
ICS Ransomware and Lessons from Conti Chat Logs

BSides SATX · 2022 · 39:31 · 87 views · Published 2023-03
About this talk
Garrett Myler analyzes leaked Conti ransomware chat logs to understand targeting decisions and operational practices within the group. The talk examines which sectors are most vulnerable to ICS ransomware attacks, challenges the assumption that attackers exclusively pursue high-revenue targets, and explores how ransomware groups prioritize victims based on perceived willingness to pay rather than revenue alone.
Original YouTube description
ICS Ransomware and Lessons from Conti Chat Logs - W. Garrett Myler
2022-06-18, 10:00–10:45, Track 1 (UC Conference Rm A)

A recent report highlights the threat ransomware poses to critical infrastructure, that the manufacturing sector is the target of choice, and that the LockBit 2.0 and Conti groups account for over half of ICS ransomware attacks in 2021. However, sector-wide, the wind, food and beverage, and rail sectors appear to be more vulnerable than manufacturing. An independent analysis of recently leaked Conti chat logs provides insight into ransomware targeting and nuance in assessing cyber risk.

W. Garrett Myler is the owner of Enclave Defense and a cybersecurity consultant specializing in risk assessment and critical infrastructure. Garrett started his INFOSEC career as a U.S. Air Force cyber warfare operator and DoD contractor and has supported both offensive and defensive cyber operations from the strategic to tactical levels of effort. Part time, Garrett continues to serve as a cyber warfare trainer with the U.S. Air Force Reserve. He has a degree and some certs but would rather you ask him about his family or outdoor hobbies.
Transcript [en]

over there

All right, good morning everybody. Welcome to BSides 2022 San Antonio and the first track for Track 1, In the Clouds. Welcome to the stage the owner of Enclave Defense, Garrett Myler.

All right, thank you. As mentioned, I'm Garrett of Enclave Defense, and first I'd like to thank BSides San Antonio for providing this opportunity for us to gather together as infosec professionals, to network and learn from each other, and for me to share with you some of my research on ICS ransomware, ransomware specifically targeting industrial control systems, and the lessons that we can learn from Conti chat logs. I have spoken at a conference before, but this is my first BSides, so I won't skip the customary "about me" slide. I'm from what they call the Oregon Trail generation, but technically that's still a millennial, so I think I'm legally obligated to talk a little bit

about myself. Like probably many of you, the foundation of my career started in the military. I was active duty as an airborne crypto linguist, specifically in Special Operations, or a "dizzo" if I have any former Air Commandos in the room. That job is kind of the coolest job in the Air Force, possibly, on paper. I don't want to sound ungrateful; working with special operators was incredibly awesome, and I was honored to do training with Army Rangers and Navy SEALs and things like that, but I felt my skill to be more valuable as a cyber warrior. So since 2015 I've been

helping the DoD with their cyber warfare mission as what they call a weekend warrior and as a DoD contractor, doing both offensive and defensive cyber operations and a good variety of things, from the strategic to tactical levels of effort. Enclave Defense has been around in some form or another since 2015, but the only revenue we had that year was me selling cyber-themed t-shirts to my fellow cyber students at Keesler Air Force Base in Biloxi. But since the beginning of this year I've left DoD contracting to consult in the private sector. I'm specializing in cyber risk assessment

and project management in industrial, or in critical infrastructure. This is, in chronological order, where I try to convince you of my credibility as a speaker. I already have you guys here in the room, but it'd be a bit embarrassing if you got up and left, so here's the relevant details of my life on a PowerPoint slide, right? I personally think these things pretty much just demonstrate your ability to study, good reading comprehension and test-taking skills. I am not that interested in this portion; I don't care to talk too much about it. If you want, you know, I'm always here to mentor if anyone

wants to talk or is interested in these certs; I'm an instructor for ISA. But I'm more interested to talk about my family personally. I've got a beautiful wife and five hilarious kids and some cool hobbies, so if any of those pique your interest, feel free to talk to me later. All right, so before we get started I think it's important that we make sure we're all on the same playing field, that we all understand what I mean when I say industrial control systems. ICS networks facilitate the communication required for the control and monitoring of physical processes. So think HVAC, power generation, the refinement of

raw materials, the manufacturing of food and products, and much more. As a point of clarification, some ICS OGs commonly use the phrase operational technology, or OT, synonymously with ICS. I personally don't do that, because OT is typically juxtaposed with IT, and in my experience, calling it ICS/OT, well, with the technology convergence that has been happening over the years, every ICS network I've seen is a pretty healthy mix of both IP-enabled traditional IT, as the DoD might call it, with legacy OT systems. And unfortunately, oftentimes people who refer to their whole network as OT kind of do that to justify keeping IT guys out from messing with their stuff, because

they think they're incompetent. And the physical processes, there is a legitimate concern when you're dealing with physical processes, but I think it's not a healthy paradigm. I'm passionate about that topic, but that's not what we're talking about today. Enclave Defense has a YouTube channel where I talk more about that, if you're curious. But ICS cyber security has received more focus in the last few years because of its association with critical infrastructure and the increased risk that comes along with, oh I don't know, Russia hacking Ukraine's civilian power in the middle of the winter, or more recently people panicking after an oil pipeline gets hacked and

filling plastic grocery bags full of gas. So yeah, ICS can be fun. So let's talk about ICS ransomware. Dragos, I'm not affiliated with them, but they're a large company that specializes specifically in ICS cyber security. In March they released their annual report covering the trends and issues that they're seeing amongst their customers, and on the left there they indicate ransomware as being a leading cause for the increased risk that they're seeing in industrial sectors, and on the left there is their data on a sector breakdown of ransomware victims that they've seen, and you can

see 67 percent is manufacturing. And then separately they provided four key, like high-risk, common factors that they found and broke it down by sector, and just to help you see there, I thought it was interesting that wind, food and beverage, and rail are, or appear to be, the most vulnerable sectors based on their common findings, yet those three combined are almost like a third; like almost three times as much ransomware attacks are targeting manufacturing. So I thought that was interesting and kind of the basis for this presentation. It begs the question: oftentimes we're so focused on looking at vulnerabilities and mitigating our

vulnerabilities, because that's the one thing companies can kind of do within their control, but when it comes to racking and stacking those mitigations, prioritizing them, it begs the question: what else are ransomware attackers looking at besides vulnerability? What other factors might be weighed even more heavily than vulnerability, at least standalone? So before we get started, I feel intellectual honesty requires me to address some of these analytical caveats. We have to remember that that 67 might, at first glance, appear to be a disproportionate amount of targeting towards manufacturing, but that might not necessarily be the case. You have to consider some of

these things. This is where I feel my specialty is, catching these analytical caveats. We have to remember that the data set is just Dragos's customers, which is a smaller subset of all sectors, right? They focus on industrial sectors. And so at the top left, Palo Alto Unit 42 recently released a ransomware report covering all sectors, and so you see, while manufacturing looks so outsized when you look at industrial sectors, it's actually fifth in order according to Unit 42's data. And then also you have to consider, are Dragos's customers equally distributed across ICS sectors? It's possible that they might have

like a niche; they might enjoy a niche in the manufacturing sector. And let's say that 67 percent statistic takes on new meaning if, let's say, 70 or more of their customers come from manufacturing. Conversely, you could think, well, maybe they're finding it easier to get manufacturing customers because more of them are seeking cyber security services after experiencing a breach or compromise. So it's kind of a chicken-and-egg situation there. You have to consider regional bias. As far as I know, their customers are global. So does anyone here work in manufacturing sector IT? No? Okay, well, imagine you did, here in the U.S.

It'd be good to know if your opinion of your ransomware risk might change if you were told that, let's say, a huge chunk of Dragos's customers come from the Middle East, right? Especially when you look at Unit 42's numbers, a big chunk, like half of the overall targeting, is against U.S. companies. So your ransomware risk might actually be underrepresented if you're a U.S. manufacturer. And then there's target density; that gets even more complicated. They might have a large sector in terms of gross output, but how many companies are in that sector? Are you dealing with a few big boys, or is there a more

plentiful set of targets? So anyways, I've kind of opened up an analytical can of worms that I can't definitively solve. My wife, though, regularly reminds me of a mother's intuition. I might be dating myself, this is a young crowd, but even though I'm of a logical and analytical nature, it's a phenomenon I totally have to acknowledge. And if there's such a thing as a cyber security analyst intuition, my gut tells me that manufacturing as a sector likely is experiencing, to some degree, disproportionate targeting of ransomware attacks. And the rest of this presentation is

kind of maybe to support that theory, but I don't have the data to definitively prove it. I'm doing this in my spare time, my client isn't paying me to do this, and I can't, because I don't have access to Dragos's information. All right, so vulnerability obviously is important, but it doesn't exactly automatically or directly mean you're going to be a victim, or directly increase your risk. There's other factors. And this, Jason, I think is his first name, Christopher, is Dragos's director of cyber risk, and he's got a funny tweet that I think applies here. He says that of the things that all children

need to hear, things like "I love you" and "I forgive you" and "you can do it", one of those is "vulnerability management is just one aspect of cyber risk, which is a complex function including..." I can't read it; anyone else can read it from there? Anyways, threats and impacts, that's right, impacts and threats. So the function or equation that we often use to depict cyber risk is basically threat actors that utilize various TTPs to exploit vulnerabilities, and when that threat event is realized it has adverse impacts, and that is what makes you have cyber risk. But threat can further be broken down into

resources; I actually like "capabilities", I forgot to change it. Capabilities, which includes resources like funding and personnel, and their motivation. I know this might seem a little elementary, but I think Formula One racing, I don't know if anyone got into the Netflix series, but Formula racing provides a fun example of this equation. I know this is a room of Americans, Texans no less, but my work has me engaging with international clients, so I had to reuse this Formula One example instead of NASCAR. So any NASCAR fans, I'm sorry. But so Aston Martin is a Formula One team, and if they're assessing their risk

of losing, they are going to look at the other competitive teams as their threats, and they have to look at the weaknesses and vulnerabilities of their own drivers and cars that those teams can exploit, and the consequences of not getting on the podium and scoring any points for their team at all. But here's where it kind of gets fun, okay? Aston Martin would be wise to not only consider the capability of their competitors but their motivation, because, if you don't know, Aston Martin's like at the bottom of the pack right now in Formula One and the Red Bull team's at the top. So while arguably Red

Bull is the most capable of their threats, it would be wiser for them to focus on the similarly ranked Haas team, because they have their weaknesses and strengths, because they have more of a chance of actually beating them. So similarly we have to look at the nuance. What we're going to look at is Conti. I'm sure many of you want me to dig into the Conti chat logs, so I'll try to get through this quickly, but it's important that we understand this in order to learn from the Conti chat logs. All right, so let's look at the ransomware groups from the ICS data that Dragos provided.

Here's the breakdown of the ransomware groups and their share of responsibility targeting ICS sectors. On the right we see Unit 42's breakdown of the groups' activity in all sectors, but if you notice, I kind of caught LockBit; I'm like, why is LockBit so low? Most people aren't counting LockBit and LockBit 2.0 separately, so I kind of fixed it, I hacked it a little bit and fixed it there so it's a more apples-to-apples comparison. But as far as ICS is concerned, LockBit and Conti represent the majority of ransomware activity in ICS sectors. So wouldn't it be neat if we could get a peek behind the curtain and

learn the motives and the TTPs being used by one of these prolific ransomware groups? Well, boy howdy, are we in luck. Because in late February, if you don't know, Conti is a Russian-centered ransomware group, so in late February they posted this announcement on their onion leak site expressing their support for Russia in their aggression and war against Ukraine. Well, one of their members happens to be, I suspect, there's some debate, but I suspect it was one of their members who's a Ukrainian, and they

weren't too happy about that announcement, so they took to Twitter. I'm sorry it's so small, guys, you guys in the back; that'll teach you, next time sit closer up. But he created a Conti Leaks Twitter account for the sole purpose of leaking a treasure trove of, I think close, let's see in the next slide, I think it's like around 250,000 individual chats that somehow this person had access to, with the message, again you can't see it, it says like "F the Russian government, glory to Ukraine" or something like that. So yeah, here's kind of a

high-level summary of what the chats look like. They're broken up into two different chat services, Jabber and Rocket. As you can tell, Jabber is a much bigger chat, and then they're broken up time-wise; the Jabber chat is broken up into two separate groups. There was some infiltration and issues that they had around the end of 2020 and the beginning of 2021. So what's hilarious, those techies probably know: wait, how are we reading their chats, didn't they use encryption? No, they did not, almost entirely. I found one single message out of the 107, 108,000 messages in the

earlier Jabber group that was encrypted. They used it more frequently in the second group. And 254 members, well, I probably missed a few, there's probably more than that, but with hundreds of members, Conti's not that big, you'll see it in the slide, they're like less than 100 people. So they're not practicing, as, you know, an elite ransomware hacker group, they're not practicing very good cyber hygiene. They're not encrypting their messages, and there doesn't appear to be, like, they're kicking off old members, which might have contributed to the leaks. Okay, so I tried to do some analysis on, man, you guys are going to want to

move closer if you're interested in the receipts that I have. So I tried to do some analysis on what the difference is between the Rocket chat and Jabber, and more work is needed there, guys, because I haven't seen any reporting trying to really explain that; I found like one sentence. I thought I was getting somewhere when I found this example. Actually, of the companies mentioned, the targets mentioned in the chats, there actually isn't very much overlap between Jabber and Rocket. I found one, and it was where the company was mentioned and then a week later it was mentioned in Jabber, so I'm

like, oh cool, that says something. Well, I found a counterexample. The other example I found was the company was mentioned in Jabber and then weeks later was mentioned in Rocket chat. My theory, looking at the information, is that there's a lot more like Mimikatz commands and more credentials; it appears to me, I didn't quantify it, but it appears to me there's more credentials in Rocket. So if I was to guess, I would say that the Rocket chat and the members in there are more focused on privilege escalation and the initial lateral movement in their target networks. And so yeah, if you want,

you can download the files and help me with this analysis. Part of the reason why I'm not as prepared as I would have liked to be is because I was up till three in the morning Thursday night finding some really cool stuff that I couldn't share in this presentation; I thought I should vet it through the FBI first. So there's still more work to be done, and that's where I'm thinking it's kind of fun. I'm going to correct the record on a few things. This is some tools they use. They've got PHP framework tools you might recognize. OSINT, they do use; there is indication that they're paying for the

premium OSINT tools, and then some exploit tools. I'm not including all of them, but Cobalt Strike and supporting modules are the big ones, and Mimikatz. SignalHire, if you don't know, I believe the last two, SignalHire and Crunchbase, are probably being used to get the personal emails and phone numbers of executives to kind of put on the heat during negotiation. ZoomInfo is the one that is easiest to see in the Jabber chats; they're sharing ZoomInfo links like crazy, just to provide a profile of their targets. And then of course, it's almost embarrassing, I didn't include

this, for those who know, it's, oh, TrickBot. TrickBot is kind of their call sign; it's a banking Trojan that they use. And then the locker, of course, to encrypt and decrypt their victims' information. Here's the receipts; if you're sitting close enough you can see it talks about getting the premium, buying Shodan and SignalHire and ZoomInfo for their new OSINT department. So it's kind of a formal operation they got going. In fact, this was not really in detail, I never saw this reported anywhere else. They talk about the teams, but I thought it was interesting to look

at how much they're actually paying their guys. You can see the main team is the biggest; total, like I said, under 181 at this time, and how much they're getting paid. I broke it out on averages. If you look per person, the OSINT team is actually getting paid the most, more than the reverse engineers. That probably pisses some people in this room off, but it could be because their senior leaders maybe are taking care of some of that OSINT. But it kind of highlights how much value they put into the OSINT legwork of prioritizing their targets. Fun fact, I looked up that 1800. This is US dollars;

I'll talk a little more about linguists; I had Russian linguists confirm that this is not rubles here. 1800, which would be really horrible, 1800 rubles. 1800 average monthly comes out to about the top 15 percent of wage earners in Russia. There's some complaints amongst Conti team members that they're not getting paid enough, but that's not bad. Here's the receipts, too small to see unless you're really close, but what's the date on that? I think it's June 2021, so they could be paying their guys more now, who knows. All right, so targets. I use the word targets intentionally, not victims, because while I can see a list of a bunch

of companies, it's not easy to confirm how many of them actually experienced it. I tried reaching out to a few of them and they wouldn't return my calls. One of them, I think a high executive at one of them, probably learned that he shouldn't put his cell phone number in his out-of-office message. So yeah, I left a voicemail, didn't hear anything back. Some people are really sketchy about that; I just reference my military background and hope that they don't think I'm nefarious or something. So anyways, multiple people have reported that they are seeking victims that have a hundred million dollar annual revenue or

more. I kind of think, with my respect to Krebs and this great team here that did some good analysis on it, I think it's dangerously misleading. It provides a false sense of security to companies: "Oh, we're not even close to 100 million, so we don't have to worry about ransomware." Well, I think part of the reason why some people might have overlooked this is, like I said, as a former linguist I have some pretty good hookups with some really talented Russian linguists, and I kept on noticing "rhubarb" come up in places where I don't think they should be talking about rhubarb. And so I had my Russian linguist friends look at it, and

that Russian word, while it translates to rhubarb, it's what we would call a loan word. If you push the Google Translate, you know, listen to what it says, it sounds like "revenue". That was my best Russian accent, I guess. But so those two messages there indicate that they're actually, on paper, targeting 50 million annual revenue or more. Even more interesting is, of all the companies that are listed via ZoomInfo links, the minimum went all the way down to one million annual revenue, the top was 12 billion, the median was less than 75 million. I confirmed eight companies using their leak site, their onion leak site. I

confirmed eight companies that were both in their chat logs and, based on that leak site, were victims, and the lowest one had a publicly known annual revenue of 11 million. Okay, so you have 15 million, you think, oh, we're just a real estate office or just this or that, you know, that's not high risk. Well, Conti is the most prolific and they're willing to go after 11 million; there's other ransomware groups that will probably go after less. So, something important to keep in mind. [Music] All right, so Forescout did some great analysis that I didn't want to, you know, reinvent the wheel. They call them victims; I think

they probably just mean targets that were referenced in the chats, but you can see there the biggest chunk is actually medium, not large companies. And mind you, consider Conti is the highest grossing ransomware in 2021, both in number of victims and earnings, in what's reported. So yeah, and even small companies have a healthy representation there. Sector breakdown: services were first, then manufacturing and then retail. Shoot, I have like 10 minutes, okay. Let's look at revenue and ransoms. It's been reported, other people are reporting, that their initial ransom demand is based off of a percentage of their annual revenue, but I didn't see anyone reporting

what that percentage was, so I thought it was useful information for people who are managing their ransom, you know, trying to quantify. That's a big thing that companies do in risk assessment, they want to quantify the risk. Well, there it is: what's your annual revenue? They're going to initially demand, or at least Conti is going to initially demand, around three percent, give or take. But as that top message, if you can see, they say, well, ask for, I think it's 4 million, ask for 4 million, so that we pick up at least two. So they understand that they're willing to negotiate to about half of what their

initial demand is. That's actually a little more aggressive than average. According to Unit 42's data, they indicate the average ransom demand is 2.2 million and the average payout is about a quarter of that. So Conti's maybe a little bit more aggressive. And you see that one time someone offered like 18 Bitcoins, and they just swore up a storm; they were so insulted that they went through all that work and they're only offering 18 Bitcoin, which was like, I don't know, 30,000 at that time or something like that. No, maybe 300,000, that's probably low, huh? Anyways, all right, so now we start getting to

motivation. I thought it would be interesting to understand, though I see numbers in the chats, how do I contextualize it analytically? So I thought it'd be interesting to use gross output data as an indication of the deep-pocketed sectors, how much money is flowing through a given sector. And when you look at that, wow, actually it kind of lines up. Manufacturing is first in both, with transportation and food and beverage kind of neck and neck behind manufacturing. Maybe manufacturing is a little bit disproportionate. So you have to remember that they're not just interested in successfully deploying ransomware on a

deep-pocketed victim; they also want to secure the ransom payment, right? So that's another thing, in particular when you're working in manufacturing. You know, every hour, every dollar that production is offline, they know how much money they're losing every hour. So there's that additional pressure, where they already know how much every hour is worth, easily. And that may be, as far as ICS sectors go, on top of being deep-pocketed, an additional pressure that may be increasing the disproportionate targeting. Okay, all sectors. It gets a little bit more interesting with Unit 42 data and

the Department of Commerce data. Notice that construction is relatively not that deep-pocketed compared to other sectors, but it's number two as a ransomware target sector. So you have to consider, well, that's where maybe vulnerability is playing a bigger part; as a sector they're more vulnerable, and maybe they're more willing to do a quick and easy payout to get back to work. Conversely, if we look at the state and local government sector, they seem to be kind of under-targeted if you look alone at their, you know, revenue or output by sector. And I think the key to this is 2019. Does anyone remember, let's try to

get some audience participation, does anyone remember what happened here in Texas in 2019 relevant to ransomware? No? A coordinated ransomware attack impacting 22 Texas municipalities. I might have recognized that when I said it, but how many of them paid the ransom? Zero. Big fat whopping zero paid the ransom, well, at least that's what they reported. So that was in May of 2019, and then in August another big city got hit, bigger than the little Texas country bumpkin towns. It was Baltimore. Baltimore got hit with RobbinHood ransomware, and I was actually living in the area at

the time, and I didn't take public transit, but it really impacted their operations, and their ransom was seventy-six thousand dollars and they refused to pay. The estimated damage, I think, went into the millions. But they took a principled step. It's funny how governments seem a little bit more willing to tolerate the suck on principle. But to their credit, it appears to be working for them as a sector; ransomware victims kind of have maybe gotten the idea that state and local governments are more likely to follow FBI guidance in refusing to pay a ransom, and it's benefiting the sector.

So I'm totally sympathetic to the for-profit companies that are in the situation and they say, well, you know, it's best for our customers, it's best for our stakeholders, our investors, that we just pay the ransom. But maybe there's some innovative solutions that we can think of that would encourage companies to refuse ransoms more. I'm thinking CISA might be able to, and maybe private sector solutions too, you know, through industry collaboration, ways to incentivize companies to benefit the whole sector. Anyways, just a thought. So motivation: they obviously are financially motivated attackers; that's the phrase I reference often in my risk

assessments, financially motivated attackers. They're motivated by getting that money, but even then there's some nuance there. Like I said before, it's not just go chasing after the highest dollars; it's a function of how much might I get based on their revenue, but also how willing are they to pay. Fun fact, since I have the time: of the eight companies that I confirmed, two of them were multi-billion dollar annual revenue, and I'm protecting their identity if you haven't noticed, but one of them refused to pay. I don't know, I reached out, that was one of the companies I reached out to. I

wanted to know, and, well, I should say, based on the fact that zero, or a hundred percent, of their data was released on their leak site, I'm assessing that they refused to pay, and I kind of wanted to find out why, and how much they, I wanted to know, did maybe they reduce it to two percent, or, you know, with that high of a ransom. Anyways, so that's my presentation. Thank you again to BSides for this opportunity, and I'm able to take some questions for the next five, ten minutes if anyone has any. Yes? Is there, I think we have a microphone here, so everyone might get picked up on the recording as well.

Do you think that companies' willingness to pay and governments' lack of willingness to pay is maybe related to insurance that companies may have, that maybe governments don't have a way to purchase or haven't figured out how to purchase? It could be. I didn't dig that deep into the insurance chats, but it has been reported that they definitely were interested in who had insurance, which would just kind of make for an easier insurance payment. So yeah, that's a really good point. I don't have insight. You believe that governments aren't buying cyber insurance? I guess they aren't, right? They're like, who's gonna... I don't know, I

that's a good point. I'd be interested, do you know, do you have some insight into whether or not they are or are not buying insurance? I don't, but I know that one of the complications is, of course, like, who are we paying this money to? Who would our insurance pay this money to? A government might be held more easily accountable if they pay money to North Korean hackers, especially when you don't know who you're dealing with, and a company can kind of hide behind lawyers with insurance. I really don't know. That's some deep insight. No, I really appreciate that. I kind of agree with your initial assessment that the kind

of additional complexities of a government, I mean, I think that probably comes in line more with the federal government than state and local municipalities. But fun fact, that brings up an interesting point: there's some reference, I forget if the outlet was named, but there's reference to a journalist that was helping them kind of broker negotiations. I thought that was kind of interesting. If I was a tech journalist, I don't think I would put myself in that position. But they also said they have connections; there are also some indications that they are tied closely to the Russian government. It appeared that

they were tasked to look up, I'm not a Korea, you know, Asia was my kind of area of responsibility when I was a linguist, but to look up, I forget his name, some big target, that Putin enemy, that they were responsible for kind of getting information on. So that tie, like you said, that tie to nefarious governments, that's a good concern, definitely something to think about when paying a ransom. Any other questions? Yeah. Great talk. I have a question about one of the insights, which is that the medium-sized companies are actually one of the largest targets. Do you have any thoughts or ideas as to why

they would go after those more than the big companies? I would expect big companies to be the majority of the targets. I would suspect, okay, so one thing I forgot to mention, that that reminds me of, in the tools section, is that what was conspicuously missing from the tools that they used are initial access tools. So I agree with the assessment that it looks like they're using access brokers. So that could be at play: maybe they aren't organically generating their targets. Really, they are starting with maybe access brokers, and so maybe there are more medium-sized companies than the larger

ones that they're getting initial access to. Maybe the larger ones have the budget to kind of take care of the low-hanging-fruit type stuff. And so yeah, I suspect it's a combination of just what they have access to and the number of companies, right? You start to get that density, like I talked about; it gets more when you get to medium-sized companies. Good question, thank you. Yeah.

We'll do a line next time. How's it going? Early at the beginning you had a slide that showed Conti, LockBit, all the different ransomware groups. Are you able to talk a little bit about how that attribution is done, how easy or hard it is? It looks like you kind of got lucky getting that dump of content on Twitter. Is it usually that easy, or is it a lot harder? Good question. You know, threat activity attribution is a really sticky monster as I understand it. You're looking closely at the TTPs, but attribution with ransomware gets pretty easy because of, basically, of who's

who they're paying for the ransom. They can see what the wallets are that they want to send Bitcoin to, and the ransom note is usually distinct; they're not usually hiding. And then they've got the leak sites, right? A lot of Unit 42's, oh sorry, wrong slide, a lot of Unit 42's data, if you see, where was it, come on, on the left there, is coming from leak site data. So it's pretty easy to attribute when they say, you know, pay us, Conti. So I don't think attribution is too big of a concern here even if you

don't have the insight. I don't know if they say, like, you know, send money to the Bitcoin address or something. Yeah, yeah, the ransomware will typically give instructions, and they'll have contacts. Like I said, they kind of run as somewhat a formal operation, like, oh, let me pass you to our customer care. Oh, you've been ransomed? Well, thank you for doing business with us, let's transfer you to our customer service department, they'll handle your payment, right? So there, fortunately you can say ransomware isn't as difficult as other types of exploitation activity. Maybe one or two more questions. Thank you. One more question? Yeah, that was a good question

though. I think no more questions. Thank you guys, I really appreciate it.

Alrighty, thank you everybody. We'll be back at 11 o'clock with the next speaker.