easier for me.

Then I have to use OpenCV. So OpenCV is a library to detect things on pictures. Why? Because my new friends from the Netherlands cybercrime police sent me a message once and told me, "Yes, you have a great website, thank you, but can you remove the IDs of our citizens?" So I said yes, but, so I was thinking for a few minutes and I told them, if I blur the picture, is it fine? They told me, give us an example. So I threw them an example and they said, yeah, it's fine, no problem. So that's how I did it. Now it's a little more improved: if there is a face, it only blurs the face, not the text. And for IDs, if I find an ID, unfortunately for now, I can only blur all the picture. But I try to improve it and to check how I can do this.

Then, yeah, second time: OpenAI, no way out. I cannot, I have a job; I cannot work 24 hours on the website. So I need to find an easy way to get information. So we will see later which information, but you will see it's not a lot. Then nginx on the top, just to publish the website. Then, as I said, I use Zscaler for the ransom notes, my friend Valéry from LeMagIT for press, and also he is doing something very interesting: he just gets the victims from ransomware.live and checks the real date of attack, and gives me back the information. So automatically I update, and you can see on the website there are two dates: a discovery date, it's when I discovered it, and the potential cyber attack date, because we never know exactly the date, but at least we've got it. Then Will, sorry, third time, at last now, almost, for the vulnerabilities and the tools used by ransomware, and of course it's Rock for the infostealer information.

So not all the project is open source for now. Only the, let's say, background part is open source. The website is not, because it's not ready to be published. Honestly, I will be really honest. But if you have some ideas, don't hesitate to contribute. I don't ask you to be a coder; you see, I'm not at all. But even if you have ideas, most of the ideas and the features you can see on the website come from information from users.

So I will pass very quickly, but what you have to understand is there are two big steps. One is scraping: so I'm checking all the ransomware group websites, checking them and getting the HTML code, and then I parse them. So I know it could be confusing, but it's, yeah, a lot of things to do. It works every hour, actually. So I will pass that example of JSON, but you probably all know what a JSON file is, so I will pass quickly on it.

There are two huge connectors. One is for Azure Sentinel. Well, I won't spend lots of time, because I just use it and make, again, statistics. But the second one I like, first because it's a French company. No, it's a very great product, OpenCTI, and what I like with them is you can do a connector yourself and they help you just to correct it. And actually I didn't do it; it's someone from the UK who did it. So they continue to maintain it for you after. So it's very interesting and it works pretty well, and sadly, since they use the v2 API, that's why I cannot remove it. Well, there are also some payable products. I won't make advertisement for them, but just to know.

Some figures, actually. Yes. So more than 100 parsers for 278 groups, because some have disappeared, so I don't maintain the parser anymore. 21,000 victims. And that's the point: at one point people talked about the website, and I didn't expect it that much, and every time there is a huge article, or people, an analyst, use the website, I see the traffic, and first I didn't understand; I had to check the logs to understand why. And I also needed support tools, because at the beginning it was just a form with email, and I was not able to manage all my emails. So now there is a tool just to manage the support.

So last time, as promised, thank you for the community, all the community. So some people, but also everyone who gives me information; sometimes I receive messages of people who just, oh, we just discovered this new ransom group, or sometimes just the name, a bit complicated, but sometimes they give also the website, so I can make a parser and the scraper.

So sometimes I have this question, perhaps you have it: how much does it cost? So you see the server, €22. I didn't think about it, but the .live domain is expensive, but it was the only one available at this time for ransomware, and around, yeah, 20, perhaps 40 this year because there are more victims, euros of OpenAI API calls, and, which is priceless, my time, mainly for coding and also analyzing these things. And also I discovered new things: lawyers. Quick statistic: 80% of takedown requests come from your country.

>> Thank you. So it's the last time I come. I won't be able next time.

>> From which country? My country?

>> No, no, their country. No, no, not yours. No, yours. I'm fine. And mainly from one office. I have no proof, but I think they are checking the website, and if they know some big name they just call them, because it's impossible they have all these customers. And I have one in France, but this one needs me to have a lawyer. So I receive, yes, takedown notices, which is not a big deal, I can do it, but it's when they ask money again, for, yeah, that's a problem now.

So what's next? So for BSides I decided that next is today. Yeah. And today it's three new features for BSides. First one: when I've got the domain name of the victim, I get intel from the domain name. So I get the MX record and, more, the TXT record, which is the most important. I can guess from the TXT record the SaaS applications or cloud applications they used. So you can see it. Second one, not a big one, but on hash files you can see a small icon next to it now, and you go to this page, which is a summary of VirusTotal, and if you click on it you go straight to the VirusTotal pages. And the last one, the one I prefer: now I get intel about the website, technical information. So on the website it's only the nginx and PHP version, very easy, but if you use the API you have all the information, even the cookies, the tracking they put inside; you have all the information. So I decided, and you are the first ones to know it: normally I will have a LinkedIn post published about it in one hour, but I wanted it for you.

So one minute left; no, one minute is enough. So three figures, which are facts, not funny facts. 30%: it's my estimation of the number of victims I have in my database. How do I know it? I have lots of reports from different governments around the world and I compare year by year, and it's around 30%. So basically, when you see, I think now we are around 5,000 this year, for this year, now just three times for the reality. Do you agree?

>> Yeah.

>> 7 to 10%, same, is an estimation of people who paid. Could be more, could be less, depending on groups, but it was, in light of the last LockBit leak files and chats we discovered, it's around this figure, and it's exactly the one I've got. And the last one, 8 to 12 is the percentage of victims who had login and password leaked in infostealer logs. Doesn't mean they used it as initial access, but it's huge, because I usually say we just need one. So thank you. I hope I'm in time. Yes. Thank you very much. [Applause]
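The ransom-note extraction the talk describes (pulling email addresses, Tox IDs, Session IDs and PGP keys out of published notes) as an added worked example; this is not ransomware.live's own code, the note text and every identifier in it are constructed for the example, and it also extracts v3 onion URLs, which goes slightly beyond what the talk lists.

```python
# Added example (not ransomware.live's code): extract contact identifiers
# from a ransom note so defenders can enrich a CTI record or a blocklist.
import re
from typing import Dict, List

# Constructed identifiers with the right shape, none of them real:
# Tox IDs are 76 hex characters, Session IDs are 66 hex characters
# starting with "05", v3 onion names are 56 base32 characters + ".onion".
FAKE_TOX_ID = ("0123456789ABCDEF" * 4) + "0123456789AB"          # 76 hex chars
FAKE_SESSION_ID = "05" + ("ab" * 32)                            # 66 hex chars
FAKE_ONION = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56] + ".onion"

# Constructed sample note (not a real ransom note).
SAMPLE_NOTE = f"""
  !!! Your files are encrypted !!!
  Contact us to get the decryptor:
  email: support@mail-constructed.example  (backup: help@onionmail-constructed.example)
  Tox: {FAKE_TOX_ID}
  Session: {FAKE_SESSION_ID}
  Tor chat: http://{FAKE_ONION}/chat
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: constructed-for-example

  bm90IGEgcmVhbCBrZXk=
  -----END PGP PUBLIC KEY BLOCK-----
"""

# Each pattern is applied independently; word boundaries keep a 76-char Tox
# ID from being mistaken for a 66-char Session ID and vice versa.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "onion": re.compile(r"\b[a-z2-7]{56}\.onion\b"),
    "tox_id": re.compile(r"\b[0-9A-Fa-f]{76}\b"),
    "session_id": re.compile(r"\b05[0-9A-Fa-f]{64}\b"),
    "pgp_key": re.compile(
        r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----",
        re.DOTALL,
    ),
}


def extract_iocs(note: str) -> Dict[str, List[str]]:
    """Return every identifier found in the note, grouped by type, in
    first-seen order with duplicates removed. PGP blocks are returned whole
    so they can be compared across notes from the same group."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        seen: List[str] = []
        for match in pattern.finditer(note):
            value = match.group(0)
            if value not in seen:
                seen.append(value)
        found[kind] = seen
    return found


def summarize(found: Dict[str, List[str]]) -> str:
    """One tab-separated line per identifier, handy for a report export;
    a PGP block is shortened to its armor header line."""
    lines = []
    for kind, values in found.items():
        for value in values:
            short = value.splitlines()[0] if kind == "pgp_key" else value
            lines.append(f"{kind}\t{short}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(extract_iocs(SAMPLE_NOTE)))
```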