because he has lots of interesting things to tell. I just want to tell you what he does. He is a senior cyber security consultant at Lemon Shark, a Dutch company. And he has lots of interests, from SIEM and SOC, to pen testing, to compliance. I asked him why, and he says, "I just like too many things." Well, that's what we recognize, right? We like so many things. That's why this whole program is so diverse, and that's why we'd like to have you on stage. So please, a warm welcome for "Don't Turn Your Back on Ransomware", Eric Heskis.

Hi, everyone. I hope you have a good time. I'm definitely enjoying myself, and these things are absolutely fantastic. It's okay now again to meet each other in person. Absolutely great. So today we're going to have a talk about ransomware. And we probably know what it is. And first I have a question for you. Can I see some hands: who actually was involved with a real ransomware attack in some way? Definitely a couple of us are. So I was a victim, and as well I've been performing these exercises, like tabletop exercises, and it isn't as exciting as it sounds. But anyway, ransomware is still here and the attacks are only increasing, and I think I'm not exaggerating: if we take all of the computer systems in the world, it might be the case that 50% or more are involved with some kind of ransomware attack. Now, let's have a view of what we're going to talk about today. I'm going to show some ransomware history. I'm going to show some examples of ransomware. Obviously I'm going to give a demonstration, and at the end we're going to look at what we can do to defend ourselves and to put some eyes and detection on ransomware indicators of compromise. So let's start. Yeah, ransomware, you probably know what it is. It is a digital way of, well, you can say hijacking, but I like to call it a digital way of extortion. And usually Bitcoin is a very popular way to release whatever has been hijacked.
So what the attacker will do, when he is encrypting the files, is use a form of hybrid encryption. That means that he will benefit from both the speed of the symmetric algorithm and the confidentiality and integrity which the asymmetric algorithm involves. So basically, he will first encrypt everything with a symmetric algorithm, and that encryption key will be encrypted with an asymmetric algorithm. All right, so here is a timeline of a lot of the ransomware species that occurred around the globe, and it's quite a lot. And if I am going to summarize all of these, then I think we can stay here for hours, so I'm not going to do that. But keep in mind that before all of these ransomware species were released, it was, I think in the 80s, there was a guy who went to a conference, had a list of everyone who attended, and was handing out free software to all of them. Now, next, when you installed this software, your computer was automatically rebooted and there was a message displayed: well, if you like your software, please put some money in an envelope and send it over to me, and then I will release it. So eventually there was Joseph Popp; he got caught, and I think that was the first ransomware attempt ever. And next, there were also non-encrypting kinds of ransomware, like the screen lockers. We have probably seen threatening messages from the police or from the FDI, FBI, AR Explorer with a message to pay a fine or you will get prosecuted, and you feel like that. Very scary, but actually it was harmless. It was a browser message; you could click it away and then nothing happens. But actually some people fell for it and either paid the fine or showed up at the FBI to turn themselves in. Now, if you look at CryptoLocker, for instance, this was the first edition, the first effort, making use of Bitcoin as payment and introducing the Zeus banking Trojan as an extra addition to extort even more money by attacking for financial gain.
And then a lot of species arose, like Cerber, TeslaCrypt; we got into the WannaCry misery, where a lot of financial damage, also in Holland, occurred. And the ransomware also started to advance, like spreading over the network, making use of data exfiltration and trying to disable your backups, like happened in Maze, GandCrab, Clop, et cetera. And now we had some incidents with Lapsus$. We have LockBit, BlackCat, and the list goes on and on. So lately we had an incident with Microsoft; that was the Lapsus$ group, and they were also able to exfiltrate some of their code. We had an incident with MediaMarkt in November 2001, which was done by a ransomware group, The Hive, and The Hive will also attack a hospital if they get a chance. We had a supply chain attack organized by REvil, and that means that Kaseya actually, the software, maintains other clients' infrastructure, and they managed to encrypt all their clients' infrastructure by means of that exploit. And the way it came fast, it also ended fast, because the encryption key was eventually disclosed. Colonial Pipeline, to have an idea about the impact, is providing the fuel for the planes. So in Washington, the planes were kept on the ground as a result of that attack. And obviously Ryuk, also a very fierce one, attacks on hospitals in America. And there is even a rumor that it actually also caused a human casualty. I don't know if that's true. Okay, though, so if you combine all the services, they join their forces, they have all these elements, like the one who is providing the software, doing the negotiations, et cetera. You put all the elements in a big bonus turret, you have something that is ransomware as a service, and as you can see, that is a really money-making product. And also ransomware groups are now combining and buying stuff from each other and handing out knowledge to become even bigger, to be more successful.
If you look at this kill chain, it kind of looks like a cyber kill chain. It also starts with a delivery, where you can first send an email for a phishing attack with an attachment to gain a foothold on your system. Sorry about that. Yeah, sorry about that. That was in the wrong hole. Now, after having the foothold and there is a callback to the attacker's server, all the files will be encrypted by means of that asymmetric algorithm, and the ransomware will actually show a message in order to pay. Now, if this happens on a single system, it could be a server or a network device, anything like that. Well, we call that an attack type one. When the attack will also try to do some lateral movement, we're going to look for that later in the demonstration, and will try to exfiltrate sensitive information and also make sure that the backups are unusable, we call that a type two attack. So for the demonstration, we go on first, have a look at the victim, which we can phish with an email attachment which has a macro file in it and some malware to gain some foothold. Next, we're going to look for some accounts which are on that system and try to raise our privileges and see if there are more accounts we are interested in, and eventually we're going to target a domain controller, and the end goal is to encrypt the domain controller and to deploy our malware over there. So I would say just sit back and relax, then we're going to start the demonstration. So in this first step, we're creating a phishing email, and the phishing email could have some social engineering as well, because the receiver might expect an email from someone sending in a presentation. Take some time to type this message. Okay, now the email has been sent. Not sure if you see this red dot, probably not. It arrives in the inbox of the victim; try to open it. It seems that it's coming from a trusted sender, and next, the email attachment is opened and there is a PowerPoint presentation in it.
Okay, so let's see what's going to happen now. The victim enables the content, a very smart thing to do, and in the meanwhile, well, we all know, the victim takes the bait. In the background there was already a listener started, and now we have a reverse shell, and this is the first step of the attack. Okay, so the connection has been enabled. Going to move to the next one. However, in my example I used the macro, and it doesn't necessarily have to be so. Not so long ago there was a zero-day vulnerability. You probably have seen it, Follina, which is making use of the Microsoft Diagnostic Tool, and that's also a way to provide a foothold. So the victim opens this Word document, and in this scenario also a reverse shell is being set up in the background. Okay, and that's that. We're going to look at the next step, and that is privilege escalation. Now, privilege escalation is quite a complex thing, so I took some shortcuts here and there, also in order to save time. In this example we're going to listen on the network for events we can use, in order to catch some events which will give us the password of a particular user we're after. So this user is trying to look for a particular server on the network. However, there is no such server, but in the background negotiation will take place anyway. So there is a listener running. If I'm correct, there is also a hash being captured by the tool, and it discloses the user's password. So now we have a user's password. Next, a very nice feature in Windows is autologon, and when you enable that, the attacker can look for the registry key and see if actually someone enabled that with a cleartext password. It's a very easy thing to extract the information and to have the administrator password. I'm not saying that this will happen often, but it can be the case. So, and there we go. We've now also got the local admin password. So we already have a running shell in the background.
Now we want to upgrade that shell with that administrator password to raise our privileges. So we're still the demo user. We put it in the background and then we run our script, which includes our new username and password. This is a post attack on the existing shell. And we create a new shell, and then we have administrator permissions. Okay, so that is one workstation that we have compromised, and now we want to move around to look for better targets. That's what we're going to do now. So first we're going to deploy our tool which is going to map out the network, which is SharpHound. SharpHound will create some files, and the files, the JSON files, we're going to import into BloodHound, and BloodHound will give us the visibility we need to have in order to find the shortest path to our best target, which is the domain controller. So there we go, we start BloodHound. The files are imported and we have our attack path. The visual is there. Okay, so next we're going to combine the information we already extracted from the user accounts. We've got the hashes, and we're going to combine all that information also with other accounts we have found, and combine that into a ticket, which is what we're going to create, and the ticket is going to grant us access to the domain controller, so we're able to create a remote connection with that ticket and deploy our malware. So first we need the hash, and there it is. Then we go into the shell and we start Mimikatz, and we combine the hash with the user we want, and we have a ticket to be able to use for the domain controller. So the only thing we have to do now is to copy our malware to a system we can copy it from, and from there we copy it over to the domain controller and execute it. So it's now being copied to the domain controller. The malware is named new.exe, and in a PowerShell window we can just execute this file, and there it is.
You can notice the system has been encrypted, with the GandCrab ransomware notice being displayed. Okay, so what we can do now is to see if there is any evidence of this attack, and therefore we're going to use a SIEM system. And a SIEM system will have all the logs of all the endpoint devices, of all the servers in the network. That's the way it's been traditionally done, and when you're configuring all this stuff together to make sure all the log forwarders are forwarding the right information, then at the end you look like this. So we have a ransomware note as evidence, and that is something which we are interested in to start our research with. So we're going to start a query which is going to look for that information, and in this example you will notice we have found some ransomware notes. Other indicators of compromise we are interested in are, for instance, the clearing of the event log, because an attacker will probably try to hide the traces, and that will also leave an event behind we can use as evidence. Next, we are interested if macro files are being used, or malicious tools like SharpHound or anything like that are being used; that is also a nice way to threat hunt on. Not mentioned here, the disabling of antivirus, for instance, can also be a nice indicator of compromise to search for. So what we've seen until now is a red teaming exercise and a blue teaming exercise, and in the red teaming part we're doing the offense kind of game, where we're going to attack a system and see if we can try to maintain access and to deploy our malware, and in the blue team we'll try to see if they are able to detect this kind of attack and if they are able to mitigate it.
Okay, and if that all goes well, then at the end you can have a really good backup after such an attack, which you can use in order to go to a good known state. But what happens when a backup could also be infected with a certain malware that will execute after some time, and then all your backups are encrypted as well? Also what can go wrong is humans: obviously they can make mistakes, they can click on the link for instance, and then you can have as many defense kinds of mechanisms in your network, but when a user clicks on a link then you have an incident. If you are in a ransomware attack, usually there is panic, and in a panic situation it may be that you don't have access anymore to a server or to a data center, and if it's not clear in the procedure who you need to contact or where you need to go, you can run into a lot of problems. Obviously malware will eventually run on workstations; the obfuscation techniques will get better and better. In the examples I just showed you there was no obfuscation at all, but be aware that's the case in real life, and then we just have to deal with that also, to prepare. And as I just showed, a zero-day vulnerability was there in Microsoft Word, so we have to deal with these as well. So what are you going to do then?
I must admit that in most exercises I did, the end advice was to provide multi-factor authentication, and it's often being used as a silver bullet to take all your problems away. Now I wanted to point out that multi-factor authentication is very good to have, but it's not magic, so you should really be aware how to apply this. So for instance, if you have a system with high privilege accounts in Active Directory, for instance, and you want to protect these with multi-factor authentication from Azure and synchronize all your high privilege accounts to Azure in order to be able to make use of that service, you might consider yourself, thinking whether that is a good idea or not. So yes, in order to prevent the things you will have in your backups, with a logic bomb for instance, make sure you have your backups write-protected, and at least use any form of immutable data, or even better, put them offline somewhere. Obviously you should practice cyber resilience, and basically that means run the patches, make sure you apply least privilege, and all that. I think I don't have to tell you; it's just do the right thing. Okay, it's easy to say, and in large corporations usually that is the case, but if you look at small organizations, security doesn't necessarily have to be a priority, right? So therefore, if you are in such a situation, I would advise you to make use of the things you already know and apply that in your own exercises. So I wasn't ready yet: what about cloud? Well, cloud could be a gift and a curse, and I would say a gift because the cloud, like Azure and AWS, they have fantastic tools you can use to even improve your security; like, for instance, Azure has Defender ATP. So be aware, if you're on a public cloud, that there are multiple challenges you need to take. Obviously detection with SIEM, and in my example I showed a traditional SIEM, but there is also a way to protect your endpoints with EDR, and a couple of years ago, or maybe even longer, EDR was just
beginning and it was nice to have, and nowadays, I often think, you can do without. Obviously use proper segmentation in order to prevent lateral movement from happening, and I would say document: whenever you get attacked, document every step, and then you can prepare for a next attack. And as previously mentioned, don't bet only on one horse; don't think MFA or EDR will take all of your problems away. Combine all these strategies and make sure you apply defense in depth and do the proper thing. So I hope you enjoyed it, this was it, and if there are any questions I will be around and I can answer them, if anyone has one. Thank you.

There is some time for questions, just a few, so if someone has one, please. Yeah, I see them from the back. Walk to the microphone. Great, and I see a second person. Let's see who's first. The person in the back is first.

Hey, everybody, see, always practice running; that way you get to the microphone first and ask your question. In all seriousness, I've heard some very interesting but super anecdotal case studies of ransomware being used by APTs that have been extracting data and then actually using ransomware attacks to hide the traces of an APT, or to essentially disguise an APT as a ransomware gang rather than a serious attack by a foreign government to extract data. And I'm just curious if, as I said, the data I heard about has been super anecdotal, so I'm just curious if you've witnessed it in your work.

Can you look me up after this talk? Because there are a lot of things I don't want to disclose here for a large public, but I definitely have some experience with the advanced persistent threat. Yes. Cool.

All right, next one.

Not a question, only two comments. Thank you for your demonstration here, but SharpHound doesn't need local administrative permission; you can run it as a user. I think you know it, but you demonstrated being local administrator first and after that you ran SharpHound, but it runs directly. And the other point: the ransomware attacks the entire
Active Directory, and therefore it's a good recommendation to separate the backup system out from the Active Directory. That's it, thanks.

Two comments, there was no question. Thanks a lot. Or do you have any reaction on that, if there is still time? I don't know, we've got two minutes. I don't know if there's another question from the audience. At this moment I don't see anyone, so then if you want to react on that you still have one minute, or you can join the discussion with that person, or perhaps other persons, later. It's okay, let's wrap up then. That's good for that. I'm sort of curious, so thank you very much. Thank you, everyone.
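The detection side of the talk, as an added example that is not part of the talk or the speaker's material: a small Python detector that runs over constructed Sysmon/Windows-event-style records and flags the indicators of compromise named in the SIEM part of the talk (ransom note files, event log clearing, macro-launched script hosts, SharpHound or Mimikatz execution, antivirus being disabled), then ranks hosts by how many distinct indicators fired so an analyst knows where to start. The JSON event shape, host names, file names and command lines are assumptions made up for the example; the Windows and Sysmon event IDs are real, while the ransom-note file-name pattern is a loose heuristic rather than any vendor's signature.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events in a simplified Sysmon/Windows-event-like shape.
# Made up for this example; not real captured logs. "new.exe" is the file name
# used in the talk, the note name and paths are invented.
SAMPLE_EVENTS = [
    {"host": "WS01", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "WS01", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Users\demo\AppData\Local\Temp\SharpHound.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "SharpHound.exe -c All"},
    {"host": "DC01", "channel": "Security", "event_id": 1102},
    {"host": "DC01", "channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 5001},
    {"host": "DC01", "channel": "Sysmon", "event_id": 11,
     "image": r"C:\Users\Public\new.exe",
     "target_filename": r"C:\Users\Administrator\Desktop\GANDCRAB-DECRYPT.txt"},
    {"host": "WS02", "channel": "Sysmon", "event_id": 1,          # benign control
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


# Real event IDs: Security 1102 (audit log cleared), System 104 (log cleared),
# Defender 5001 (real-time protection disabled), Sysmon 1 (process create),
# Sysmon 11 (file create). The note pattern below is a heuristic, not a signature.
RANSOM_NOTE = re.compile(r"(decrypt|restore|recover|readme|how_to).*\.(txt|html|hta)$", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "msdt.exe"}
RECON_TOOLS = re.compile(r"sharphound|bloodhound|mimikatz", re.I)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased ('' for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the indicator rules to each event and return the findings in order."""
    findings = []
    for ev in events:
        host, eid, chan = ev.get("host", "?"), ev.get("event_id"), ev.get("channel", "")
        image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
        cmd = ev.get("cmdline", "")
        if (chan == "Security" and eid == 1102) or (chan == "System" and eid == 104):
            findings.append(Finding("event_log_cleared", host, f"{chan} log cleared"))
        elif chan.startswith("Microsoft-Windows-Windows Defender") and eid == 5001:
            findings.append(Finding("defender_realtime_disabled", host, "real-time protection off"))
        elif chan == "Sysmon" and eid == 11 and RANSOM_NOTE.search(basename(ev.get("target_filename", ""))):
            findings.append(Finding("ransom_note_created", host, ev["target_filename"]))
        elif chan == "Sysmon" and eid == 1:
            # An Office application spawning a script host is the macro pattern from the demo.
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(Finding("office_spawned_script_host", host, f"{parent} -> {image}: {cmd}"))
            # Known AD recon / credential tooling by image name or command line.
            if RECON_TOOLS.search(image) or RECON_TOOLS.search(cmd):
                findings.append(Finding("recon_or_credential_tool", host, cmd or image))
    return findings


def hosts_needing_triage(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired, most rules first."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return sorted((h for h, rules in per_host.items() if len(rules) >= min_rules),
                  key=lambda h: (-len(per_host[h]), h))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:5} {f.rule:28} {f.detail}")
    print("triage order:", hosts_needing_triage(found))
```

Each rule on its own is noisy in a real estate (administrators do clear logs, helpdesk scripts do run from Office), which is why the triage step counts distinct rules per host rather than raw hits: a host that both cleared its Security log and wrote a note-like file deserves attention before one that only tripped a single rule.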