
All right, thanks everyone, thanks for showing up, and let's get started here. I'm Tony Ruchi, and here's a little bit of background on me; maybe some of you have heard me talk before. I'm a retired counterintelligence special agent, and I kind of grew up in the intelligence community running computer crimes investigations for a good part of my career. I retired in 2004 and went out to work at Oak Ridge National Lab, and in 2011 we were recruited to go out to Reno, Nevada, to build some data centers out there. After we stood them up I stepped away and began starting some companies in the commercial space out there. Well, I found very quickly that a lot of folks are focused on keeping the lights on, on the day-to-day operations, and one of the things they used to ask me about all the time is, "Hey, can you come out and give us a look, kind of walk down our stack and give us a security look, another set of eyes?" So that really stood up a couple of sectors of business for me, and as a result I transitioned a lot of that military training in the government space into the commercial sector. Especially these days, with ransomware and data breaches kind of running off the charts, it's one of those things that's not going away. While a lot of people have been out of work, many of us in the infosec community, and especially on the incident responder side of it, have been busier than ever.

So let's get right into it and take a look. Everybody has their media sources and the news they look at these days, and when people think about security education and awareness, they start talking about email, really focusing on your email, and watching the links in your email and your embedded email. But one of the things that has been transitioning for a while is where you read your news: you're either reading it online or on your portable or mobile devices. In a lot of cases we're reading it online and watching web-based news, and how easy is it to manipulate that traffic, especially if somebody's in close proximity to you to do a man-in-the-middle attack, manipulate that traffic, and put something there in the headline that's attractive to you? I know you're going to click on it if it's something that's relevant to you. Everybody has their own media of choice for social media; some people like to watch videos; you're watching your news through very specific apps. If you've got children in school, you might have an app that's provided by the school and the staff. In a lot of cases everybody's ordering from online services these days, so you're waiting for that next package coming in from Amazon. It's pretty simple to create that link and put it in a message to you, and there's a good chance you're going to click it, and if that mobile device happens to be connected to your domain, then it's game over in a lot of cases. It's just like clicking that email link within those environments.

In this day and age we equate ransomware to the coronavirus in your network. You have to ask yourself a few questions. Is your network really ready for a ransomware attack? I guess the real question is, can you recover your network from a ransomware attack, especially if you're the defender yourself? One of the challenges is being able to defend that and recover it. The first two questions I always ask when I get called out on an incident are: do you have in-house, onboard IT staff, or are they outsourced? And what does your recovery strategy look like? Do you have a recovery plan, and are you able to recover? In a lot of cases they don't really know if they can recover because they've never exercised it, so we ask them, have you ever exercised your cyber incident response plan? That's when you get the sucking of teeth in a lot of cases. Either the answer is going to be no, or, "Yeah, we're kind of building in that direction, but we really haven't gotten there yet; we're working on that." Well, it's too late when you're still working on that, and the reality is that in a lot of cases they don't even know what the hell it is. That's the day you know you're probably going to be negotiating with somebody down the road if they've been compromised with ransomware. So that's one of those moments; there's the aha moment early on.

Now, one of the things to consider is the type of ransomware that's compromised the network as well, because there are a few families of ransomware that I've dealt with. Just since Thanksgiving I've dealt with about six or seven cases specifically, and on three occasions Phobos ransomware, which comes out of the Dharma family. It's one of those unique varieties of ransomware that has a nasty habit, well, a favorable habit for us, of failing midstream. It doesn't do full encryption, and it doesn't continuously overwrite the data that is deleted, so as it encrypts the top layer of the files, you can in a lot of cases go in and do a forensic recovery, if you've recovered overwritten or deleted data in the past and tried to recover that data from the raw drive. I'll talk about that a bit. I'm going to mix two different cases; I know in the bio there I said I was going to talk about a specific case, but I'm going to talk about two of them. One was with regards to Phobos, and then another one here that is pretty unique in and of itself that we'll talk about. That's something to always consider, and we'll talk about recovery in just a little bit.

For those attackers out there, some are much more disciplined and have their attack teams, and they do this as a business. Ransomware as a service is out there. Ransomware-as-a-service heads-up dashboards and command and control centers can be purchased for about four hundred dollars; anybody can go out there on the dark net and purchase Philadelphia. If you're familiar with any kind of sales management or CMS dashboards, it's very Salesforce-like: you can track who your victims are, you can build your attack platforms, you can attack specific types of systems, you can keep track of them globally, where they are, and it gives you a lot of heads-up information. One of the things with regards to Philadelphia and a few others that I think is pretty interesting is the Give Mercy button there, if you look down at the bottom at about seven o'clock. So if somebody gives a good enough story to the attacker, they're going to be able to just hit that button and give you your decryption keys back, or send you to a link where you can download those keys. So it's kind of feature-rich, you might say. Jokeroo is another C2 here that has been in the news and has been used quite a bit lately. It just has a few more features than Philadelphia, but it's straightforward navigation; you can just walk right down it, and it's very intuitive. You don't have to have a lot of skill or training in it. That's the scary thing, because a lot of these folks who are hitting companies, especially on the small to medium scale, don't have a lot of training, and so if they screw something up in your network, or if you piss them off, or they get pissed off themselves just out of pure anxiety, they walk away and you're not getting your data back, if you've got no way to recover yourself. So it's extremely important to manage the conversation, and we'll talk about that in pretty good detail in just a second. There are a few more shots of Jokeroo to look at: here's the victims list; it gives you a nice heads-up display of your victims themselves. And then, hey, there's my reporting page, so I can see who has what and how I want to report that activity out, maybe because I've got to report to my seniors, because I'm just a field agent out there and I need to keep on task; I'm tier one. And then here's your attack builder if you want to go ahead and build a campaign. It's just like if you have KnowBe4 or PhishMe or whatever those other campaign builders are; it's the same type of thing. You build your campaigns of attack against your targets.

So you have to think about your victim management and the do's and don'ts there. When I get called out for an incident response and somebody calls up, usually the first conversation is extreme; they're in extreme peril, and this is the worst day in a company's life in a lot of cases, because they've invested so much in keeping their business operating or making it successful, and now all of a sudden they've just watched everything go sideways overnight. They come in after a long weekend or a long holiday, and that's usually when those calls come in: over Thanksgiving, Christmas, New Year's, the Fourth of July, or whatever that long holiday might be. That's when these things seem to happen. But remember that whenever you're negotiating with an attacker, or in any of the conversations, you're acting on behalf of your clients, so you can't have a holier-than-thou type of attitude. You need to make sure that, if the client doesn't already have a Bitcoin account, you may already have one if you're an infosec professional, and you may be willing to offer up the account to do the transaction. But in some cases it's a liability and they don't want that; they want to keep it and maintain it within their own sector, so they've got to build the account themselves. That's something very important, and we'll talk about the account itself, because you don't just stand up a Bitcoin account overnight. You don't just stand up an account tonight, throw money in it this afternoon, and then expect to transact fifty thousand dollars tomorrow. It doesn't work that way in most cases. In some cases you're going to get these ransom notes that say you have 48 hours to respond and act and move money, and that's an indicator for you of whether or not you're dealing with a mature organization or some script kiddie out there who may have just downloaded and spent his allowance on a $400 piece of software. I'll let you look through that; we're going to walk through each one of these here, but it's important that you pay attention to these, and I'm going to have this whole slide deck available to you at the end as well; I'll drop it in my instance there.

No matter what happens with the engagement, one of the questions the client always asks is, "All right, so if I pay this, we're definitely getting our keys back, right?" And the answer is, maybe, maybe not. These days, in most of the cases that I've worked, it's a high probability, upwards of the mid-90s percent, that you're getting the credentials or the decryption keys back in whatever form that is. In this day and age it's almost like they have a Yelp rating in the underworld that they've got to keep up, because when you do your research and find out who it is that may be attacking you, you kind of know whether or not you're going to get them back by the time you pull that trigger. But we'll talk about that as we roll along here.

Getting back to the Bitcoin account setup: a few folks have already asked, when setting up a Bitcoin account, am I setting up an individual account or a business account, and does it make a difference? It does, because the way you set it up allows you to move money quicker, and you have forms of identity that you can provide to validate yourself. The pure essence of cryptocurrency is anonymity in a lot of cases, but in these types of incidents you're not going to have that level of anonymity if you need to set it up quickly, because you need to provide some form of federal ID or something like that in a lot of cases, depending on which service you decide to set up an account with. So those are all things to take into consideration, and I've got a little Bitcoin 101 that I'm going to add to the deck at the end of it, along with these right here as well. You pick your exchange of choice; Coinbase is an example there. One of the things you can do is attach a credit card to the account, and you can move money almost immediately, but you can only move a little bit of money at a time, and you have to build the trust with them; you can level up, if you will. I'll show that on the next slide, but it's important to point out. If you do bank transfers, yes, I can move a whole lot of money with a bank transfer, fifty thousand dollars, I can move that tonight, but that money is going to sit there. Just like if I moved fifty thousand dollars into a bank account, I really can't touch it for five, six, seven, eight, nine days, depending on where that is. And wouldn't you know it, as soon as you start a talk like this, that's when the phone rings; it's either the phone or the dogs in most cases. So those are things you need to take time to research and help educate them on as well, because the leveling up is extremely important. In a lot of cases you're dealing with, maybe they've been hit with a two-Bitcoin ransom or something like that, and you can negotiate those things down, but in some cases you're dealing with a million dollars, and that might be extremely challenging in a lot of cases. So those are things to take into consideration, and you can see that by the time you level up into level three, which may take a bit of time... So you can encourage them to use your account, or use another organization's account that already has one, if you've got a pre-existing relationship with them already. If that's something they're concerned about, have that conversation now and say, "Hey, you might want to go ahead and set up an account and just move some money back and forth," and then begin establishing the bona fides with that exchange. That way, if the time does come, because it's quite possible that their time is going to come, it all boils down to how fast they can move it to be able to respond and keep those numbers down. I guess the big takeaway there is at the end; we've already reinforced that a few times.

So here's the example of the Phobos splash screen. It's in the info.txt file that's dropped usually in the C drive or somewhere in the root, and it's dropped in a bunch of different places on a machine once it's been compromised. Walking through that tells you a lot, because in most cases you're going to see this just as a copy-and-paste template, and they'll just change the header information, their primary and secondary email, and the reference ID. It's their reference ID, and then a dash, and then usually a four- to six-digit reference ID, and that's you as the victim; that's what you put in all the headers of the emails back to them. So it gives you a little bit of instruction there, and here's your proof-of-life opportunity. They're already telling you, "Hey, we want to show you that we can decrypt your data." It's important to make sure you leverage that and take advantage of it. When the time comes that you have that conversation with them, you want to go ahead and send them a couple of mundane files that have been encrypted first, and have them prove to you that they can decrypt those files and return them to you. Then there's an important statement here about how to obtain the Bitcoins. This is where you can really determine the maturity of the organization in a lot of cases, and you can tell whether or not they're seasoned and know what they're doing. The verbiage in here is very straightforward and standard; they won't try to rush you, and they won't try to throw any idle threats in here. But this is one of those blocks where some of them will throw in that you've only got 48 hours to stand up a Bitcoin account and the money needs to be there, or "we're going to start doubling it every 24 hours after that, no delays," and they'll try to throw all the anxiety and stress on you. That's what really flips people out, but that's also an indicator that somebody really doesn't know what they're doing, because they don't realize, and take time to sit back and think. The other indicator is secondary communications. While you've got a couple of email accounts up there that you can use and leverage, you also have a Jabber client in here, and I'll show you another communications client in the other splash screen in a second. That is more useful than the email, because with email you're dealing with time zones and things like that all the time, and you're not going to get a whole lot of sleep while you're doing this, because you have to operate on their time zones in most cases to maximize your communication. You don't want to let communications lag, and you don't want to let them go to sleep, because they're dealing with lots of victims at a time and you don't want them to put you at the bottom of their priority stack once you finally do get your act together and are ready to transact funds on behalf of a client. The last one there, I think it's kind of cute: they're giving you a little heads-up, a little security awareness, on how not to further damage your files. One of the interesting things is that in a lot of cases you're able to take those files off of a hard drive and drop them onto a virtual space and still recover them, so it's kind of a moot point, but it is pretty interesting.

Now here's a BitPaymer splash screen, and it's a little bit different, because when you hit the screen and it pops up, it shows you exactly what you are going to owe them. Coming back to Phobos, you'll notice in there that you don't know how much you owe them yet; the clock really won't start ticking for you until you reach out to one of those email addresses up top and you tell them, "Hey, I got this on my computer and it said to reach out to you. How much do I owe you, or what do I need to do?" You kind of play it dumb, and we'll talk about that in the back-and-forth in the messaging. But BitPaymer is one where it shows you exactly how much they're demanding right up front. It gives you their wallet information, it shows you your reference ID, and you put that in an email to them. You go out to their wallet, and you can verify that that wallet is active and they're just waiting for you to drop money in there. In this instance they're asking for 10 Bitcoin, and "here's my contact email, so you can also email me, or you can use that chat in the very bottom right corner on that first half of the pane." That proves to be probably the most effective form of communication that you'll use. Emails are great, but the online chat is extremely useful in these cases, especially when you get an idea of the time differential: are they four hours, six hours ahead of you? When do they usually answer the first time, and when's the last time you hear from them? You can start putting that association matrix together as to where they might be regionally, and then you can pull a lot of it out of their vernacular as well.

For me, I like to keep a lot of screens heads-up on my machine when I'm having any kind of conversation, even if I'm just having a conversation with them, because I want to make sure my VPN's not down. Using an encrypted browser is a good idea, obviously, and it just creates another layer of protection for you, because here I'm using my machine; I might be at home, or I might be on the client site, in my hotel, or wherever that might be, but I don't want to give away any kind of detail about me or any of those machines if I don't have to. And keeping up with the blockchain: I like to look at their wallet as well to see if they're also receiving transactions elsewhere. Are they getting a whole lot of money running in there? All of a sudden they're only looking for a few Bitcoins from me, but I'm watching 150 Bitcoins transact through this wallet a day; these folks don't need my money, but how bad does the client need their data back, and those types of things. Or are they asking me for one Bitcoin and I don't watch any money transact? There are two reasons why: either they stood that wallet up today, and you can verify when it was stood up, and if they're smart they're only using one wallet per victim and they spin up another wallet for each one of their victims, but they might be dealing with 20 or 30 victims at any given time. So again, it all depends, and every one of them seems to be a little bit different. Then I have a working browser in there where I can do some heads-up research without having to jump screens and things like that.

So when you send that email back out to them in response to that Phobos message, you get that first response back, and it tells you, "Hey, I encrypted all your files; you need to pay 1.8 Bitcoins." In this instance here, this was just a couple of months ago, where that was about twelve thousand dollars at the time at the current exchange rate; twelve thousand sixty-three dollars, I think it was. And then it gives you all the instructions all the way down the line. At the very bottom you can see the email that I sent to them; it was very straightforward, very professional. Remember, it's a business transaction; it's business to them. You don't need to play games, you don't want to use a lot of slang and street slang and things like that and try to use leet speak, because that's not who you're dealing with in most cases. You want to do some research in the background. You've got somebody on your team, either yourself or somebody else, who's skilled in forensics; you want to be able to start pulling some data off of there, looking at indicators of compromise, and see what you're dealing with, and make sure that you actually do have a specific family or variety of ransomware as opposed to having a false indicator or somebody just playing games with you who has messed around with your machine and then dropped an index file in there like that, which has happened in the past and really scares the hell out of people. So you're looking, and it's very clear when you drop them into places like VirusTotal, or you can go to any.run and drop one of those executables or even the binary into a Windows machine and watch that thing spin up and watch what happens. It's a great demonstration platform, and you can do this if you don't have your own capabilities in your own environment, or if you're anxious about spinning up a virtual machine and watching it blow up yourself; you can do that right there online and drop it into an environment like that. So it's a great resource to have bookmarked.

Coming back to that business transaction, that was my email back to them. You spin up either FireMail, Proton, whatever, any kind of burner account that you can use for that instance. I'm one of them, for the sake of that discussion. Remember, the first conversation you have with that client is going to be, "There's absolutely no way that I'm paying a ransom on here, so we've got to do everything that we can do." Well, when you start running down that whole chain of events with them, and you say, "Look, do you have any way of being able to recover that data? Do you have any backups locally? Do you have them in the cloud? Is there any possible way?" and you've exhausted all those resources, then you start having that math conversation with the C-suite of how much it would cost you to reconstitute and rebuild all of the critical data that you lost, because you don't need everything, you just need the critical nuggets. How much would it cost you? And if that number is more than what that ransom is, then you start having to have that next conversation: well, it might be logistically and economically better for you to maybe pay that, take your chances, and recover that data. Then we scrub it, we carve it off, and then we blow up all your instances of your active environment that was compromised, and you need to replace drives or machines if they're completely dead in the water, and that type of thing. So you have those conversations.

But it takes you back to this point here. Okay, you've gone through that entire exercise, yes, it is necessary for us to go ahead and do that, we received that response back from them, and now the clock starts ticking. When you're dealing with something like Phobos, where you've now learned the details and how much it's going to cost, then you go back to them: is this something you can deal with? It's almost like going to a flea market; you can almost always ask for half at a minimum, and in most cases, as long as you're keeping that conversation alive. I like to play the poor-country-boy type of conversation with a lot of them; you'll see some of my conversations in here: "We're just a poor rural school, we're just trying to look out for the kids," and that type of thing. So as you get down to the conversation here, you say, "Well, all right, we're thinking about it; I've talked to the leadership." In the meantime, you want to keep that conversation alive. Now the clock is ticking with them, so this is the time that you want to go ahead and throw them some files. You send them some files that don't have any kind of critical data in them; you don't want to send them your password list, "so now I can get into all my systems because the IT guy is AWOL." But you want to send them those files, and then they're going to send them back to you. In most cases they send you a link, and I like this one here, because this was a pretty interesting password that they chose. They believe in strong passwords. We always kid around when we find some botnets out there or something like that: they don't even protect the botnets themselves, and they've got a default password in their infrastructure a lot of times. But when they choose a password like that, maybe they thought we were just the poor bumpkin company at the time, but I don't think that's the case; you'll see in a moment.

Yeah, so it comes back to don't play games with them. Here's one instance where I'm just telling them we're a small management company. This is where they were asking for 1.8 Bitcoin, which is twelve thousand dollars, and they did have a rule with their board members that the general manager could not spend anything more than five thousand dollars without calling together a board meeting for them to vote on it. So rather than having to call up an emergency board meeting to go through that whole thing, it's like, hey, let's go ahead and just put that back to them and offer it up and see what they say. And when we did that, they did say, "Yeah, you know what, we'll take fifty-five hundred dollars; that's the least amount that we can take." And then you start going off from there, and you can see I tried playing the whole poor-us, "look at our small handful of employees here, we're a small development, they rely on us to be up and operating," and kind of played the old "come on, do it for the kids," and I even threw COVID in there. But we still ended up... Now, on the other side, this is one where I may have taken a little bit of a heavy hand with them, saying, "Hey, it's unfortunate, you've mistaken us for a large corporation," which maybe wasn't the right way to go. Well, it clearly wasn't the right way to go. "Thank you, we're a rural school," and they did hit a school district; it was a pretty big school district, and you can see the rest of it; I won't read it to you verbatim, but I tried playing it down: "Hey, we're just real small; we just want to make sure we focus on the kids in this rural town." Their response back was an email with an attachment that had the financials from the previous year, letting them know, "Look, I was in your system; I know how much your budget is; I know how much your expenditures were, and it's just a drop in the bucket for what I'm asking you here." We did end up negotiating it down; they asked for 10 and they agreed on three.

I went back to them after we got that message back and said, "Hey, can we please discuss it?" This is where we're in that chat window, and you catch them online and just keep it going back and forth with them. He said, "Hey, you said to reach out to you to discuss the price," and I still kind of played that we're still small, and he was just very matter-of-fact: "So what's your offer? I don't care about all the sob story; what's your offer?" This is where I stalled for a little bit more time with them and said, "Hey, I can't make a legitimate offer without going to the board." He said, "So discuss it, and then do it." Well, we were rolling into the Fourth of July weekend at that time, so he said, "All right, you've got until Monday." So we did buy a little bit more time in that instance. One of the things that's important is to keep that conversation alive, so every day I sent them at least two messages just to let them know, "Hey, just to let you know, we're still working it, and I'm waiting on the board, and hopefully they're going to be able to find everybody and pull them all together and we're going to get a decision even sooner than we had expected." So I kept that going, and finally I told him, "Hey, I've been granted approval to offer you one Bitcoin," and still trying to beg and plead. You have to swallow your pride in a lot of cases, because here I am, a grown man, trying to beg and plead for mercy, and you feel like, geez, I'm just cowering down to him in a lot of cases. But remember, you're doing this on behalf of an entire community or whoever that client is at the time. You can see the response back and forth in there. One of the things I asked, and it's not captured on this, is, "Can you take a smaller amount right now and give us the encryption keys for just a few of the machines, because it's really important we get payroll and the whole nine yards, and then when we can get the rest of the money, we can pay out the rest of it, and then you can give us another key to give us the rest of the data?" That's where he was explaining that it's one key that decrypts everything, so it's a one-and-done kind of deal. So you can see how that went.

Then it's important not to make promises you can't keep. You can't say, "Yep, okay, Monday I'm going to move this money, and it's definitely going to happen on that day." It's, "I'm going to try; we're going to attempt it." I always use the kind of soft messaging, the passive voice: this is my first time; "Hey, we don't do this very often; we don't have a Bitcoin account; I didn't even know what Bitcoin was before this all happened." And we finally got the money in the account, but it was being delayed because it was a new account that was stood up. So I asked them, just to try to keep the conversation alive, "Is this common?" Yeah, so this is coming back to the other case, where "we'll do our best to move that money," just keeping it passive, but at the same time it's not me doing this; it's us as a collective team, because I'm representing a large organization. It's not just me; they didn't just hit a single person, and that way they understand that they're not just dealing with one person and that I don't have decision-making authority. So I always try to put it in that "we" versus "I": you hit me, you put me in this predicament, it's us, that "we" type of thing. So you get to the point where you've been watching your heads-up display and you finally transact that money. It drops into their account, you watch their wallet transact the funds, and then it populates with whatever the volume was. This is a response that you get with BitPaymer, which is pretty interesting and comical from an investigator's perspective, because at the end of the day they're trying to help you protect your network further down the road. They try to tell you that they don't intend to come back or something like that, but they give you a little security awareness, and they also teach you how to run the tool itself. The interesting piece, at the very end, I've highlighted it there: they point you to Jim Shaver's Mimikatz blog post back in 2016, "Defending Against Mimikatz," and so when you click on that you
end up jumping to Jim's page there which is pretty interesting many of us have read it uh over the years but you know they're kind of giving you a an exit security awareness briefing hey Knuckleheads here's how I here's how I did it in a lot of cases you know we find that that phobos's attack Vector is through 33 89 with open RDP and that's where you know it's extremely important to stress to the folks you know hey look this is this is how we we see that they got in and it's important to be able to capture you know a lot of that uh perimeter information like the logs and all that traffic like that because one
of the questions that the board members or any of the investors or any of the c-sues are going to ask was this an inside job or if somebody hit us from the outside how did they get in what happened and they want to know the full forensic uh story of what happened and did anything exfiltrate my perimeter and and that's you know where you can or you can't answer the question depending on what available information you have because the last act that an attacker is going to do before they exfiltrate your system is they're going to delete any logs and they're going to pick up all their crumbs that they can on the way out and so they delete a lot of those
logs and in a lot of cases because you're encrypted and your your full disk encryption now in a lot of cases you don't have the ability to recover that um so it's hit and miss and especially if they you know are hit you at your Edge and you didn't have a uh an independent firewall in a lot of cases a lot of these small medium-sized businesses is not the case you know I had a server and it had some firewall logging my printer's got firewall on it so I was probably okay right um You can see where they're standing so it's extremely important to be able to to pull that forensics uh information for them to be able to do that analysis
to say you can't say to your investors that nothing left our perimeter so that transitions you know to the type of conversation when they go public and it's extremely important for them to be transparent uh with regards to what's happened and the last thing they want to do is lie um intentionally you know withholding some of that information because we all know that first report is always wrong um and it's just you know what's that second report gonna hold is it going to be 180 degrees on that story this is this is just kind of [Music] Tony's joy and all this well as a hunter and as an investigator I like to know where this money is going and I try to chase
that money as long as I can um after the transactions have been has been made and that's part of why I keep that wallet up because you can chase the trail to a certain degree and you can see in this instance here um where our wallet makes the payment to the attacker and then the attacker starts breaking that up right away and he starts carving that money up and he's breaking into the you know 2.24 then 0.75 and then each of those start running down their trails and they're either paying out or they're washing it a little bit of both but they'll start you know kind of uh laundering or blending that money so that it's
obfuscated a little bit deeper in case Secret Service or anybody else is uh trying to track them hard but in most cases they're paying out anybody that's on their team and that's usually that's smaller bucket on there where they're they're paying people out and then you can chase those Trails down as far as you go and then you finally lose track of them so it's difficult at best and there's a lot of folks who just you know when you when you lock onto a wallet they want you to throw it in the wallet and they'll do all that in the background you can't eat up your time you know hunting and chasing that down the road but uh here's kind of a blow up
if you couldn't see it very well on your screen of that larger transaction and that larger slice um as they were beginning to blow it out um so once you've got your money transacted and you've got the keys now then you start depending on the type of uh decryption tools that you uh uh ransomware that you have you begin decrypting it your conversation with the attacker in a lot of cases isn't over you have to maintain comms with them because in some instances you receive a file you download it and you execute it on the encrypted files or the machine and you're done you're done conversation uh with conversation with them in the case of Phobos that's not the case you end up
having to run and I'll kind of walk you through you run the tool um on the respective drive and you just you know scroll to the drive and you're either looking at a a directory or you're just doing a full disk itself and drop it in here and you're scanning it and then what it does is it drops a hash back to you well let me back up here and you email that hash back to the attacker and then they send you another hash for the decryption and you pick that hash up at their drop site and then once you receive that hash you drop it back into the tool and then you decrypt that specific instance in that
machine every machine has its own unique signature that you have to do so if you've got an entire instance in a company that's got 100 machines you're doing this transaction with Phobos 100 times so that's why it's important to segment out Hey where's my critical data is it just my my financial servers and my core server do I need to hit all of my end user machines you know do I have the ability to do that do I care so you really have to have those conversations because that can really be time consuming because once you let that conversation die for you know a half a day or a day they're gone and they're not coming back they've already got
their money there's no priority for them to to you know make sure that you're taking care of of cleaning house and speaking of cleaning house you know once you've gone into that server and you pull off of that you know or that uh machine that's got that critical data it's interesting a lot of times to see what is left there and which artifacts are are left behind and what value add or gifts they gave you and you can see in this instance here there's a a variant of uh of a Bitcoin miner that's you know left in there even after all of the ransomware is removed through the decrypter so it leaves a bit there and
that's why we always have that conversation with well I've decrypted it I I'm back to operations thanks a lot guys go away it's not that you now you've got to go ahead and and scrub that pertinent data off and then you're starting over with fresh drives uh in some instances it's time to to refresh your Hardware as well because that was Legacy Hardware anyway it's that time to go ahead if you're going to go through that effort let's just go ahead and and uh uh you know build out new instances or let's just you know migrate you uh to the cloud or whatever that might be depending on your deployment but you know it's important to reach in there
and and uh clean that up and blow up those machines if they've got a little bit of a disciplined uh capability in there um a talk like this wouldn't be valuable unless you know kind of what do we see in the Horizon you know ransomware is going to continue to grow it's not going away anytime soon you know regardless of what you heard back in 2018 when they said hey 2019 it's going to start fading away that you had that little downturn it's almost like the Corona right it's it's going to downturn and then it's probably going to come back up for a lot of folks in some areas because they're getting out uh ahead of themselves well
you know we're already seeing uh a lot of the the fileless attacks out there where you're not clicking on a PDF that's sent to you an email it's happening with those apps that I talk to you up front and about and then you're also seeing instances where uh some of the teams are saying look you know if you play games and you refuse to pay then we're gonna dump your data out there in the public domain and so doxing your victims is extremely important for the the the the victims on out there to understand when they ask that question you know well did they exfiltrate anything it's highly likely that they have exfiltrated that data from your
network already because they wouldn't be able to dox you uh if that's not the case so um and it's going to get bigger and bigger they're they're already targeting you know large financial institutions and and hospitals especially in these critical times it's pathetic to see those types of things but I've dealt with three cases alone uh just over the the period that we've been you know quasi quarantined and uh that's not always the case uh when you're you're doing something like this but the fact of the matter is it's going to get worse before it gets better and you know you're already seeing instances you know even prior to the uh the new year of
people dumping uh people's creds and and uh and access to their machines as well as uh their uh internals out there I think last week there was a there was an instance where an Israeli uh group dumped a bunch of folks whoa is that me oh is that your end of speech timer no that was that was mine yeah that was that was mine nowhere I put my little heads up to myself over here so let it run over trying to be respectful of uh rush hour I know everybody's got to drive home to the refrigerator yeah yeah pretty much I already made my way there so uh I'll I'll leave you with this you
know if there's you know there's always those lists of here are the top things you need to be doing really we're all doing MFA we all should be thinking about it if you're not but the reality is if there's one thing that a company needs to invest their money in is a three two one resilient backup recovery strategy and and practice practice practice give the confidence to the it teams even when they've got an effective solution in place if they haven't practiced it there's an extreme amount of anxiety when they push that button the first time and if you've been there you can speak to it um it's it's extremely anxious for those those folks out there everything else in
there is just traditional uh you know administrative housekeeping the good networking uh security and and taking care of business but with that um I'll let you guys get back to well hey Tony we've got we've got one question on the line for you have you had cases where you have made negotiations sent the payment and then received nothing from the attacker how do you avoid the risk or at least communicate it to the client uh the risk that they might pay and not get anything that's that's a great question and it's an upfront conversation because as soon as you start having that conversation with them um that okay you know we we've we've determined that we can't recover your
data uh you don't have any backups there's no way to rebuild this it's a very unique you know one-off data and there's no other way to get it back unless you reach out to who your attacker was and try to try to do this their question is usually all right so if I pay this no matter what the price is I'm I'm guaranteed I'm going to get it back and the answer is always you can't guarantee anything uh in that and so you have to make sure it's very clear to them and they're not trying to hold you liable for that as well it's a huge risk you do see all over the press a lot
of instances where they're not paid out but I'll tell you I've done this for for quite a while and it's in the the mid 90s you know low to mid 90s that they're paying out and so it does happen but it's a very rare occasion these days that was more you know three four years ago and you can usually tell by the time you get to that point that you're ready to transact funds if you're dealing with somebody who's mature organization or or a kitty who downloaded a piece of software and we have one other question just curious have you dealt with an issue where the entire network and shared device were encrypted yes yeah and so that's those instances where
you know you're not spinning anything up and and and that's you know one of the conversations we have with a lot of folks on their Nas when we do assessments and Pen tests is you know the make sure that you're you're back up in storage is not binded to your domain in a lot of those cases because it's crawling the domain and any of those domain attachments are are being encrypted as well even when you push them up into your your off-site storage um and we're seeing those so you know in some some cases it's kind of comical because you'll see in in you know the last pen test report that we got was that we got gigged on it because it
wasn't we didn't have it bound well it's it's actually a good thing these days because it's it's giving you kind of a gap in in some instances but that's where you start rolling into the area let's find those critical machines and let's try to do a forensic recovery of those machines just like we buy I try to you know do a disaster recovery for a drive that's crashed it looks like we have someone put in one more question they're an inquisitive Folk so when is it better to refuse the payment or is it never a good option you're talking about refuse um refuse to pay the ransom so yeah that's a it's a great uh topic
of discussion and it really it turns into a heated discussion so if you remember about November of last year a bunch of Mayors all across the country and to date I think it's well over 100 or something different mayors around the country have put together this letter and they signed um the the letter saying that we will not pay ransomware under any circumstances and I shot out to the mayor of a couple of cities that I do business with regularly and I said good luck with that because I know what your network looks like and you're gonna Fail Hard uh when it comes time to to address that because if you can't recover and you and I talked to these these I.T guys
a lot of times and they go man we've we think we have it but we haven't exercised it well let's sit down and exercise it you've got to have the confidence and ability to to recover that and uh um your it team has to have the the confidence in them so elves and and to just arbitrarily say there's absolutely no way that we're going to pay it you know it's you tongue-in-cheek you just have to say good luck with that because it's you have to be willing to have that conversation you know at least ask if if you've got no other option because you know what are you going to do and Tony the masses are asking for your
slide deck yeah I'm gonna drop my slide deck on the uh um on the link on the uh besides talk there so in the schedule so I'll drop that in there shortly afterwards here perfect well thanks for coming out thank you guys for uh joining me on the talk here and hope you enjoyed it and don't hesitate to reach out