
Let's get started then. Right, hope everyone had a good lunch, and get ready to listen to how to be a ransomware operator, or the Ransomware Tool Matrix and the Ransomware Vulnerability Matrix, the tools I've put together. But before that I'd like to thank everyone from BSides London for coming here today. I've always wanted to come and present up here, and it's a great experience to come and do it. I've presented at a few conferences and this is definitely one of my favorite annual ones I like to come to, so it's cool to be here, to come up here and be on stage. So, a little bit about me.

I'm a cyber threat intelligence analyst and threat hunter. I've also co-authored the Cybercrime Intelligence course, FOR589, with my co-authors over the last couple of years, and that's now live. I've also worked in the Equinix Threat Analysis Center. If you've not heard of Equinix, it's the world's digital infrastructure company, about 260 data centers worldwide, and I do CTI and threat hunting for them. So that's what I get up to in my day job. For today I want to talk to you all a little bit about ransomware, a little bit about what tools ransomware gangs use, the threat of templated attacks, and why we see so many ransomware attacks in general. Some of the research I've done relates to what tools are being used, what TTPs are being observed during intrusions, and finding patterns of behavior and mutual tool usage. I'm also going to break down the project that I've done, another side project I've created as well, and then how to use all of this for threat hunting and threat intelligence. So yeah, a fair bit to go through, got a bit of time, but let's start with the threat of ransomware.

I'm sure everyone is aware of ransomware and how it's a bit of a crazy thing, but a little quote that I like to use is: ransomware is the most profitable way to monetize access to any network. So let's break down what that means a little bit. If you're a cardboard box factory or you're a bank, a threat actor can still monetize your network in the same way. Whereas if you're a cardboard box factory you may not have bank accounts and all sorts of other sensitive information, PII, you do run a business and you do have machinery and operations that depend on IT systems, and if you can encrypt those then you can extort the victim and get the money. So it doesn't matter what type of organization you are, whether you're a school, a hospital or whatever, ransomware is basically going to come for you and try and encrypt you and try and extort you for Bitcoin.

So a little bit of stats on ransomware throughout 2024: 2024 is actually set to be the highest grossing year for ransomware payments, which is not great, because that means ransomware is getting worse and companies are still paying, and some companies are actually paying even bigger ransoms. This year we actually also saw the largest ransom payment publicly known to date in the entire history of cyber security, basically: one company decided to pay one ransomware group $75 million, which is a pretty tasty payout for the ransomware gangs but eye-watering for all of us defenders who've been trying to stop ransomware over the years. So things are getting worse, unfortunately. The median ransom payment has actually gone up from 2023 to 2024, mainly because the threat actors have been more successful at getting into large companies, encrypting them and extorting them. We have seen some pretty notable takedowns and shutdowns, so shout out to any NCA or FBI officers here, you've done a great job this year taking down LockBit, hat tip for Operation Cronos, probably one of the most elaborate law enforcement operations against ransomware we've ever seen, so more of that please, thank you.

Other things we've seen in 2024: we've seen ransomware targeting the ESXi hypervisor a lot, using a very, very trivial exploit around adding ESX Admins to your account as a description, and you're gaining access to hypervisors and just encrypting thousands of VMs doing that, so pretty straightforward stuff. We've also seen a lot of activity from Scattered Spider. Again, we've actually seen some arrests from those adversaries as well; we've seen four or five members, including one or two from the UK, being arrested from this group, but as you'll probably see a bit later, they've done some pretty devastating attacks on the UK. We've also seen nation-state actors launching ransomware attacks. We've seen Chinese threat actors, we've seen North Korean threat actors. The Chinese threat actors launched a devastating attack on the Indian healthcare system, which I recently learned about, over a year or two ago, and it was actually very, very devastating. If you've not read or heard about that then I highly recommend going and investigating what it looks like for almost a country's entire healthcare system to be taken down. Pretty crazy stuff. Again, not a sign of things getting better, a sign of things getting worse.

And all sorts of other TTPs: we've seen voice phishing, we've seen abuse of Microsoft built-in features like Quick Assist, we've seen vulnerabilities being exploited in the wild, zero-days, network-edge-based stuff. And we've also seen an entire data center company, which is relevant for me working at Equinix, an entire data center company from Sweden I believe, or Finland, had a lot of their customers impacted by an Akira ransomware attack. And if you work in incident response then you've probably done a lot of Akira and things this year because they've been very active as well. UK councils: everyone in this room, you're all affected by ransomware because some of your tax money is going on paying for recovery from ransomware attacks, not necessarily ransoms, but there's been so many councils hit this year. I just like to use this slide because even if you don't work for a council, it affects everyone in this room, right, because we're all part of the same system and that system is under attack, unfortunately, and we're supposed to be the cybersecurity defenders and the good guys, the white hat people, and
we're still getting attacked, we're still getting hit this way. But the UK's ransomware problem in general, the outlook is pretty glum. Travelex was a pretty notable attack that we saw in 2019, I believe that was on New Year's Eve. Kind of a funny story for me: I was traveling to Heathrow, I think I was flying somewhere, but when I got there and went to change money, all the staff and employees in Travelex were back to pen and paper, basically. I believe one of their VPNs or virtual desktop infrastructure providers was ransomed and they basically just lost access to everything, and probably a similar story for all of these other large-name companies. We've had Royal Mail hit by LockBit; I'm sure many of us in the room have seen that or maybe personally dealt with it. The British Library was actually another big one, and if you think about what the British Library is, it's all the documentation, books, archives of the UK that were encrypted, which is also not great. Southern Water, I'm sure everyone likes to drink water here, right, that was encrypted and hit by ransomware. And then Capita, which is a name you may have heard of, or if you've not heard of them you've undoubtedly had to deal with them because they do things like TV licensing and they do things like vetting for the Ministry of Defence, another not-great victim of ransomware.

So let's talk about why ransomware attacks are so prevalent, why companies of all sorts of shapes and sizes still fall victim to attacks. The answer may be a little bit upsetting, because it's not actually that difficult or sophisticated. Some attacks relatively stay the same: the threat actors get in, they move laterally, they create accounts, they escalate their privileges, they steal the data and then they lock it, they encrypt the systems with ransomware. It's not really that difficult these days, but nonetheless if they follow these steps and hit enough companies, they get encryption, they get a ransom payment, and the cycle just keeps on continuing. So two examples of a potential source of information on how these ransomware gangs and affiliates keep getting the ability to run ransomware attacks, and maybe even how new ransomware operators, aspiring cyber criminals, are coming in and able to join in: there's literally a step-by-step guide of how to launch a ransomware attack, created by ransomware operators for ransomware operators. Both of these were written in Russian and then translated, but basically they had command lines, what tools to use, opsec techniques, how to set up your infrastructure and environment, basically everything you need to be able to start your own ransomware campaign. And these things are freely available; anyone can access them. If you're a defender it is very much worth going through these and ensuring that you are protected from them at each step, because this is what hundreds, potentially thousands, of aspiring cyber criminals are going to be trying to use against you. So definitely a good idea to focus, take the lessons learned, implement changes and hopefully get these things covered off.

So, threat intelligence and threat hunting. We're all aware in this room of the ransomware problem, right, or now I've explained it to you. How can we leverage that information to then protect ourselves? How can we monitor when a new ransomware campaign happens or a new attack happens? How can we take that information and use it to secure our systems and upgrade our defenses, basically? So I'm going to talk to you a little bit about that as well. One of my favorite things is the Pyramid of Pain; I'm sure some of us are aware of this and have come across it before. But where I wanted to target improving our defenses was with a project I created that mapped all of the tools used by ransomware, every ransomware gang I could get my hands on basically, and what tools they are using. Because if we can figure out what tools they're using, we can make it really, really challenging for them to be able to launch attacks against us, right? If they can't use their preferred tool then they have to actually think on their feet, they actually have to use their brain to think about how they're going to get around defenses or how they're going to move laterally. Because a lot of the time, like I said with these manuals, they say just use this tool, just run this command, you get the results, you get the access, and they just keep going, and the attacks go really, really fast that way. But if you can block each tool at each stage then they actually have to spend some time doing a little bit of research, a little bit of development, a little bit of training somewhere, and you're slowing the attackers down. If you can make your network harder to attack than your neighbor's, then there's more of a chance that they're going to give up trying to come against you and go against an easier target, right? At the end of the day time is money for
these criminals.

I also want to talk a little bit about the different types of ransomware adversaries. There's kind of a misconception in ways, or maybe a juvenile understanding of the ransomware ecosystem, which is that you have one ransomware gang and they launch the attacks. Well, actually it's not as simple as that. It's an entire cybercrime economy, an underground economy with various different parts working together. You have the people that write the ransomware. You have the people that host the platform on which other criminals can buy access to or download the ransomware and use it. You have the criminals that can gain access to systems and then sell that access to other criminals. You have the affiliates, the ransomware affiliates, who are the ones actually doing the hands-on-keyboard typing, following the playbooks, actually doing the lateral movement, writing commands, running tools, all that kind of stuff, the workhorses of the ecosystem. And you also have another type of adversary as well, which is the state-sponsored adversary. These are a little bit different; they can come into play as initial access brokers, they can be affiliates, they can even become RaaS operators as well. But do keep in mind that we do see DPRK, Iran, all sorts of different countries getting involved with this very, very lucrative ecosystem and underground economy.

One of the main sources of threat data that I used to create this project was CISA, the US Cybersecurity and Infrastructure Security Agency's #StopRansomware reports. If you're not aware of CISA or these reports, they're a great repository compiling observations from multiple intrusions and explaining a summary of the TTPs of each individual group. "Ransomware group" I say in quotes, because at the end of the day the final payload delivered is basically what people think the group is, but most of the time it's a group of affiliates who then launch multiple intrusions, and they can deploy different binaries at the end of the intrusion. So you may have one group that used REvil who also used Conti who also used Ryuk; they're not really exclusive to which platform they're on, it's wherever the money is, whatever's easier, whatever's best. So take that into mind. But at the end of the day we have a great repository of threat reports over the last couple of years of what the ransomware gangs are doing, what tools they're using, what TTPs they have. Another great source is The DFIR Report. Again, if you've not heard of The DFIR Report, I highly, highly recommend you check them out, because they do a similar thing to what CISA does: they break it down, they do the forensics, they share the output of some of the forensics tools and things. I just want to quickly clarify, you can take as many pictures as you want, I don't mind, go for it; if anything that's good, that means my slides are helpful. But yes, The DFIR Report, another similar source, great data and great information.

So that basically brings me to my project. Where I got started was all that threat data, and I was like, where can I quickly look up what tools which ransomware gang has used? Like, maybe if I saw the first few stages of attacks and a few tools being deployed and run, which ransomware gangs have also done that? That was sort of the idea, because that resource wasn't available to me, so I just decided to create my own, as is often the case. So that led me to the Ransomware Tool Matrix, which is on GitHub, so anyone can go and browse it on your phone now if you want, or after the talk. Basically this has all the tools the ransomware gangs use and I've broken it down into different categories. So we have RMM tools, remote monitoring and management tools, we have exfiltration tools, we have defense evasion tools, all types of things that we commonly see in intrusions by ransomware gangs, and the list keeps growing. I think the last time I counted we were up to 228 tools, most notably 41 different credential theft tools and 43 different RMM tools. So these are the kinds of things where the adversaries like to change it up a little bit. But yeah, we have a lot of opportunity here: if we can stop these from being run in our environment, we're limiting the opportunities for the adversary to move laterally or gain persistence or steal credentials, that kind of stuff.

So from doing this research I actually came up with a list of most-used tools. From going through the reports, extracting which tools are being mentioned in which reports for which ransomware gang, I could then figure out, okay, let's take SoftPerfect NetScan, I could actually figure out that there's maybe 10, 15, 25 different ransomware groups that all use this tool within an intrusion. So that is like our target: if we can block this tool we're making it harder for these 10, 15, 20 ransomware groups, right? Granted, there are other scanning things, but that's sort of the premise of these
attacks, right, and if you give yourself more opportunities to detect attackers then it's more likely you're going to detect and stop them. So there's a sub-page on the project of most-used tools. This is a good place to start; if you want to use this project to increase your defenses then this is a great place to start.

Other trends and discoveries, so other things I found from doing this research: Scattered Spider is a predominantly English-speaking cybercriminal group from the US, Canada and the UK, sort of teenagers that come up and form a bit of a community which, I don't know, ironically calls itself the Com. They launch ransomware attacks where they sort of affiliate themselves with Russian-speaking ransomware gangs that host ransomware-as-a-service platforms, but they're generally English-speaking threat actors that are doing this. Some of the interesting things about Scattered Spider were that they use a really large, huge number of different RMM tools, maybe 20, 30 different tools, and one of the theories behind this was that if one is blocked then they just go to the next one, go to the next one, and if they deploy five, six, seven RMM tools maybe one gets left behind when you're doing forensics or something. I don't know what exactly the adversary is thinking here, but they do use an absolute ton of RMM tools just for persistence. That's an interesting trend I thought worth paying attention to, and if we can block all of these, then I'm sure for any other gangs, the list of tools is not actually that big generally, globally, so if you can block most of these ones then you've already got a head start. Other interesting things about Scattered Spider were the use of forensics tools that forensics companies or developers or researchers created. So Magnet RAM Capture, I'm sure some of you in the room have probably used it to actually capture the RAM of a system, right? These are actually used by incident responders, but the adversary has figured out that it's a legitimate tool and it's pretty likely that the target has not blocked this tool as well, so they can use it, they can get credentials from it, from the LSASS process or something, and it's just another way for them to get around your defenses and steal your credentials. Same with Volatility; I say no more, I'm sure everyone's pretty familiar with that one. And then other tools were MicroBurst and Pacu, which are actually cloud offensive security frameworks, one's for AWS, one's for Azure. And again, another interesting thing about this adversary is that they use those tools and we've not really seen any other ransomware gangs using those, as far as I know from what's publicly available to me, because again, at the end of the day the information I relied on was open source intelligence, right? So I don't have access to all this IR and DFIR data and things that some of you may have, but this is the best I've got and the best I can do.

Secondly we have the continuity of Conti. So Conti was one of the most prolific ransomware gangs for a very long time. They kind of evolved from Ryuk and TrickBot in 2018, 2019, and they emerged as this brand new, massive ransomware-as-a-service, or ransomware gang and cybercrime enterprise really. They had about 100 to 150 operators as part of Conti, which we learned from the Conti leaks themselves. Maybe a little bit more backstory about that: in February 2022 the ransomware gang came out with allegiance to Russia during the invasion, and a Ukrainian member of the Conti group decided to sort of rebel and leak the chat logs and messages of this group. So it was a big bonus for us as security researchers and CTI analysts and things, and we learned a lot about how Conti operates from this. Basically after that incident they shut down, and following that we saw the creation of several other groups: we saw Royal ransomware, we saw Quantum ransomware, we saw BlackSuit, Black Basta and Akira. And if we take the threat data from the observations of intrusions and we map those together, we can see that actually five of these groups are all using the same five tools. So pretty interesting how we can find the behavioral patterns there, and another layer of confidence that these new ransomware groups are kind of a rebrand or a splintering of Conti as well, right? Vice Society rebrand: Rhysida is a rebrand of Vice Society. Many of us suspected this, and you can perform sort of malware analysis and basically static string analysis of the binaries themselves and find the relations and things, but this is another example of how the operators of the ransomware, the actual hands-on-keyboard affiliates, are also doing pretty similar TTPs. Five out of the several tools that we've seen Vice Society use we've also seen Rhysida operators use, so again, a close, interesting overlap and pattern of behavior among ransomware attackers.

Another interesting trend was what we saw, remember I spoke earlier about different adversaries that gain initial access, this is interesting because we saw one threat actor using Chinese-speaking tools, and this adversary had been working with multiple different ransomware gangs. So Prophet Spider had been gaining access via exploits in internet-facing instances, so Oracle web servers and Citrix instances and things. They have been gaining access and then providing it and selling it to Russian-speaking ransomware gangs. So maybe a potential indication that this is a Chinese-speaking adversary working with Russian-speaking adversaries in the cybercrime underground. I thought that was a pretty interesting trend, potentially,
as well there.

Okay, so if you are a company who has a large IT estate, you have Windows and Active Directory and all this kind of stuff, which many large companies do, how can you increase the defenses using the Ransomware Tool Matrix? What's the inside scoop here, how can I really get the most out of this? So, example approaches. That is kind of a tricky thing actually, because at the end of the day a lot of these are legitimate tools and your company may be using these tools already, so you have to go through a kind of staged approach for this. This is the best sort of, the best path forward that I can really explain.

So we have the goal: you have this list of tools. The first step is to figure out which of these tools are in your environment, which of these tools are already installed on your endpoints and are basically the current, immediate problem for you to deal with. This requires you manually searching; this requires you having the ability to search what software is installed on endpoints, because at the end of the day not every company has EDR or something installed on their endpoints, so that's a pretty big challenge to start with as well.

The second phase is to then block the list of tools from the Ransomware Tool Matrix that are not installed. This is a pretty easy win, a pretty good win for your organization: okay, none of these tools are installed on endpoints, so if we block them there's no impact. Done. We've potentially stopped, and made our network harder for attackers to run intrusions against. So, yay, we've done that one, let's move on to the next stage.

Phase two, it's actually pretty hard to get your IT people, the users, it's actually pretty hard to convince them not to download tools that aren't in compliance with your software approval list or prohibited software lists. Developers are going to develop and IT people are going to keep the business running; they're the people we need to work with the most and keep happy. But it's pretty hard as a cybersecurity team sometimes to have that authority over an entire enterprise IT team, and sometimes you have to do a bit of back and forth, you have to compromise: okay, let's take AnyDesk, maybe this one is used across our environment even though loads and loads of ransomware gangs use it, so let's make sure that we have a backup plan, so if AnyDesk is downloaded we have a system that ensures that it's an authorized download, right? So pretty basic stuff, but working with those teams, raising awareness, highlighting the issue is probably one of the key ways to actually resolve this issue.

And then finally another pretty important stage is the removal. So like I said before, you've identified what tools are in your network, you've blocked the tools that aren't in your network, you've worked with the teams to not download additional ones, so now you can go and remove the unauthorized software inside of your network. And this is actually a really hard stage as well, because you have to have the awareness of what these tools are being used for, which is another challenge in its own right: for your company to know what every individual piece of software is being used for on every single individual endpoint. If you have a massive estate then sometimes if you remove something you'll cause a disruption, and this is probably one of the worst-case scenarios if you're a threat intelligence team or threat hunting team or a security engineering team, because then you're causing cost to the business, you're causing disruption, and anything you try and do in the future is going to have extra scrutiny. So this is a very, very important stage as well; if you do try to go ahead and use the Ransomware Tool Matrix, this is a very important stage to pay attention to.

So yeah, I've kind of gone over some of these challenges already. Maybe a key one to focus on here is access to binaries. If you don't have access to the binaries of these legitimate software tools from the Ransomware Tool Matrix, you don't really have a way to block them. So you need the hashes, you need the certificates, you need the vendor and publisher names. It's actually a much bigger problem and a more difficult challenge than you realize when you're first embarking on this, which I came across myself, and if you don't have VirusTotal Enterprise it could be even more difficult, because then you can't search and mass download these binaries and get that information really easily. So maybe there could be some sort of follow-up to this project which is providing some of these binaries, because otherwise it's all well and good trying to do this, but if you can't block them, you don't know what you're blocking, you have to do a whole load of research
to do that. So that's the Ransomware Tool Matrix.

The next one is the Ransomware Vulnerability Matrix. This is again another side project I came up with. I find if the data is not readily and easily available to me then I want to share it with everyone else, and if I don't share it with everyone else, someone's going to make a tool and try and sell it to all of you, so I thought I would actually try and do everyone a bit of a favor with this. So again, it's not really that sophisticated of a project, but it does map every single vulnerability that has been exploited by a ransomware gang. It also shows when that report was published, which ransomware gang it was, and where the source is. So, not to throw shade on CISA or other organizations that do share lists of exploited vulnerabilities, they're often lacking a lot of context, which is the gap that this project fills as well. So now if you're ever interested in a particular ransomware gang you have two projects straight away to look at: you have the Ransomware Tool Matrix to see what tools they've used in the past, and you also have the Ransomware Vulnerability Matrix to see what vulnerabilities they've exploited in the past. So this is all sort of useful situational, contextual information to help with your incident response or threat hunting or whatever it is. Another interesting trend from this is the fact that some vendors were kind of repeat offenders, right? We saw Microsoft, obviously one of the biggest software companies in the world, no surprise there, but then again we did see Fortinet, we did see some Citrix, we did see some Ivanti, and we did see some VMware exploits. So there are some repeat offenders, and if you are running these appliances or devices then you might want to focus on those, or maybe take some more drastic action.

Integrations: another interesting thing is, from creating these, "can I add it to my data set?" And I'm like, yeah, go for it. So as of right now, in ransomware.live, which is another really, really awesome website (I know the developers and authors of it), you can actually go and see the vulnerabilities tab, you can see the tools tab, and if you actually go to one of the ransomware group profiles, say, not to pick on Akira again, but if you go to Akira you can see what tools and vulnerabilities they've used, as well as all sorts of other information: who their recent victims were, how many victims they published to the leak site. You can even go and see ransomware negotiation chats, so you can see conversations between victims and the ransomware operators, and you can see things like the initial demand of a ransom and then the actual ransom amount that was paid. So all sorts of interesting stuff, a great site, free resource for everyone, right, so who doesn't love something that's free?

And yeah, get involved; I invite everyone in this room, if you have some information, if you have some useful threat data that can be included in these projects, then you're more than welcome to get involved on the GitHub repos. I have "how to contribute" pages; you can go in there and share all sorts of things, but there are some rules. The thing that makes this difficult is if you're in incident response, you want to share useful, interesting threat data that you've seen on intrusions, however you can't always really cite where the information came from, and it can't be independently verified. So I know there's some great incident responders in this room, but if you can't tell me where the information came from then we can't really include it, because it's kind of hearsay at the end of the day, unfortunately, but that's just the nature of the project that I've done.

In general, to summarize, the main takeaways here: ransomware gangs reuse the same tools. We can exploit this fact; this is actually good for us, because they don't spend time doing research and development, they just go for whatever's easiest, they just launch loads and loads of attacks, they just want to scale up operations. And if you are an organized cybercrime gang you can take someone who has pretty limited technical knowledge and you can just throw these in front of them, throw them in a terminal or an environment, and they can just start running ransomware attacks, basically, as simple as that, unfortunately for us as defenders. And again, a lot of these tools are malicious, but they're also used legitimately by IT teams. We can block the ones not in our environment, but we have to be careful about removing stuff because we don't want to cause disruption, right? And at the end of the day these tools are downloaded by the adversary, so there's an ingress point into your network, and that always gives us a sort of defender's advantage in that regard as well, right? So we can detect them. Other than that, that's pretty much my talk, thanks very
much. Okay, so I'll stick around, not sure how long we've got, but I'll stick around if there's any questions. I think the staff can help with microphones as well, so any questions about the ransomware tool matrix?
If not, going once... if not... oh, you have a question down here. Yeah? ...I was wondering about
you... yeah, how they're doing that? Yeah, yeah, great question. So the question was about how the ransomware gangs are getting all these millions of dollars and how they launder the payments. So ransomware gangs, a lot of them aren't that sophisticated with it. A lot of them are based in countries that are untouchable to the US, from US extradition or UK extradition or whatever, so they don't actually really have to take too many precautions. A lot of them do something, and we're talking a bit more like blockchain analytics and investigations and things, so a lot of them will do things like peel chaining. So if you take that company that
paid a $70 million ransom: moving $7 million around, it's pretty easy to spot where that money is going, but if you can split that into different amounts, tiny amounts, maybe chipping off 10,000, 5,000 every time you move it, it becomes increasingly, exponentially harder to track where all those payments are going. And then they can chain hop: they can take it from Bitcoin to Ethereum, take it from Bitcoin to Monero, they can invest in all sorts of traditional money laundering operations as well. So there's a whole... I could write an entire talk on how ransomware gangs launder their funds, but
there's many different ways they do it, really. If you want to learn more, FOR589 is the best answer there. Any other questions? Yeah, one down here. Yes?
So, sharing IOCs from ransomware attacks for this one? I think it's a good question. I think that would require a ton of storage and data and processing. I'm not one of the authors of this website, so maybe it's an idea I can share with them, but I do recommend various other sites: abuse.ch, those guys are really, really good; I recommend OTX AlienVault as well, another one; you can find this stuff on various other sites. The ransomware.live website is good because there's a lot of stuff you can't easily get from other places. There are a few other sites that
scrape leak sites and scrape forums and things and make posts there, but I really like ransomware.live because it's all the information in one go about any particular group. Great, any other questions? No? Oh, one back there. Is there a microphone? Yeah, yeah. ...question I have... speak
loudly. Yeah, yeah.
Yes, I get the question, yeah. So if the threat actors use some sort of packers or crypters and things on these legitimate tools, it makes things harder. Well, that's where it really comes into performing behavioral analysis of these tools as well. So some of the defenses, as well as blocking the tools that you know by certificate or by publisher or by hash, it's also good to build detections on how these legitimate tools operate as well. So maybe some tools, when they're downloaded, they may download them from the same sites; the sort of command line flags required to run that
tool are going to look the same. There's all sorts of different detection mechanisms that we have; we can write Sigma rules based on the behaviors of these legitimate tools as well. But it's a good... not every organization has access to that telemetry. Maybe if you're only using antivirus some of these things may go through, who knows. It is a massive challenge overall, because of legitimate tools, at the end of the day.
Yeah? Yes... already exist... yeah... is to
Yeah, I mean it's an interesting situation you get where, if you're not blocking tools that are prohibited already, or you prohibit something but those tools are still installed on endpoints. You know what it's like with enterprise IT and hundreds and thousands of endpoints: some things get missed, they don't get removed, or sometimes the enforcement policy is just not there, it's just not strong enough. You may have a list of prohibited software, tell users not to use it, but they still download and use it. It's just kind of a weak enforcement of the policy, but that is the kind of thing that leads to
that's also the precursor of a ransomware attack: someone downloads an RMM tool, and even though it was on your prohibited software list they were still able to download it, and then basically that was where they go from there with the intrusion. So at the end of the day it comes down to policy enforcement, really, and if you don't have the tools and mechanisms to detect and block then you're going to end up a victim of a ransomware attack using these tools. Yes, at the end of the day, yes, if you have an RMM tool which you have to use for your operations but
ransomware gangs use it, then at the end of the day you can't block that tool because it's being used, so therefore you have to build detections around, you know, common... maybe you set a specific location to download that tool, and if it's downloaded from another location then block it and refer them back to the legitimate way to download it. You're welcome. Great, any other questions? If not, I'll let you go.
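The two controls discussed in the last answers (an approved download location for a sanctioned RMM tool, plus a prohibited-software list) as an added worked example; this is my code, not the speaker's and not part of the ransomware tool matrix project, and the tool names, approved host and telemetry events are constructed placeholders:

```python
"""Constructed example: behavioral checks for RMM tooling (not from the talk).

  1. a sanctioned RMM installer fetched from anything but its approved host
  2. a prohibited RMM binary appearing at all (download or process start)
Tool names, hosts and events below are placeholders invented for the example.
"""
from urllib.parse import urlparse

APPROVED_RMM = {"sanctioned_rmm.exe": "downloads.corp.example"}  # tool -> only approved host
PROHIBITED_RMM = {"unsanctioned_rmm.exe", "other_rmm_agent.exe"}  # banned outright

# Constructed telemetry: "download" events carry a url, "process" events an image path.
SAMPLE_EVENTS = [
    {"type": "download", "host": "ws01", "file": "sanctioned_rmm.exe",
     "url": "https://downloads.corp.example/rmm/sanctioned_rmm.exe"},
    {"type": "download", "host": "ws02", "file": "sanctioned_rmm.exe",
     "url": "https://cdn.vendor-mirror.example/sanctioned_rmm.exe"},
    {"type": "download", "host": "ws04", "file": "notepad_setup.exe",
     "url": "https://cdn.vendor-mirror.example/notepad_setup.exe"},
    {"type": "process", "host": "ws03", "cmdline": "unsanctioned_rmm.exe /S",
     "image": r"C:\Users\carol\Downloads\unsanctioned_rmm.exe"},
    {"type": "process", "host": "ws01", "cmdline": "sanctioned_rmm.exe",
     "image": r"C:\Program Files\SanctionedRMM\sanctioned_rmm.exe"},
]

def file_name(event):
    """Binary name the policy keys on, taken from either event type."""
    if event["type"] == "download":
        return event["file"].lower()
    return event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return an alert label for one event, or None if policy allows it."""
    name = file_name(event)
    if name in PROHIBITED_RMM:
        return "prohibited_rmm_" + event["type"]
    if event["type"] == "download" and name in APPROVED_RMM:
        host = (urlparse(event["url"]).hostname or "").lower()
        if host != APPROVED_RMM[name]:
            return "rmm_from_unapproved_source"
    return None

def detect(events):
    """Run both checks; return (host, binary, label) for every event that fires."""
    return [(ev["host"], file_name(ev), classify(ev)) for ev in events if classify(ev)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

A sanctioned tool fetched from its approved host and run from its install directory produces no alert; the mirror download and the prohibited binary in a user's Downloads folder both fire.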