
Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels

BSides Amsterdam · 2025 · 34:18 · Published 2026-01
About this talk
Security researcher Vangelis Stykas demonstrates offensive techniques against ransomware gang command-and-control infrastructure, including web panel infiltration, API exploitation, and data exfiltration methods. Through live case studies of major ransomware groups, the talk illustrates how weaknesses in the gangs' own operational security can be leveraged to disrupt criminal operations, gather threat intelligence, and identify threat actors.
Original YouTube description
Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels, by Vangelis Stykas. Ransomware groups have become notably proficient at wreaking havoc across various sectors, but we can turn the tables. A less explored avenue in the fight against these digital adversaries lies in the proactive offense against their web panels. In this presentation, I will delve into the strategies and methodologies for infiltrating and commandeering the web panels used by ransomware groups to manage their malicious operations, or the APIs used during their initial exfiltration of data. I will demonstrate how to leverage these vulnerabilities to gain unauthorized access to the ransomware groups' web panels. This access not only disrupts their operations but also opens a window to gather intelligence and potentially identify the operators behind those APTs. Let's explore the frontiers of cyber offense, targeting the very command and control (C2) centers ransomware groups rely on, turning the tables in our ongoing battle against cyber threats; it's our turn to wreak havoc. bsides-ams-2025.sessionize.com/session/997766
Transcript [en]

He never believes that anyone comes and sees me, like, watches me talk. So that's that. Welcome to my talk: Deep Strike Behind Enemy Lines, Disrupting Ransomware, blah blah. We're going to [ __ ] some [ __ ] today, so viewer discretion is advised. I'm what my friend there would call a BSides veteran. This was one of the very few European BSides that I have never talked at. So back when they started I was like, yeah, I'm getting Amsterdam, and I still have Copenhagen and I'm full. So minus one, I guess. I'm well known for saying [ __ ] a lot, shit a lot, and other bad words in Greek. So if you are easily offended, please raise your hand. Nobody raise your hand. I would tell you to [ __ ] off if you raised it. So, good.

So, that's me. My name is Vangelis Stykas. That was me 25 kilograms ago. I'm the CTO at a penetration testing firm called Atropos and an agentic AI security solution named Kumio. We are specialized in renewable energy and APIs. That's a really strange duo to be specialized in, I know, but that's me. So if you don't understand, I don't either. My research interest is based on APIs, IoT, C2, ransomware groups, and I'm blah blah blah blah. I'm the ultimate uninvited admin for malware panels. That's my title.

The year before last I did a talk about malware, and it was really easy to get into their C2s. So I wanted a bigger challenge, sorry, and wanted to go after ransomware panels. Could it be any harder? Those three [ __ ] in there, drop them a follow. Also drop me a follow, but I'm not that interesting. So, Sulfur is Curi, and Charles Mishara. We have a Signal group where we usually challenge each other. All three of them are DEF CON speakers and Black Hat speakers. They're crazy smart people. I'm not; I'm the dumb one in that group. And they read that, they read that from Marcus, which says CTI is also a wild industry. Usually it was heavily regulated, from a near-total monopoly, and everything is classified. While in CTI there is some dude named Brad who got really baked one night and YOLO'd his way into the major APT's backend server. So two things in here. One, I'm not Brad, I'm Vangelis. And two, I really like whiskey, but I'm not taking any other drugs. So that's the story of me getting into some APT backends. I thought that the malware was easy. So I had a 50% success rate: out of 36 C2 panels, I was able to get into 18. On ransomware, it was damn difficult. I made it into three and a half out of 140.

That's what ransomware is. If you don't know what ransomware is, come after. I'm not going to read the whole text in here. It's like, they're bad people that try to encrypt your computer, blah blah blah. [ __ ] them.

>> Quick intro to them. They are malware distribution and infection, command and control (we're going to take a good look at it), discovery and lateral movement, data extraction, data encryption, extortion, resolution. The next couple of slides are going to sound like I really like them. I want to make super clear that I [ __ ] hate them, but they're good at what they're doing. So, the fastest growing type of cyber crime: their payout hit 1.1 billion in 2023, 1.3 billion in 2024. We still don't know about 2025, but we expect them to degrade. They're a highly professional industry. It seems that the boundaries have fallen off after the whole hotel/hospital going-rogue industry, and WannaCry opened the can of worms.

A really quick view into how the gangs work. They're highly hierarchical, and I mean really highly. They have a clear structure. They have a tech part; that tech part we're going to look at afterwards. They have ransom negotiation and customer support. They have money launderers, who were arrested lately; there were a lot of money launderers arrested this summer. And their collaboration and partnerships, because, I don't know, capitalism I guess. The tech part: they have malware developers; they have exploitation, which is possibly zero-day or n-day developers; they have data theft and leaks; they have a lot of operational security; and they have infrastructure and hosting. And believe me, they have a lot of infrastructure and a crazy amount of hosting, because this is a true story. They have gotten into a lot of companies that had terabytes of data, and the very first couple of times that a gang rises and hacks, they don't have enough storage to store what they steal. So they end up [ __ ] up their own selves. So they invest heavily in infrastructure and hosting.

This is how they used to be. Right now it's only RaaS. They used to be lone wolves; those are long gone for the past five years. Some of them are initial access brokers. This means that they only get access and then they sell it to someone else. They have all-in-one ransomware groups; we're going to see some of them later. And ransomware as a service, because, as I said, capitalism. You're going to see a lot of corrupted capitalism in the following slides. How does that corrupted capitalism work? Flat monthly fee: they didn't understand capitalism at all; this is not RaaS. Affiliate programs with a monthly percent of the profits. One-time license: I think only one was that, but they're no longer around. Pure profit sharing, payments made to the RaaS. The most well known were done; all of them are done. We have new kids on the block.

Now this is my only chance of trying to use a drawing in security. This is how ransomware works. Can you tell me who the hacker is? Anyone? No. Come on, guys. It's that guy. He has a hoodie. If you have a hoodie, you are a hacker. If you have a red hoodie, you're a bad hacker. Okay. Come on. Seven years and you forgot everything.

How they're extorting. They're establishing communication with victims anyway: Telegram, Signal, Tox Messenger. They lay out their terms and they extort victims in multiple ways. The first way is, we're going to ransom your own data. The second way is, we're going to release your data. The third way is, we're going to use the knowledge from the data to do the doxxing. And for the past couple of years we are seeing them communicating with customers and shareholders and stakeholders and even government, saying, oh, that company was hacked, so we're going to communicate with the government and tell on you, so pay us. They're [ __ ] 19-year-olds.

So what we are going to do in this talk: identify C2 and data leak sites, try to find vulnerabilities, identify the people behind them, try to disrupt panels and threat actors. And three really, really basic things: do not disturb any active LE investigations, don't be a malakas, and don't get vanned. Those three terms are the only things that my wife told me. Don't get arrested. Don't get vanned. And don't be a malakas. If you don't know what a malakas is, come after; I'm going to explain it to you. That's what getting vanned means. I don't want to get into one of those things at any point in my life. So I was joking that, oh, you're going to get vanned. You're going to get [ __ ].

And at some point, one nice Wednesday, you wake up and you get that email: "Government-backed attackers may be trying to steal your password." So yeah, I have been mocking and poking people that I shouldn't. And there are people who are using zero-days, zero-days that have cost, I don't know, a million, to access my computers. Is there a camera here? Where is the camera? So if anyone wants to burn their zero-days on me, I'm going to give you access for half the price. I'm just going to delete my kids' photos. That's it. Again, they also went after my iPhone: "State-sponsored attackers may be targeting your iPhone." This is my iPhone. If someone wants access to it, don't burn a million. I'm going to give it to you for half the price. They tried at least. Like, I don't think that anyone has access to my data, but if they do, good. They're gonna see a lot of teenagers playing football or playing their cello. Good for them. I hope they die.

How do I identify C2 panels? One, two, three really, really good sites, projects that are identifying ransomware, and lots, and I mean lots, of doom scrolling and monitoring CTI companies for new posts. Because they do have a really short lifetime. Unfortunately they have a really short lifetime, so once you know that the C2s are around, you're going to have a really small time window in which you're able to attack them. Data leak sites are really looked after, because they're behind Tor and .onion. So you have to jump a couple more hoops.

What we're going to do: ignore malware distribution and reversing. I'm dumb, I cannot reverse things. I'm a web guy. Run the malware in a sandbox. Extract all URLs. Use data leak URLs found via CTI. So we're going to be highly opportunistic and use what we can get from the easy ways out. And we're going to use what I like calling the Toyota Corolla of penetration testing, also known as web application penetration testing. So that's what we are going to do. No fancy [ __ ]: dirsearch. I'm old, I don't like ffuf. Burp Suite, Tor Expert Bundle, Tor Browser, Tor, the trifecta of accessing anything via Tor. Coffee, and several droplets on DigitalOcean. Do you remember that? They're for obscuring my infrastructure. Shodan.io and Censys, so that we can find anything without Tor. And did I mention coffee? Because I had a lot of coffee during that research. Black-box web app testing, use any acquired information for furthering my attacks, interact with the data leak and chat websites, intentionally infect a sandbox to get a ticket. So I don't know how many of you are familiar with ransomware; if you're not, lucky you. If you are, when you are infected, you're getting a ticket, a password, an ID. I just wanted that ID so that I could interact with the [ __ ] thing.

dirsearch and ffuf returned pretty minimal stuff. Only 15 URLs gave something interesting back. So I had to move to manually checking everything. Five of them were WordPress, because they're bored. A couple of them were leaking IP addresses. Some of them were cheeky. One of them told me to [ __ ] off. One of them told me, "Fuck you, Migga." And one said, "Just business, nothing personal." We're going to see that later. Also, that slide had me arrested on Blackademia. So, let's go into the [ __ ] ransomware land and see what we can have.

Mallox. Oh, you're also going to see a lot of names, because it seems that the CTI community likes naming things that already have names. So I'm going to go with what I found as the first name. You can name it however you want. So it's also known as TargetCompany, Fargo, whatever. Their first appearance was June 2021. Targets mostly Windows machines. It exploits MSSQL by brute-forcing accounts, and it says they have hundreds of victims. Here are the victims. Here is their Tor site back in 2023. And here's where you get the tickets: "Enter your private key." They name it private key; I'm going to name it ticket, because I'm old. So in here, can you see the screen, or should I go? Okay. "We communicate only in English." Nice, I also know English. Hello. Hello. Can anyone tell me, do you see anything interesting in that website? So, Apache server-status exposed, leaking URLs and the server IP address, leaking tokens to check other people's messages. So by going into Apache server-status, we could see some tokens. So we could see other people going around. But hello, can you see a reply there? It's what we old people in forum land called a "quote". Can you see in here? That's the POST request that it was doing. Can anyone guess what went wrong?

>> Who?
>> Ah, it wasn't that easy, unfortunately. So, it has a reply ID. That reply ID has a number. So, insecure direct object reference: the reply ID parameter was an incremental ID. And by that I mean I just wrote a for loop to get all the messages. I got all the messages, and those are some really interesting ones. So there's a guy named Boss, because, I don't know, he has some issues. "I work according to my own schedule, blah blah blah blah. I'm really important. I have a well-maintained business. Okay, that is in no way going to be deserved by any [ __ ] that could not secure their machines." Irony: he couldn't secure his machine either. "Their price is final, non-negotiable. You should pay or data will be released. I was on special K" (I don't know what that is, but it sounds illegal) "for a couple of days. So [ __ ] off and do the work I'm paying you to do." He's not a good boss. Panda, guy, Boss: "the budget for this client". So they're negotiating; he has some employees that are negotiating with him. "Do you agree? They don't need much data." "Boss is not in a good mood today. Let's be careful." First of all, [ __ ] you, Boss, whoever you are. And I also found: here's the decryptor for one company, here's the decryptor for another company. I got them. I communicated with those companies. So we saved two companies, I guess.

Second thing that I'm trying to use a drawing for: this is the Boss, Panda, Jessica. Mallox is male. Those are the five people that interact with that company. Unfortunately, when the guy woke up from special K or whatever, the chat was disabled: "message was not delivered". I was too verbose, bro, and just got internal knowledge of the team, got some decryptors. Once the admin got up, it got fixed. So I think that was mediocre at best. I could have found a better way of maintaining things, but I got, you know, super interested and [ __ ] everything up. But yeah, I think that was not a really bad interaction.

Second, BlackCat/ALPHV, sorry for the Greek. Also known as Noberus and ALPHV. First appearance was in 2021. It's ransomware as a service, Rust-based malware and server-side C2. They had a triple extortion scheme. They're using a Rust loader, which was researched by Bitdefender Labs. They were targeting Mac only. It's developed in Rust because they're secure, I guess. That C2 was used on all of the BlackCat malware. So that guy, I'm gonna try to pronounce his name, Andrei Lapusneanu, found the new macOS backdoor written in Rust, shows possible link, blah blah blah. What we care about is those C&C URLs. We just have four URLs, and we have a really short lifetime that those URLs are going to be around, because once something is released about them, they just change IPs and names. I checked all those C2 URLs. One of them was online but was returning just a 404. I added it to the loop of continued scanning. Two days later, it downloaded documentation. So I need to explain. I have a really complex... no, I have a Python script that runs dirsearch on a lot of [ __ ], puts them in a DB, and constantly scans. So I could name it however you want, but that's just me. So two days after, it downloaded the documentation, and that documentation had a lot of [ __ ]: clients, bots, client bot ID, tasks. So it had all the C2 configuration and how it worked and how it could go. Unfortunately, when I tried accessing them, it was not available. I had to automate the check and put it in the loop again and wait, and by wait I mean wait for a lot of time. And at some point, finally, I extracted 1977 commands in two minutes in a 4-hour window. You can see what it had in there, kind of. So it's uploaded files. It had the result. It had clear text of everything. And when you see "zip -r environment.zip", this was not xxx; this was a company name's environments. So they were zipping AWS environment files, and those were root environment files.

I had to switch to a mode that I never like, which is notify mode. I identified four companies. All of them were cryptocurrency related. Two of them were unicorns and are still unicorns. I notified; they acknowledged the issue. None of them was ransomed. So I kind of did good work in there. I got all the info for them and understood their lateral movement. I stopped the whole campaign that was targeting crypto companies. Four companies were not ransomed, and I do believe that they got a really great financial hit. And after that: "Under increasing federal scrutiny, BlackCat ransomware gang pulls exit scam on its way out." So they scammed people, and I think I played a role in there. And if you saw, two weeks ago some people were arrested; I think they're related to that BlackCat issue. So all in all, not bad. Right after that, so that was up until my Black Hat 2024 talk, I had a lot of phishing attempts. They targeted me. They targeted my wife. They targeted my partners. They targeted my colleagues. They targeted my sons, which is pretty low for them. They targeted email, Instagram, and Twitter of all of us. So all in all, [ __ ] them. I'm happy that they're arrested. They can all die.

Next one. Everest, active since late 2020. High-profile targets. Pivoted to initial access broker, then re-pivoted, because capitalism. Graded as highly sophisticated by multiple researchers. That's a highly sophisticated web page. Do you know what this is? Can anyone guess what this highly sophisticated web page is? No? No one?
>> Squarespace.
No, that's behind Tor. They're highly sophisticated. So,
>> Do we all know what this is?
>> Nice. So I did what every hacker does. I wore a black hoodie. I went and ran WPScan: 42 vulnerabilities identified. They had a really outdated version, but unfortunately I'm not that skillful, so I wasn't able to exploit any of those vulnerabilities. I could only find that PHP error reporting was on, it was a Windows machine, because who uses Linux nowadays, and they have VertrigoServ hosting. They also had, you know, I could read their files, file listing, and they have phpMyAdmin. Then I went and did what every super hacker would do and wrote "VertrigoServ default MySQL password". MySQL default user is root and the password is vertrigo. In addition, SQL, blah blah blah. I tried it and I failed. But then, as I already told you, I have two sons. One son is a musical something prodigy; the other one is weird like me, so he likes going around and reading my tabs, because I have, as all of us, a hundred open tabs. And at some point he says, who the [ __ ] names his product "vertrigo" and not "vertigo"? I'm like, what the [ __ ] are you talking about? It's not vertigo. It's vertrigo. So I should have copy-pasted and not typed "vertigo". It was "vertrigo". And so, yep, I was the admin. I'm the admin in WordPress, and by WordPress I mean I just reset the password and got in. Then I uploaded a shell. Their shell was admin. So I had their IP address and I had all their data, because who am I? Administrator. As you can see, they're not English-speaking people. They're Russian. And their biggest crime, can anyone guess what their biggest crime is?
>> Dude, you're making half a billion in three years. Pay for [ __ ] WinRAR, for [ __ ] sake. So, what did I do? Database export, username extraction, remote command execution on the server, got hold of their onion secret keys, so they have to change their onion if they don't want me to monitor their [ __ ], lots of logs to analyze, a couple of hundred gigabytes.

That's Black Hat 2024. So afterwards they changed the IP address; they did not change the login. Again, same thing. Then they changed everything. They forgot to remove my web shell. So they changed everything again, but I also had another web shell. And then, Martin, back this March, because a lot of people said, like, "Oh, you didn't prove that you had access. You're just saying [ __ ]," I did it live in Prague, at BSides Prague, in my talk: "Someone hacked ransomware gang Everest's leak site." So if you remember the XOXO from Prague, that was me hacking Everest live from BSides Prague, because I'm bored and a bad person.

Dark Angels emerged in May 2022.

High-profile targets. Babuk-based, Linux ESXi focused, received the record 75 million ransom. I really love that guy Raan; he always finds [ __ ] that I can look at. So he found the actual IP address. It's still live if you want to take a bite. App secret, MySQL password, etc., etc. .env file exposure, internal URLs exposed, some error logs exposed, found some messages but it wasn't really fruitful. That was fast. I could have done some more, but yeah.

And we are getting to the end of the talk, and we're also getting into things that are really interesting and really don't have a real answer, the correct answer. I don't like correct things; black and white, gray and [ __ ]. So, do any of you kind of see the issues that we have with that research? No one? No? It's [ __ ] illegal, mate.
>> So, like, it's the definition of hacking back.
>> And I'm really lucky to live in a country that is not actively pursuing hacking back. And in order to pursue me, usually the person who was hacked needs to sue me. But if I was doing this in here, which I never would, I would end up in jail. So it's one of those strange situations where you are not exactly bad, but you are doing bad things. So, as the closing keynote in this conference is going to say, we need to not be criminals. We need to save our kids from becoming me.

Conclusion. At BSides London 2022, I went after spyware. At DEF CON 31, I went after stealers and botnets. And in this talk, I went after ransomware. This is four out of the five horsemen from vx-underground. I want to say that I won against all of them, but I did not. I can say that I looked all five horsemen in the eyes and never looked back. So I think I won, but even if I didn't win, I didn't lose at least. So that's a win in my book. Thank you guys. And we do have some time for any questions, if...
>> Yeah. Any questions? Happy to take them. I'll run around.
>> So, thank you very much for the presentation. There are some great insights there. Why do you think these so-called sophisticated attackers like making these websites that are really easy to hack, and they just never improve?
>> Because they don't really care. So usually for the C2s, they really think that they're online only for the attack window. So that's half a day to a day. So you have to be extra quick. And for the WordPress, I think they don't really understand what the [ __ ] they're doing. They do care about getting the easy money in and nothing else.
>> Thank you.
>> Thank you. Anyone else, guys? Oh, that lady here.
>> Hi. Absolutely loved your talk. I wanted to ask, what do you think of the cartelization of different ransomware groups going together, like Crimson Wave and the Scattered Spider, Lapsus$, and ShinyHunters groups coming together to kind of infiltrate different groups together?
>> Okay. I can answer it in a single word: it's capitalism. Again, I also love capitalism, I'm just saying that. But it's one of those things where they will unionize. They will become one so that they can maximize the profits by minimizing their costs. So again, capitalism. So they will try to ease their way into anything. Okay, anyone else, guys? Folks, thank you again.
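The reply-ID enumeration the speaker describes against the Mallox chat panel (an incremental reply ID with no ownership check, walked with a for loop) is the textbook insecure direct object reference. The block below is an added example and is neither the speaker's code nor any panel's real implementation: it models the panel as a constructed in-memory handler with the ownership check missing, the same handler with the check added, runs the incremental-ID loop against both, and, for the defensive side, applies a simple sweep-detection heuristic to constructed access-log lines. Ticket names, reply texts, the log format and the function names are all made up for the example.

```python
"""IDOR on an incremental reply ID: vulnerable handler, hardened handler,
the enumeration loop, and a log heuristic that spots the sweep.

Added example; the panel, tickets, messages and log lines are constructed
in memory and nothing here contacts a real site.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Reply:
    reply_id: int   # incremental primary key: the IDOR vector
    ticket: str     # the victim "private key" / ticket that owns the chat
    text: str


# Constructed sample data: chats for three victims on one panel.
REPLIES: Dict[int, Reply] = {
    1: Reply(1, "ticket-A", "hello, we communicate only in English"),
    2: Reply(2, "ticket-B", "price is final, non-negotiable"),
    3: Reply(3, "ticket-C", "here is the decryptor for your company"),
    4: Reply(4, "ticket-A", "boss is not in a good mood today"),
}

Handler = Callable[[str, int], Optional[Reply]]


def vulnerable_get_reply(session_ticket: str, reply_id: int) -> Optional[Reply]:
    """Looks the reply up by ID only; the caller's ticket is never consulted."""
    return REPLIES.get(reply_id)


def hardened_get_reply(session_ticket: str, reply_id: int) -> Optional[Reply]:
    """Same lookup, but the row must belong to the caller's ticket.

    Missing rows and foreign rows both return None, so the caller cannot
    use the response to learn which IDs exist."""
    reply = REPLIES.get(reply_id)
    if reply is None or reply.ticket != session_ticket:
        return None
    return reply


def enumerate_replies(handler: Handler, session_ticket: str, max_id: int) -> List[Reply]:
    """The for loop from the talk: walk the ID space with one session and
    keep whatever the server hands back."""
    found: List[Reply] = []
    for reply_id in range(1, max_id + 1):
        reply = handler(session_ticket, reply_id)
        if reply is not None:
            found.append(reply)
    return found


# Defensive side. Constructed access-log format: "<ticket> <reply_id> <status>".
SAMPLE_LOG: List[str] = [
    "ticket-A 1 200", "ticket-A 2 200", "ticket-A 3 200",
    "ticket-A 4 200", "ticket-A 5 404", "ticket-A 6 404",   # sweep
    "ticket-B 2 200",                                        # normal use
    "ticket-C 3 200", "ticket-C 7 200", "ticket-C 9 200",   # scattered, not a run
]


def detect_sweep(log_lines: List[str], threshold: int = 3) -> List[str]:
    """Flag tickets that requested `threshold` or more reply IDs forming one
    consecutive run (1,2,3,...). Status codes are deliberately ignored: a
    sweep produces 404s for gaps, and an IDOR-vulnerable panel returns 200
    for foreign rows anyway."""
    seen: Dict[str, set] = {}
    for line in log_lines:
        ticket, reply_id, _status = line.split()
        seen.setdefault(ticket, set()).add(int(reply_id))
    flagged: List[str] = []
    for ticket, ids in sorted(seen.items()):
        run = sorted(ids)
        if len(run) >= threshold and run[-1] - run[0] + 1 == len(run):
            flagged.append(ticket)
    return flagged


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_reply), ("hardened", hardened_get_reply)):
        got = enumerate_replies(handler, "ticket-A", 10)
        print(name, [r.reply_id for r in got])
    print("sweeping tickets:", detect_sweep(SAMPLE_LOG))
```

With the vulnerable handler, a single ticket walks every chat on the panel, which is exactly how the decryptors and the Boss conversation in the talk fell out; with the ownership check, the same loop yields only that ticket's own two replies and no information about the others. The log heuristic is intentionally crude (a consecutive run from one session), and a real deployment would also rate-limit per ticket and hand out non-sequential reply identifiers so that the ID space cannot be walked in the first place.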