
Ransomware-as-a-Service: demystifying a multi-billion dollar industry

BSides Prishtina · 2022 · 33:02 · 249 views · Published 2022-05
About this talk
Isuf Deliu examines Ransomware-as-a-Service as a sophisticated criminal enterprise, exploring its operational structure, evolution from individual malware to organized syndicates, and real-world tactics. The talk covers extortion mechanisms (encryption, double and triple extortion), major groups (Conti, Lockbit, Pysa), incident response phases, and practical defense strategies grounded in threat intelligence and cyber hygiene.
Isuf Deliu - Ransomware-as-a-Service: demystifying a multi-billion dollar industry - BSides Prishtina 2022. Ransomware has become one of the main keywords in the cyber security world in recent years. While it has been around for more than 20 years, ransomware today has reached a level that many security professionals consider an industry of its own. Ransomware operators look very much like a legitimate organization, with employees on their payroll, suppliers to facilitate their operations, and partners to maximize their profit. They have an HR department to handle recruitment and employee vacations, a Finance department to manage their expenses, and an IT team to set up their infrastructure. Unlike in the movies, these groups consist of tens or hundreds of cyber criminals and are making billions in revenue. Despite their notoriety, there is still insufficient awareness of their capability, intent, and targets. Many decision-makers believe that their company is not on the "list" of desired targets. Recent trends, especially after the outbreak of the Covid-19 pandemic, have proven the contrary: ransomware attacks have skyrocketed, targeting even entities that one would not expect. This presentation sheds some light on the Ransomware-as-a-Service (RaaS) operational model. It is a short walk-through of the stages of ransomware's evolution, from a virus developed by an individual and spread to medical researchers via floppy disk, to a sophisticated operation run using Initial Access Brokers and Affiliates that has in recent years paralyzed the operations of many organizations worldwide. The difference between simple encryption, double and triple extortion is explained. The presenter balances strategic and operational/technical details and shares real-world references to the main ransomware groups (Conti, Lockbit, Pysa, etc.) and their Tactics, Techniques, and Procedures (TTP). This includes screenshots of their activity on the Dark Web, such as recruitment of new members and sales offerings. The level of detail of this presentation can be adjusted to the audience, with the main goal of raising awareness in the security community in Kosovo about the threat that ransomware poses both globally and to the enterprises and public institutions in Kosovo.
Transcript (en)

Good afternoon everyone. I gave my presentation a fancy title, but I promise I'm going to talk more about cyber than I'm going to talk about money; my talk is going to be about ransomware. Briefly about me: I'm a local guy, I grew up and spent most of my life here in Prishtina and then moved to Norway six or seven years ago. I have a bachelor's from the University of Prishtina here, computer engineer by background, and then specialized in cyber security; I have a master's in information security. I have more than five years of work experience. I started as a software developer and then slowly moved to security. I'm a consultant at KPMG, which means we do a lot of things within security,

but I specialize in incident response and threat intelligence. I'm going to explain briefly what they mean later on, but if you see me at the company it's usually either too good or too bad: it's either positive news or negative news, there is no neutral in between. So either the company is doing really well and trying to be proactive, or the company has been hacked. How to reach out to me: I'm on almost every social media out there, but professionally I like LinkedIn, so if you want to reach out, let's be friends on LinkedIn and we can learn a lot from each other. I want to start my presentation with

this famous quote from one of the Greek philosophers that says the only constant in life is change. This is very much true about all the fields of technology, but also true about cyber security. We are living in a world where things are changing a lot, they're changing constantly, things are becoming more complex. In the very beginning of technology, if you will, of the internet and computers, not that many people, if any, talked about security. Security was not the thing; technology was built with functionality as the design goal, so it was a tool to utilize, to facilitate our daily life, but not that many thought about security. As years pass by, as we can see even

today, cyber security is a really important topic, and as we can see with the events in Ukraine and also with the pandemic, cyber is something we have to take care of really carefully. In the beginning we had concepts like perimeter security, for those that remember, which assumed that everything within our yard, everything we find within our house, is trusted and anything else is not, and we tried to protect our environment by just assuming that everything inside is trusted. That worked for some years, but it doesn't work anymore; it's not effective anymore. You can no longer just think about yourself when most of our data is in the cloud and we have

little to no control of the cloud. We cannot think just about ourselves when we have vendors and suppliers that we have no control over. Simply, the situation today is way more complex, so we cannot think about traditional approaches. That's why, as in one of our talks today, we have zero trust today and all those advancements. But as things advance, so does the threat actor, so the hackers also advance. So how do we keep up with all these changes and make sure that we are protected? One of the ways to do this is through the so-called cyber threat intelligence, which is a field or a domain in cyber security adopted from the military, the intelligence

services; you have all seen the movies, the CIA movies, so the concept is adapted from there. This has been a field for quite a long time, but it got momentum around 2008 to 2010, after this big Chinese operation called Aurora. A lot of companies started to investigate the hack there and also started to share intelligence with the community, and that's when they realized: wait a bit, the best intelligence is the one you get after an incident response, and not something that you'll find in the intelligence agencies somewhere in a safe deposit. There are a lot of definitions of this, but basically this is information which is

processed, validated and then, when it's put in the right context, is going to help you to protect yourself from a harmful event. Personally, I put this slide here because I'm a huge believer in the concept that is called cyber threat intelligence informed cyber security, and security services in general. Basically, the best defense is the one that is driven by understanding the threat actors, these hackers; that's the best way to do it, and this can be applied to all the fields of cyber security, whether that's security training, whether that's risk management, whether that's incident response, detection, penetration testing, etc. So in everything, you have all the recent updates from the

threat actors themselves. One of those things that I want to update you on today is an attack that is called ransomware. I assume most of you know what ransomware is, but briefly, it is a piece of software that encrypts your files and renders them unavailable, and then it demands a ransom in order to get access back to the files. As a concept it is by no means new; it has existed since at least 1989, when at a conference like this, organized by the World Health Organization, one smart guy decided to spread ransomware to around 20,000 researchers via floppy disk. We are talking more than 30 years ago; by no means was that

sophisticated. For those that are into cryptography, that was symmetric encryption, easy to decrypt, but yet again this is 30-something years ago, and also the demand for ransom was pretty low compared to today; it was around 200. But this is the event that we use as a starting point for ransomware. For a period things were a bit quiet, not that much going on, until 2010, when hackers, I like to call them threat actors, started using this fire-and-forget method, which is basically: automate your attack as much as possible, target as many victims as you can, and maybe some of them will fall. It worked to some degree, but yet again

there was no customization there; you were just trying to target all the companies in the world, the ransom demands were not that high, so ransomware was not well known yet in this period. Going further into 2015, these groups then realized you need some sort of hands-on activity in order to succeed, you need some sort of customization. That's when we started the period that is called post-intrusion ransomware, when they started to use the command and control server to give commands to and receive from the actual environment that they had hacked into. Of course it meant that the attacks were more successful, but also you could target fewer companies, as you needed more hands-on people.

And then we go to maybe the biggest development in ransomware, which I'm going to talk about briefly right now, which is ransomware as a service. These cyber criminals realized: well, why don't we just operate like a normal business does? No company in the world operates alone; they delegate parts of the operation to others, they have partners, they have suppliers, so why shouldn't we do the same in the cyber community as well? So this is ransomware as a service: basically they have subcontractors, they delegate part of their attack to others and then get the revenue. This of course means that the big bosses are going to be away from the actual operations, less likely to be

caught by the law enforcement agencies, and therefore more likely to be working for longer periods of time. And lastly, the period that we today call name and shame: in the last two or three years ransomware groups became even smarter and they said, well, wait, we're just encrypting the data, why don't we steal it first and see what happens? So they're demanding payment both to decrypt the data and also to not release it. There were some questions about GDPR in the morning; this is when GDPR comes into question. One of the reasons why they're stealing the data is that the companies have more pressure to pay the

ransom because of the data leakages. Back to the movies: if you watch movies with hackers, with attackers, basically they are a single man working in the basement wearing a hoodie. This is far from reality. This picture shows an entire ecosystem, all the main actors that work in a ransomware group, with the main guys being the so-called ransomware-as-a-service operators. These are the top management of a company, these are the big bosses. Like any other company, they have their own departments. They have a development team, the people that actually develop the code and make sure that it is as undetectable, as sophisticated, as destructive as possible. Of course you also have the testing team,

which makes sure that things run normally. They have an HR department; they do recruitment. Those people are just people at the end of the day, they have Christmas, they take vacations, so of course they have to apply to the HR department to take vacation. They have a finance department dealing with finances, and so on and so on, basically like a normal company. They have IT; no company can exist without IT. They need an infrastructure, they need servers, they need websites, they need everything else, so they have a department for that as well. But what makes the difference here are the next two actors, with the first one being initial access brokers, which

is a subset of groups, a smaller group specialized in just one thing, which is getting initial access into an environment, a company, and then selling that access to the bigger guys. There are some that choose to work with just one ransomware group; others just sell it to everyone, to make as much money as you can. The next, affiliates, are also a subgroup of criminals, but now specializing in the other part of an attack: initial access brokers get the access, affiliates are those that actually perform the attack. These are the people that deploy the ransomware. As you can see, the operators are far back, they're not on the battlefield, so

if one affiliate gets caught, if an affiliate group gets caught by the police, they basically just replace them and they keep their operation going as normal. Two other concepts: negotiators. After they ask for a very high ransom, usually companies refuse to pay, but if they do pay, they want to negotiate so they don't pay the whole sum, so they have people that are actually good at negotiating and at paying in Bitcoin and all those technicalities that should be done. And last but not least, money launderers. These people make millions, if not billions, and they have to do something with the money, so they have specialized people that do the money laundering.

So as you can see, far away from the movies, far away from a single man, these organizations, if I may call them that, have hundreds of employees on their payroll. This is just a demonstration of how initial access brokers actually work, and how, if we actually monitored the operations, we could have prevented certain attacks. On the left side you see a timeline: on February 16 last year some initial access broker says that they are selling access to a billion-dollar industry. As you can see here, I guess it's hard to see, it's in Russian, but it says RDP and one million, and then you have the cost over there.

Two days later the access was sold. Another two days later, this ransomware group called DarkSide claims to have compromised this American company called Gyrodata, which then, days later, confirmed that they were compromised between the 16th and the 22nd of February 2021. I haven't analyzed this, but I believe the source that I got it from. But imagine if this initial access broker was monitored there and the company actually did something to block this access. And again it shows how effective they are: within days they get access, deploy ransomware and whatnot. Some numbers for those that are fans of numbers: on the left side

I've put the numbers of victims for the last year, and when I say number of victims, it's the companies that refused to pay and whose data was leaked on those extortion sites. So ransomware groups have these extortion sites where they leak the data if the companies fail to pay. It's a long list; the top three ransomware groups, at least by the number of victims disclosed for last year, were Pysa, LockBit and Conti. If you do the math, these three combined have more than one thousand victims on those extortion sites, and the total number for last year, at least for some of the main groups, is more than 2,500

victims. One can just imagine that maybe the majority of the victims refused to pay, so the number of victims of ransomware is even higher. On the other side you see the same numbers but divided by time, over the last two years, January 2020 to December 2021. As you can see, the number of victims initially was relatively low, and then around June or July something happened, and the number has been high since and it's not expected to go down. You can maybe imagine what happened back then: the famous corona happened. And again, any global event that happens in the world is going to affect the cyber criminals.

All of a sudden companies were forced to have their workforce working remotely, open some ports, expose some services, and they did this in a sort of uncontrolled manner: let's just give this guy RDP access to this server so he can work from home, he works in IT, we know him, he needs that access. But this led to an increased number of ransomware attacks worldwide. I'm not sure if you can see it, but I'll continue with the numbers briefly: how much companies pay in ransom. These are the data for two years, and of course the ransom payment depends also on the size of a company, on location and all whatnot, but

on average, at least for last year, 2021, companies paid around half a million dollars in ransom. Of course this is not the actual amount that these groups were asking for; usually you're able to negotiate these terms. But one can see that if you compare these numbers to a year before, the numbers are actually doubling year by year. On the right side you just see some of the most known ransomware attacks for the last year and the amount of money that the companies actually paid, and you see there 50 million, 40 million, 11 million. Do your math: a few such attacks per year for these groups, and you see how fast they will

reach a billion dollars in revenue. I wish you could see this, but Daniel, we had this discussion about the ethics of these groups and how they work, and how much the people that work in these ransomware groups actually know what they're doing. Even though you don't see this, this is from Conti, one of the groups that was on the top of that list, a group that's believed to be operating with, or be linked to, Russia. This group decided to take a stand when the war in Ukraine started, and they said there would be support in Ukraine, but unfortunately for them they had one Ukrainian team member

who didn't like what their bosses were doing, so he, or she actually, leaked their data, especially chats, and for us researchers that was a gold mine, because that's what we wanted, to understand how these people actually operate. One of the things you could have seen on this slide is how HR talks to a potential guy that they were recruiting. They say, do you know what we do? And basically the guy says, well, not exactly, but something that is not completely legal. So basically they know that they're working on something that is illegal, but I don't think, at least the smaller fish, I don't really know if they know the extent of the work they're

doing. Basically they're being hired by a company that says, well, we need this big strong encryption and it's not completely legal, but I don't think these people go further into analyzing what they're actually doing. In the same group, the management is also not that transparent to the employees, same as most of the companies there are, and you see chats of people talking with each other saying, wait, we're using the same tool as this other group, aren't they the same? So there is a lot of question and discussion here. A lot of these people, some of these groups, work for a fixed amount of money or a percentage, or

some others just get paid a fixed salary. For example, for Conti there are a lot of sources saying that these people get paid $2,000 per month; in Russia that's quite a good salary. Anyway, my goal was to get you familiar with a ransomware attack and why it's relevant and why it's working today. Another part of my job is incident response. This is when people, or companies, actually don't like seeing people like me; it means that it has hit the fan. It means the company is hacked and they have no idea what to do, and they call people like me.

I'm going to go briefly through the whole process and give you some of my personal advice or experience. I'll start with preparation. I've left a slide in, as we had a question about what to do if you're hit by ransomware, to prevent ransomware. The first phase is preparation, and usually it is the phase that gets neglected the most. It is basically what you do to make sure that you prevent such attacks, but also what you do to make sure that you respond to them in the most effective way should they happen. I'll go into more details on the others. Detection is how you know that you have been infected with ransomware.

Ransomware is pretty verbose, I would say, as an attack, and you will realize pretty fast that you have been attacked by ransomware. Basically it's Friday afternoon, people want to send their last emails or do their last modifications on their files, and all of a sudden things stop working. That's one way. Of course the IT department gets a lot of calls: things are not working, the website is down, this and that. So that's one way. Another way is through ransom notes: these groups put some files on these compromised environments where they give details about the attack, and they say you should pay this amount into this account, and

etc., etc. So that's one way. Another way of knowing that you have been a victim of ransomware, a third one here, is the ideal case: you have some detection rules in place and those detection rules trigger. Let's say you have a detection rule that's going to trigger an alarm if your Exchange or email server is all of a sudden going to send 10 gigabytes of data to an IP in Russia. You have no business in Russia, why should the mail server be communicating with Russia? And then you start investigating, and at some point you realize that you have been a target of ransomware. Analysis: this has two main goals.

The first one is to know what kind of ransomware variant you have been hacked with. You know, there are a lot of brands, a lot of groups, all of them have their own uniqueness; knowing how to respond is also based on knowing what you're responding to. So the first thing you do is know what kind of ransomware you are talking about. Usually, if you see the file extensions of the files that have been encrypted, you do some googling and within seconds you're going to know what kind of ransomware variant we are talking about. The second phase is determining how we ended up there, doing some initial root cause analysis. There are a lot of ways these hackers could get in,

but I've listed here four scenarios, with the first three being internet-exposed services. In the first two you have valid credentials as the way in: you can either do phishing to get valid credentials, or do password cracking or guessing, as it's called, or you can even buy those credentials somewhere on the dark web. The third one is a vulnerability in those exposed services, an unpatched vulnerability. And the last one there is basically a phishing email with a malicious attachment which is dropped as malware in the environment. Of course there are other ways, these are just examples, but it's important when you're investigating to try to

understand what kind of initial root cause you're talking about. It's not always easy; sometimes you will never find the answer, you may have no time and budget to go back in time and try to figure out those things, but this is the purpose of this phase. The next three phases, which are usually grouped together: the first one is containment, which is stopping the bleeding. If you're talking in the physical world, let's say you have a car accident, the ER services go there and the first thing they do is quickly realize what's going on and try to stop the bleeding of the patient, otherwise the patient is going to simply die. So this

is the phase when you try to stop the ransomware from spreading further in your infrastructure. Just because part of your infrastructure is infected, it doesn't mean that your whole infrastructure is infected, so try to isolate whatever you can. This is also the phase where a lot of people make mistakes. If I ask you what you do if you're sure that your computer is hacked, I'm pretty sure most of you are going to say, well, let's unplug the cable, shut down the computer. Well, that's a way of doing it, but definitely not the way that we recommend to our clients: by doing so you're going to lose a lot of artifacts that are going to help

you in the next phases. You're going to lose all the data that is in memory; you might have the encryption key in memory; there is a lot of malware that runs just in memory; you literally lose a lot of data from memory, and you lose a lot of data from the network. So basically don't unplug the cable unless someone that knows what they're doing says to do so. The best way to do this is to just disconnect all the infected devices from the internet. Of course there are a lot of practicalities there; this is where network segmentation comes into place. In the ideal case your environment has different zones and you know that one

zone is disconnected, you have one switch, and then you go and unplug the switch. But of course in practice, not only here but all over the world, companies are not that advanced yet, so you're going to see a lot of things and you have to do a lot of tweaking there and try to come up with the best output based on that. This is a critical phase, this is time-sensitive, this is the phase when everyone starts yelling at you, they have no idea what they're doing, especially big bosses that have no idea about technology, the decision makers; they're like, we want to be back, our services have to be back, our website has to be back. Sure, but we need

to, we all have to be... So this is a really stressful situation, so you have to be quite patient with those people and try to explain to them that things have to wait. The next one is eradication: you know which systems are infected, you know the ransomware, you have to make sure that you start removing the ransomware from the infected systems, and you have to make sure that you remove the ransomware from all the infected systems, whether those systems are in the cloud, endpoints, servers, whatnot. It can be a lengthy process but it has to be done. And the last phase within this group is recovery, going back to normal. This is when companies ask, should we pay

the ransom? And we say no. But then they don't have backups, and we tell them, why don't you have backups? But it's actually too late to talk about what they don't have and what they do have, and they're like, well, we'll do what we can. In the ideal scenario they have backups; we just need to make sure that the backups themselves are not infected and we restore from the backups; that's ideal. Another one is if you can find a decryption tool, if you can decrypt the algorithm, that's another way. The other one is basically do nothing, get a clean OS and hope for the best. And the last one is pay the ransom. I hope you never get to that

stage, but that's a way to do it. The last phase, also often ignored: lessons learned. Companies got hacked, they investigated the ransomware, somehow paid a lot of millions, and they're happy with it because they're back to operations. They never sit down to discuss: did we actually do it well? Did we pay too much? Do we need something more? What can we learn from this? And they just keep going the old way, and of course things can happen again. So lessons learned is not just a phase that you learn about in the books; in practice it's really important to make sure that things don't happen again in the future. I left this slide for the end, as I was

not sure how much time I have, and I have no idea how much time I've spent. But when it comes to preparation, the most important phase maybe, there are a lot of things you can do, and a lot of those things are pretty simple. There's no artificial intelligence there; it's just simple cyber hygiene. If you go back to the days with corona, a lot of controls, at the end of the day, were like: do your hygiene, make sure you clean your hands. We say the same thing in the digital world as well: do some cyber hygiene. The first control is asset inventory: know what you have, where you have it, who's the owner, what it is used for.

Just imagine you're investigating a ransomware attack: where do you start, which servers do you start investigating first? If I go to your company and ask where I should start and you have no idea, you don't even have an Excel list that tells me all the servers and what they do, I'm going to pick something, and most likely it's going to be fine, but I would rather have you know what you have, because you're the owner of your infrastructure. The second one, patching: a good amount of these attacks happen because of vulnerabilities. Yet again it's easy, but not so: a lot of companies have vulnerabilities that are years old, they simply don't have the time or, I don't know, the resources, and simply

there are a lot of vulnerabilities that are being exploited. Password policy: you all know what a strong password is, yet again in practice this doesn't apply; maybe IT itself wants to have admin/admin as their credentials, and of course they get hacked. So make sure that there are strong passwords all over your organization, and that passwords that are known to be leaked are not used. This applies to everyone in your organization; there is no exception for IT or anyone else. MFA, with a strong password, is one of the best controls: use multi-factor authentication whenever you can, it's going to help you a lot. Segment your network, I briefly talked about this: make sure that

you limit your damage to one zone or two zones, make sure that the ransomware doesn't spread to your whole organization. Backups: I cannot stress how important this is. When it comes to whether you should pay or not, backup is the solution: if you have the backups, you simply don't pay, and save yourself some millions. Most of the others are technology-based; one thing not a lot of people talk about is the human factor in security. For years we have believed that security is a technology problem that is going to be solved just by technology. That's not completely wrong, but it's not completely accurate either: invest in all the best technologies in

the world and you're still going to have one stupid guy on your team that's going to click on the phishing link. Well, sorry, you neglected people. So we need to spend time educating our staff to understand what their role in security is; they all play a role, they should be part of the team. So user awareness, user education and stuff like that. Dark web monitoring, we're going into more advanced terms here, but this initial access, these things get sold on the dark web, and I talked with some of you about these kinds of things being sold on Telegram and other sources. It doesn't have to be the dark web, but monitoring these kinds of sources that are

being used by cyber criminals is also a good control. Intelligence-based security, which is what the first slide was talking about: understanding how these threat actors work, what kind of tools they use. Let's say one of those groups uses this tool, Rclone, whatever, for exfiltrating the data, and you see that tool in your environment and you have no idea what it is; but if you knew that the tool is used by this group for exfiltration, it could have stopped the group from stealing the data. So this is knowing yourself, but also knowing the hackers: if you know that you don't use the tool, combined with knowing that some group uses the tool, why don't you simply make

a detection rule or a blocking rule, and some of these things are solved. Lastly, incident response plans: worst comes to worst, you get hacked, who do you call? In the physical world we all know the number of the emergency services. You get hacked today: who do you call, what is the number? You have ten seconds. How do you talk to your employees if the email is not working, how do you communicate? Things like that should be part of your incident response plan. I think I have used my time; that was all for me. Thank you very much.
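The volume-based detection rule the talk describes, a mail server suddenly pushing gigabytes to an IP in a country where the company has no business, written out as an added example that is not part of the talk or the speaker's material. The flow records, host names, IPs, countries and the static IP-to-country table are constructed stand-ins; a real deployment would feed it netflow or firewall logs and a GeoIP database.

```python
"""Added example (not from the talk): alert when a watched host sends more than a
threshold of bytes within a time window to a destination outside the countries
where the company does business. All data below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed flow records: "timestamp,src_host,dst_ip,bytes_out"
SAMPLE_FLOWS = """\
2021-02-19T21:02:11,mail01,203.0.113.7,2147483648
2021-02-19T21:10:40,mail01,203.0.113.7,4294967296
2021-02-19T21:15:03,mail01,203.0.113.7,5368709120
2021-02-19T21:20:55,mail01,198.51.100.9,734003200
2021-02-19T22:05:12,web01,203.0.113.7,1048576
2021-02-19T21:30:00,mail01,192.0.2.44,52428800
"""

# Stand-in for a GeoIP lookup (assumption: a real rule would query a GeoIP database)
IP_COUNTRY = {"203.0.113.7": "RU", "198.51.100.9": "DE", "192.0.2.44": "XK"}

# Policy knobs: where the company does business, which hosts are watched, and the
# talk's example threshold of 10 GB from a mail server
ALLOWED_COUNTRIES = {"XK", "DE", "NO"}
WATCHED_HOSTS = {"mail01"}
THRESHOLD_BYTES = 10 * 1024 ** 3
WINDOW = timedelta(hours=1)


@dataclass
class Alert:
    src_host: str
    dst_ip: str
    country: str
    total_bytes: int
    window_start: datetime


def parse_flows(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Parse the CSV-like records and return them sorted by timestamp."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(flows)


def detect_bulk_egress(text: str) -> List[Alert]:
    """Sliding window per (src_host, dst_ip): raise one alert per pair as soon as the
    bytes sent inside WINDOW exceed THRESHOLD_BYTES and the destination country is
    not on the allowed list. Unknown geolocation is treated as not allowed."""
    alerts: List[Alert] = []
    buckets: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    already_alerted = set()
    for ts, src, dst, nbytes in parse_flows(text):
        if src not in WATCHED_HOSTS:
            continue
        country = IP_COUNTRY.get(dst, "??")
        if country in ALLOWED_COUNTRIES:
            continue
        bucket = buckets[(src, dst)]
        bucket.append((ts, nbytes))
        # Evict records that fell out of the window relative to this flow.
        while bucket and ts - bucket[0][0] > WINDOW:
            bucket.pop(0)
        total = sum(b for _, b in bucket)
        if total > THRESHOLD_BYTES and (src, dst) not in already_alerted:
            already_alerted.add((src, dst))
            alerts.append(Alert(src, dst, country, total, bucket[0][0]))
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_egress(SAMPLE_FLOWS):
        print(f"ALERT {a.src_host} -> {a.dst_ip} ({a.country}): "
              f"{a.total_bytes / 1024 ** 3:.1f} GiB since {a.window_start}")
```

On the sample data only the three mail01 flows to the RU address add up past the threshold (11 GiB in 13 minutes); the DE and XK destinations and the unwatched web host are ignored.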