
Don't turn your back on Ransomware!

BSidesSF 2022 · 26:33 · Published 2022-07
Category: Technical
Style: Talk
About this talk
Erik Heskes - Don't turn your back on Ransomware! Ransomware is on the loose and attacking us all! Learn and sharpen your blades in order to defend against this multi-headed monster! Sched: https://bsidessf2022.sched.com/event/rjqx/dont-turn-your-back-on-ransomware
Transcript [en]

We have Erik here from Lemonshark. He is a security consultant with a technical background. He has handled security topics like SIEM, SOC, purple team, pen testing and compliance. He's going to be speaking with us today about some ransomware issues. Should be a lot of fun. Okay then. Hi everyone, welcome to my talk. It's good to be here and really fantastic to be in a beautiful city like this. I've already seen and like the atmosphere, the open-mindedness and everything, so it's very good, and also to see everyone here in person. Now, my name is Erik. I work for Lemonshark, which is a cyber security consultancy company. I am particularly interested in

topics like the offensive kind of security and the defensive kind of security; that is really my game. Let's have a look at today's agenda. There we go. So what we're going to expect today: we're going to have a look at ransomware, which is going to be the topic, a little bit delicate. We're going to look at the history of ransomware, we have some ransomware examples, and we're going to do a demonstration of a ransomware attack: what to do before and after. And I would like to summarize with how to prepare for an attack as a key takeaway to close with. Okay, so let's move on to the recent ransomware campaigns. Now, back in 2017 there was this big attack by WannaCry,

which caused a lot of companies a lot of impact and damages, for instance also FedEx, and in Holland we also had, in Rotterdam, a lot of victims. To move on with that, the ransomware campaigns also started to increase, and not only companies were victims but also hospitals, for instance, so there weren't really any ethical or other moral objections to attacking those companies as well. To give another idea about the impact, for instance, there was an attack on Colonial Pipeline, and could you imagine how it would be without gas, or even without water? So the impact started to increase as well. And then we had

an attack on the Kaseya software, which is being used to manage other companies' IT infrastructure, and that was attacked with a supply chain attack by REvil, and in that way they were able to basically destabilize a lot of companies. Well, the decryption key was accidentally disclosed, that was the good news, and some of them were eventually caught as well. Now in Holland we had MediaMarkt under attack by ransomware; it was in 2021, and MediaMarkt is a big retail company with a lot of locations. To give an estimate about the damage: the cash registers were completely offline and people were not able to return their goods anymore, so you can

have an idea about the impact there as well. And recently we had an attack on the Microsoft company by Lapsus$, and they were even able to exfiltrate some of their code. Now ransomware, well, maybe you know what it is, and for the ones who don't: it's a digital hostage situation, by means of encryption, and your files are only released after paying a certain amount of cryptocurrency, which usually is Bitcoin. Now how does this encryption work? Well, this is a picture of asymmetric encryption: you have a public key and you have a private key. Because asymmetric encryption can be very slow, the attacker will first encrypt everything with a symmetric

algorithm, and then the symmetric key will be encrypted with the asymmetric algorithm, so that is a form of hybrid encryption, and in that way the attacker benefits from basically two of the properties of encryption. Now we're going to look into some ransomware history, and you're able to see it started in 1990. Well, that's not entirely true: the first ransomware attack was done before that, already in the '80s, and that was done by someone who just distributed software on floppy disks to people who installed it, and after their computer restarted automatically they were confronted with a message: well, you want to use my software, you need to pay a certain

amount, and you can put money in an envelope and send it to me and then you can use my software. Well, that was Joseph Popp in the '80s; that was basically the first digital way of extortion ever. And there were also other forms of digital extortion, for instance the screen lockers and the pop-ups you had in the browser: there was an FBI announcement that you needed to pay an amount of money, otherwise you would be reported to the authorities. It was totally fake, you could click it away, but you could imagine some people didn't like that. Next, the ransomware got more advanced in terms of introducing Bitcoin as a method of payment; that was done by

CryptoLocker. Also they included remote access trojans like the Zeus banking trojan, for instance. And then the ransomware groups started to increase: we had for instance Cerber, TeslaCrypt, Petya and NotPetya, and the big WannaCry attack over there. And then what happened: the ransomware also started to get more advanced in a way to get the most out of the extortion, by exfiltrating sensitive information but also trying to move laterally and affect other systems, like is being done by Maze, for instance. Okay, and then there were a lot of other species, like Lapsus$, which we have seen already. Now I want to move on to the next figure, and this is taken from VirusTotal in 2021, and back then GandCrab

was the top dog, having the most infections worldwide. Now the thing about GandCrab is they are probably retired; they're not seen anymore and it's only active in Russia or Ukraine for some reason. Okay, here we have a code example of WannaCry, and do notice here there is a Rijndael algorithm being used, which is the Advanced Encryption Standard, so a way of symmetric encryption. And the other code example I have is from EternalRomance, and that is an exploit being used basically to infect via SMB network shares as part of the attack. Now we have all these elements, like for instance the one who is doing the negotiation, providing the software, doing the phishing attacks,

all kinds of elements. You put them in a bowl and you stir it, and then you have the end result, which is ransomware as a service, and it is just an ecosystem to have basically the best possible way of extortion, to generate as much money as possible. And the thing is also, they've gotten so big because the Bitcoin exchange rate was increasing at the time and they benefited from that; also they were able to expand their businesses. So a very lucrative way to earn, well, not through good work, but to benefit from it. So here we have a ransomware kill chain, which looks quite similar to a cyber kill chain. Basically it starts

with an infection, a delivery, a phishing email. Then there is a reverse connection being made with a C2 server, for instance Cobalt Strike. Then the attacker has full control over the system, then the encryption will start: generate a public and private key, and during the encryption the private key will remain on the attacker's server, and when the files are encrypted, the instructions are left behind on how to pay to release the files. Now, when it happens on a single workstation or on a server, or it could also be a network-attached storage system, for instance, we classify it as an attack of type 1, and when there are more devices involved, for instance the attacker has a foothold

on the system and wants to try to move laterally and exfiltrate sensitive information, and also tries to cover the traces, remove and destroy or encrypt the backups, then we call that a type 2 form of attack. Now what we're going to do today is we're going to deliver a phishing email to the victim, the victim will actually take the bait and click on the attachment, then the malware dropper kicks in, we have a foothold on the system, later on we're going to raise our privileges in order to see if there are any more credentials we can collect, and when that's been done we're going to try to move laterally to eventually encrypt

this domain controller right here. So I would just advise to sit back and relax and watch the show. But before we're going to start, I would like to point out that the delivery is being done by a PowerPoint presentation, and I would like to point out it's not the same presentation I've used to submit to this talk; it's for demonstration purposes only. Okay, now here I'm going to type a phishing email, and do notice also my poor English writing, and that could be just part of a social engineering way of attack, because the victim might expect some email from a Dutch guy.

And next I only have to send this email to the victim.

And the victim has received the email and notices: hey, I might have an attachment here I want to have a look at.

So next, it seems that it's a PowerPoint presentation, but the content is disabled, so the victim enables the content here.

And then it seems the attacker has already started a reverse shell in the background, or rather a listener, in order to wait for a reverse shell coming in, and when that happened, here, now the attacker has a foothold on that system. Okay, now in the next phase we're going to look for privilege escalation. So what the attacker will do next is first listen on the network by using Responder, and it's just looking for all kinds of events on the network, and just accidentally the victim can browse for a particular server and maybe make a typo, but in the meanwhile, in the background, some kind of negotiation is already going on, and the attacker will benefit from that

by catching that negotiation and catching the hash, and when the attacker has the hash he is able to decrypt it and get the user's password. So the next thing the attacker will do is try to see if there is a way to elevate his permissions. So in this case the attacker will upload a certain kind of script to the victim machine which will retrieve a particular registry key that the victim has set, without knowing, enabling automated logon. Well, it's not a very smart thing to do, because when that happens the password is in clear text, and we now also have the local admin password. So next, we are still connected with a regular user account to the shell, so what we're

going to do next is put the shell in the background and upgrade it by using a certain kind of exploit. When that's been done, we should now have elevated rights on our existing Meterpreter shell, and we are now an administrator on the system. So now we already have more possibilities in order to advance our attack. So next, what we're going to do is use the credentials we found, the password, and our elevated permissions, and use that to explore the shortest path to the domain controller, domain admin, and see if we can get everything together to create a ticket and log on to the domain controller to deploy our malware. So first

we're going to upload SharpHound. SharpHound will collect for us the information we need to find the shortest path to the domain controller, so we're going to execute it.

And then SharpHound will collect all the information we'll need, and once it's been done we're going to start BloodHound, and the BloodHound server will consume all of the SharpHound information to map out the network, so we are able to see what the shortest path will be to the domain controller. So that happens here: click on shortest path, and notice here we've got the full attack path to the domain admin right here, which we can use to attack the domain controller. Okay, so when it's been done, the next thing we need is to create a ticket, and therefore we also need the Kerberos hash of the service account which runs on the domain controller, which we've collected right here.

Now we're going to jump into the shell and we're going to start Mimikatz, because we also need the NTLM hashes to combine with the Kerberos hash to make our ticket, to be able to log on to the domain controller.

When that's been done, we combine that information; we have a ticket now. The created ticket is now put into memory, and the only thing we have to do now is to remotely connect to the domain controller and just deploy the malware.

And it's happening right here. So, see, we already have a connection, we have the host name of the domain controller, we are administrator, and now we're going to upload the malware which is executing the ransomware for us.

And there we go. And now we only have to execute the file we just uploaded. Sorry about my typing here, by the way.

And do notice we've got a GandCrab ransomware infection now going on this domain controller. Oh dear, what do we have to do now? Well, if we've got an infection like this it can be too late, obviously, but we want to prevent it from spreading even further. But before we even know there is an infection going on, there are ways to look for indicators which can lead to an infection, and that is what we're going to do with a SIEM system, security event monitoring: we're going to do some threat hunting on certain indicators of attack which could lead to a ransomware infection. So basically that happens as follows: you have all your perimeter devices

here on the network, like the firewalls and proxy server, email gateway, and they are sending over their logs to a SIEM system, which is here, and all the bad things that are happening here and also inside the network are being captured in the log files and eventually collected. And now we're going to just browse through all these log files by doing queries, in order to filter the information we need to see if there is really a ransomware attack going on. And we start here with just one simple query to see if there is a particular file extension on our system which could be related to a ransomware indication, and do notice, I think there are quite a

lot of .log files already being found here, so that's the first type of evidence we have found. Next we're going to look for some ransomware notes, and basically it's the same idea: we run a query, we gather all the information in there, and if I'm correct I already noticed here some decrypt.txt, which is enough evidence to actually confirm that it's a ransomware infection. And next we're going to run another query and we're going to examine if there is some evidence about malicious software being used between machines: there was a connection right here and there was Mimikatz being used here, so that is our third type of evidence we needed to start our investigation.

Well, basically there are a lot more indicators of attack, and for instance we could also look at the event log here: usually part of an attack is that the event log is going to be cleared, to make sure there is no evidence which could relate to an attack, and that is something we can include in our searches as well. In our example we used a PowerPoint file, and the file type can also be included in the search if necessary. And also, as part of an attack, SharpHound is used very often, so that is also something we can include here as well. And, not even in this picture, usually the attacker will try to disable

antivirus software in order not to be mitigated during the attack, and particularly real-time monitoring, and that could be included as well in the search if necessary. There are tons more indicators which can be put in the searches, but these are particularly interesting for our investigation. Now what we have seen basically is a red team exercise, with an offensive kind of game like the phishing attack and the way of distributing the malicious payload, and you have seen the blue team doing threat hunting in order to mitigate and build up the defenses. And it's a very good thing to do also when you want to practice those kinds of things and you want to make sure

that if ransomware ever hits your company or infrastructure you are prepared for it, by doing these kinds of exercises. So that is also a part of how to prepare for this. Well, first, obviously, without backups it's going to be very hard to go back to a previous state, so I would definitely advise to have an offline or write-protected backup. Of course, macros in my opinion should always be disabled unless explicitly necessary with a good reason. Obviously, email attachments should be scanned and even removed from the email if they are malicious. Basically, doing this kind of threat hunting with the SIEM system and EDR is very handy to do, but EDR is something that is not

very convenient, an extra addition on the endpoint, and it's been here for not so long, but it would be definitely wise to include it as well. I would say it's not a silver bullet, but it takes some of the pain away. Obviously, segmentation will prevent any way of lateral movement, and simulation attacks, fire drills, red teaming and routine I would advise to do as well. Now, if you don't know that, it could still be the case that there is a risk that a backup is overwritten, malware is being run somewhere, and also, yeah, people will just make mistakes by accidentally clicking on an email with a malicious payload. And during a ransomware infection it can happen that some systems are not

reachable anymore, there is panic, and then you need to fall back on your procedures and playbooks, and if there's a gap in this playbook then you can also run into trouble. So therefore we just have to assume we are always infected with malicious files, mistakes have always been made and will always be made, and vulnerabilities will be exploited, and if you take all these things into account then you're better prepared for an attack. So to summarize my takeaways: again, I mention the backups, very important to have these write-protected or offline, and do practice cyber resilience by executing patching, because most ransomware species and types abuse existing vulnerabilities; a zero-day vulnerability in a ransomware attack is very rare.

What about cloud? Yeah, well, cloud is a multi-tenant environment, so even if you have an attack on your end as a cloud customer and it spreads, maybe, to one of your neighbors, you might be held liable, so therefore the stakes are even higher. But on the other end, there are also security tools like, for instance, Security Hub and CloudTrail or Defender ATP available in order to mitigate those attacks better, so that's the other side. Obviously, implement incident response and make sure there are no gaps in your documentation and everything is up to date, and document and learn from each drill or attack, and all these things can take some of the

pain away, but in my opinion you should combine everything to apply security in depth. So these were my key takeaways, and I want to thank you for your attention, and I'm happy to answer any question. Thank you.
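The threat-hunting part of the talk runs SIEM queries for the indicators listed above (ransomware file extensions, ransom notes such as decrypt.txt, Mimikatz between machines, a cleared event log, SharpHound, and disabled real-time antivirus). As an added example that is not code from the talk or the speaker, the Python below runs those same checks over a handful of constructed log lines and flags hosts where several indicator types coincide; the log line format, host names, and the sample extension list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the talk), one event per line:
# "<timestamp> <host> <source> <message>". ws01 is the phished workstation,
# dc01 the domain controller, ws02 a clean machine.
SAMPLE_LOGS = r"""
2022-07-01T09:58:00 ws01 process start parent=POWERPNT.EXE child=powershell.exe
2022-07-01T10:01:02 ws01 file rename C:\Users\bob\Docs\q1.xlsx -> C:\Users\bob\Docs\q1.xlsx.crab
2022-07-01T10:01:03 ws01 file rename C:\Users\bob\Docs\plan.docx -> C:\Users\bob\Docs\plan.docx.crab
2022-07-01T10:01:05 ws01 file create C:\Users\bob\Docs\DECRYPT.txt
2022-07-01T10:02:10 ws01 process start C:\Temp\mimikatz.exe
2022-07-01T10:03:40 ws01 process start C:\Temp\SharpHound.exe -c All
2022-07-01T10:04:00 dc01 eventlog 1102 The audit log was cleared
2022-07-01T10:04:30 dc01 process start powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2022-07-01T10:05:00 ws02 file create C:\Users\amy\notes.txt
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<msg>.*)$")

# Indicator name -> pattern applied to the message field. The extension list
# is a constructed sample; a real hunt would carry the extensions seen in the
# environment's own incidents.
INDICATORS = {
    "ransom_extension": re.compile(r"\.(crab|krab|gdcb)$", re.I),
    "ransom_note": re.compile(r"decrypt[\w-]*\.txt$", re.I),
    "office_spawns_shell": re.compile(
        r"parent=(winword|excel|powerpnt)\.exe child=(cmd|powershell)\.exe", re.I),
    "credential_dumping": re.compile(r"mimikatz", re.I),
    "ad_recon": re.compile(r"sharphound", re.I),
    "eventlog_cleared": re.compile(r"\b1102\b.*cleared", re.I),
    "av_realtime_disabled": re.compile(r"DisableRealtimeMonitoring", re.I),
}


def hunt(lines):
    """Return (host, indicator, message) for every line matching an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        for name, pattern in INDICATORS.items():
            if pattern.search(m["msg"]):
                hits.append((m["host"], name, m["msg"]))
    return hits


def triage(hits, min_distinct=2):
    """Group hits per host; keep hosts with at least min_distinct indicator types.

    A single hit (one odd file name) is noise; several different indicator
    types on one host is the pattern the talk's three pieces of evidence show.
    """
    per_host = defaultdict(set)
    for host, name, _ in hits:
        per_host[host].add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= min_distinct}


if __name__ == "__main__":
    for host, names in triage(hunt(SAMPLE_LOGS)).items():
        print(f"{host}: {', '.join(names)}")
```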