
The Future of Destructive Malware

BSides Calgary · 2020 · 49:43 · 44 views · Published 2020-12

Category: Technical
Style: Talk

Transcript [en]

All right, I made it. Thank you all very much for your patience. Let me share my screen here; apologies for the little blip on the radar there. Yeah, I do think someone messed with my computer, who knows. Let me go into presentation mode here and we will get things kicked off.

All right, thank you all so much for sticking around, and apologies for the little technical difficulties we had there. So hopefully I didn't just get my computer infected with all of the stuff I was just playing around with here, but let's go ahead and jump right into it.

So this session is kind of interesting, right, because back when I initially submitted this abstract to BSides Calgary it was a completely different talk. Because of how things turned out with 2020, and this virus has really impacted the computer security industry as well, it's going to be a whole different thing than probably what you saw in the abstract, but that's just due to a lot of the changes we've seen in the attack landscape.

So in general, what we want to kick this off with is setting the stage around cybercrime. This has kind of been a main focus for us this year, and essentially a kind of scary statistic is that cyber criminals cost the global economy 2.9 million dollars every minute of last year, all of 2019. It's significantly more than that this year, even. I don't know if you all have been following the news around some of the ransomware gangs such as REvil and the like, but they actually just recently had one of their members defect and actually talk about their operations. They were talking about some of their attacks making 17 million dollars a pop, and overall they're estimated to have made a hundred million dollars, just that team, in a matter of months.

So in total, we're looking at this as a global business. Essentially it cost the world 1.5 trillion dollars last year, and this year we estimate that this is coming out to be about double that. So a pretty significant problem, and kind of staggering, the impact and just the wide reach that this has.

So what I really want to focus on is something that all of us in the security industry have been inundated with, and that's these destructive attacks. Now, mostly we're talking about ransomware here, but there have also been nation state actors that are leveraging ransomware and repurposing it for destructive attacks. There have been attacks against databases, such as wiping data and destroying data, and then the integrity of data as well is now being questioned, especially here in the States. I imagine you all have been following the news about the elections, so that's a cluster on top of the virus. So hopefully we get our act together so I can actually visit you all someday and actually leave the States at some point; we'll see how that goes.

But essentially, with these destructive attacks we're talking about anything that affects the cognitive dimension: how we perceive data, how we perceive the world, what the integrity of the information we're looking at actually entails. And then that leads into the information dimension, so the data itself and the integrity of that data. But the real scary stuff is these attacks that have kinetic impacts, so anything impacting the physical dimension and having real-world, tangible impacts. We've seen this in the past with attacks such as NotPetya taking out whole entire businesses, on top of not just their core business infrastructure but also power grid attacks and things of that nature that are definitely very concerning.

But the scariest one, the one I think we're all most commonly going to be impacted by, is ransomware. Just from our data set alone, from what we saw from 2019 to 2020, we saw a 900 percent increase in ransomware in general across the board, across all of our agents and essentially our global deployment. So this is something that has significantly picked up this year, and we think that's largely due to some of the changes I'll talk about that are happening in the underground cyber crime industries, and how they've changed their business models to adapt, given that a lot of traditional crime has been forced to move online in much the same way that a lot of legitimate businesses have. Now we

look at who's mostly being impacted by ransomware, predominantly what we saw is energy and utilities, kind of the main industry vertical that's being targeted. And that's pretty concerning because, looking at the impacts that could have, if this gets into the actual systems that are controlling infrastructure, or is able to reach some of that utility infrastructure, it's definitely very concerning. Fortunately a lot of that operates on segmented networks and is mostly separate from what actually has the tangible controls over this tooling, but still pretty concerning just to see the amount of these types of attacks we've seen targeting them specifically.

But shortly after that we have government, of course, and I imagine this year, when we look at 2020, it'll be a significant uptick here, just because we've seen this leveraged in denial of service. In Georgia here, just about a month ago, there was a ransomware attack against a voter database where they encrypted the whole database. So we've definitely seen this used for multiple purposes other than just for profit specifically. But manufacturing is also a prime target, and that's mostly because a lot of this is outdated infrastructure. A lot of these systems are designed to be remotely accessible, but they also are not often patched; they're often running very outdated software and hardware, and so that's why I believe we see such a significant focus on manufacturing specifically. Then it goes down from there.

But what I really wanted to touch on is some of the specific and more concerning aspects of ransomware itself. So with ransomware, we took a majority of the ransomware samples that we saw across all of 2019, we took all of the live ones that still had active C2 and things of that nature, and we dynamically detonated these within our lab environment. We did this to specifically map out the MITRE techniques and tactics that are leveraged within the automated ransomware payloads themselves. So what you're looking at here: these red dots are going to be the TIDs, and the blue dots are different ransomware families and different ransomware variants. What was interesting here is just seeing the overlap in all of these techniques and what they're leveraging in their automated payloads.

Now we're specifically looking at persistence techniques here, and as you can see, a lot of these different samples are leveraging even rootkit types of behaviors, modifying the master boot record and trying to persist in the operating system even after these victims have restored a majority of their files. They're establishing persistence that's going to be out of band and separate from the actual ransomware payload itself. Oftentimes they're just leveraging signed binary proxy execution, living-off-the-land binaries, and establishing scheduled tasks, leveraging the registry, modifying startup folder items, and then predominantly using hidden files and directories. Now, a lot of this is going to be to establish secondary and tertiary persistence and access back into these environments, so they're going to try and make sure they have multiple avenues to maintain this access and get back in should you find out about their initial access or should you start quarantining their malware. And keep in mind this is only the ransomware payloads themselves; we'll get into more detail about the actual actors and the groups behind these, and some of their tactics, in a few slides as well.

The next one I wanted to highlight is credential access. Just about every ransomware variant that we looked at is accessing credentials in one way or another, and this is predominantly going to be leveraged for privilege escalation, or access to personal bank accounts, emails, other credentials to services, so that they can basically take and resell a lot of this information online. Most commonly we see these targeting the browser, so if you have users who are storing their passwords directly within Chrome, within Firefox, things of that nature, they're specifically a target of a lot of these payloads, and even more so with the credential stealers and banking trojans. So it's kind of interesting to look at how ransomware is also leveraging the theft of some of these items as well, even outside the scope of just privilege escalation.

But one of the other interesting things we saw was targeting of chat applications; Telegram was heavily targeted. Also looking for FTP, SSH, looking for SCP or SSH keys, or RSA keys I should say, and essentially looking for anything they could leverage to pivot and move laterally and gain access to additional avenues within the organization. And a lot of that's going to be done through capturing input, so monitoring the clipboard, doing keylogging, and things of that nature.

Now we look at the next stage, collection. This is something that a lot of ransomware families have fully automated: trying to move laterally through SMB and then just gather files and information and sort of start to encrypt this data. But some of these variants that we looked into were actually taking a lot of this information and packaging it up and exfiltrating it automatically, usually to a compromised website where it is then quickly moved out of that site to their main marketplace or command and control network, or whatever their end goal is for that information. So it's kind of an interesting thing to watch happen, because a lot of this is just fully automated.

Whereas now, we look at 2020 and how this has changed: a lot of this has shifted to the ransomware payloads being more specifically just focused on the encryption and maybe lateral movement, with the manual component of attackers actually moving through and mapping out the organization by hand. A lot of that's done because they want to make sure they target the most high value data. They also want to understand the business of the organization so they can put a dollar value on this data that they're exfiltrating and posting for sale later, or just how they're going to decide to leak and choose to extort the victim of these attacks. But again, capturing the clipboard, monitoring keystrokes, and just general automated collection is going to be a large part of a majority of the ransomware families that you take a look at.

So those are the three I really wanted to dive a bit deeper on. But if we look at the whole MITRE ATT&CK framework, the thing that's always commonly associated with ransomware is just these impact sections: encrypting data, inhibiting system recovery, data destruction, stopping services, defacement, all those kinds of things that we commonly associate with ransomware. What we found really interesting was all of these other components that ransomware is leveraging in their attacks, and predominantly defense evasion. As you can see, basically every single sample that we analyzed is leveraging defense evasion in one way or another, and this is typically just to subvert endpoint security software, get around network security software, basically make sure that their payloads are going to land and stick and they're not going to be easily removed.

Now of course, in some of the more manual breaches that we've investigated, it's a lot of hands-on-keyboard, where they actually go in, elevate privileges, and then just simply disable the endpoint security tooling. That's one we're seeing extremely commonly now, especially with Windows Defender and things of that nature, just completely shutting it off and then choosing to launch their malware. So they're just trying to take the easiest path possible, because the initial system is usually the most important for these folks, because then if they can move through SMB they can move laterally pretty easily from there. A lot of it just comes down to using built-in Windows commands in order to do encryption and the remaining components of their attack, but that really depends on the type of malware that you're looking at and what their goal is and who's behind it.

Yeah, as you can see, multiple persistence mechanisms in use, and discovery is big. They want to do as much automated discovery as possible so that they can go and, without much work, figure out where your target file shares are, if you have any databases that are open, if you have public websites that they may be able to lock up and use in terms of defacement and damaging your brand. Those are definitely going to be targets that they'll go after. But getting into the details of what these groups actually do after they obtain this information has been something that we've found rather interesting and have been trying to dig into a lot more recently, and so I want to dive into the actual underground economy.

What's interesting here, especially looking at, I want to say, the last 24 months or so, is we've seen really a shift in terms of the underground economy and the means by which they've been operating. It's kind of led to what we're viewing as a sort of industrialization of this underground economy, to the point of actually making this very easy for individuals to get in on this and get involved in some of these activities without having much real technical skill required. That's largely made possible through ransomware as a service, shared hosting, bulletproof hosting especially, and then the initial access brokers, which I'll get into in a little bit here.

But first I want to touch on double extortion. So for years we've been dealing with ransomware essentially doing their general extortion practices: encrypting the networks and forcing a payment in order to get the data back. Now, what's scary about that is a lot of folks will pay these ransoms, but they will have these residual components of the malware still within their environment, especially within their backups. Some of the groups now, because backup solutions have progressed to a point where it's made it very difficult for a lot of these folks to actually turn a profit from extorting victims, have taken the longer game approach, where they will actually try and get their malware deployed and synced up to the backup servers, so that when you do restore from backups you're restoring their malware. And depending on how those solutions are configured, some of the environments we've seen where it's just standard backing up of files from user directories and stuff on a Windows server, those are going to be prime targets for these ransomware groups, and especially for backdooring those servers. The traditional way, or the most common way I should say, that we see them doing this is just establishing a tertiary backdoor on these hosts that's going to call back maybe once a month or even longer than that, and it's mainly just their means of leaving a foot kind of in the door to prop it open so that they can get back in should you find out about their initial access vectors or their other backdoors that they already have established throughout the network.

But in terms of these backups progressing to a point where a lot of people just were not paying these large ransoms that are being asked, they started moving into double extortion significantly, and it really started with this one group called Maze, that essentially is credited with coining the double extortion technique. Essentially what that is, is they take the organization's most sensitive files, they exfiltrate this data, and then they basically say, hey, you have to pay to decrypt your network and you also have to pay for us to not go embarrass your company publicly and post this information online, or sell this information, or use this information for other nefarious purposes. We've actually seen this start out with marketplaces being leveraged for this, where they would go to XSS or Exploit.in and some of those very common crimeware marketplaces and they would just post some of this data, but now it's progressed to a point where they're actually running full-fledged web servers that are getting this information out openly. You can pretty easily go and comb through there and see which companies are impacted and download this information. What I find most surprising is a majority do run on onion or I2P, but there are quite a few that actually just run on the clear, and don't really care about getting caught, it seems; they're extremely brazen.

So speaking of extremely brazen crimeware groups, Maze I would say is probably one of the top most brazen groups that's out there, or at least was, until they just recently decided to cease their operations. What you're looking at is their website. It's actually down now; they do have the onion site still up, but this is essentially what these double extortion sites look like. So Maze over here, they refer to their victims as their clients, and you can see each one of these is going to be a different company that has been extorted, and their information is posted here, so you can actually download this data. Usually what they'll do is they'll post teasers of this, and they'll show previews of some of the data as proof that they actually have this information, and then you can either purchase the full dump, or at some of them they will just release this data at some point.

Most commonly this data will be posted in encrypted format, and then at a later time, once they've finished negotiations with the victim, and if the victim has chosen not to pay them, then at that time they will release the decryption keys so you can actually gain access to this information. And they're extremely active. I would say just about every day, during the time of their heyday, they were posting massive blog posts and news releases on their site, and a majority of them are actually multiple companies that they are releasing their data on at a single time. So over here is a single blog post from the Maze team, and it's a real

interesting component, because Maze, they have their core group, but they also operate as a ransomware as a service. So the tricky thing there for us as researchers is this really muddies the water in terms of attribution, and it was evident by a lot of the misconstrued news that ended up out there about Maze and about their quote-unquote partners. The media even referred to them as the Maze Cartel at some point, and they were saying that there were hundreds of members and stuff like that, and it was something like, before we started really digging into it, we were like, oh wow, this is impressive. We actually kind of believed some of that stuff. But I'll get to their announcement in a little bit.

It's interesting to see how much of this, in terms of attribution, is just kind of pulled from thin air and made up, in terms of the bits and pieces people see from different evidence that's scattered about, and I think that's largely due to the nature of how some of these groups operate, because a majority of core ransomware operators do have a ransomware as a service component. That's very much the same case with Ragnar Locker, another very prominent ransomware group, and the reason I put Maze ransomware and Ragnar Locker together is because it was rumored that they actually were partners, they had teamed up and they were working together. But it turns out there was just a group that was leveraging the Maze ransomware and the similar tactics of Ragnar Locker, in terms of how they would deploy a virtual machine and then release the Maze ransomware from within that virtual machine in order to get past endpoint security tooling. And so a lot of these mixtures of different data points that are coming from all these different angles really muddy the water and make it difficult for any one actor to be pinned down for a lot of these attacks.

Now some of these other ones are definitely more segmented from each other, like Nefilim. There, it's pretty much, there's this one group, and they are this one group running this one double extortion site called Corporate Leaks. And so it's just one of these things that we have to watch evolve over time so we can really fully understand the nature of these groups and how large they are and how wide reaching some of their attacks could potentially be. But same sort of thing as what Maze and Ragnar Locker do: they just have their blog posts where they post information on their victims, essentially, and a lot of these sites are actually where they handle a lot of their communications as well.

So an interesting thing about that: if you're investigating a ransomware attack, definitely do not upload the text files that basically have the ransomware notes in them to VirusTotal, because that's something that we found very interesting: you can download all of these, and so if you go to a lot of these sites you can actually look through and see the conversations that organizations are having with these ransomware groups. So it's a big thing; if you're investigating these or your company is hit by ransomware, definitely don't go upload those notes, because then folks like us will take a look at it to learn more about these groups. It exposes a lot about their operations, in terms of just following up on how they do their negotiations and what they actually say when their victims are negotiating with them.

Which brings me to REvil, probably one of the more well-known ransomware groups that's out there, and they run this website called the Happy Blog. What I found real interesting about this one, the reason I chose this one in particular, is they actually give a little insight into how they run their operation. So up here they actually mention that for over a month the structure of the corporation's work, user services and cloud data storage were examined, and one terabyte of confidential data was copied as a result, and it kind of lists that data. So that's getting into more of what we're actually seeing now with these ransomware groups: a lot of them are gaining initial access through targeting internet-facing infrastructure. Most commonly, I would say, is Remote Desktop Protocol that's unsecured, doesn't have multi-factor enabled. They're using credentials that they've obtained from other breaches, especially if you have partnerships with organizations and you have shared access between organizations. Managed service providers are a big target for

them, because they can use that access usually to gain access to adjacent organizations. And that's the big thing with a lot of the stolen data: even though there's this gap in time before they post this information publicly, you have to understand that they are sharing this information within their inner circles and they're leveraging this data, they're getting their use out of it, before any of it is published here, and before they even often notify the customer and begin the encryption process. So there's this whole cycle that's happening before these victims are even aware that they've had these attackers in their network for often a significant amount of time.

Now Pysa, or Protect Your System Amigo, they also go by Mespinoza, and these guys have a pretty creative site. It looks kind of like an old Commodore 64 sort of terminal, and they actually give little advertisements for their victims here, and they refer to them as their partners. It's kind of creative, but these guys are still around, for sure.

Clop, another pretty well-known ransomware gang, and what's interesting about their site, as you can see there's a bunch of stuff fuzzed out here, that's where you can communicate with them, and there's other companies that are listed. But essentially they list down here that they've never attacked hospitals, orphanages, nursing homes, charitable foundations, and they will not go after these targets. So it was kind of interesting to see some of these groups actually post information like this, whereas other groups are specifically saying, no, we are going to go after those types of organizations because we know they will pay. That's something we're dealing with right now in terms of Ryuk.

Now Ryuk is not a double extortion group; they're not known to do the leaks and things like this, but they are known for moving incredibly fast through networks, often a matter of a couple hours to pivot and encrypt an entire organization, and they're one of the groups that have created some infighting within these ransomware gangs, in terms of they're the ones that are like, no, we're just going to go after whoever, we don't care. They specifically targeted United Healthcare within the United States recently, and over the past couple weeks they've specifically been targeting various hospitals across the United States. So it's kind of interesting to see some of these groups have some kind of standards and then other groups just do not care at all.

DoppelPaymer, another double extortion group, posting their leaks online. Sekhmet is an interesting one. They were extremely prolific; I would say just about every day or two they were posting new victims on their site, and now this site has actually been taken down, and it's believed that they have switched names and changed tactics quite a bit. So there's rumor that Egregor ransomware is actually the new variant of Sekhmet, but same kind of thing: they both run these data leak sites and post this information online. The interesting thing too with Sekhmet, or Egregor, is they also run on the clear net, so you don't have to use Tor, you don't have to use I2P or anything like that to gain access to their data leak sites, and I think that's part of the reason why they have so many hits. As you can see here, 28,000 views of this insurance organization's data set. So these data breaches are wide reaching and very publicly damaging to a lot of these organizations.

Conti is a neat one. This is a special one for us, because one of our threat researchers, Brian Baskin, actually was the first to discover this one and report on it. So he did the initial reversing and hit the ground running with this one, and at the time we didn't know this was a double extortion group; we thought this was just traditional ransomware, kind of taking some of Ryuk's components, because it was believed at the time it was the new variant of Ryuk. But interestingly enough, about a month after our write-up came out on this, we actually found Conti News, and they started posting double extortion information on their victims.

Now SunCrypt, very similar thing; they run their same sort of data extortion site, so nothing too interesting here, but oftentimes these ones that say "full dump", you can actually just download all of this data. So all of this is extremely useful for crimeware groups, because they can use this for all sorts of various purposes, which kind of brings us to looking at some of these

crimeware forums specifically. Now this is where a lot of the smaller operators will post their information, usually across various crimeware sites and hacker forums and things of that nature. So if you're looking at XSS or Exploit.in or RaidForums, which now is probably, I would say, one of the most prominent ones because of some of the high profile breach data that's been posted there, a lot of these are going to be these smaller actors that are maybe using a ransomware as a service or something like that to commit their crimes, and they're usually just a single individual that's running with some of these attacks.

Now getting back into Maze, this was actually a couple days ago, I should have updated this, but on November 1st they actually announced that they officially closed the Maze project. And it's funny, they actually call out how the media referred to them as the Maze Cartel, how it never existed, how they were not this massive group. But it really shows that problem with attribution; us as an industry, we always want to have a name to put to things, we want to have someone to tie to these nefarious things, but at the end of the day oftentimes it is these small actors who managed to just create a service that's very useful to a lot of different people, so it seems much bigger than it is. But yeah, Maze, the Maze Cartel, has quote-unquote officially ended their reign, and the funniest thing about this is they said they stopped due to the fact that they were just trying to prove organizations had vulnerabilities, essentially, which, we all know, they made millions off of these attacks. I wonder if they just got spooked, maybe hit some larger, more well-funded companies, or larger companies with more well-funded security teams, and maybe got spooked and decided to close out. But still real interesting to see some of this news come out and the impacts that this can have.

Now getting back into how some of this information is used: credential stuffing is a significant component of these attacks. Almost all of the ransomware, and just various other types of malware that we look at, is going after sensitive credentials and exfiltrating this data. Now this information is used to gain access to personal accounts, to other companies, and things of that nature. Oftentimes, if you have a relationship with another company, one of the things we'll see them do is start leveraging credential or conversation hijacking, and especially with Emotet recently this has made a significant resurgence. Essentially what this is, is they will compromise Office 365 directly, especially orgs that don't have multi-factor configured, and then they will go through and find these historical conversations that you might have had with a different company where you have this trusted relationship already, and they simply start rekindling these conversations and ultimately send a payload, usually in the form of a macro-enabled document or something like that. But it's very believable. In these incidents we've looked into, they look at the cadence of discussions, they look at your wording, how you talk, and stuff like that, so it's not like these traditional phishing attacks we're used to; it's actually very targeted, something that most people, I would say, could be tricked by with some of these methods that they're using.

Now even more interesting, in some organizations that have more detailed segmentation in place, making it very difficult to pivot directly between nodes, they've actually resorted to pivoting using things like Slack and inter-office chat technologies, which is super interesting to see, but leveraging that same sort of concept as with email, just doing it inter-office within a single organization. I think part of the reason we've seen that so significantly now is because of the wide move to remote working, so a lot of people just aren't connected to the VPNs; they might not have to be, a lot of their information can be accessed through the cloud now, so it makes that pivoting and moving laterally to get to some of their end goals a little more tricky. But it's definitely been interesting to watch this evolve over this year.

Now some of the tools that are being leveraged: OpenBullet is one of the most commonly used credential stuffing tools that we're seeing, and it's pretty open. You can take any of these lists of credentials you've obtained, either from some of these dark net sites or from breaches, and you just load them into OpenBullet and it will go essentially try these credentials across a myriad of personal and commercial websites. So that's the most common one, and this is from some data that one of our partners, Digital Shadows, just put together a report around, so if you want to get more information on that I definitely recommend checking out the report. But one of these I found most interesting was SentryMBA, because it actually does image recognition for solving captchas directly within the tool. So pretty neat to have that capability, although it only will do simple captchas; it won't actually go to the more complicated like Google reCAPTCHA and things of that

nature um but still pretty interesting that they've kind of automated some of that capability because that is pretty impressive capability to see just within general crimeware tooling now for uh those sites where you do have the more complicated captchas to solve some of these tools get around it by allowing integrations to capture solving services i.e captcha outsourcing and so some of these i've just listed here although there's a lot more of these but essentially what they do is they outsource the solving of these to people in other countries that sign up to just solve captchas all day and it costs you know i'd say like around twenty dollars to do like two hundred thousand captions so

uh very uh economically feasible for these groups especially assuming that they can try you know hundreds of thousands of credentials without having to do anything themselves and they just come back and figure out what they got into and oftentimes it's going to be bank accounts and other means for them to make additional money so it's really a low cost and high return on investment sort of attack for these groups now that leads us into initial access brokers these are the groups that their whole goal and oftentimes is just an individual that does this but their whole goal is to gain initial access to an organization you know exploit them from the perimeter maybe fish them you know however means

they need to get into an organization uh and then map them out from the inside understanding you know how many nodes they have uh you know what their business is like you know how uh what their year yearly revenue is all of these kind of uh details that allow them to uh decide on a price for what they're going to sell this access into this organization for um what's interesting too is like depending on the actor a lot of these we've seen go for you know just between like a thousand and maybe ten thousand dollars for just that initial access and it's often going to be using a remote desktop protocol or ssh or sometimes they'll actually

deploy an implant and you can gain access that way through a c2 service that they have exposed um but it's not a new technique although it's something that um we've seen kind of really shift significantly this year and explode in popularity um you know this is one of the ones like back in 2008 or so is when like we really trace this back to like being kind of a new sort of uh technique for for individuals just compromising individual assets and using them as nodes for pivot points to move laterally and gain access to additional resources uh but now it's shifted significantly towards targeting organizations and then just selling access to these organizations for the purpose of

encrypting and ransomwaring uh their their contents now here's just an example of one of these posts this is someone selling access to a government institution in the united states um so they don't give too many details here it's one of these where you'd have to message this individual to find out more about kind of what they're selling here but this just gives you an idea of kind of some of these posts and some of the information that they're selling in terms of these initial access brokers um as you can see this one's going for almost 40 000 uh given the current price of bitcoin and they work through these escrows within these marketplaces as a means to kind of create a mutual

trust for each each party in a sort of very untrustworthy sort of ecosystem now i want to highlight one of these for this individual who's actually been arrested for doing just this just operating as an initial access broker this guy's name is andre turchin of kazakhstan and he's uh probably better known by his alias fx msp or otherwise he went by uh the invisible god on various sites um but his whole thing was just selling initial access he would do the initial exploitation gain access and then resell access to these orgs and it's funny it wasn't anything complicated or anything like that just rdp scanning and password sprays and then pivoting and backdooring backup solutions

and he was able to impact 135 companies across 44 different countries in the time he was active which was between 2017 and earlier this year and he was estimated to have made about 1.5 million dollars just by being an initial access broker and the main reason i think he was caught was he went after uh antivirus vendors uh he was he is the guy who is known for compromising three prominent antivirus vendors and he was selling direct access to their organizations and their source code for around three hundred thousand dollars and he did sell that to some individuals successfully so real interesting actor but it does show this is a very profitable venue for a

lot of these individuals now getting into the marketplaces you know this is essentially where a majority of these folks are going to operate especially the initial access brokers but there's also some that are specifically focused on only providing initial access and that's mostly going to be focused on individual nodes that are compromised so you're looking at more home user systems so getting back to kind of the traditional means of compromising systems for use as a proxy as opposed to compromising organizations for use and deploying ransomware and espionage and you know things things of that nature but the commonality between all of these is is it really comes down to either reputation or your ability to pay so if you're you're

willing to throw down a couple hundred dollars you can gain access to just about any of these marketplaces though the real kind of uh interesting ones are often only based on reputation so it takes a significant amount of time to get into some of these but uh this is one i found real interesting uh this one's called the russian market um as you can see here here's their sweet little logo and their login page once you gain access to this it's mostly a initial access kind of marketplace just specifically for for personal devices but over here you can see like they're listing them out by the country they have the state and city and then

they have the details of the operating system they list whether you have admin access to the host or if this is just going to be like you know some other user guest access or something but they're very cheap so if you wanted just a cheap little windows box to hop on and then pivot through for additional attacks i mean they're going for around five dollars pop now they're also selling ssh access which goes for about two dollars then they have steeler logs which are real interesting these are compromised websites uh they exfiltrate the logs from so you can do a lot of interesting stuff with those logs sometimes these are even network logs from a from a corporation they'll

often contain session tokens you know just general user information oftentimes usernames and passwords depending on the type of logs and it'll often tell you before you go into purchase any of these as well but they also sell paypal accounts and they have credit card dumps as well so the kind of standard stuff but for any good uh crimeware market there has to be customers right so what's interesting is this guy on amadeus mozart i guess they posted this this advertisement on one of these crimewar forums and i was just surprised at the marketing quality that went into this thing so it's actually a very nice little flyer advertising for just what we're talking about they want

to buy rdp access into organizations so they can deploy ransomware and that's their their whole thing um and if we scroll down they even highlight the different price points based on you know the different geographies that they're targeting so just kind of really interesting to look at kind of how some of these crimeware markets operate and you know what uh you know that there's there's these actual stores that are selling this type of information and there's quite a few purchasers of this data if you start poking around some of these marketplaces you'll see there's tons of posts going around just around this topic i mean initial access brokerage i would say is one of the top

most active kind of posts that we see on these crimeware forums today it's just every single day there's new organizations being posted for sale uh every single day now last thing i want to touch on is just the monitor money laundering component of this uh for these criminals to be successful and and for them to actually be able to make money off of this they have to convert their coins and they have to heavily rely on privacy coins um so majority of like crypto miners that you'll see and also just the general tumbling that happens after this money needs to be cleaned is going to be using the narrow now there are some rumors that have come out recently that

companies such as chain analysis can actually trace through monero and can actually uh you know put the end to end uh transactions um basically on a map so to speak so you know that i think is going to really change things for a lot of these crimeware operators and it really is going to change things for law enforcement as well because if that's true imagine what could happen if they decide to go back in time and look at all these previous transactions that have happened so once those rumors came out we saw a significant shift towards haven protocol um and so that's a significant one that we see ransomware actors leveraging right now and it is

very similar to monero um but it's one that they believe cannot be as easily traced but the big thing is for these for these actors to actually make uh make real world profits from this they have to uh pass these coins through an exchange of some kind and convert them to fiat currency you know whatever their local currency is and that's the point where you know often law enforcement will actually be able to tie some of these transactions to the individual and it becomes a point at which these these guys have more potential being caught so a lot of these groups that we're following oftentimes just have massive massive cryptocurrency wallets but they often leave a lot of that money in and just

continue amassing it until the point where they want to essentially disappear uh and so that's what we think happened with the maze group is they actually got to that point where they made enough money now now they're trying to get out of the game but overall the the last point i want to make here is just the fact that you know all of these kind of components uh that we we kind of sped through because there's so so much more we could really talk about in this regard but all of these different components make it very easy for someone who doesn't necessarily have the technical skill to pull off some of these attacks to get involved in this and actually

commit uh pretty significant and devastatingly impactful attacks without really knowing what they're doing so we took some general prices so just like averaging these out across what we saw across all of these markets i'd be very easy to go out and say purchase initial access to a midsize organization then rent a ransomware as a service so on average these go for about five thousand dollars uh in cryptocurrency and then you know all you have to do is go log in and drop the ransomware payload and let it do its thing uh you know and then just handle the kind of communications and talking with them after the fact to negotiate payment but really you know you can make a

significant amount of money with little initial investment so that's why i think we've seen such a significant shift to these industries uh because these markets are exploding rapidly and uh it's scary for us because it not only muddy's attribution makes that very difficult but it makes it so literally anybody can get in on this and actually become extremely profitable and cause some very significant damage so with that uh thank you all very much and appreciate you all sticking with me through those technical issues earlier on uh my apologies for that i i don't know how to computer um otherwise i'll be i'll be around in the chat all afternoon so if you if you all have any questions or

anything like that feel free to reach out and hopefully next time we can uh we can do this in person so thank you very much
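The credential stuffing and password spraying the talk describes (OpenBullet-style replay of leaked credential lists, and the RDP password sprays attributed to Fxmsp) leave a recognizable footprint in authentication logs: one source address tries many distinct usernames in a short window with a high failure rate, and the occasional success in that window is the account that was actually compromised. The following Python detector is an added example, not part of the talk and not code from any tool it mentions. The log line format, the sample lines, and the thresholds are all assumptions made up for illustration; the same logic applies to any source of login events that yields a timestamp, source address, username and outcome.

```python
"""Flag credential-stuffing / password-spray patterns in authentication logs.

Added example (not from the talk). Assumed, simplified log format, one event
per line:  "<ISO-8601 timestamp> <source ip> <username> <SUCCESS|FAIL>".
Thresholds are illustrative, not vendor guidance.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")

# Constructed sample log (not real data). 203.0.113.7 walks a list of
# usernames and lands one success; 198.51.100.4 hammers a single account.
SAMPLE_LOG = """\
2020-11-01T10:00:01 203.0.113.7 alice FAIL
2020-11-01T10:00:02 203.0.113.7 bob FAIL
2020-11-01T10:00:03 203.0.113.7 carol FAIL
2020-11-01T10:00:04 203.0.113.7 dave FAIL
2020-11-01T10:00:05 203.0.113.7 erin FAIL
2020-11-01T10:00:06 203.0.113.7 frank SUCCESS
2020-11-01T10:00:07 203.0.113.7 grace FAIL
2020-11-01T10:05:00 198.51.100.4 alice FAIL
2020-11-01T10:05:30 198.51.100.4 alice FAIL
2020-11-01T10:06:00 198.51.100.4 alice SUCCESS
2020-11-01T11:30:00 192.0.2.9 heidi FAIL
"""


@dataclass
class Event:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse log text into Events, skipping blank or malformed lines."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw) if raw else None
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Return {src_ip: summary} for sources whose sliding window of attempts
    covers at least `min_users` distinct usernames with a failure ratio of at
    least `min_fail_ratio`. Successes inside such a window are reported as
    likely-compromised accounts. Single-account brute force is out of scope
    here by design (it never reaches `min_users`)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans <= window.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "compromised": sorted({e.user for e in win if e.ok}),
                    "first_seen": win[0].ts.isoformat(),
                    "last_seen": win[-1].ts.isoformat(),
                }
                # Keep the widest qualifying window seen for this source.
                prev = alerts.get(ip)
                if prev is None or summary["distinct_users"] > prev["distinct_users"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, s in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {s['distinct_users']} users, {s['failures']}/{s['attempts']} failed, "
              f"compromised={s['compromised']} ({s['first_seen']} .. {s['last_seen']})")
```

Run against the constructed sample, only 203.0.113.7 is flagged (seven usernames, six failures, one success on `frank`); 198.51.100.4 is ignored because repeated attempts against a single account are a different pattern, and 192.0.2.9 is a lone failure. The cutoff to tune in practice is `min_users` relative to your normal traffic: a NAT gateway or VPN concentrator legitimately presents many users from one address, so this check is best applied per source after excluding known shared egress addresses, or keyed on other attributes the log provides.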
