
Ransomware and Egypt

BSides Cairo 2020 · 38:21 · 138 views · Published 2021-02
About this talk
Allan Liska examines the global ransomware landscape and its specific impact on Egypt. The talk traces ransomware evolution from early encryption-based attacks through the Bitcoin era, analyzes major campaigns targeting Egyptian organizations, and provides practical defensive recommendations including patching, phishing awareness, access controls, and threat monitoring.
Transcript [en]

So we're going to talk a little bit today about the state of ransomware in general, and then ransomware specifically in Egypt. Feel free to ask any questions. I apologize, my Arabic is very poor or non-existent, so hopefully you all can understand me, but feel free to stop and ask any questions. A little bit about me: I'm a threat intelligence analyst, which means basically I spend my days researching and understanding what the bad guys are doing and trying to help our clients, and the rest of the internet, understand that as well so they can better protect themselves. I co-authored a book on ransomware, and I think they're giving away a few copies of it, so hopefully you enjoy the reading.

Before I dive into specifically what we see as the situation in Egypt, I want to talk a little bit about the current state of ransomware. So we have this trend. For those of you that don't know, ransomware has been around since 1989, and the original ransomware worked as you'd expect today: files were encrypted, but in order to pay the ransom you had to send a check, and that doesn't usually work, because you can always stop that, you can get that money back. So we really saw the rise in ransomware attacks coincide with the rise of Bitcoin. Once you had essentially a currency that was effectively untraceable, though that's debatable, it became a lot easier to convince people to pay the ransom and actually keep that money. So we saw this big rise in ransomware from roughly 2013 through 2016, and then it dropped off precipitously in 2017 and picked back up in 2018 through 2019.

The reason for that was that the original targets of many ransomware actors were your grandmother and your grandfather, right? They were all people that they could convince with really badly worded phishing attacks and spam attacks, and they could get 500 bucks a pop, and that was great. But then Google, Microsoft, Yahoo kind of got together and said, hey look, we need to stop these attacks, so they did a better job of coordinating, sharing information and protecting their recipients from getting those emails. That meant that the attackers had to shift their focus, and the shift came more towards corporations. Corporations actually, in some ways, some corporations have fewer protections than home users in terms of email, etc. So they would turn around and hit businesses, and when you hit businesses you can start demanding more money. So we saw the ransom demand go from a couple hundred bucks to a thousand dollars, a hundred thousand dollars, even now in the millions. And ransomware is still among the most profitable types of attacks. So in terms of where you can make the most money if you're a bad guy, ransomware is where it's at, and there's nothing that comes even close to that. And so because of that there's been a heavy investment in underground markets, and by the bad guys, in producing better and more effective ransomware.

And now we've added to that extortion. So let's say that you're an organization: we were on your network, we took a bunch of your files, now if you're not going to pay the ransom, you have to pay us or we're going to publish all your files publicly. So the ransomware actors are adding new tactics and new techniques to do whatever they can to extort as much money out of their victims as possible.

Governments have been a huge target for ransomware actors. In the United States we've been tracking the growth of ransomware attacks against state and local governments; they've gone from a couple dozen a year to over 100 last year. And the thing about the attacks on governments is they tend to be really good at helping the ransomware actors not only make money but then sell their ransomware in the underground markets. So there are kind of two revenue streams. Aside from the actual extortion part of the ransomware, the ransomware actors also resell their service. So if you're a wannabe hacker and you don't know how you're going to make money being a hacker, you can go and rent the ransomware infrastructure for a couple hundred or a couple thousand dollars, use their infrastructure, go after your victims, and make money that way. And what we see in these ads in these underground forums, which people call the dark web, and I'm going to make people drink every time somebody uses that term, that's a whole other story, what's colloquially called the dark web, what we see is they'll advertise: look, this ransomware was used to go after Baltimore, this ransomware was used to go after this town in France, or whatever it is. Because these attacks generate a lot of press, even if the victim doesn't pay the ransom, the fact that it's all over the news means they can use it to try and sell their ransomware to other would-be hackers, so they can make extra money from that. Okay, I just turned off the mic, sorry about that. All right, you'd think after 20 years of technology we'd know how this works.

The other big thing that we've seen is rising healthcare attacks, and this is all over the world. The reason is that wherever you are in the world, whether it's the United States, whether it's here in Egypt, whether it's Australia, France, Spain, healthcare providers have a first priority of treating patients, and whatever they need to do to get back to treating patients as quickly as possible, they will do. And so healthcare providers have been a huge target, hospitals especially. If they can get into the network, they will deploy the ransomware as quietly as possible in order to impact patient care, because when they do that they know the hospitals are more likely to pay. It seems like an awful thing to do, but it's very effective if all you care about is trying to make as much money as possible. The other thing with healthcare providers that makes them an attractive target is that a lot of healthcare providers are stuck using older systems, in part because they don't have a big IT budget, but also in part because a lot of medical services run on outdated systems and contractually the healthcare providers can't update those systems. So I see this: I go to my dentist a couple times a year, my dentist is still running Windows 7 because the package that he uses for his office will only run on Windows 7, and he's not allowed to upgrade it, it has to be upgraded by the people that manage the package, and of course they never actually get around to upgrading it. And whenever I try and tell them, hey, you should really find a new package that's not running on Windows 7, for whatever reason my checkup is a lot more painful, so I just want to keep my mouth shut.

And of course, yeah, these are about the United States, but they're happening all around the world. You know, these are just publicly reported attacks, and this is a big problem: most people don't want to talk about being hit with ransomware, it's kind of embarrassing, right? And so we're relying on publicly reported attacks, but even then, just in 2019, in the United Kingdom you saw 202 attacks, in Spain 111, France 128, Canada 107, Australia 43, and these were just the ones that made the news, and that's only about 10% of the attacks that are actually out there. So that means that each of these countries has seen thousands of attacks, thousands of successful attacks, a year.

So who's behind the ransomware attacks? It's kind of stating the obvious that cybercriminals specializing in ransomware have continued to evolve their tactics. We see that these cybercriminals are making sometimes hundreds of millions of dollars a year from these ransomware attacks. A lot of that money is going back into buying exploits, going back into hiring better developers, producing better ransomware to make them more effective. So whenever Interpol or somebody arrests or puts out a warrant for one of these bad guys, they show pictures of them with the Maseratis and the nice houses and all that other stuff, and that's all true, but they also invest a lot of money in making their malware better. So they're not just helping the ransomware underground market, they're helping the underground market for developers, the underground market for other types of malware, etc. In general they're lifting up the entire underground market, which is bad for all of us that are trying to defend our organizations.

So we've already talked a little bit about the move from large-scale phishing campaigns to much more focused campaigns. So instead of seeing millions of emails being sent out, we see thousands of emails being sent out targeting specific industries. But they're also looking at other avenues of exploitation as well. Remote Desktop Protocol is a huge one. The recent Citrix vulnerability has been targeted heavily by ransomware actors, and we've seen them piggybacking on access through third-party providers, through managed service providers, etc. So if you've outsourced a lot of your IT functions, the ransomware actors will gain access to your managed service provider and then use that access to jump into your network, because we generally don't do a good job of securing our third-party vendors or sharing access with our third-party vendors and [...] machines at a time. So that is something that a lot of people don't understand: a ransomware attack these days is not just "I landed on one person's computer and encrypted it." When they get in the network, they're in the network for a couple of weeks scanning and understanding your network, oftentimes building a better network map than the people who are defending the network actually have, and they will use that access to make sure they can inflict the maximum amount of damage. So they'll install it on as many workstations as possible, or servers as possible, etc., and it creates a real problem for the defenders trying to stop the attack once it starts, which is why it's so important to be able to detect the initial entry rather than wait until the ransomware actually hits.

So according to one 2019 report, Remote Desktop Protocol as a method of gaining access actually overtook phishing for the first time; phishing plus RDP account for more than 54% of all attacks. Other ways that we've seen attacks: exploit kits and malvertising. We also see ransomware implanted in downloads, so "oh, download this free calendar app, download this free file transfer tool," things like that. So they'll put out a lot of fake apps, etc. That's another area that they're investing heavily in, figuring out how to fake certificates so that it looks like you're getting a signed version of code, and it turns out it's actually malicious.

So who are the current biggest players? We're going to look at four different ransomware threats right now that are kind of the big players here. Ryuk: Ryuk's the one you'll see most often mentioned, they've had the most amount of success. They began their targeted campaigns relying primarily on RDP for access; now they've started incorporating phishing campaigns, primarily relying on Emotet and TrickBot, and they use that to actually deliver the ransomware. Keep that in mind, because TrickBot especially is an information stealer, and so what you get is you have them sitting in your network for two weeks stealing a bunch of information and sending that out before they deploy the ransomware. So not only have they installed ransomware in your network, they've also gone ahead and stolen a whole bunch of data, and we don't know what they're doing with that. Again, Ryuk's one of the few that haven't done sort of the extortion, saying they're going to release your data, but they are collecting a bunch of this.

Sodinokibi, also called REvil, is a ransomware-as-a-service offering. They're very selective about who they let join the ransomware as a service; it costs ten thousand dollars US to sign up for their service. But while they've been very selective, they've also been very successful. It appears they're the same people who were behind GandCrab. So GandCrab, you know, famously retired last year after thousands of successful ransomware attacks; now, they retired at the same time that the FBI shut down their infrastructure and released the key to decrypt all the files, so I think it may have been a forced retirement. But they managed to come back with this ransomware, and it's being delivered, again because it's ransomware as a service, by multiple actors behind it: we see phishing, you see attacks through managed service providers, and other attacks through Remote Desktop Protocol.

Maze ransomware: they're in here because they've generated a lot of news. They're actually not very good at their job, they're getting better, but they aren't very good at what they do. They gained a lot of attention because of their extortion play. So in other words, what they've done is, again, they say if you don't pay the ransom they'll release your files, and they started doing that, they've set up a website, etc. It was interesting because they set up the first website in Ireland and they published the first sets of data. Well, then they found out that as powerful and as bad as ransomware actors could be, they're not as strong as the courts: an Irish court issued an injunction to shut down the website, and so the website got shut down. However, they re-set up shop in China, and I don't want to pile on China because China has a whole lot of problems right now, but no court in China has so far made them shut their website down. So for the victims who don't pay, they're now releasing their data there. If you ever want to check out their website, I don't recommend it, because we don't know what all they're doing there; it's called mazenews.com. They also, in case that one gets shut down, have registered a backup domain that they haven't made public yet, called newsmaze.com, because they're not very creative, I guess, if you ever want to see what kind of stuff they're putting up there. But the reason I say they're not very good is we haven't seen a lot of ransom collected by them, and by last count they have 27 victims listed on their website; this is as of a couple days ago, it may have gone up or down. That's not a lot compared to the kind of proliferation that Sodinokibi and Ryuk have in terms of their ransomware. So they get a lot of attention, they've managed to do a good job of making a name for themselves and getting their name in the press; that doesn't necessarily mean that they're actually very good at their job.

And then finally, FileCoder. FileCoder is not a fantastic ransomware, but it's still one of the most popular that's delivered every year. They've been active since 2014, primarily through phishing, although in 2019 we saw them going after vulnerable WordPress sites. They target sites in the US, Japan, Thailand, Canada, etc., so they're kind of all over the place. And this is just in terms of activity, this is kind of what we see in terms of activity for them. You can see there's much more activity for Ryuk overall. For [inaudible], another one that's been fairly active this year, they've had fairly steady activity; FileCoder, they're quite quiet and they have a couple of big spikes and then they go quiet again. So the next one is really interesting, and I don't like to make fun of ransomware actors because you never know when they're going to target me, but if you watch their activity, their activity comes almost exclusively at the end of the month, like they have to pay their rent and just suddenly realize they're short. So it's like, oh, I need money to pay the rent, so I'm going to go ransom somebody and get my rent money. I mean, don't get me wrong, I did the same thing in college, but I just worked a double shift waiting tables, I didn't install ransomware.

So let's talk specifically about Egypt. Egypt is a really interesting country, and in general Egypt's an interesting country, but Egypt and ransomware is a really interesting story. There was a whole lot of activity starting in 2017, and it then dropped off noticeably in 2019 and even into 2020. So the sort of big awakening in Egypt was that Egypt was one of the top 20 countries hit by WannaCry, so congratulations, I guess. So obviously WannaCry was really bad, it hit a whole lot of machines, over 200,000 machines were affected. And according to Trend Micro, in 2017 there were 3.9 million attempted ransomware attacks against targets in Egypt. Now, I like Trend Micro, Trend Micro is a great company, but sometimes I think they release statistics to scare people more than actually say anything effective. 3.9 million attempted attacks could mean 3.9 million phishing emails; that's not actually an attack, that is somebody sent you a phishing email, what are the chances that you actually opened it, etc. However, I think a better number is that in 2019 it was reported that five percent of all new STOP Djvu ransomware attacks were against targets in Egypt. So that's kind of interesting, because it ties in with November of 2019, when the Egyptian CERT reported a rise in ransomware attacks exploiting TeamViewer, and the attackers were using Djvu, which is a variant of the STOP ransomware.

So you saw the top four ransomware actors, the ransomware campaigns that we see out there; none of those are specifically targeting Egypt, but we do see that there is a lot of activity happening from the STOP Djvu ransomware. And that's a really weird one, and it's actually one of the more popular ransomware campaigns, because 60 to 70 percent of daily submissions to ID Ransomware are for STOP Djvu, but they just don't get a whole lot of attention or garner a whole lot of attention. So this seems to be a ransomware campaign that's specifically targeting Egypt and Middle Eastern countries, and not the broader world. They're very prolific, they release two or three versions of their ransomware a day, and they're really hard to track. It's really hard to track that you've been hit with the Djvu ransomware, because unlike other ransomware actors, where they use the same extension, so when your files are encrypted they'll get the same extension, whatever it is, they basically make up a new extension on the fly. So there are thousands of extensions associated with the Djvu ransomware, which makes it really hard to identify as Djvu without looking at the ransom note, without looking at the encryption process, etc. It makes it much harder to track down.

So Djvu is primarily distributed through compromised Remote Desktop Protocol servers and TeamViewer servers, as well as using adware, spyware and trojanized software downloads. Not a lot of phishing here, but if you're downloading illegal software or cracked software, etc., they may be a part of that. And here's the thing: the criminals behind STOP Djvu like to use RDP to get in. So I did a quick search in Shodan last night, or two nights ago, and there are 5,400 open Remote Desktop Protocol servers in Egypt, which is maybe one of the reasons why they're targeting Egypt, because there are a lot of open Remote Desktop Protocol servers compared to Libya, compared to Jordan, Israel; there are a lot more in Egypt than there were in other countries, so that may be part of why that's there. Same thing with TeamViewer: there were 1,279 that were publicly accessible, which means that basically anybody could have gotten access to them, and again that's a lot more than you saw in Libya, than you saw in Israel and in other places nearby. And this is just what Shodan found; if I were an attacker and I wanted to specifically target Egypt, I'd probably use more direct scanning methods. But that is something to keep in mind when you go back to your organizations and your companies, to say, hey, do we have any exposed Remote Desktop Protocol servers or TeamViewer servers? If we do, we should probably, at the very least, if we can't take them offline, enable two-factor authentication or something else to keep the bad guys away from there.

There's also been kind of an interesting reporting problem. So there are lots of groups that appear to be targeting Egyptian organizations for ransomware, but there's actually very little public reporting of attacks. So there are two reasons that could be. One is that everybody in Egypt is so successful (I'm sorry, hopefully that wasn't me) at defending their organizations that hackers are never successful; that's what I would like it to be. But knowing in general that people seem to be losing to ransomware, I'm guessing that most organizations just aren't reporting when they've been hit with a ransomware attack, and they're trying to keep it as quiet as possible. This is completely understandable, nobody wants to admit that, but if you share that information, and you don't have to share it with me, because I can't help, but if you share with other people, other organizations, through stuff like this, like BSides Cairo and other types of organizations, you can help other organizations protect themselves. "Oh hey, we got hit by this, I should let other people know that we got hit in this way so that they can protect themselves from it." That goes a long way to stopping the ransomware, which is ultimately what we're all trying to do here.

So how do you protect your organization? Let's start with backups. I know that's obvious, but that's the best way to ensure that even if all of your other defenses fail, you can actually still recover from a ransomware attack. So having good backups will ensure that. And then backups are only as good as your last test. I can't tell you how many organizations I've walked into that have said, "Oh hey, yeah, we thought we had backups, but nobody's tested them in three years and it turns out we were sending backups to a blank tape." So actually test that your backups are working and that you can recover from those backups. And then make sure that your backups are stored on a disk that's not easily accessible, whether that's a tape or whether it's a file server that requires an extra authentication login, because ransomware actors do look for backup servers and they will encrypt the files on the backup servers. So like one network I walked into, to help them recover, they had their backup server labeled "backup", and every system on the network could access it, no username and password, so of course all of their backups were encrypted, so that didn't help.

So you want to keep them out. Again, we know that they're going after Remote Desktop Protocol, we know that they're going after TeamViewer servers. Lock those down if you can. If you don't need to have them public-facing, then take them offline; if you have to have them public-facing, enable two-factor authentication. So the way these actors work is two ways. They'll look to see if they can exploit the service, so if there's a vulnerability out there, make sure that if they have to be exposed they're fully patched, and that should be sort of your number one priority; since you know the ransomware actors are going after that, make sure they're fully patched. But then they also will try and reuse credentials, so they'll troll the underground markets looking for lists of compromised credentials, and then they'll try those credentials against your Remote Desktop Protocol server, which is why having two-factor authentication on anything that's exposed is so important, because even if they are able to successfully reuse credentials, they won't be able to get past the two-factor authentication.

And then of course you want to look at phishing campaigns. So I highly recommend conducting regular phishing exercises within your organization. I know it's a pain in the butt, I know that no matter what you do there's always that one jerk that insists on clicking whatever email you send through, and there's nothing you can do about that person, and I get that. But for the other people that aren't that one person, running regular phishing exercises does work; make sure that people are aware of what the threat is. And I'm a big fan of the reward rather than sort of the name-and-shame, like you don't want to necessarily embarrass somebody because they clicked on the link; you want to reward the people that don't, or that reported it properly, or something like that. And simple rewards work really well, just kind of like an attaboy, or if you can get a t-shirt printed up, something simple and silly works really well and it reinforces positive behavior. If that doesn't work, then yes, bring out the bats.

Disable any unnecessary accounts and services. So ransomware actors rely on so many people having local admin access to their machines, because that allows them to move around the network. So if you can disable local admin access, and I know a lot of people will yell at you, "I need local admin access because I have to install whatever stupid thing I need to install on my machine that I don't really need," but if you can disable it, it goes a long way to shutting them down. Now keep in mind that a lot of ransomware will include exploits that will allow them to gain admin access to the local machine even if it's disabled, which again is where patching comes in; it's really important. Any other service accounts that can be disabled, disable them. And then ransomware actors really love to use PowerShell to move around, it works, so if you can remove PowerShell from all but the admin machines, it makes their job a lot harder. It doesn't mean they can't still move around, but it makes their job a lot harder. And they also use things like PsExec and other admin tools, so whenever you can remove those from machines that don't need them, it saves you a lot of pain and heartbreak and it makes their life more difficult.

And then understand what the current threats are. So understand in general the way ransomware actors are changing their activity. Twitter is a great place to keep up with that, because a lot of that information is out there and being shared. GossiTheDog in the UK is a big one who's published a lot of really good stuff; MalwareHunterTeam is another one that publishes a lot of really good information on ransomware, they'll let you know what the latest keys are. And so as much as I'd tell you, "hey, get Recorded Future and then you'll get all that information," you can get a lot of that from Twitter and following other accounts like that. And again, I highly encourage you all to share; if you're building a great community here, share this information with each other so that you all can help keep everybody safer.

And then it's important to take appropriate precautions. I don't want to be all doom and gloom, like, "oh no, we're all going to die, there's no way we could win," but it is important to be aware of what the actual threat is and take appropriate precautions. And then when you're trying to get funds: so I've been talking about things that don't cost a lot of money, other than maintaining a good backup system, but sometimes you want to implement things like, you want to put in Carbon Black, or you want to put in an advanced endpoint protection that will help with that. When you do want to talk to your leadership about "hey, we really need this service," you want to make sure you're talking to them in terms they understand, because they speak dollars and cents, not bits and bytes. So if you explain that "I can block this many IP addresses" or "I can stop this kind of attack," that's not going to mean anything to them. If you can say, "yes, if I implement this, I know it's going to cost us this much, but if we got hit with a ransomware attack that would cost us 3 million pounds," or whatever, then talking to them in terms they understand goes a long way toward helping get the budget you need to do what you do. And that's all I have. Thank you all very much, this is an incredible venue and it's great to see so many people here building this kind of community, so I really appreciate that. Happy to take any questions if anybody has anything.
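The hardening steps the talk lists (locking down exposed RDP and TeamViewer, trimming local admin, pulling PowerShell and PsExec off machines that don't need them) can be checked quickly on a single host. The PowerShell script below is an added example written for this page, not code from the talk or the speaker; it assumes a Windows 10 / Server 2016 or later host, an elevated session, and only built-in cmdlets.

```powershell
# Added example (not from the talk): read-only audit of the exposure points the talk calls out.
# Assumed: Windows 10 / Server 2016 or later, run from an elevated PowerShell session,
# built-in cmdlets only. It changes nothing; it only reports.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. RDP enabled? NLA required? (fDenyTSConnections = 0 means RDP is on.)
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings.Add('RDP is enabled; confirm it is not reachable from the internet, or sits behind a VPN with two-factor authentication.')
    if ($rdp -and $rdp.UserAuthenticationRequired -ne 1) {
        $findings.Add('RDP does not require Network Level Authentication (UserAuthenticationRequired is not 1).')
    }
}

# 2. Is something actually listening on the RDP port, and on which address?
$rdpListen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($rdpListen) {
    $addrs = ($rdpListen.LocalAddress | Sort-Object -Unique) -join ', '
    $findings.Add("Listener on TCP/3389 bound to: $addrs")
}

# 3. TeamViewer installed as a service? The talk pairs it with RDP as an initial-access path.
$tv = Get-Service -ErrorAction SilentlyContinue | Where-Object { $_.Name -like 'TeamViewer*' }
if ($tv) {
    $findings.Add("TeamViewer service present: $($tv.Name -join ', '); decide whether it needs to exist on this host.")
}

# 4. Who holds local admin? Broad local admin is what lets an operator move around the network.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$extra  = $admins | Where-Object { $_.Name -notmatch '\\(Administrator|Domain Admins)$' }
if ($extra) {
    $findings.Add("Local Administrators group contains: $($extra.Name -join ', ')")
}

# 5. Legacy PowerShell v2 engine still present? PowerShell itself cannot be uninstalled from
#    modern Windows, but the v2 engine is an optional feature and is the part worth removing
#    from non-admin workstations (it lacks the logging of newer versions).
$psv2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2' -ErrorAction SilentlyContinue
if ($psv2 -and $psv2.State -eq 'Enabled') {
    $findings.Add('PowerShell v2 engine is enabled; remove it with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2.')
}

# 6. PsExec lying around in the usual places? The talk suggests removing admin tools from
#    machines that do not need them.
$roots  = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$psexec = Get-ChildItem -Path $roots -Filter 'PsExec*.exe' -Recurse -Depth 2 -ErrorAction SilentlyContinue
if ($psexec) {
    $findings.Add("PsExec found at: $($psexec.FullName -join ', ')")
}

# Report. An empty list means these six checks passed, nothing more.
if ($findings.Count -eq 0) {
    Write-Output 'No findings from these checks.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it per host (or push it through your management tooling) and feed the findings into the same conversation the talk recommends having with leadership: each line is an exposure the ransomware actors described above are known to use.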

[...] was actually what we call a ransom worm, and the way it moved was it replicated itself across the network. Most ransomware doesn't do that; sometimes it does, but usually it relies on, like, your Active Directory controller or something like that to distribute ransomware throughout the network. So WannaCry was completely automated. We think, so everybody's pretty confident, that the North Koreans were behind it, using an exploit they stole from the NSA, so congratulations, joint North Korean-US operation. We think that they released it earlier than they intended to, and they didn't realize how successful it was going to be. So it had worm capabilities; most ransomware doesn't. In fact, most modern ransomware requires manual intervention; that means the ransomware operator is sitting in the network and they decide when they're going to deploy it. That's not always the case, but that is the trend.

[Audience question:] Listen, in those cases when you get hit, you have to debate, like, do you pay them? Like, what are the odds that they will actually give you the keys? How often does it happen?

So it's interesting: most of the time they will give you the keys. Whether or not you can ever fully decrypt your files, that's a whole other story, because a lot of times they won't decrypt for a variety of reasons, but the ransomware actors don't want to get a reputation for not giving people their files back, because that's bad for their business. And I know that you're thinking it's weird, but if they want the next organization to pay, they have to be able to do it. So I've actually been with victims post-attack where the consultants that were there were in a chat conversation with the ransomware actors for five hours trying to troubleshoot a problem, because they couldn't get some of the files to decrypt, and the ransomware actors were, "here, try this," or "here, try this," or "here, there's an update."

[Audience:] It's like customer service there, right?

Yeah, exactly right. And you'll see that many of these, they do have chats and they have other ways of customer service, because they want to make sure they do it. Now I'll tell you that one of the things that I found is a lot of the ransomware, they can't decrypt large files. So I was working with one town in the United States that got hit, and everything got decrypted, they paid the ransom and everything got decrypted. What they couldn't recover was the body cam footage; so some of the police in the United States have cameras they keep to track traffic stops and things like that. None of those video files could be recovered, because they were too big, and basically that's a limitation in Windows: anything over four gigs in size couldn't be decrypted, and there's nothing that can be done about that. But most of the time they will try to help you make sure that your files get decrypted. All right, well, thank you all again for your time.