
If you got in line and they ran out of sandwiches: they have sandwiches. Good news, part one. Part two: if you didn't get a meal ticket, we have enough lunches to feed everybody that didn't get a meal ticket, so if you feel like bugging out of here real quick to go get lunch and come back, that's cool. I would imagine by the next time we get to a break we won't have any more lunches left. Two quick pieces of administrative trivia: ticket numbers for the Hak5 kit are posted right outside this door on that board, but I'll read them anyway: 9655 3, 9655. And for the Noi, which is a Kickstarter project: 285 3964, 285 3964. So you can stop right out here at the giveaway table, check your numbers and pick up your stuff. At 3:45 they're going to redraw for all the unclaimed stuff.

All right, so this next speaker... I just met one of them last night, but one of the speakers here is kind of one of those guys that you really wanted to meet early in your career. I had the fortune of meeting him, which was really good, but I wish it was ten years ago, because he's really a great mentor and really just a fantastic leader in this business. So I'd like to present to you Tim Crothers and Ryan Bor.

Thank you. Well overdone, but hey. Is everybody having a good conference? Yeah? We've got some great organizers like Phil and Doug and everybody; let's give them a hand. This is at least my second time here, I think my third time. Third time, all right. I'm old, I'll say that up front right now. Phil had the displeasure of working for me for a number of years, so don't hold that against him; he really is a good guy. But every year this conference gets better and better, and I think it's a testament to the hard work that Doug and Phil and Lawrence and all the other folks that are arranging this put in.

So as Phil mentioned, I'm Tim Crothers, and I'm Ryan Bor, and we work at the poster child for security breaches. Any guesses as to what organization that might be? Come on, you can spit it out, it's good. Target, exactly. We are post-breach; our job is to make sure 2013 doesn't happen again. One of the things that we've been working on is just lots and lots of ways to tackle stuff, and one of those things, unless you've been living under a rock, as the prior speaker highlighted, is ransomware, which has just absolutely exploded. What we're going to talk about in this talk is yet another option. The prior speaker had some good, solid ways to tackle dealing with ransomware, but most of that stuff today is happening at the host layer. I've been doing this a long, long time, and I like ruining bad guys' days. I've done red, I've been on the offense, but I love blue, I love defense. To me defense is much more interesting; it's much harder, and thus ultimately much more work, in my opinion, and nothing as a defender makes my day like ruining a bad guy's day. So what we're going to talk about this afternoon is just some ideas. This is not a silver bullet, as I hope everybody here realizes; despite every vendor claim that will ever happen, there never will be a silver bullet. It's always going to be people, process and technology. What we're trying to do is give you some concrete additional methods for tackling this, and this is really a credit to Ryan. Ryan was responding to an incident on this and came up with the core of the idea that we'll be talking about.
So ransomware: let me just give you a little bit of stats. We track a lot of malware, so what I did was I went out and have been gathering samples, because I'm an old-school reverse engineer guy; I like to take samples and look at them and see what they're doing, and analyze. So this is as of the end of August. Over here on your left-hand side, those are the distinct hashed versions of those different pieces of ransomware; those are just the top families. On the right here are kind of your standard cybercrime toolkit stuff. Notice that Locky alone has had more iterations so far this year than everything in the cybercrime column. Literally, that's the root of this problem, and as the prior speaker mentioned, and I completely agree, I don't think this is going to get better before it gets worse. The cryptocurrency thing in particular has really been... it's not that we can't figure out who they are with cryptocurrencies, but it makes it a lot harder, it's a lot trickier. The Bureau is really good at chasing money through standard wire transfer and banking systems; they're not so good yet, unfortunately, at tracing it through the blockchain. It can be done, and that actually plays a little bit into our talk here.

So let's talk first then about how most of these families work. The way the cycle happens is you get the initial installation: whatever that vehicle that the malicious software comes in through, it gets installed, loader, etc. Pony and a lot of these are being used to distribute the ransomware. The ransomware installs, and then most of the current ransomware reaches out to the C2. Once it gets that connection, the C2 server basically gives it a unique ID; it generates a pair of keys, a public/private key pair. Most of the ransomware at this point is using really solid crypto, AES and similar strong crypto. The public key gets passed down to the software; it then uses that public key to encrypt all the files. Then it pops up its notice and says, hey, you've been infected, and of course there's lots and lots of variation. Most of them now give timers. The one we're going to look at a little more closely, one of its variants pops up porno images. They have all sorts of tactics, and they're trying to shock you into pain. I've seen some that turn on your webcam: "we're recording you." Anything they can do, and they're going to continue to iterate that, where they're trying to shock you, because what do we do as people? We make poor choices when we panic. So they're trying to get you to panic: oh crap, I'm screwed, okay, I'm just going to pay. The escalating payment amount, all of that is aimed at getting you to pay.

And then if you pay, so Locky for instance, you submit that payment, and the authors who are behind that then have to go look up... When you submit your payment you have to supply an ID. That ID is your unique ID that lets them know which private key is used to encrypt your files and thus decrypt, so they have to load that into a downloader tool and then make that available to you to download, and then you can use that to decrypt your files. So a good opportunity that I don't see many organizations taking here, because what we're talking about in this talk is how do we disrupt this more at the network layer, is: if you can subvert that communication between the installation and the C2, then the encryption never happens. So if you DNS sinkhole, if you use any of those techniques, which I get, a lot of these guys are jumping pretty quick, so you're going to have to be Johnny-on-the-spot to keep up with that, but subverting that C2 comms is a way to completely stop that cold, and also to know that you just had somebody try to get infected. Making sense so far? Okay.

So then we had a situation, and Ryan's going to talk about it in more detail. We've been fortunate; we've been tracking this very, very heavily. I'm very fortunate I was able to go out and get some really super talented folks, and they make my life easy; they do a really good job of staying on top of this and helping us keep ahead. But prevention is never 100%, and so the particular family that we're going to talk about today is descended from a variant called Jigsaw. Again, Ryan's going to go into a lot more detail here in just a second, but Jigsaw is what I would call a more typical evolution, and I'm hoping that this is a route that a lot of the bad guys take, because the good thing about bad guys is they tend to be lazy. In the standard model they have to go get the key out and put it in a tool and put that tool up for you to download so that you can decrypt your stuff. That's effort; even if they script it, that's still effort. On the other hand, in the Jigsaw family the authors did what I would say is more typical of bad guys, in that they realized: wait a minute, why bother with all of that? We can just have the malware itself, the ransomware, check the blockchain, make a query against the wallet, determine if the payment's been made, and decrypt. And therein lies the weakness that we can thus exploit, and Ryan will talk about that. But literally the way Jigsaw works is it does an installation, it generates a random blockchain wallet ID (those are readily accessible; that's just a simple API call to get a fresh blockchain wallet ID), so it generates a wallet ID, and then it instead just generates its own keys and polls the blockchain. Once it sees a value in the wallet ID, it then goes ahead and self-decrypts. That comms looks like this; that's just a query. There's several ways, if you're not familiar with cryptocurrency: so Bitcoin, there's one what's called the master blockchain. The point of the cryptocurrencies is anonymity, but it's not to prevent people from being able to see transactions; part of the transparency around the cryptocurrency is transparency. Matter of fact, there's a talk going on during this slot that I'm looking forward to seeing on YouTube, talking about analyzing the transactions in the blockchain. You can go out and look at the blockchain, which by the way is a really good way of tracking how successful a lot of these ransomware actors are, because they put their wallet IDs in the ransomware. All you've got to do is query the blockchain for transactions to those wallet IDs and you know exactly how much money they're making. And then you can see the transactions going from that wallet to another wallet to another wallet till they consolidate, so there are lots of interesting ways of figuring out who the actors are, kind of coalescing, because interestingly enough, with a lot of the different families of ransomware, when you follow the money through the blockchain transactions it all ends up in the same place. But that's a separate talk and not our focus for today. So it makes this query, and at this point I think I'll let Ryan pick up the story with what happened and do some explaining on how he came to the next step.

All right, thanks Tim. So what happened is we had a team member who received a spear-phishing email that was very well crafted, and they had clicked the link in that email, and eventually this downloaded onto the machine and executed. So this is a version of Jigsaw. A little bit about it: I'm just going to jump out of here quick.

I should mention Ryan's one of our triage analysts in our CSIRT that does reversing. Yeah, sorry, I should probably... So a little background: I worked at the State of Minnesota doing IT for a couple of years, and then I've been at Target now for about a year and a half, and recently started doing malware analysis. So what caught my interest in this was that we had a single host get infected and we were able to successfully decrypt it. Oh, got to move it; I don't have it actually up. So for this demo... one more... yeah, almost there. Did it go back to extended? No, okay.

All right, so I'm going to actually execute this while I talk a little bit, just because you'll see that it prints out "you've been infected with Ransom..."; we don't have to wait for that. So when you execute this on the machine, you're going to get this pop-up: "image can't be displayed." The user will click OK; now in the background it's going through and starting to encrypt your files. So the particular version that we had go off put up pornographic images, which is obviously a little embarrassing, potentially, in an office environment. I think the team member was actually at a conference. So what I did for this presentation is I just grayed it out; I removed that image, so you're not going to see a whole lot. You'll see the text scrolling across, but you'll get the gist of what happens. We figured we'd try not to offend everybody by showing inappropriate images.

So this is written in .NET and it is slightly obfuscated; basically all the function names, you can't really make sense of them, they're kind of gibberish, but most of the functions you can see. So what I started doing... bring this over here so you can watch it. What bothered me was, okay, so we had a single host get infected, and so I started thinking: what if this had happened on a larger scale? How would we respond to this quickly? Because it did take us some time to get the files decrypted and reimage that machine, have the team member get a new machine, get the files back on.

Yeah, so we should interject here, an important thing to understand: there's decryptors available, because this tool keeps the secret key essentially on the local host, so there's tools to go out and extract it. The challenge with that approach is that you have to do a new version for every iteration, so every time the bad guys iterate a new version we've got to go out and build a new decryptor; we've got to figure out, okay, where are they storing the key specifically in this new version, etc. Totally decryptable, we decrypted it, but to Ryan's point is how do we do this at a bigger scale? Say a thousand people got this at once; can we decrypt across the entirety of those rather than on a one-by-one basis? Keep going.

All right, so with this particular piece of ransomware, what I look for when I'm doing analysis, especially on this, was how can I exploit this piece of ransomware? Initially what caught my attention is that there was no call-out, and so when I analyzed this I'll check for network traffic to see what's going on; I didn't see anything. The only option, you'll see here soon, is you get a pop-up saying "I submitted my payment." So I'm like, okay, well, let's see what happens when we click that, to see what kind of traffic we get. That pcap capture that you guys saw was that traffic, and so what I realized was, well, this is clear text; it doesn't look like it's doing any sort of encryption for the communication to that site. And so I was like, well, this might be pretty straightforward as far as decrypting it. So I had to dig into the .NET assembly, figure out exactly how it was working, and some things I noticed for that: so after this counts down, you kind of see it, you get an hour's time to pay; if you don't, it says it's going to delete three files. I did confirm that it will. The other thing to consider when you get hit with ransomware is what do you do in that situation. This one in particular, if you restart the machine, there's a check that'll check to see if it did run; there's a file on the system that gets dropped, and it's literally just checking for that file, checking to see if there's a value in there, and it goes, oh, it ran. So if it detects that and you restart this computer, it's going to delete 10,000 files, or sorry, a thousand files, every time you restart, and it encrypts up to 10 million bytes, or a 10 meg file, basically. So it does have some limitations. It's basically going through and looking for common files like Word docs, Excel docs; it'll encrypt temp files. I can actually switch this quick.
So just to show you here, after it encrypted, the extension that it adds is .porno.ransom, so I'll just do a search for "porn" on the C drive and we'll see what comes up. You'll see we're at about 10,000. Oh, and that's the other thing: when this team member got this, it's not very crafty in the sense that it actually locks your screen; you could drag this and move it out of the way, but all this gray was basically adult content, so you could have just moved it down. But the thing is, they want you to freak out and panic so that you pay. So here's all the encrypted files; right now we've got 10,581. It appends the .porno.ransom, and so what I started digging into was, okay, well, how would I decrypt this? Well, luckily for us, the adversaries decided to put the decryption key into the ransomware, so all the algorithms, all the functions, were built in to decrypt; I just had to figure out how can I get this to do what I want it to, basically. So what I wrote up was a little Python script. I'll show this here; I'll move it over. I'm using a mini web server; I just wanted something really quick on the host. Maximized it, moved it off... all right, screen resolution is hard. So I wanted something just quick and easy, just for testing to start out with, but I knew at some point we'd have to build something more robust, some sort of framework that would give us more capability. Basically what it does is I edit the hosts file to redirect traffic (and you could implement this other ways) for the domain that it's going to call out to, which is btc.blockr.io, back to the host, and then I created a web structure for that so that when it requests the file, it'll basically grab those files, and they need that JSON content.

So blockr.io is just one of the many publicly available sites for querying the blockchain, for querying wallet IDs, and so what we realized with this approach is it's much more broad. Over the last several weeks we've been testing, and I have yet to find a version of any of the... there's several variants already of the Jigsaw family, the Hitman, the porno, etc., and this works for all of them. What happens is you can just redirect; in this case the first... this is the prototype version. We'll have a version two that's up here, probably posted later this week, which is a little more extensible so you can run it on any platform, so easily redirecting: just do a DNS sinkhole at the enterprise layer to the little site, so it just returns the expected values for the API, because it's just a simple post and JSON. All right, so drag this over here. So it's pretty simple: the host is infected right now, the files have been encrypted, so what I'll do is I'm just going to execute that jigsaw.py, and it takes two parameters. So typing is difficult.
The "jsr" is just a command, or parameter, I passed just to specify, because I had a few other things in this program before, so it'll take the two parameters. Which... get back to... It needs the wallet ID? Yep, so I'll need the wallet ID and the amount. So for this one they're asking for $150 in Bitcoin. Technically what this will do is it'll go out and get the actual value that day, and then it's going to multiply whatever you put in to compute that, to see what you get. Obviously the Bitcoin value fluctuates; it's six-something today. So we paste that in, and then 0.4 will give us enough, and so then we'll execute this, so now it's listening for the request. And what we can do here, I'll show you this too: you can see the list of encrypted files, which is right there; it's essentially the same ones that I searched for. So that's a scare tactic: show you here's all the files that you got encrypted, hopefully there's none that you need. So what we'll do now is we'll click this; it's going to go out, you'll see the requests come in, and it's basically just going to grab the fields that I changed, so it's tricking it, in a sense; it's kind of like a man-in-the-middle attack. It's going to grab the Bitcoin value for that day that I gave it, and then it's going to put in the 0.4 and multiply, and so it ends up being over $150, which the check in there passes, and so then it'll call the decryption function, which passes in the built-in key, and then starts running through and decrypting files.

The other thing I noticed, though, with this, so you're always looking for mess-ups that your adversary makes: it decrypts all the files, but in the process it doesn't completely remove the extension from them, so you end up having .porno.ra. What happened was the implementation prior, when they removed the extension, they just said, okay, let's subtract three from it, get rid of it; well, they basically did a subtract four on this, and so you still have all your files that are decrypted but you can't access them. So the code was borrowed; big surprise, the bad guy stole the code from somebody else, or maybe bought it; looks like they stole it. They didn't understand it fully: what it's descended from put on a three-character extension, .fun, the original .fun, and so they didn't understand that code enough to remove it, left it, so it just takes off the last four characters instead of the entire .porno.ransom that was added, because, big surprise, not all the bad guys are really good coders, which is the benefit for me, because it makes my day easier when I have to fix what it does. All right, so I'll just run this search here quick. So we'd still need to do a little bit of cleanup: the files are now decrypted, but because of the bug in the code we're going to have to take off the rest of that extension, but that's pretty easy to do with a mass rename, a little Python code, etc. So here all the files have been decrypted, but they've still got the .porno.ra extension, so again what I did is I whipped up something quick to remove that part so that you get your files back. The problem is that when it goes to rename them, I don't know if the OS is generating new temp files and stuff; for some of the files I end up getting issues because it's already there, so I just have it write out to a file right now, just to see which ones didn't actually get renamed. Toggle back to the deck if you would.

Make sense? So as we've been continuing to dig at ransomware, part of really what we're hoping to accomplish with our talk this afternoon is to get everybody thinking about additional attack vectors on a lot of this ransomware, because as we're seeing this explosion, it's just continuing to go in all sorts of directions. We're going to need some tools like this to kind of mass-defeat them. The prior speaker gave a great example with the healthcare case, where hundreds and thousands of systems are infected, and the longer, of course, we're down, the worse it is in terms of impact to our legitimate folks.
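The extension bug described above, modelled in Python as an added example (not the speakers' script or their Subterfuge tool): the borrowed decryptor's fixed four-character strip beside a correct strip of the whole suffix, plus a cleanup pass for the ".porno.ra" residue that reports name collisions instead of overwriting, which is the rename failure the speaker hit. The suffix strings and the sample file names are assumed from the talk and constructed here.

```python
"""Added example, not the talk's script: the Jigsaw extension-strip bug
and a defensive cleanup for the residue it leaves behind."""
import os
import tempfile

# Assumed from the talk: the variant appends ".porno.ransom" to each file;
# the code it was borrowed from appended a three-character ".fun".
RANSOM_SUFFIX = ".porno.ransom"
RESIDUE = ".porno.ra"   # what is left on disk after the buggy decryptor runs


def buggy_restore_name(name: str) -> str:
    """Model of the borrowed decryptor: drops a fixed four characters
    ("." plus the old three-letter suffix) regardless of the real suffix."""
    return name[:-4]


def correct_restore_name(name: str) -> str:
    """Strip the whole suffix, and only if it is actually present."""
    if name.endswith(RANSOM_SUFFIX):
        return name[: -len(RANSOM_SUFFIX)]
    return name


def cleanup_residue(root: str, residue: str = RESIDUE):
    """Rename files the buggy decryptor left with `residue` still attached.

    Returns (renamed, collisions). A collision is a target name that already
    exists; those are reported rather than overwritten so an operator can
    review them (the talk's script wrote such names out to a file).
    """
    renamed, collisions = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(residue):
                continue
            src = os.path.join(dirpath, fname)
            dst = os.path.join(dirpath, fname[: -len(residue)])
            if os.path.exists(dst):
                collisions.append(src)
                continue
            os.rename(src, dst)
            renamed.append(dst)
    return renamed, collisions


def demo() -> dict:
    """Constructed scenario: three decrypted-but-misnamed files, one of
    which collides with a file that already exists. Returns a summary."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.docx.porno.ra", "budget.xlsx.porno.ra",
                     "notes.txt.porno.ra"):
            open(os.path.join(root, name), "w").close()
        # Pre-existing file that a naive rename would clobber.
        open(os.path.join(root, "budget.xlsx"), "w").close()
        renamed, collisions = cleanup_residue(root)
        return {
            "renamed": sorted(os.path.basename(p) for p in renamed),
            "collisions": sorted(os.path.basename(p) for p in collisions),
            "remaining": sorted(os.listdir(root)),
        }


if __name__ == "__main__":
    print(buggy_restore_name("report.docx" + RANSOM_SUFFIX))
    print(correct_restore_name("report.docx" + RANSOM_SUFFIX))
    print(demo())
```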
All right, so what we're putting up is... eventually, there we go. So what we've created is a little tool we dubbed Subterfuge. We'll have it up on GitHub here shortly; we're again making it a little cleaner, etc. Like we said, the intent here: this really mainly works so far with the Jigsaw family, which, to be clear, is certainly not as prevalent as Locky or some of the others, but in the sample we used, it just used a simple little DNS entry in the local DNS, the Windows System32 hosts file, to redirect the URL that it's going to call out to to loopback. We run this on loopback; it intercepts the API call, gives it what it expects so that it can self-decrypt, and what that ends up being then is a much better way if you've got more than one. You saw how quick that actually decrypted; when we had this on an actual host the decryption took about half a day. Yeah, I think with the decrypt tool it was right around four, five, six hours; it feels like... I mean, one of the issues you might struggle with, depending on your environment, is getting access to that host and then also ensuring that you don't infect other hosts while you're trying to do that. Right, yeah, the beauty of this is then that we don't have to go track down the specific decryptor for this specific version of Jigsaw. Plus, in this case our actual team member happened to be remote; she was out at a conference at the time when it happened, so with this sort of mechanism we can do a redirect via VPN, have her go ahead and click the link, "yep, I paid," and it will decrypt. We ship her down a little script to take care of the rest of the cleanup, and again that resolves it much more cleanly.

Yeah, question? Spear-phish, yeah, it was a spear-phish. She was checking email at a conference. It was a pretty decent spear-phish; I would say the spear-phish was actually higher quality than the code of the ransomware, maybe I'm partial. But they're certainly distributed lots of ways; this one just happened to be distributed that way, but they certainly come out lots of ways. And then we did the demo. So longer term, again, like you said, we're going to get it posted, and it's all written in Python, so have at it, extend it. We're going to continue to work at it; I've been looking through a bunch of the other families to see if this is more applicable and what we can do to again just make this a more robust tool. But again, the real thing I'd stress is taking away that kind of approach: that a lot of this malware can be attacked in ways where you can use the malware against itself, and in many cases I think that's going to be a much more effective approach. So the next time you're dealing with one of these, think about that as an option: look at those comms, is there a way that we can trick it? As long as the bad guys only retain the private keys, then our best bet is to sinkhole it, not let it communicate to the C2 in the first place; that will shut it down cold for the ransomware, but that's a bit of chasing the C2s, so that can obviously be problematic. Questions, thoughts? Sir? ...particular... private... correct. Are there instances?

So, great question. There absolutely are. A lot of the takedowns, or takedown's not the right word, a lot of the free decrypt stuff that's been released has been released because what's been happening is a lot of our AV players, and Microsoft also has really been working hard at this, are working with law enforcement. They'll get proof so that law enforcement can get a warrant issued and take the server, so they can collect the keys off of that. But of course that's just induced the actors that are doing this to move their hosting to non-extradition countries where we don't have law enforcement access, or cooperative law enforcement access, I guess. So there absolutely are. I haven't yet found a variant that stores the private keys in a way that's publicly accessible. The other thing I have been searching for is, fortunately a lot of the bad guys have very poor opsec, and so they'll commonly store the keys, and I think personally there's a gray area where hacking as defined by the Computer Fraud and Abuse Act is very broad. I feel like the letter, or the intent rather, of the Computer Fraud and Abuse Act is if I have to authenticate with credentials that aren't my credentials, that feels like that should be where that line is. The good news is, certainly in a lot of the cybercrime stuff, they don't put any authentication on stuff, because they know that tends to break it getting through our corporate proxies and stuff like that. Unfortunately, so far most of the major variants of ransomware are using authenticated servers, but that's another option that I suspect we'll see at some point with some of the families as this continues to explode: them just leaving it open. If you were in the RAT talk next door at 12:30, he talked about his C2 server just stuffing that stuff in MySQL, and there wasn't a lot of authentication about that, and there's potentially ways to access that data that's unauthenticated. Personally, I feel like that would keep me within the spirit of legality to retrieve my private keys, but that's getting very deep down the rabbit hole, so we probably shouldn't go any farther in that direction. Other questions, thoughts? Sir? Do you have to pay the ransom at least once in order to...? No, we reversed the whole thing. Yep. .NET in particular, of course, as the speaker next door correctly pointed out, writing things in C# and .NET makes it very, very easy to reverse. So no ransom was paid; the intel team quickly found us the actual decrypt tool for the variant, so we didn't pay the ransom, and we wouldn't have, since it was an individual corporate laptop, not high-risk. Sir? When you were giving the demonstration initially, there was the error screen that popped up, and we clicked OK. What if you just click the red X? It still goes, yeah; that's just a pop-up. It's actually going in the background once that kicks off, yeah, but that's an indicator, and I was unclear when I saw that, and I did some rehearsing on it as well; I'm still not clear why the author pops that up. I suspect that's again yet another kind of remainder from inheriting the code from another variant that just was not removed, but either way it's going to continue at that point; it's executed. Other questions?
sir you want to speak to that so what was the question take the key out of so what what did it for me was that first of all they had all the decryption algorithms in there so even if I didn't have the key you you still saw the algorithms and normally when when when I've seen that right the keys within it so seeing the key seeing the algorithms right that's probably how people made the tool as they took the key out and they they copied the algorithm and just made a standalone program um you could also encrypt encrypt the traffic you know don't have it go to just the HTTP site that was probably but the
encrypting the traffic isn't an option in this case right because because they're making an an open API call to a publicly accessible site right they they really can't encrypt the tra I mean they could run it SSL instead of uh plain hdtp of course uh because that site supports SSL but then we can just break the SSL um but uh you know because they've got a query the the reason I think uh this has become a newer popularity right is it's just so much less work for the bad guy right with with locky and those they've got to maintain the the key servers and all of that kind of administrative work the beauty of this is they're literally just
spame it out right and sit back and you know pull from the wallets right even if they instance of payment ends up being lower than Acky uh they're still because the the gain to work ratio is so much higher um because they just Spam it out and at that point they don't really care it's going to get some people and some people are going to pay um I certainly so I did a bunch of queries against uh using the wall ID part of the interesting thing is I haven't figured out with this one specifically is how they're knowing which wallet IDs are being chosen right so that they can use those wallets to collect the funds I I haven't figured
that component out yet in this particular variant, but I suspect once I do figure that out that you could probably reverse the payments, you know, if you get to the funds faster than they do when they sweep. So interesting, interesting new angles. Yes? So I'm hearing, right, from their perspective, I mean, you're just software; think you paid it, they just don't end up getting... That's correct. So they don't even really... I mean, for all they know you could have just said, fine, keep my... on here. Yep. Yeah, in this instance, right, they probably knew there was an infection, because I suspect there's some sort of a notification of

the wallet ID that I haven't, you know, that we haven't figured out yet. So I suspect they knew there was an infection, but it'd be no different than somebody just not making a payment, right. And at the end of the day they're going for a numbers game, right. Not necessarily alerted that you did anything? No, no, no, they've got no way of knowing that we subverted their system, unless they watch this talk on YouTube. But that's fun, I don't mind. But that's right, yeah. I don't have enough to... I mean, some of the software errors in there that you were talking about, right? Yeah, there was some other fun stuff in the code

too. It's the downside of using somebody else's code, too: if you don't go through it and completely understand it and you just whip something up to change it, you might have who knows what's left over, right. Yeah, I'd be interested, you know, it wouldn't surprise me, and I have no reason to think that this is what's going on, but it wouldn't surprise me if whoever actually wrote this is actually getting the wallet notification and then sweeping the funds, or a portion of the funds, right. I can totally see that sort of shenanigans going on, but don't know for sure. Sir, in the back? They're all over. Yeah, they're all over. Certainly we're seeing huge
uptake out of Brazil. Brazil is becoming the new hotbed for cybercrime in general. I haven't done a lot, you know, we're still working on attribution; attribution is hard. We're getting grouping for tying actors to families and stuff like that, but that's not the same as knowing who the individuals are, right. Certainly in looking at a lot of the Deep Web forums, you know, I don't see how this isn't going to continue to explode, right. There's currently ransomware source code for sale for $40 to $50, right. So when you only have to invest $40 to $50 US to get ransomware, and it's pretty easy to, you

know, reach out to your botnet install service and get the installs, how... you know, the success is going to continue to drive that. Which is why ultimately we thought, you know, throwing this out there... you know, this isn't a huge deal, right; this is one family that is certainly not one of the most prevalent families by any stretch. But we really are hoping as much to spark folks to get thinking about other ways to tackle this problem, because until we can... you know, if you've attended any of Chris's talks, right, you know about the economics, right: until we can make the payback less valuable than the work, it's going

to continue to go up, right. And so that's the tipping point, and I don't know how we can do that unless we can figure out some mass tools to, you know, kind of target some of the stuff head first. Do you have a question, sir? Earlier, thought you raised your... I was just going to ask where we find... Oh, these will get posted on YouTube, usually about a week out, on Adrian's channel, right. Yeah, it'll be in about a week. Adrian, Irongeek. Yeah, Irongeek, yeah. Go out to YouTube, search for Irongeek. Yeah, if you're not aware, so all of the... so Adrian goes to pretty much every security conference. I'm sure he
misses a couple but not many, and videos, and so all of these talks for all the sessions today will be up on YouTube, freely available, you know. So if you miss some, you know, like I say, I'm definitely intending to catch some that I had to miss due to a conflicting session. Ah, sorry, thank you for clarifying. Okay, perfect. I know he posts some stuff on his YouTube channel too, but yeah, it'll be out there. So besides, Augusto has a YouTube channel. Sorry, thanks Phil for the clarification. I see another question. We good? I think we're in good shape. So we got to do some handouts, I'm told. So we have up a

couple. Well, these are cool, jealous aren't you? That's right. I find, as my wife will attest, I spend way too much on toys. So we got to come up with some questions here. I'm terrible at coming up with questions. What was the most prominent... What's that? What was the most prominent? Sure, so from the initial, what was the... let's see, I think it was that gentleman right there. Yes, Locky it is. Come on now. All right, we need another question. What are the two most prominent distribution layers for a lot of the, not just the ransomware but the cybercrime stuff that I

mentioned earlier? Got that. I saw Phil first. First, okay. No, good thought. They were specific malware names I mentioned. Sir? Sal... no, not salad. Salad was on the slide? No, those are ransomware families. So these are distribution channels; I just mentioned it once in passing, so we might have to go to another question. But if you're not aware of them you should be aware of them, because they are a couple of the things being used to distribute a lot of the deliciousness today. Piers? All right. Paul? Neckers, and... no. All right, Necurs and Pony is the two I specifically mentioned, but that's close enough. All right, so
we have two more. Got a question? And the next one is... this is an awesome book, Python Forensics. If you haven't read it, shame on you, just saying. Fantastic book, really, really good book. So, next question. I don't know if anybody heard me say it: what was the name of the function that performs the check for the hour and it'll delete a thousand files? I think I briefly mentioned it. You mentioned the function. Mention when it happens. When does it happen? Restart. All right. And we have one more; we have a really cool set of lock picks to give away. Give me another question right now. What's that? I don't have

any right now. What is Phil's alternate full name? Sir, yes: Bill Plam. That's going to haunt Bill for a long time. For those... Well, thank you very much, everybody. I hope that had some useful... and forward to the rest of the