
Let me start. I think I'm competing with some virtualization stuff, so I don't think any more people will show up. My name is Artsiom Holub. I would like to present the deconstruction of the cyber kill chain of the Angler exploit kit campaign. Let me just clarify a couple of moments for myself: how many of you are familiar with exploit kits? What about Angler? Okay. Have you heard of the cyber kill chain before? Awesome, okay.

I'm currently a security research analyst at OpenDNS; we got acquired by Cisco a couple of months ago. I came from Belarus, so English is not my native language and sometimes I sound funny, that's okay. I was studying for a software engineer at the Belarusian National Technical University when I had a chance to move here, and I did that. Then I was a student at City College, and actually I am currently enrolled there too. I finished their network security program, obtaining certificates in both network security and cyber security. For about two years I've been a freelance pentester, mostly on Russian-based social networks and banks. I did some bug bounties for such huge social networks as vk.com, which is the biggest Russian-speaking social network there, and I got a couple of bounties from them, but unfortunately I couldn't contribute full-time to that, so I got a job at OpenDNS, where I do more of a pure analysis. I don't tend to break stuff anymore, but I like it too.

So let me start. I will tell you where Angler came from, then why I am using the cyber kill chain, because before, most of you heard about it in the context of APT, which is Advanced Persistent Threat, and mostly they've been targeting huge companies, getting access to their network, being persistent there, stealing their intellectual property and other stuff. In this case it's a little different: the Angler exploit kit targets specific regions of the IP space, but I think that we can use the cyber kill chain for it as well. This exploit kit generates a huge amount of money, but most of it comes in bitcoins, and I will give you some idea of how those bitcoins become real cash for the malware authors, and then some ways to detect it, how we do it at OpenDNS, and what steps system administrators or people who want to secure their network can take to mitigate the risk, and prevention.

Okay, so the first appearance of this exploit kit dates back to March 2012, when one of the Russian analysts found what he called a Bodess bot attacking Ukrainian and Russian IP spaces from the biggest news portals in Russia. But at that moment nobody paid that much attention to it, because not that much money was involved yet. The person who actually gave Angler its name is Kafeine; he's a pretty well-known exploit kit expert, and you can follow him on Twitter. He posts everything that can possibly be found, as fast as he can, about any exploit kit, including Angler and Neutrino. He has been doing a lot of takedowns of the Blackhole exploit kit, and the first time he saw Angler was in August 2013. He gave it its name in 2013, when the Blackhole exploit kit campaign was taken down, and after that, with more time to research, he mapped it to the Tri X exploit kit that had been around since 2010, and that's what we call the year of birth of this exploit kit.

So why do I draw parallels, and why do I see signs of APT in that threat? Let's start. It's advanced: not a single exploit kit evolves as fast as Angler. As soon as a new CVE comes out, it's already there, they're already exploiting it. Also, the payloads delivered by that exploit kit are almost undetectable. They are implementing honeypot detection, so analysts don't even know that they are there; they can't catch it using their honeypots. Antivirus detection doesn't work. If you've heard about ransomware, that's the payload that's delivered by it, and so far I haven't seen a single antivirus product that would detect it at least at like 90%; most of them are at about five to seven, if it's really good. Also, they're using techniques like domain shadowing, which was first used by the people behind this campaign, and now a lot of other malicious authors are also using it. And all the payloads that are delivered by it are either highly obfuscated or encrypted in one way or another. So it stays persistent. A lot of effort by the security community is going into trying to stop it from spreading. The big win was by the Talos team based at Cisco, and it was just about four months ago when they took down, thwarted access to, as we're saying, about 90% of Angler traffic. So what did the people behind it do? They just changed the IP schema, they started targeting new people; they probably read the Talos report, saw what they screwed up, changed it, and it's still there, and now what we can see for the last 90 days is that it increased from 10%, which is what stayed after the takedown, to 50% of what it used to be, just within those 3 months.

All right. And it's a big threat. The revenue that it generated is huge. Before the takedown it was getting about 90,000 victims a day; 62% of those victims were delivered ransomware, so they either have to lose their data, if they don't have data backups, or they have to pay. The people behind it are trying to make as much money as they can: not just delivering payloads, they also use the existing infrastructure to rent it to other malicious authors and let them reuse it for their own purposes. Talos, also using the OpenDNS software Investigate, were able to track down three accounts that are associated with Bedep C2s; they were hosting Angler, they were using the Ki Tron, spreading worms like Syil and Lurk, Nexus, Lurk, and they were all tied to that infrastructure that was primarily put up by the people who are behind Angler.

So let's break down that cyber kill chain and see how all this happens. In the APT you have a few more steps that the cyber kill chain embeds, but I had to modify it, because a lot of processes in my case are happening either simultaneously or one right after another. So I'll talk about reconnaissance, exploitation and weaponization, which happen at the same time, delivery and installation of the actual payloads, what their command and control server does, and actions on the target.

Recon. If you've been here, people have already talked about reconnaissance, how important it is for any malicious campaign, and in our case it's no different at all. For the exploit kit they build basic infrastructure. What it means is that there are people who actually use fake identities to put up servers that would serve payloads, and the initial campaign that they use to obtain registrant emails that are later used in domain shadowing. But when that basic infrastructure is up and they've acquired what they need, they take it down almost immediately, so when the campaign is going and people already see it, it's really hard to backtrace to the very beginning of it. They also use a lot of bulletproof hosting. Bulletproof hosting is hosting that just cares about money; they don't really care what you host on them. Most of them are located in Eastern Europe, in countries like Russia, Ukraine, the Czech Republic; some of them were mapped to Iranian ASNs, and some of them are Chinese. Large providers usually will host the compromised websites, so they aren't really aware that it's happening, because they just let you host anything you want, but all the security is up to you: how badly you need it, how badly you want it, what kind of server you have, how much you care about it. So when it becomes compromised, it's really hard for the provider to actually take it down without you noticing it. Also, before they actually compromise those servers, they have to somehow get the list of servers to compromise, so that means that behind all these people they run scanners all the time, to get all the new vulnerabilities as soon as they come up and be able to exploit them as soon as they have an exploit, or just to have a set of servers that don't have any known vulnerabilities yet but are on large providers or bulletproof hostings where people don't pay attention to them and don't update them in time, so they might go back as soon as a new CVE comes out and just exploit that.

Most of the traffic that was delivered to the landing pages was generated by malvertising. So huge companies that do online ads were involved, but it wasn't their fault. They use something that's called ad exchange or ad hopping, so they blindly trust some other companies that run ads and exchange the traffic to target specific areas, a specific website where they have presence and another company doesn't. So the Angler kit guys would put up fake ad agencies that look just like real ones, but if anybody would take it seriously and check, most of the identities are either stolen or don't exist at all. So that's how the recon happened: they put up dedicated bulletproof hosting servers that do phishing campaigns. What are they phishing for? It's not just regular credentials; they are highly interested in domain registrar accounts. In that case they don't need to have that dedicated infrastructure, which is pretty valuable for them, because it's really hard to put up an entire new infrastructure with all new IPs and move somewhere; they would rather use some abused providers or bulletproof hosting to do that. So what we see is that one of their ASNs is actually still there and it's active, and it just belongs to some guy from Ukraine, and he registered it to either a fake identity or his own identity, but because it's based in Ukraine it's really hard to go after him, or after the people who are actually infected with that stuff. And why that is happening, I'll talk about a little later.

So when the infrastructure is ready, they launch. The exploited and compromised domains that host pages are divided into five more or less bigger categories. Those are: domain shadowing, which is when a legitimate website has a third-level domain that is registered to a different IP than the original domain; then WordPress, we all know, not because WordPress is bad, just because it's used so widely; they go for the technology that's implemented almost everywhere, and if it were something else, it would have a different name; recently we see Joomla coming up, and some others. These are the CVEs that we've seen used for the past 90 days. If you take a look at them, most of them are Java exploits; one of them is the IE one, which is going away, for some unknown reason, because it was really great for them. It was almost used for the people who are older, who, you know, if you have parents, they're just using some PCs that you would never use, you just let them do whatever they want, and they are not technical, not knowledgeable, and if they got hit with ransomware it's a big threat for them, because that red screen says "oh, you lost all your data, you have to pay"; they would rather pay and not tell anybody that they screwed up. So it was really good on their end, but now they're shifting away from it.

The payloads delivered by Angler: most of them are ransomware; about 51% of that was TeslaCrypt, and the payloads themselves also evolve. Before, we used to catch TeslaCrypt when we analyzed the co-occurrences, which is, when you go to a website, during the load of the initial page everything that's on that page will be loaded, such as ads and some other stuff that resides on different IPs than the actual page. When TeslaCrypt runs, the first thing it will do is send a unique identifier, including the encryption key, to the command server, but before that it would make an IP call, and by analyzing the co-occurrences and those IP calls we were able to find the domains that were delivering TeslaCrypt. But now they removed that initial IP call, and we didn't have a chance to find any other way to actually see if it's TeslaCrypt or anything else, so it became a lot harder to break it down into categories. The next big one is CryptoWall. It also started as just CryptoWall, then CryptoWall 3.0, now it's 4.0, changing consistently, implementing new techniques. BP Track and Tinba, which are the credential-stealing trojans, and Tinba is the banking one; they use them, but they have a lot less traffic on them than the ransomware, probably because ransomware is the most profitable payload that you can deliver.

So that's how the landing pages usually look. First of all, they use something that we see as pseudo-Darkleech, which is not a server-level injection: the malicious PHP code is injected into the wp-includes menu PHP file and writes the actual iframe code on the fly from the remote server. So if your system admin, or whoever takes care of your website, didn't go every single day to that actual PHP file and scroll all the way down to see that highly obfuscated PHP injection, there is no way for you to actually see it; even if you try to view the source code as a regular user, it wouldn't be shown to you. The second one, and it's the biggest one that's been used for the last year, is DNS shadowing. The iframe URL used to be No-IP dynamic host names; that's how we used to catch it: we'd see the call to No-IP and we would block it right away. That has been replaced with third-level domain names of sites with hacked DNS accounts. A lot of them are GoDaddy, but there are a lot of other abused providers that I'll talk about a little later. Usually those links live only for about two or three hours. They did it because they don't want everybody to block everything; if they put them all up at once, yeah, they will generate some amount of money, but then all these websites will be in all the block lists and nobody will get the payload anymore. So they usually shift from one domain to another, and they usually do it about 3 to 4 days before they change the schema. One of the things that we started seeing is forum-like URLs: the iframe URL now resembles the URL of forum sites. They look like that, but at the very end there is a long obfuscated string; for an antivirus solution or some kind of web filter it just looks like a regular forum page, and they don't block it.

So if we draw the sequence of how that action happens, we can see that first the victim visits some well-known trusted site: Daily Mail was compromised with the Angler exploit kit, Skype was delivering malvertising with the Angler exploit kit, and those you don't block; IP reputation is high, they are like Alexa top thousand or something like that, content not blocked, everybody trusts them. They use the Google URL shortener from the advertising to redirect people to the next pages, where they will redirect again, and redirect again, to hit the payload. So when the primary redirection takes place, all the SSL, that URL is SSL encrypted. And we've seen recently that they use GIF images, which is really, really rare, but we'll see if it will be a new trend, with on-the-fly encoding, so there is no such thing as these things residing somewhere; that PHP code looks for it, gets it from where it has to be, and it gets right there in an encrypted stream. Also, not everybody will get the exploit, not everybody will get the payload. They target specific IP areas, most of them Europe and the United States, because people here can pay money for ransomware, and there is no reason for them to target third-world countries, or countries that they are doing business in, just because they can get kicked out pretty fast if they do that there. So again the IP reputation fails, the domain looks legit, and then the next redirect is to the shadow copy of that domain.
Sorry, the next redirect is to the shadow copy of the domain, which is, oh, TLD, looks like a top-level domain but is actually a third-level domain that resides on a different IP from the original domain, and here there are usually no checks. Then the first Flash file is delivered and executed. What it does: it penetrates the system, checks if it's a honeypot, checks if certain antiviruses are installed on it, and based on that it makes a decision to either stop the process at this point or deliver a specific payload that wouldn't be seen by that antivirus or whatever specific software is installed on that system. It will also check for the stuff that they can exploit, so if everything is up to date they wouldn't bother delivering you a payload, because you would get a notification from your antivirus that you're being attacked, and that might trigger some flags for your security team or something like that. So they just stop at this point and you don't notice. If you don't have anything exploitable, you don't get the payload; but if you have, only then you hit the landing page. And when you hit the landing page, the web filter has failed: the web address is not blocked, it's unknown, it lives only for 2 hours or so, and it's really hard to update your block list that fast, on an hourly basis. And then the payload is delivered, because ransomware is a kind of malicious code that looks like a legit application; just look at it, it just encrypts data. How much of your software encrypts data? A lot. So there is no way to make strict rules against that to catch it on the fly, so no wonder that antivirus fails again. Then the negotiation of encryption; again the web filter fails, communication is not blocked, encrypted data. Then all the local repositories of backups that you might have would be removed as well, and then the ransom note is displayed.

Because it's so efficient, it generates a lot of money. About 60% of people are ready to pay the ransom, and recently you might have heard that they started targeting hospitals and schools, where you can't really wait; if you have a situation where you need the data right now, no matter how much money they ask, you will have to pay. As was reported by the Talos team, the estimated revenue was about $35 million a year, but then 90% of those ASNs were taken down, and within 90 days it got back up to 50% of what it used to be, so it just cuts down to about 17 million. It's still a huge amount of money, but the problem is that money is not actual cash, that money is bitcoins, and to legalize that huge amount of bitcoins is pretty challenging. We are doing a deep dive into the dark part of the web to figure out the ways that they use to actually get real cash out of the bitcoins. So far we see that the main ways that money becomes legal are still the ways that were used 10 years ago by Max Vision: it's carding, where you buy stolen credit cards with some amount of money, and that would look like, you know, an amazing deal for the bitcoin, to do that right away, but usually for a credit card that has from $3,000 to $5,000 they ask for about $12,000 to $15,000 in bitcoins, so you lose 70% of your money right away. You know, it's not that great; going from 17 million down to 3 or 4 million, that's a big loss. So they're using, now with the rise of Alibaba, the Chinese-based company, they're shifting it there, because eBay has implemented a lot of security based in the States and they don't yet do that; let's see how long it will take for them to notice this stuff going there. Underground exchanges: one of the registered emails owned by the authors of the exploit kit was actually used to host a website that would let you buy bitcoins and pay real money, but it was taken down not that long ago, and I'm not sure if it was the actual person behind it or something else. And of course money mules; those take about 10 to 20% of the money. It looks great for the malicious authors, but not that many people are ready to become mules. So the end result is about 50-plus percent loss, so out of 17 million it's good if they got about $7 to 8 million at the very end, and this is during a year; it might change, because we're consistently fighting them, taking down their infrastructure and everything else.

So, detection and prevention. Since I work at OpenDNS, I will focus on those things. We use our software that we built, called Investigate, and it absorbs a lot of feeds from different third-party vendors, and it uses our own algorithms that our researchers come up with. One of them is SP Rank, which stands for Spike Rank. If you don't know, OpenDNS started as just a primary DNS resolver company, so we have about 25, I think 26 now, resolvers all over the world; we handle about 100 billion queries a day, so we can apply our intelligence to that huge amount of data that we have. So it would flag any domain that increases its traffic within a specific window and flag it as suspicious right away. How it usually looks: let's say your website has about 100 queries an hour for, I don't know, 10 to 20 days, and then at some point it jumps up to like 1,200 an hour. That's not normal: either you are becoming really popular or something malicious is going on. Another one is the honeypot. It used to be a really good source of all that HTTP embedded payload data and everything else, but when they started implementing avoidance techniques, it dropped a lot. We used to see about 150 to 400 compromised domains and landing pages a day using those honeypots; now we've dropped to about 80, maybe 100. But then pivoting around those domains let us discover compromised IPs and ASNs that are dedicated bulletproof, and we can make the decision whether it's dedicated infrastructure, bulletproof hosting or just abused hosting. We also can see the patterns that they use, like DGAs or something else. A DGA is really great, because if you get the seed you can use that seed and predict what those domains will look like in the future and block them ahead of time. But unfortunately they stopped using DGAs; most DGAs are used by botnets right now, and the exploit kit authors stay away from them.

So in my data we had that domain right here, which had no traffic up until the 6th of March and then suddenly got like 400-plus queries an hour; that's not normal. When we take a deeper look at it, we see that it's registered by that guy; obviously it's a Russian email, and for non-Russian speakers it's hard to tell, but actually there are two real words, which are "brain" and "break". Also, if we check what other domains are registered with the same account, we can see that they look almost the same. It uses the first word, which is golova, a head, and it uses animals, so they started with crocodile and so on. Those are patterns that you can use in a regex, and from that part we start seeing that those guys behind it are probably Russians, if they're using that stuff. That part is the authoritative servers that they use; they are highly abused, there are about 1,200 to 1,500 compromised domains on them. If we pivot down there and see what other domains are using these authoritative servers for their purpose, we again can see those patterns: those are Russian words written in transliteration, and they are using noun plus adverb, which is a color, and they use it a lot, so it would be like "green face" if you translate that from Russian. And when we start checking those domains, we can see they are registered by a different author, and this guy owned a company called Ad Media, which is a fake advertising company, and it was delivering all the traffic to the Angler landing pages for the last half a year, and all those accounts are still alive; they're registering new domains almost every day on it, where the landing pages actually reside. And further you will see where they are, and those people don't even hide; they're just using what looks like a real, or at least stolen, identity to own that.

The next example, the part that came from one of the honeypots. For me, since I already did it a lot of times, that looks like a domain shadow right away: it has a legitimate-looking second-level domain and top-level domain right here, and then right here it just looks like a real word, but they add a couple of extra letters, so it's kind of a real word and not a real word at the same time. So if we take a look at the actual second-level domain, it resides on that IP, but if we take a look at that third-level domain, it resides on a way different IP, which starts with 31. So if we check who owns that domain, we can see the registrant email, we can check how many other domains he owns, and if we check them there is nothing malicious there, but now we know that the malicious author already owns that registrant email and it's just a matter of time until those domains get compromised. We can mark them suspicious and just wait until the first spike of traffic to block it, or we can just block them proactively, but in some cases that doesn't work, because the people who own those registrant emails usually aren't aware that they got compromised, and then they would call and scream "oh my God, why are you blocking us, we are not doing anything bad". Yes, you're not doing anything bad, but the security on your DNS records wasn't there, it was stolen. So then how can we fix it? Go change it. Okay, we can change it, password changed, so what can we do, right? And if we take a look again at the IP space where all those domain shadows reside, we can see that it's mostly Russia.

So if you've got a seed, using OpenDNS Investigate you can leverage down, or you can use a seed from anywhere, either a honeypot, VirusTotal, Malware, ThreatGrid, but you've got a seed, and then, pivoting out from that seed, you can find patterns, infrastructures and other useful information that can find out who those malicious authors are. So the most abused networks, you can see them; this is a mix of dedicated and compromised, but you see at the very top they are mostly Russian, and this one is Ukrainian, the one that we've seen was used in the very beginning for advertising the Bon addresses that were used in the phishing campaigns, and you can see they're using somebody's credentials that look really legit. We will try to identify this guy, but that's what's going on right now, and we are trying to get the people behind that part. But yeah, most abused providers are in fully global corporations, but they bought their part from GoDaddy; then it's JP Systems, not sure where it's located, and one ASN in Germany. This is the graphical representation of the most active ASNs in the last 90 days.

Okay, so I was told that a live demo usually doesn't work, but let me give it a try. I'm using OpenGraphiti, which is an open-source project to visualize any data sets that you have; I think it's opengraphiti.com, you can check it out and do your own stuff. But I will do it for the IPs that were seen in the Angler campaign, and we identified the most active part of them. Let's go to the screen. So I'm going to load the data set that I extracted from our system, and those are compromised and dedicated. Let it grow a little bigger. Okay, so there are connected nodes and unconnected nodes. Connected nodes are those that were seen in DNS queries for the last 90 days; those that don't have any connections haven't been seen. So let's just filter those out, so it wouldn't be that noisy. So, filter. Okay, let's select all. Yeah, I guess that was true that live doesn't really work. Let me... it's an open-source project, so it's always evolving; I'm not sure if they made any changes to the API or something like that. Okay, maybe it's just me tripping. So now I chose only the ones that have connections, and then remove them. Now it works. And then let's just add some color to it; let's do blue. Okay, so now we can see all the ASNs that have a lot of compromised IPs on them, and some of them are not that abused, not that bad, but they're still abused. That part where the signals are going, it shows how big the traffic on these nodes is: the faster it goes, the more queries an hour they have; the slower it goes, the fewer queries an hour. So this is the graphical representation of all the ASNs that were highly active in the last 90 days, and those are just IPs; if we add the domains on the IPs, there would be a lot more nodes. At this point it's about half a million nodes that are actually either abused, compromised or dedicated landing pages.

So let's go back. How to mitigate the risk. Keep backups of the data all the time; as the primary payload is ransomware, you want to have them. I have three backups at least, because I really care about my data. I don't care about the huge amount of pictures my wife has or something else, so I don't back up her data, but my data is a must. We have to use a layered security system; a firewall is a must. What we see now, even so we can detect it at different levels, if you have layered security it's a lot harder for them, because you have to stop the exploitation chain; it takes just one part to make it stop, so break one link and that's it, that's all you need. So having layers of security will help you do that. Also, as was discovered by Cisco, about 60% of enterprises don't have any DNS control, and this is very important: implementing DNS control let us stop almost 70% more ransomware than we used to stop without DNS control. Patch management: as you can see from the diagram of CVEs, most of the CVEs are well known, some of them are dated like 3 months ago, but there is still a lot of software, a lot of websites, running those vulnerable versions, and it looks like they either don't care or they don't have the right patch management system that would help them mitigate those risks. And then, as we see that about 50% of all landing pages are domain shadowing, implement a strict policy for your DNS records, and DNSSEC is very important, and you have to have a specific person that checks if anything happened, if there is another IP added that points to your domain or something like that. Most of the domain shadows live for months and months before anybody notices, and even when we notify companies, for example, there's a front tiet company, they've had a domain shadow on their main IP for the last four weeks right now, and they still haven't followed up with us; that threat is still there, anybody can access it, and it lives on the server where they have all their users' login page. So if that web server is compromised, I'm not sure how users of that company can trust that company. And user education: unfortunately it's really hard in this case to educate users, because you'd say "just don't use the internet", because that malvertising can be anywhere, and as long as ad companies go for big money and blindly trust ad hopping or ad exchange, that will keep happening.

Okay, so a short summary. The reasons why Angler keeps winning. One is pretty obvious: the organization responsible for these exploit kit campaigns is generating millions of dollars and they don't want to lose this source of income, especially as there are really strict signs that that criminal group is based in Russia, and with the Russian economy going down there is no way for people to get a legitimate job that would let them make that much money. At the start of my career, when I had just started at the Belarusian National Technical University, I got an email that offered me an amazing deal; at that time, 8 years ago, it was $50 a day just to answer about four or five Skype calls a day. All I would need to say was "yes, this is my credit card, yes, I authorize that transaction". 5 years after, I figured out that that was a criminal group that was based in, they would go for freshmen in the universities, offer them that, and they would target post-Soviet countries where the economy is not that great and $50 a day is huge money, and then they would outsource to the other criminals that were stealing cards; they would outsource that part where, as most of the banks, when you have a huge transaction, they would call the owner, so they would catch that call, reroute it to your Skype and make you answer it. It was reported that they stole about $640 million US with that scheme. So there is a reason why it's still there, and it will be there, and I'm not sure if we can take it up completely.

So our findings pivot, or point, to a large organization that's using various threats to infect users for monetary gain, and it's not just one crime organization; it's huge, there are a couple of them, and they either trade their stuff with each other or they have strong connections between them. However, they still have secrets from each other too, and hopefully, if we can play on that, there might be a way for one of them to actually get some useful information to take down their competitor. So with close to 40% of users hitting Angler infrastructure being compromised, it's a significant threat; right now, when they implement honeypot and antivirus detection techniques, it might go up to 75%. Unfortunately I didn't have that data available for that type of analysis, so I stick to the one that Talos did five months ago. So security applications do not quickly recognize ransomware; as I mentioned before, it looks just like a security application that does its job, but in the case of ransomware the owner of the machine doesn't have any kind of control over the encryption process. It's also hard for security researchers and analysts to come up with some solutions to stop that, because ransomware incidents do not need to be disclosed. So in the case of a breach there is a way for forensic experts or some other experts to find out how the hackers got in and to find the way to mitigate this risk, but when it's ransomware it's not disclosed, and we are blind, we don't see what's going on, especially if they target big companies. And even when you have forensic people coming to their machine, as I mentioned before, they use a fileless technique, which means they don't have anything actually residing on your PC; when the payload gets onto your PC it loads right into the RAM, and it all happens in the RAM, so it's really hard to get the volatile part of the RAM for analysis, because you have to get it right after the encryption has happened, but by the time the forensic people can get to it, it's already gone.

And I think that's it. I would like to thank malware-traffic-analysis for the pcaps, Talos, we work together, and Kafeine, the exploit kit expert. Thank you. So I think I still have some time for questions.

Yes. Yeah, apparently there's a... now with getting CVEs and how that has a significant impact on antivirus companies to identify vulnerabilities and