All right. So now what you're seeing on the screen is the set of steps for the flow of the ransomware. In the first screen, what you are seeing is a folder with the name tools. That's where we have got the most important files. So when I look at it, I've got two files in there for this proof of concept. One is named most important file and the second one is the sensitive passwords. So let's open one of the text files. Looking at the text file, it seems that there is some text in there for demo purposes, but it's in plain text right now. So let's close this file and let's look at the second file, which is the sensitive passwords file, which contains some dummy passwords in plain text. So I'm going to close these files now. So now you know that these are the important files on the machine, which we are going to encrypt through Ferrotti. Okay. What I've got on the right is the C drive of the machine which we are going to infect with the ransomware. What I'm going to show here is the folder structure. And remember that right now we have configured our ransomware to encrypt files in the tools folder. However, this can be customized to encrypt the full folder of the complete C drive, or the whole Documents folder, or Pictures, or whatever you like. Okay. So let's keep it open and see how things change when you run the ransomware on the infected machine. The third folder I have opened here is the temporary folder. That is where all the certificates and the symmetric keys are going to get dropped and then exfiltrated out to the attacker. In the fourth window, I have got a browser open. In the first tab, I've got Google Drive. Right now, if you look at this Google Drive, there is only one folder and a file. However, there is nothing else available here. So what we use for exfiltration purposes, when you have big files, is Google Drive; they are going to get exfiltrated to Google Drive. 
So I tried it with this test MP4 file, which is 126 MB, and it works perfectly. So what is going to happen is these files over here are going to get copied into Google Drive when you run the ransomware. Okay. And remember that we have distributed our attack infrastructure in a way that we are not relying on one single service. So the symmetric keys are going to come to Pokemail. And how you set up Pokemail I'm going to show you in a moment. But before that, let's look at what sort of UAC controls we have on the infected machine. So let's look at the UAC settings. It seems that the highest level of UAC is Always notify. Whenever an app tries to install software or make any changes to the computer, this is going to notify the user. So this is currently set on Always notify. Let's minimize this and look at the current certificate store, which is the local store on the box. So the current store has got only one certificate in here. However, when the ransomware gets deployed, you will see another certificate get installed, and then it's going to get removed afterwards, right? Once it exfiltrates and encrypts these files inside the tools folder. Okay, let's minimize this now. So let's set up our ransomware with the email address where you want to exfiltrate the keys for the certificate. So right now I've chosen the Statue of Liberty as a location. So I'm going to click on this and then get the geographic coordinates. And I'm going to paste them in here. So these are just the geographic coordinates for the Statue of Liberty. I'm going to set this as my location. So once I set this as a location, you'll see that it has created a unique location for me. And then it has generated a random-looking email account for me, right? And it has got one email in it as of now. 
Okay, so you have to copy this email and then put it inside your ransomware file, and you have to make changes in the email address parameter. So I'm going to do that now. So I've modified the email address, one in here. And the other place where you want to make changes is the email1 parameter over here. So after you make those changes, save the file. So I'm going to save this file. And I'm going to minimize this for now. And I've opened a PowerShell window. And I'm going to run the ransomware. To run the ransomware, all you need to do is just run one single PowerShell file. Once this runs, you will start seeing files get dropped inside the temporary folder. And then, you know, in Google Drive, you're going to see an encrypted zip file, you know, containing the exfiltrated data, right? So I'm going to hit enter. So it is going to create a base64-encoded certificate. This is going to be the public key. And then it's identifying. So then it's going to install the 7-Zip module onto the machine. However, let's see if this has already installed the certificate on the machine. Not as of now, but let's give it some time. And then you'll see another certificate being installed in here on the machine. So once that is done, you know, it's going to start encrypting the files. So right now, it is zipping the files. So if you look at this, it has already created the certificate. It is creating files. And now the files are already zipped. And an email has been sent to the attacker on Pokemail. So if we go here and refresh it, you know, it has created the still.zip file. It is running some enumeration on the files, on which files the ransomware needs to encrypt. And then it's going to start uploading the files to Google Drive. So once it uploads the large files, it's going to delete them from the temporary folder. And then you'll see that it is going to start encrypting the files. 
If you look here, you'll see that the files have already been encrypted. And we have successfully deployed the Ferrotti ransomware onto the machine. So once this is done, you know, it gives you a notification on the infected machine that, you know, they have been ransomed and the files are encrypted. So, you know, as of now, I have put 30 seconds for the proof of concept. But then you can set this timer for, you know, however long you want, right? And so once this is done, it's going to close the UI, and then it's going to change the desktop of the infected machine. Right now, if you have a quick look at the folder where we had the sensitive files, the files have been changed to the .ferrotti extension. The file type is again changed to ferrotti. And then once you see here, the background gets changed as well, with the Ferrotti background. Okay, so that's been done as well. And if you look here, right, you have received emails containing the private key for the certificate, and the certificate is already deleted from the infected machine. And then if you try to open the closed folder again and try to access the files, you'll see that, you know, they're no longer accessible. So if you open it, you know that there are just junk characters in it. And it's been encrypted with .ferrotti. So that's what the ransomware does. And so the next step is to actually go ahead and download the encryption keys. So I'm going to download the backup1.zip file. And if I go back to the inbox, I'm going to download the other file as well. So I'm going to copy this. I'm going to back this up as well. You know, so once downloaded, you can go to your Google Drive and you'll see that the still.zip file is already in there. And if you try to open this, you'll see that you've got the same two files in there, the most important file and the sensitive passwords, as .txt. 
These files were actually on the infected host in .txt format, which is now converted to .ferrotti. Okay, so if you try to open this, you won't be able to open this, the reason is... but however, let's download this. So it's just scanning for viruses, and once it downloads, let's go to the Downloads folder. It's not downloaded yet. So let's go to the Downloads folder and see if we can open this. So if you try to open this, you know, it requires the password. And the password for these files is actually inside Pokemail, right? In the backup.zip file. So if you try to open the backup.zip file and look at the sys.txt file, that's the private key for the encrypted zip file, which is on Google Drive. But however, it requires the password, and this password is encrypted using this initialization vector over here, which is using the symmetric key, right? So this is the symmetric key for the very first file, which is the sys.txt, right? So this initialization vector, as an attacker, you are the only one who holds this. And since this is running inside the memory, and as you rotate your infrastructure, no one else would be able to gain access to this, okay? So let's verify and put this as the password in there. And sure enough, this is the password for the stolen file, right? So this is the password for the, sorry, certificates using which the files have been encrypted. So when you want to send this decryption key, this is what you are going to send to the user, okay? So that's how the attack works. And if you look at it, there is going to be a ferrotti.txt file on the desktop, such as this, and if you try to open it, it's going to give you the same note which you saw in your pop-up window, right? That your files have been encrypted. They're asking for 0.10 Bitcoin. If you don't pay it, they are going to, you know, release your sensitive files to the internet. 
So the same can be done with phishing emails, right? So let's go to Gmail and see how this attack can be done via phishing emails. So one thing I'm not going to show you here is how you bypass antivirus, because that's not the scope of the project. We are purely looking at the ransomware and how you can create a proof of concept and make your incident response team work for it, to see their behavior and identify the gaps, right? So supposedly, you receive an email like this with the subject line "Important promotion list for 2020", right? And supposedly, you receive this from your colleague whose email is compromised using various other means. And since you trust your colleague and internal email addresses, you think this is an important file to work with, okay? So once downloaded, the file looks like this, okay? And this looks very legit. An attacker can generate this kind of data and use it to get someone to, you know, download the file and run it, okay? So once you have downloaded this, there is a note here saying "click on the chart to display the insights". Suddenly, you'll see that, you know, the data is good. However, the issue is the chart is not getting loaded properly. So let's look at the macros and what the attacker has done in here. So the macro looks like this, okay? So it's going to download the test.patch file from GitHub and then it's going to run the demo.patch file. It's going to save it in the temporary folder and then it's going to run it, okay? So let's see what's in GitHub and how it's going to pull this stuff. So right now, I'm in the test.patch file. This is what is getting pulled. So once things are getting pulled, it's going to run something which can be downloaded onto the machine itself, right? Like the way we are downloading this patch file. So, okay. So let's try to run this and see if it is actually working. 
So since it says that, you know, click on the chart to display the insight, what I've done is the on-click event for this chart is going to call the macro and it's going to run it. So let's see if this is working. So once I click on this, right, it has opened cmd and it's going to pull the file from the internet into the temporary directory of this machine. So let's go to the TMP directory, and the demo file has already been downloaded, okay? So if you look at the timing, it's 11:16, and just now the file has been downloaded. It is creating the sys.txt file. The ransomware is running in the background. You can confirm this by the way this CMD has opened. But if you don't want the CMD window to pop up, you can hide that as well. See, it is creating different files. It has created the backup.zip file and it's going to perform the same attack again, and what it's going to do this time, it's going to repeat exactly the same steps on the machine, but without the user even realizing that something is happening on the account, right? So if you see, the still.zip file has already been created. Let's see if there is actually a certificate created on the machine. Yes, it says the CER has been created just now. But you can verify the same stuff by looking at the personal certificate store. So in this store, it is going to create a self-signed certificate on the user machine even though we have a UAC of Always notify, right? So if you double-click on the certificate, you know that we have got a private key which is getting sent to the attacker via Pokemail, okay? So once the attack is going to be successful, it's going to delete this self-signed certificate and the private key from the machine, and then the user won't have a chance to encrypt their files, okay? So that's how the attack vector works even with phishing, and let's go to our... oh, so the attack has already finished. 
It is refreshing the window, and that's why the window got closed. And then you can confirm this by going into the same tools folder and seeing if the files are encrypted already. So the files are encrypted, and then the certificate is going to get deleted. So if you keep refreshing it, the certificate is already deleted, and that's how the attack works through phishing, and that's how the ransomware gets spread from one machine to the other. I hope you like this demo and you've learned something new out of it. So let's jump back to the presentation and see some mitigation strategies now.
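Editor's note: the speaker frames this proof of concept as a way to exercise an incident response team, so the obvious follow-up question is what the host telemetry from the demo above looks like to a detector. The block below is an added example, not part of the talk or the Ferrotti project, and it does not reproduce any part of the ransomware. It encodes the three behaviours the demo shows on the victim: a burst of renames to one new extension (.ferrotti), a certificate that appears in the personal store and is removed shortly afterwards, and an archive staged in the Temp folder before upload. The event schema (`cert_added`, `cert_removed`, `file_create`, `file_rename`), the host names, the timestamps and the file paths are all constructed for the example; map them onto whatever your EDR, Sysmon or file-audit source actually emits. Thresholds and the correlation window are assumptions to tune, not values from the talk.

```python
"""Behavioural correlation for the ransomware chain demoed in the talk.

Added example; the telemetry below is constructed, not captured from a host.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # assumption: correlate events per host within 5 min
RENAME_THRESHOLD = 10                  # assumption: renames to one new extension before alerting
TEMP_MARKERS = ("\\temp\\", "\\tmp\\") # staging directories seen in the demo


def _ext(path):
    """Lower-cased final extension of a Windows path string."""
    return os.path.splitext(path)[1].lower()


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def build_sample_events():
    """Constructed telemetry mimicking the demo host (WS01) plus a benign host (WS02)."""
    base = datetime(2020, 3, 1, 11, 16, 0)

    def t(sec):
        return (base + timedelta(seconds=sec)).isoformat()

    events = [
        {"ts": t(0), "host": "WS01", "type": "cert_added", "subject": "CN=ferrotti-demo"},
        {"ts": t(4), "host": "WS01", "type": "file_create", "path": r"C:\Users\u\AppData\Local\Temp\sys.txt"},
        {"ts": t(9), "host": "WS01", "type": "file_create", "path": r"C:\Users\u\AppData\Local\Temp\still.zip"},
    ]
    # Mass rename: every file in the tools folder gets the .ferrotti extension.
    for i in range(12):
        src = rf"C:\tools\file{i}.txt"
        events.append({"ts": t(20 + i), "host": "WS01", "type": "file_rename", "src": src, "dst": src + ".ferrotti"})
    # The self-signed certificate is deleted once the private key has been exfiltrated.
    events.append({"ts": t(45), "host": "WS01", "type": "cert_removed", "subject": "CN=ferrotti-demo"})
    # Benign host: ordinary renames, no certificate churn, no archive in Temp.
    events.append({"ts": t(10), "host": "WS02", "type": "file_rename", "src": r"C:\docs\report.docx", "dst": r"C:\docs\report_final.docx"})
    events.append({"ts": t(12), "host": "WS02", "type": "file_rename", "src": r"C:\docs\a.txt", "dst": r"C:\docs\a.bak"})
    return events


def _in(ev, lo, hi):
    return lo <= _ts(ev) <= hi


def detect(events, window=WINDOW, rename_threshold=RENAME_THRESHOLD):
    """Return one alert per (host, new extension) whose rename burst crosses the threshold.

    Supporting signals (certificate add-then-remove, archive staged in Temp) are
    attached when they fall within one window either side of the burst.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        # Only renames that change the extension count; report.docx -> report_final.docx does not.
        by_ext = defaultdict(list)
        for e in evs:
            if e["type"] == "file_rename" and _ext(e["dst"]) != _ext(e["src"]):
                by_ext[_ext(e["dst"])].append(_ts(e))

        for ext, times in by_ext.items():
            times.sort()
            start = 0
            for end in range(len(times)):
                while times[end] - times[start] > window:   # slide the window forward
                    start += 1
                if end - start + 1 < rename_threshold:
                    continue
                lo, hi = times[start] - window, times[start] + 2 * window
                count = sum(1 for x in times if times[start] <= x <= times[start] + window)
                signals = ["mass_rename:" + ext]

                added = {e["subject"]: _ts(e) for e in evs if e["type"] == "cert_added" and _in(e, lo, hi)}
                removed = {e["subject"]: _ts(e) for e in evs if e["type"] == "cert_removed" and _in(e, lo, hi)}
                if any(s in removed and removed[s] > added[s] for s in added):
                    signals.append("cert_added_then_removed")

                if any(e["type"] == "file_create" and _ext(e["path"]) == ".zip"
                       and any(m in e["path"].lower() for m in TEMP_MARKERS) and _in(e, lo, hi)
                       for e in evs):
                    signals.append("archive_staged_in_temp")

                alerts.append({"host": host, "new_ext": ext, "rename_count": count, "signals": signals})
                break   # one alert per (host, extension)
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Two points worth keeping in mind when adapting this. First, the certificate signal is the one that is specific to this PoC: the demo drops a self-signed certificate into the current user's personal store, which needs no elevation and is why the UAC "Always notify" setting shown on the victim never fires; a short-lived certificate in `Cert:\CurrentUser\My` is a cheap thing to audit for. Second, the rename threshold is the knob an adversary will test, so pair it with a canary file in each protected folder rather than relying on the count alone.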