
Great. Thank you for the introduction. Thanks for having me. As I was just browsing the darknet this morning, I saw a very disturbing thing: the BSides Galway organization was hacked by the infamous LockBit ransomware gang. They're holding our data hostage and trying to extort money from us. And the time is ticking, as you can see: a quarter of a million US dollars is the price they want for not releasing all BSides Galway data to the public.

But before we dive in, let's dial back a little bit. I hope I'm not repeating myself too much on what Rob already said to you about ransomware, but let's give a quick overview of the history. I remember the good old days when all the security researchers were really hunting for each little piece of malware, because they were so eager to dismantle and understand it and learn from it. But today the situation has shifted: the hunter has become the prey. The malware is evolving and getting more and more dangerous every day, every minute, and now we as the security researchers have become the prey.

I don't know who remembers this one. It was one of the first prominent examples of malware, the I Love You virus, which was actually a pretty interesting thing. It didn't really do much harm besides sending itself to everybody in your Outlook address book, so it spread around the world pretty quickly.

A little bit earlier, in 1989, there was actually the first ransomware, not quite ransomware as we know it, the so-called AIDS virus, which was shipped via post on a 5¼-inch floppy disk. It disguised itself as research software for the AIDS virus, and it actually shipped to lots of biology labs, which would open up the software and install it on a computer. After a few uses the computer would lock down and ask for a license fee to the company, which is actually described a little bit in the small notes that came with the floppy disk.

But the first really big appearance of ransomware was in 2017 with the WannaCry ransomware, which got a lot of public attention because of that red box you could see on many big signage displays at airports, at train stations, on your local ATMs. It really spread around the world. And as Rob said earlier, that was this end-user, end-customer game with a very small fee, $300, for unlocking the files. So that was that. What I found most interesting about that one was the history of the vulnerability. The vulnerability that was used to infect all the machines was the EternalBlue vulnerability, which was in the possession of the NSA. Some hackers broke into the NSA, stole it and sold it off, or tried to auction it off along with many other vulnerabilities on the darknet. At some point Microsoft patched the vulnerability. The hacker group, they were called Shadow Brokers, actually released EternalBlue, this one specific vulnerability, to the public to say, "Yeah, we have a really good set of vulnerabilities stolen from the NSA and it's really worth paying for so you can use it." And two months after Microsoft released the patch, the worldwide outbreak of WannaCry happened. So basically you could have installed a patch for two months and maybe prevented this. But not anymore today.

Moving forward a little bit to 2023. This is also a ransomware case, even though the data was not encrypted. It was just stolen, and the people were extorted over the publication of the data. It was on the so-called MOVEit platform. It's a data exchange service, a data exchange appliance that many big customers had in their networks. The patch came out on the 31st of May, and after some investigation it came out that already four days before that patch came out, you could see the first exploit attempts in the wild. So basically patching did not save anybody.

Last year, me and my colleagues were discussing when we were going to see more cloud usage by ransomware, and it actually got some big news coverage in January of this year. Before, ransomware gangs targeting corporations were usually encrypting and locking all the on-prem infrastructure, but now they're also moving on to cloud services, AWS, and encrypting your S3 buckets. Quick show of hands: who has S3 buckets? Who has a backup of their S3 buckets? Mhm. Good. How's it going?

This is the part where I'm probably going to do some repeats, so I'm going to skip a little bit over some things. Actually, ransomware nowadays is kind of a quadruple extortion scheme. The first extortion mechanism we've seen is the encryption: they lock up all your data, you can't work anymore. But companies have learned to have backups and restore from their backups, which is why the ransomware gangs had to adapt, because they saw the ransom payments going down: the companies were able to recover, with certain hardships, but they were able to recover. So they introduced a second scheme where they could extort people: the exfiltration of the data. This is what they're doing now, what you're always seeing on the leak sites. They steal your data and they try to extort money from you so that they won't release the data to the public. The third extortion scheme, which I have only seen as a threat, not actually in real life, is that they try to DDoS you while you're trying to recover from the ransomware attack, while you're trying to build your infrastructure back up. They try to disrupt you with DDoS attacks. Luckily I haven't seen that yet. But the fourth one is that they actually try to communicate with your customers and with other stakeholders, with law enforcement, with your competitors, and make your life hard and maybe sell your data or damage your reputation. This is something I have really seen. One time when I was working on an incident, we were sitting with the management board in the meeting room in the evening, and one by one the managers' phones were ringing. A foreign phone number was calling all the managers of the board saying, "Yeah, we hacked you, we want to talk, you haven't reached out to us, please do."

Ransomware is a business model. We've seen that before; I'm not going to go too deep on that. Ransomware as a service: you have your ransomware operators, the big groups on top. They take a cut of 20 or 30%. Most of the money stays with the affiliates, and they do the legwork on the ground. The funny thing about that is that we've actually already seen that automated. If you look at the blockchain, you can see ransom payments that reach a certain wallet which are automatically distributed in a 30/70 or similar split between the ransomware gang and the actual affiliates. Smooth business model.

This is a statistic about the median payment sizes. Most ransomware gangs are on there. You can see how frequent the ransomware payments to them are and how big they are in the mean. So you have the really big players up here with big payments, but you also have small fish with infrequent but smaller payments. It always depends on who gets hacked, what infrastructure gets hacked, and who the affiliate is.

How do they recruit affiliates? It's not just the initial access brokers that already have access to their networks. They also advertise on darknet forums. This is an example from AvosLocker, and they write articles about what you can get when you work with AvosLocker. You get support for Windows, Linux, ESXi, so that's most platforms. You get assistance in negotiations when you've hacked someone; they will help you with negotiating the ransomware payment. You get very configurable builds; you can adapt it to every situation. And you also get data storage, DDoS attacks and the aforementioned calling services. So you don't really need to bring much on your own besides a target.

Sometimes it's also very prominent if a company gets hacked. This is taken from a wallpaper that was left after a company was hacked, saying, "Oh, we stole all your files and encrypted everything, blah blah blah. How do you feel about earning a million dollars? You can work with us. Hack some more companies, give us access to the networks, and we'll share the profit with you." So that is the first thing IT guys see when they open up their computer in the morning: "Oh, my company's hacked, and they want to recruit me."

Sometimes these ransomware gangs also have rules, kind of ethical rules, for how you work with them. LockBit, as one of the biggest, really wants you to prove that you're worthy of working with them. They want you to deposit one bitcoin in their wallet as kind of a down payment for their 20% share, and that's also to weed out journalists or law enforcement, to stop them from entering the system. You have to write an application where you include certain profiles you have on hacker forums to prove that you're legit. You have to show some proof that you already have access to other networks, that you can really start working right away. And you also have to state, and this is very interesting to me, if you work with other ransomware gangs. Not because they don't allow it; it's not about exclusivity, but because they want to be better, they want to improve. So you have to report, "I'm also working with ransomware gang X because feature X is better over there," and then they can implement it and get better.

They do have, as I said, some ethical guidelines. They say you're not allowed to use our tool to attack hospitals, except when it's a private plastic surgery. You're not allowed to attack schools, except when it's major universities. As long as it's making money, it has to care for its IT security. You're not allowed to attack critical infrastructure, or at least you're not allowed to encrypt critical infrastructure; you are allowed to attack and exfiltrate from critical infrastructure. And if you're unsure whether it's critical infrastructure, you can just go and ask their help desk. They have a help desk to figure out: is this critical infrastructure, am I allowed to encrypt that? You're also not allowed to attack any post-Soviet countries, because that's where all of them come from, but now they live in the Netherlands, I don't know. And they really hold up to those rules. This is an example of a children's hospital that was hacked and encrypted by a random affiliate, and after some discussions and complaints, the operators behind LockBit said, "Oh, we apologize, sorry, this is against the rules. Here's the decryptor for your data for free. And we threw out this affiliate."

The market of ransomware is actually so big. Maybe some of you know this kind of figure, a Gartner quadrant about vision and ability to perform in your market, and they're ranking the ransomware gangs by their effectiveness and completeness of vision. And that's by far not all of the ransomware gangs.

But now let's move on to some war stories from real incidents. I've stitched some together to create kind of a storyline to take you through what happens if you catch ransomware. First, it's always the initial compromise. There are many ways: drive-by downloads, leaked credentials from stealers, VPN tunnels. The number of ways to get an initial foothold is large. Second, you have lateral movement. The attackers look around in the network; they move from one machine to the other; they move up through the Active Directory and try to get administrative credentials so they can control all the endpoints, all the servers in the network. Then you might hopefully notice that there's something going on in your network, that you have some increased traffic, because they're trying to steal data, exfiltrate data. They really look through your network shares for anything that is interesting: financial data, proprietary data, customer data, everything that is good and nice to steal and to extort you with.

Then, hopefully it doesn't come to this: it's Friday evening, you're enjoying a really nice dinner with your family, and your phone rings. Your colleague calls you and tells you, "Hey, my computer looks weird. All my files have a weird extension ending. I can't open my PowerPoints. What's going on?" If you see something like this, it's too late. Your files are encrypted. Everything is locked up, and you have big, big problems going on. You will find a ransom note saying, "Oh, we are this and that hacker gang. We hacked you. All your data is stolen. Do not call law enforcement. Do not shut down your computers. And here's a way to contact us." This can be done sometimes via email, sometimes via Tox chat, but sometimes there's also an onion link to the darknet. When you access the onion link, you might be greeted with a perfectly formatted site like this saying, "Oh, your network is compromised. The full price to decrypt is $14 million." But wait, it's only $9 million US if you pay quickly, because we want to help you resolve that quickly. There's a little bit of a discount if you pay in the first 7 days. There are even instructions on how to get the bitcoins for the payment, or the Monero if you prefer that. There's a live chat for support, and there is even a trial decryption function where you can upload some files from your network so they can prove to you that they can decrypt them.

But sometimes it's not as professional as that. Sometimes you open up a chat and they don't even know who they're talking to, or at least the first-level support doesn't know who they're talking to, and they ask you, "Hey, please introduce your company's name, so we can work with you." The next thing you ask for is proof that they actually have stolen data from you, and you ask them to send some data examples. You usually get them: you get a list of files that they have stolen, and then you can evaluate how much damage this is to your company. But sometimes there's also no proof. This was also an example from a case we were working: "Good afternoon. Yet we cannot provide. The person who has access to data does not contact for the reasons unknown to us, but it already was, I think, will appear in the nearest future. Can you send files for test decryption?" Yes. That is exactly what we thought. Basically you see it's not native English speakers, and it's lots of people. So you're actually just chatting with a first-level support engineer, and they have to wait for their backend engineer, their affiliate, to come back to give you the data.

Why does this work, or why does it happen sometimes? vx-underground, two years ago I think, asked, "Hey LockBit, why are you not publishing any recent victims right now?" and they said, "Oh, we're on holiday, we're enjoying the nice summer weather, we'll be back soon." It also happened in one of my cases, where it was said, "Make a decision faster, our team is going on vacation." My customer did not like that.

Another funny example of first-level and second-level negotiations in those structures: we were talking to first level and he didn't know what to tell us, so he asked his second-level engineer, "Bro, how to decrypt and how much?" Second level wrote a very nice instruction with the ransom payment and a test password for decryption and stuff like that. What do you think the first-level guy did? He waited two days, from the 11th to the 13th of October, left the email lying around and then just forwarded it: "I have reply. Go on." Very unprofessional.

Sometimes when you try to negotiate the prices, you always try to push them down, saying, "Oh, we only have $480,000 US at the maximum," but it does not work: "We have your financial documents, because we stole them, and we analyzed them, and we say you can afford 880. This is with our discount. If you don't pay in three days, it goes up again to over a million." That's the really crazy part about ransomware. They steal exactly the data, and they know how much you can afford. They know where your pain point for the ransom is. Sometimes you try to push the price down, but: "Your order is very little business to us. We don't care much. Just pay or leave us alone."

Sometimes it says, "Oh, it's 0.16 bitcoin," which is, what, 4,000 or 5,000 euro, and that's where we as incident responders say, "Yeah, okay, just pay the guy; we are more expensive than that." But just paying does not solve the problems, just to state that. You still have to really fix how they got in. How do you do that? After you pay, you usually get a penetration test report. It doesn't look like much of a report, but it contains a lot of info: "Yeah, there was an email containing an attachment. We were a Citrix user. BloodHound. Computers. Authorization to domain administrator. We found your backup SQLs. We used Mimikatz. We found your KeePass and your RDP servers and your antivirus servers. Please download daily updates, install Kaspersky and change all important passwords once a month." This is what you get after you pay, a little introduction on how to be better in the end. You even get an infrastructure listing, an infrastructure database that's usually more complete than the infrastructure database you have in your own company, because they know all your infrastructure and you don't. After that it goes on to, "Oh, we can use SDelete, will you accept that as proof of deletion, that we deleted all the files that we stole from you?" and then two days later you get a log file saying all the files are deleted.

How to avoid all of this? I always try to think of it as two pillars. You always have a preventative side, but you also have to have a reactive side, because you can't prevent 100% of IT security things. You can never have 100% IT security, so it's good to also know how to react. On the preventative side: even though I said patching will not always help you, exploits can be out before the patch, patching is still a good measure and you should still do it in time on every critical system as soon as you can. Endpoint or infrastructure hardening: there's lots of hardening stuff for every flavor of system out there, for Windows, for Linux. You have Microsoft security baselines, you have SELinux, AppArmor, you have CIS hardening guidelines, you have tiering models that you can build up. Harden your infrastructure as well as you can. Especially for Windows infrastructures, I really like to work with this one tool called PingCastle. It's free for individual use, and it really gives you within a minute or so a perfect overview of your Active Directory security, with a risk level and lots of measures. If you have a Windows Active Directory and you run it, you will get work for at least two months to reduce your risk.

Be prepared for cyber attacks, and please don't prepare like that. Pulling all the cables will not help anything if your data is encrypted. Have some contingency plans: how to lock down your network, how to lock down your data, who to inform, who to talk to, how to continue working if all your infrastructure goes down from one day to the next. And of course, backups. The ransomware gangs are actively looking for backups. They're trying to delete, destroy, encrypt your backups. Think about it: as an administrator of a network, with all the privileges in your network that are available, can you delete and destroy your backup? If so, the ransomware gang can do so as well. Your backup should be offsite, offline, as far away from your infrastructure as possible.

Last but not least, my kind of favorite point, which goes into both pillars, preventative and reactive: visibility. Try to get visibility into your network. Try to have a baseline. Know your network. Know your systems. Know what's going on, because it's just the tip of the iceberg that you see, and you have to see what's below the water to be able to distinguish what's good and what's bad in your network. And with that, thank you for your attention. I don't know if we're going to do questions right now, or you can find me outside in the coffee break.
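As an added example, not part of the talk and not any tool the speaker named, here is a small Python check that ties the last two points together: the "visibility with a baseline" pillar and the Friday-evening symptom of files suddenly carrying an unknown extension. It reads file-rename audit events, compares the new extension against a baseline of extensions the shares normally hold, and raises an alert when one account renames many files to the same unknown extension within a short window. The log line format, the baseline set, the threshold and window, and the sample events are all constructed assumptions for this example; a real deployment would feed it Windows file-audit events, Sysmon or an EDR file-event stream and derive the baseline from an inventory of the shares taken during normal operation.

```python
"""Toy ransomware rename-burst detector over file-audit events (example code).

Assumed log line format (constructed for this example):
    <ISO timestamp> <user> <host> RENAME <old path> -> <new path>
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import os

Event = namedtuple("Event", "ts user host old_path new_path")
Alert = namedtuple("Alert", "user host extension count first_seen last_seen")

# Assumed baseline: extensions normally present on the file shares. In practice
# this comes from an inventory of the shares during normal operation.
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}

# Constructed sample events: ordinary user renames, one odd single rename,
# and a burst by one account renaming everything to the same new extension.
SAMPLE_LOG = """\
2024-10-11T19:02:01 alice fs01 RENAME /shares/finance/q3.xlsx -> /shares/finance/q3-final.xlsx
2024-10-11T19:02:30 bob fs01 RENAME /shares/sales/deck.pptx -> /shares/sales/deck_v2.pptx
2024-10-11T19:03:10 alice fs01 RENAME /shares/finance/notes.txt -> /shares/finance/notes.bak
2024-10-11T19:10:00 svc-backup fs01 RENAME /shares/finance/q3-final.xlsx -> /shares/finance/q3-final.xlsx.lockd
2024-10-11T19:10:01 svc-backup fs01 RENAME /shares/finance/budget.xlsx -> /shares/finance/budget.xlsx.lockd
2024-10-11T19:10:01 svc-backup fs01 RENAME /shares/sales/deck_v2.pptx -> /shares/sales/deck_v2.pptx.lockd
2024-10-11T19:10:02 svc-backup fs01 RENAME /shares/sales/leads.csv -> /shares/sales/leads.csv.lockd
2024-10-11T19:10:03 svc-backup fs01 RENAME /shares/hr/contracts.pdf -> /shares/hr/contracts.pdf.lockd
2024-10-11T19:10:04 svc-backup fs01 RENAME /shares/hr/photo.jpg -> /shares/hr/photo.jpg.lockd
2024-10-11T19:10:05 svc-backup fs01 RENAME /shares/hr/org.png -> /shares/hr/org.png.lockd
2024-10-11T19:40:00 carol fs02 RENAME /shares/legal/memo.docx -> /shares/legal/memo.docx.lockd
"""


def parse_events(log_text):
    """Parse the assumed audit format into Event tuples; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        head, _, rest = line.partition(" RENAME ")
        ts_text, user, host = head.split()
        old_path, _, new_path = rest.partition(" -> ")
        events.append(Event(datetime.fromisoformat(ts_text), user, host, old_path, new_path))
    return events


def detect_rename_bursts(events, baseline=BASELINE_EXTENSIONS,
                         window=timedelta(minutes=5), threshold=5):
    """Alert when one (user, host) renames >= threshold files to the same
    non-baseline extension within any `window`-long span of time."""
    times_by_key = defaultdict(list)
    for e in events:
        new_ext = os.path.splitext(e.new_path)[1].lower()
        old_ext = os.path.splitext(e.old_path)[1].lower()
        # Only renames that introduce an extension the baseline has never seen.
        if new_ext and new_ext not in baseline and new_ext != old_ext:
            times_by_key[(e.user, e.host, new_ext)].append(e.ts)

    alerts = []
    for (user, host, ext), times in times_by_key.items():
        times.sort()
        start, best_count, best_span = 0, 0, None
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_span = count, (times[start], t)
        if best_count >= threshold:
            alerts.append(Alert(user, host, ext, best_count, best_span[0], best_span[1]))
    return sorted(alerts, key=lambda a: a.first_seen)


if __name__ == "__main__":
    for a in detect_rename_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a.user}@{a.host}: {a.count} files renamed to '{a.extension}' "
              f"between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S}")
```

On the sample data only the `svc-backup` burst fires; alice's single `.bak` rename and carol's lone `.lockd` rename stay below the threshold, which is the point of requiring a baseline plus volume rather than alerting on every unknown extension. Two caveats a practitioner would want: an intruder who overwrites files in place or keeps the original extension leaves no rename to count, so this is one signal among several, not a substitute for the file-event telemetry itself; and the threshold and window need tuning against your own baseline, since a backup or migration job can legitimately rename thousands of files.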