©2020 RSA Security LLC or its affiliates. All rights reserved.
OH... THAT'S RANSOMWARE AND...
LOOK BEHIND YOU…
A THREE-HEADED MONKEY!...
A flamboyant tale of swashbucklers and leakware....
CONFIDENTIAL
AGENDA
Who we are...
Evolution of the Ransom-world
From Cryptware to Leakware
The Rise of the MaaS
A very recent Ransomware case…
Negotiation, investigation and recovery…
Lessons learned
STEFANO MACCAGLIA
I am a Senior Principal Consultant and a leading figure of the RSA IR Team operating worldwide.
I started my career cracking software in 1985 with a Commodore C64…
I decided to get out of the cracking scene in the early 2000s and for about three years I remained focused on networking… until Nimda and Blaster came out and testing network and system security became an interesting career…
I worked on the offensive side until 2009, when I jumped onto the IR bandwagon.
Since then, I have been busy with engagements around the world covering investigations in banks, military, government and telco companies.
MARCO FAGGIAN
I am a Senior Consultant for Incident Response operating in the EMEA area.
I joined RSA in 2012 as a Delivery Specialist performing implementation, design and analytics support for customers globally.
Since 2016 I have been part of the RSA Incident Response team and I participate in engagements covering private and public companies and the telco sector.
I graduated in Computer Engineering in Padua and started my career dealing with computer security issues, collaborating with different consultancy companies located in Italy and the UK.
My current role has led me to follow some of the most important customers in the EMEA region.
Evolution of the ransom-world
▪ If we look at the common definition of ransomware, we stumble upon something like this…
Ransomware is malware that employs encryption to hold a victim’s information for ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to restore access.
Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization.
It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses on businesses and governmental organizations.
▪ Are we sure this description is still exhaustive today?
Evolution of the ransom-world
• Let’s just play with this…
• Do you see anything strange in this ransomware message?...
• C’mon… don’t focus on the fact they hacked the network… there is more in this message…
Evolution of the ransom-world
• Look!... A three-headed monkey!...
Evolution of the Ransom-world
▪ Since December 2019, ransomware operators have been using leakware/ransomware hybrid attacks more and more often.
▪ These attacks combine the classic ransomware attack with a leakware attack.
Classic ransomware attack: the victim’s data is encrypted and is decrypted after the victim pays a ransom. The ransomware is the main tool.
Hybrid attack: the data is stolen, then encrypted. The victim is blackmailed with the threat of the data being released publicly unless a certain fee is paid. The ransomware is just one of the tools.
Long story short…
They just forgot to
tell us:
Hybrid Attacks
• In a hybrid attack, the data is first stolen, then encrypted.
• The victim is then asked to pay the ransom for decryption.
• If the victim declines to pay the ransom, the attackers threaten to release the stolen data publicly.
• In some cases, business partners and/or customers of the victim are also informed of the impending data release to put even more pressure on the victim.
This strategy is a “game-changer” as it introduces new techniques and new actors… let’s see an example…
The Malware-as-a-Service
MaaS auction example
A recent case
Nefilim Ransomware banner
The malware infection chain (the slide diagram, flattened into text):
Spearphish email → macro in weaponized document → command line / PowerShell downloads Emotet (HTTPS) → if the system is of interest, Emotet accesses a dropzone (HTTPS) and downloads TrickBot from the C&C (HTTPS) → TrickBot drops the final stage → Nefilim ransomware.
Actions labelled along the chain: disable AV, data harvesting, credential theft.
Look behind you… a one-headed human...
A Second case
Dead Men Tell No Tales
▪ On a lazy morning in a far land… a customer IPS sent an alert to the SOC: “Possible Metasploit Reverse HTTPS traffic”
▪ Because the customer had a retainer contract in place with RSA, the SOC team decided to open a call to verify whether the IPS alert was anything to worry about… more a scruple of the SOC team than a real point of attention.
Dead Men Tell No Tales
▪ RSA NetWitness packet capture was already in place in the main datacenter to monitor the network traffic.
▪ When the incident occurred, the customer did not have an EDR solution in place, so the RSA IR Team deployed RSA NetWitness Endpoint and started to distribute the agent to all the involved hosts.
Patient Zero analysis
▪ EURMILLAP3275 contacts the link included in the email and a few minutes later starts to communicate over SSL with 2 more hosts.
Certificate observations (annotations on the slide):
• No website associated with the hostname and no information on Google about it.
• Organization (O) and Organizational Unit (OU) fields on the certificate.
• The certificate pretends to be signed by a CA, but the CA chain was not real.
Looking for all the SSL traffic with similar characteristics allowed RSA analysts to uncover all the C2 stations used by the attacker.
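The pivot described above, as an added example in Python (not code from the RSA deck or NetWitness output): starting from the one destination known to be bad, find every TLS session whose certificate carries the same subject O/OU and issuer, and keep only those whose chain does not validate and whose SNI hostname serves no real site. The session records, field names, hostnames and IPs are constructed for illustration; the two boolean flags are assumed to come from the sensor or from enrichment.

```python
"""Pivot from one known C2 TLS certificate to the attacker's other C2 stations.

Added example, not code from the RSA deck. The session records are constructed
to look like per-session TLS metadata from a network sensor: destination, SNI,
certificate subject O/OU, issuer, whether the chain validated, and whether the
SNI hostname serves a real site. Field names, hostnames and IPs are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsSession:
    src: str            # internal host that opened the session
    dst: str            # server IP
    sni: str            # hostname requested in the ClientHello
    subject_o: str      # certificate subject Organization (O)
    subject_ou: str     # certificate subject Organizational Unit (OU)
    issuer_cn: str      # issuer CN as presented by the server
    chain_valid: bool   # did the chain validate against a trusted root?
    site_exists: bool   # does the SNI hostname serve any real website?


# Constructed sample sessions: patient zero, two unrelated hosts, one benign self-signed service.
SESSIONS = [
    TlsSession("EURMILLAP3275", "203.0.113.10", "update-svc.example", "Corp Services Ltd", "IT", "Corp Services CA", False, False),
    TlsSession("EURMILLAP3275", "203.0.113.11", "cdn-sync.example", "Corp Services Ltd", "IT", "Corp Services CA", False, False),
    TlsSession("WS-FIN-0042", "198.51.100.5", "mail.example.org", "Example Org", "Mail", "DigiCert TLS RSA SHA256 2020 CA1", True, True),
    TlsSession("WS-HR-0007", "203.0.113.12", "telemetry.example", "Corp Services Ltd", "IT", "Corp Services CA", False, False),
    TlsSession("WS-DEV-0019", "192.0.2.77", "git.example.net", "Self Hosted", "Dev", "Self Hosted", False, True),
]


def cert_fingerprint(s: TlsSession) -> tuple:
    """Pivot key: attackers tend to reuse the same fabricated O/OU/issuer across their servers."""
    return (s.subject_o.lower(), s.subject_ou.lower(), s.issuer_cn.lower())


def looks_like_c2(s: TlsSession) -> bool:
    """Triage rule from the case: chain does not validate AND the hostname serves no real site."""
    return not s.chain_valid and not s.site_exists


def pivot_from_known_bad(sessions, known_bad_dst: str) -> list:
    """Destinations presenting a certificate that matches the known C2 and also pass the triage rule."""
    keys = {cert_fingerprint(s) for s in sessions if s.dst == known_bad_dst}
    return sorted({s.dst for s in sessions if cert_fingerprint(s) in keys and looks_like_c2(s)})


def hosts_talking_to(sessions, c2_dsts) -> list:
    """Internal hosts that contacted any uncovered C2 station (the next containment list)."""
    targets = set(c2_dsts)
    return sorted({s.src for s in sessions if s.dst in targets})


if __name__ == "__main__":
    c2 = pivot_from_known_bad(SESSIONS, "203.0.113.10")
    print("C2 stations:", c2)
    print("Hosts to contain:", hosts_talking_to(SESSIONS, c2))
```

The benign self-signed internal git server in the sample is why the triage rule needs both conditions: an invalid chain alone would flag it, while the combination with a hostname that serves nothing narrows the pivot to the attacker's infrastructure.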
Patient Zero analysis
Through the endpoint analysis performed using NetWitness Endpoint, the RSA analyst was able to retrieve part of the malware artifacts used for the initial infection.
The two TXT files, named with strings of random characters and saved in C:\ProgramData\Microsoft, are actually the two JavaScript files that allow communication with the C2.
The Malware infection flow
Patient zero analysis
On the same client RSA was able to identify a command-line Active Directory query tool: AdFind.exe.
The file had been stored under C:\Windows\Temp and executed on the day of the initial infection, presumably to enumerate the Active Directory servers.
RSA was not able to recover the exfiltrated data because no EDR was in place during the attack.
Living-off-the-land attacks
• Attacker behavior that uses tools or features that already exist in the target environment.
• Using pre-existing software avoids the process being flagged as suspicious and reduces the chance of being intercepted.
• Distinguishing malicious use of built-in tools from authorized use by the system administrator can be tough for the analyst.
• Additionally, the attacker is sure to find the correct version of the software on each machine and does not need to worry about the compatibility of their artifacts.
• Attackers tend to use fileless attacks where the resources used are not written to disk. Things that stay in memory are much harder both to detect and to find later.
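An added example (not code from the RSA deck) covering both the AdFind finding above and the living-off-the-land problem: a small hunt over process-creation logs that flags AdFind-style AD enumeration even when the binary is renamed, execution from user-writable temp directories such as the C:\Windows\Temp location seen on patient zero, built-in recon tools run by accounts outside an admin allowlist, and encoded or hidden PowerShell. The log lines mimic Sysmon Event ID 1 / Windows 4688 fields flattened to key=value pairs; field names, hostnames, user names and the admin allowlist are constructed assumptions.

```python
"""Hunt process-creation logs for AdFind-style AD enumeration and LOLBin abuse.

Added example, not code from the RSA deck. The log lines are constructed to
mimic Sysmon Event ID 1 / Windows 4688 fields flattened to key=value pairs;
field names, hostnames, users and the admin allowlist are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample log lines (not real telemetry).
LOG_LINES = r"""
ts=2020-05-04T08:12:01Z host=EURMILLAP3275 user=jdoe image="C:\Windows\Temp\AdFind.exe" cmd="AdFind.exe -f objectcategory=computer -csv name operatingSystem"
ts=2020-05-04T08:12:44Z host=EURMILLAP3275 user=jdoe image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -nop -w hidden -enc SQBFAFgA"
ts=2020-05-04T09:00:00Z host=DC01 user=admin image="C:\Windows\System32\nltest.exe" cmd="nltest /dclist:corp"
ts=2020-05-04T09:05:00Z host=WS-FIN-0042 user=asmith image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmd="WINWORD.EXE /n report.docx"
ts=2020-05-04T09:07:00Z host=WS-FIN-0042 user=asmith image="C:\Users\asmith\AppData\Local\Temp\nltest.exe" cmd="nltest /dclist:corp"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command-line fragments characteristic of AdFind even when the binary is renamed.
ADFIND_MARKERS = ("objectcategory=", "-sc trdc", "-subnets")
# Directories a compromised standard user can write to; admin tools rarely run from here legitimately.
WRITABLE_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\")
# Built-in recon tools whose use by ordinary users deserves a look.
RECON_TOOLS = {"nltest.exe", "net.exe", "net1.exe", "dsquery.exe", "whoami.exe"}
ADMIN_USERS = {"admin"}  # assumed allowlist of accounts expected to run recon tools


def parse_line(line: str) -> dict:
    """Turn 'k=v k="v with spaces"' into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def reasons_for(rec: dict) -> list:
    """Return the rules a record trips (empty list means benign by these rules)."""
    image, cmd = rec.get("image", ""), rec.get("cmd", "")
    exe = PureWindowsPath(image).name.lower()
    low_img, low_cmd = image.lower(), cmd.lower()
    hits = []
    if exe == "adfind.exe" or any(m in low_cmd for m in ADFIND_MARKERS):
        hits.append("adfind-style AD enumeration")
    if any(d in low_img for d in WRITABLE_DIRS):
        hits.append("executed from user-writable temp dir")
    if exe in RECON_TOOLS and rec.get("user", "").lower() not in ADMIN_USERS:
        hits.append(f"{exe} run by non-admin user")
    if exe == "powershell.exe" and ("-enc" in low_cmd or "-w hidden" in low_cmd):
        hits.append("encoded/hidden PowerShell")
    return hits


def hunt(log_text: str) -> list:
    """Return (host, exe name, reasons) for every line that trips at least one rule."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        hits = reasons_for(rec)
        if hits:
            findings.append((rec["host"], PureWindowsPath(rec["image"]).name, hits))
    return findings


if __name__ == "__main__":
    for host, exe, why in hunt(LOG_LINES):
        print(f"{host}: {exe} -> {', '.join(why)}")
```

The admin allowlist is the weak spot of any rule like this, which is the point the slide makes: the same nltest command is silent when run by the domain admin from System32 and loud when a copy is run by a standard user from a temp folder, so the context (who, from where, when relative to the initial infection) carries more signal than the tool name alone.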
To protect and serve…
Advice for the Negotiation
• When the ransomware is detonated it displays information on how to contact the crime gang to pay the fee they are asking for and receive the key to decrypt the data.
• While we recommend not paying, unless critical to keep the business running, we advise opening a channel for a conversation with the cybercriminals.
• Once authorized by counsel/client, contact is made with the gang on the dark web to advise them that systems are impacted and that we would like to discuss getting our data back, the data not being released on public sites, etc.
• We provide them with a known encrypted file to make sure they are able to decrypt it and return the known file to us, which proves they actually have the decryptor.
• In addition, to gain credibility, we have a discussion about how to lower the price, funds available, etc…
• There is always room to negotiate a lower fee, and the cybercriminals expect that.
Negotiation pitfalls
▪ In the last twelve months we participated in the negotiation in several cases and learned some important lessons:
▪ Do not underestimate the negotiator from the cybercriminal gang: they are often skilled individuals with wide experience on such topics… in fact, in one case, we clearly faced a conversation with a former FSB negotiator (he told us about that).
▪ The conversation should be strictly limited in the number of participants. In one case, when an uninvited participant joined the negotiation at a later stage, the attacker left the channel and the data was immediately released…
▪ The attackers are willing to explain how good they are… this is the only weak spot we found during the negotiations… you can leverage it to collect some critical items useful for the IR investigation.
▪ The attacker is usually not keen to overreact; he knows he has some good files in hand... He reviewed his loot before detonating the ransomware, so every attempt to downplay the value of the stolen material during the negotiation will fail… sometimes miserably…
LESSONS LEARNED
Don’t let the pressure guide you… Always think about possibilities…
The blackhats tell you they are perfect… but they are not…
The key is to use the negotiation as a functional step
Don’t take shortcuts… try to support the investigation
Think positive…
Post-Incident recommendations
• Even with the decryptor, decrypting the data is a painful and costly experience for a company...
• Our continuous message to clients is to secure and segment their infrastructure so these attacks are not as successful. That is cheaper than the response effort that follows a breach.
• The anonymity of the Internet and the lack of international cooperation between countries have really hampered the ability of law enforcement/prosecutors to take any real meaningful action to identify and prosecute these OC (organized crime) and nation-state actors.
• Thus, since this avenue is a long shot to dissuade threat actors, it is up to companies to do a better job of protecting themselves.
Q’n’A
Thanks!
