Ransomware Incident Response - The Real-World Story of a Ransomware Attack

Mar 21, 2024
I can hear myself too, so I guess welcome to the session. Don't all gather in front. We have something exciting, what you'd call content, material, adventures ahead of us this afternoon. I'm not going to waste this gentleman's time or all of yours. I'll make the change early: I'm your session chair; if there's any problem, throw something at my head or text me on Slack or something. Joseph Carson, you can read about him in the programme like I did, but I asked him what are some interesting things about you that people might not know, and he started talking about his hobbies and stuff, and then he mentioned that, as it says in the first sentence of his bio, 25 more years of... 25 years of experience, but it was Brian Honan's fault that he went crazy with this in 2001, the year of our Lord. So he's going to take us on a little tour of ransomware from the other side of the looking glass.

OK, let's go. Give him a warm round of applause, and one last thing, I'm sorry, it's been years since I did this, before the applause: there's about a kilogram of Belgian praline chocolates down here. I think good speakers deserve good questions. The good questions will be rewarded by me with Belgian pralines, just keep that in mind for the rest of the day. And with that, a warm round of applause for Joseph.

Thank you, so it's a pleasure to be here. This is my first time and the first time I'm speaking, so I'm very excited to be here sharing my experience and knowledge with you, and for most of this session I will try to do a live demo.

I had two options when I was selected to speak here today: throw slides at you and walk you through them that way, but I think it's always better to see it in an actual demo, to give you a real understanding of what it's like from the attacker's perspective when they're actually targeting an organization, and the steps and techniques that follow. I've been privileged, because there aren't many organizations, and I've been in the industry a long time, not many organizations give you permission to tell their story, share their experience and guide you through the journey of what happened with their business, and I have been fortunate that they allowed me to share that experience, to give the knowledge, and hopefully organizations will learn from this and really prevent themselves from becoming victims in the future, and give the world a chance. We're all here superheroes fighting major crime, and I think it's important that we really share knowledge together and work together, and that's what they allowed me to do.

So I'm going to guide you through a ransomware incident response, and this particular incident is related to the CryLock version of ransomware, so some of you may be familiar with it.
I like to take incidents that I have experienced in the past that taught me something new, that I learned from, and that I think others should also learn from. Now, CryLock was an updated variant of ransomware whose previous versions were known as Cryakl; they went up to version 1.6 and it was available until mid-2018, maybe early 2019, and then it disappeared, and that was around the time they actually found weaknesses in the encryption ability and eventually a key was revealed to previous victims. Then it disappeared for a while, then it resurfaced in mid-2020, and in mid-2020 it was interesting because it was one of the first: it wasn't necessarily ransomware as a service, it was actually ransomware with an affiliate program. So think about the ransomware creators having a channel program where those who want to commit cybercrimes can become partners or affiliates of that ransomware
creator, and then basically go and distribute it and get rewards from the ransoms, and they give rewards to the creators of the ransomware. So for me it was an interesting time, and this was something that was very catastrophic for the business.

So the first thing that happens, with organizations, is that you tend to find out that you are a victim from the outside before you even know yourself, and what I mean by that: sometimes you will hear from law enforcement, sometimes you will hear from third parties, customers, partners, even your employees; sometimes you can hear from security researchers, and they will share a particularly interesting story about this incident. In my experience as a security researcher, sometimes you can hear about it on social media, you can hear about it on Twitter; the attackers might be embarrassing you, and you know, blaming you and notifying your clients that you are a victim. Also, this particular attacker actually notified the security team directly early Sunday morning. They decided to send emails to the security team notifying them that the organization had become a victim of a ransomware attack. The attacker still had persistent access; they were actually, at that time, notifying the security team that they were still exfiltrating large amounts, gigabytes, of data from the organization, so they would basically continue to extort the organization over its business data.
I always like to share an interesting part of this: when I was actually doing the incident response and digital forensics of this particular case, it is common that sometimes you find evidence from other victims. The attackers were not sophisticated enough; they copied and pasted a lot, and they actually copied and pasted some of the scripts and some of the logs and evidence from other crimes and reused them in this particular incident. So while I was digging through the logs I found another victim of the ransomware, and I thought, like a good security researcher, what should I do?

I need to notify the victim, so I notified them using the contact details. This is a fairly large organization, so I sent them information saying that I am investigating another incident here and found evidence of their IP addresses, server names, usernames and passwords that were actually discovered in this particular case, and basically a few days later I get a response saying: you're wrong, we have no knowledge of any ransomware incidents and we're not a victim. I was curious, but I'm looking at the data, so I decided, OK, I sent back: maybe this is a good opportunity, maybe they haven't deployed the ransomware yet, maybe it will give you a chance to go investigate, maybe they are preparing, maybe this is a good time, in fact you have the opportunity to protect your organization. Silence after that. And about a couple of months after closing and doing the investigation, the time came when I had to take all my files and all the logs and all the evidence and pass them to the organization that was the victim, and they were going to pass it on to the authorities for evidence collection, etc., and I thought that with due diligence I should notify this victim again, who had affirmed that they were not a victim, to let them know that I am handing over evidence that actually contains traces of their data.

Immediately after, I received a notification saying that yes, we were a victim, we don't want anyone to know, they actually paid the ransom to recover. So it's always interesting, when you do digital forensics and incident response, sometimes you find evidence of other victims and other crimes. Another interesting thing was that when I was collecting evidence, I also found crypto-mining software which had been running in the environment for two years at that point, so cryptocurrency mining was installed long before the attackers had access, so it was probably installed by an employee who decided to mine cryptocurrency on the organization's systems. So it's always interesting to know what other things are in there.

Now, of course, when the organization was notified that they had become victims of ransomware, it was a weekend and, fortunately, all of their employees, most of their employees who had laptops, had brought them home on Friday, so they were not directly connected to the corporate network at that time, but unfortunately all the servers that were connected quickly became victims of the ransomware itself, for which the organization triggered an incident response. One of the lessons they learned in this particular incident was that having a plan is one thing; actually practicing it is another thing. Many organizations have spent the time since NotPetya and WannaCry going through this incident response planning process, and they have these plans in place, and then they left them for about a year on their SharePoint, on their file systems, and then when it comes time to activate it, what happens is it's encrypted, they don't have access to it, they have an old copy that might be a year old. So in many cases organizations may have plans in place, but I think we need to understand the point that we need to practice.
They need to simulate. They need to understand that incident response is no longer just an IT or security team responsibility, but is actually a business impact. We need to make sure that when they do simulations they really work with the business, they work with other departments, because in this case it was the first time they decided to talk to the finance team, it was the first time they started talking with the HR team, the first time they started talking to legal and other parts of the business, to understand what they needed to do to get the business back up and running. Now, unfortunately, they had to make the decision within an hour or two of this incident; they had to decide, because the attackers still had persistent access, they still had access to the network, and the decision was made.

I can only make recommendations. Sometimes I would like to observe the attacker and understand more about their techniques. Unfortunately, at the time the investigation began, the attackers had actually deleted a lot of the log files, so logging and archives and events were very, very difficult; there was not a lot left at that stage. So I'd have liked to look, but the attackers were still exfiltrating large chunks of data, so the decision was made basically to shut down the environment. They decided to shut down the systems, shut them down, shut down the internet, to make sure they could control the incident and contain it.

Some things were able to function independently again and were isolated. The important questions were: how do we make sure the attackers can't come back? Where do we find patient zero? What systems were used as the staging environment this time? At this point there was a big decision on how to get back to operation; what's the way? Now, a lot of things happen in between, about understanding the capability, understanding how many systems are affected, and we got to the point: right, let's restore from a backup. Unfortunately, as in most organizations, the backup was on the same network with the same credentials, and what happens to that backup? It's also encrypted. So you face a situation where all your production systems, all your backups, are now encrypted, and they faced a difficult decision at that time, when the business was gone.

The business had basically evaporated in a matter of hours, and this is a big business: hundreds of employees, multi-million-a-year revenues, and they are faced with the choice of how to recover this business. So they started investigating the ransom payment, and you always hear, I mean, I'm a security researcher, an ethical hacker, and we always hear that the recommendation is not to pay the ransom, and that is the recommendation. We should not force organizations to make that decision, because ultimately I can only provide my opinion; it's a business decision whether to pay the ransom, it's a business decision what choice they face. Sometimes organizations pass that decision on to cyber-insurance companies now, as part of the policy, so you need to make sure you understand what's in the policy, because some cyber-insurance company policies say that the decision to pay the ransom is now part of the insurance decision, because it is a financial decision.
Luckily for this organization, we found a system that had been migrated a year ago and was decommissioned for GDPR but had not been completely wiped. That year-old migrated server was actually used as a base to rebuild this environment, so what we were facing was no longer that the entire business was gone; what the business was now facing was that a year's worth of their commercial data had disappeared. It meant that we used that migration server as a base; we actually migrated it and used it as a base. We hired a group of data analysts to review and examine evidence for data, review receipts, paper inventory, all asset information, and start recreating a year's worth of lost data for that company. It took almost two or two and a half months to do it, but they actually avoided paying the ransom, and in fact this method was much cheaper; it still cost a lot of money, hundreds of thousands of euros, but in reality it was much cheaper than paying the multi-million-dollar ransom that was demanded, and of course if you don't pay the ransom in two days it increases by 50 percent.

So what I was tasked with in this particular incident was not only to help coordinate and deal with basically the dynamic and static analysis of the ransomware itself, and also help coordinate the team and make sure they could collect the right images, etc.; I was tasked with understanding the attacker's techniques. My job was to put on the attacker's hat and understand how they did it, what they did, what steps they took, what scripts they ran, and as an investigator we're dealing with a ransomware case. One thing they are excellent at is destroying evidence. When looking at ransomware, many times logs are emptied and events are deleted; actually the system logs are also encrypted, so sometimes you are dealing with, I call it, almost like I've been given a 10,000-piece puzzle. I'm looking at that puzzle and I only have 300 pieces left, and I know I need to put that puzzle together and tell the organization what the big picture was. It's a difficult job to do. It's very challenging to be able to understand the entire attack path, so I was given a brief of what to find out:

Do they have the domain controllers? What systems do they have access to? What data? How many applications were impacted, on-premises and in the cloud? How long did this attack last? What types of tools did they use? Did they leave hidden backdoors that allowed them to come back at a later stage? What data did they take and how did they exfiltrate it from the organization? What was the timeline of events and what evidence was left to actually conclude a detailed investigation? Now, what was really difficult was to find the staging machines in that time, because I had very little evidence left.

I used things like Plaso and log2timeline. I got a lot of the event logs that were left, and what I did at that point, to try to find my way to the staging machines, was look at the timestamps of the cleared event logs, and I was able to create a pyramid, looking at them by system and timestamp, to find the first machine on which that event-log clearing had occurred, and that was then able to find patient zero again. Now, when I got to patient zero, it was the next stage where I was able to start building the footprints and understand the fingerprint of the attacker, to know who it is. Ready for a demo? I hope my machine is. So let's see if I can get this working; let's hope the demo gods are with me today. Yeah, we'll see.
I like to put myself in these challenging situations, so I'm going to shorten it, because I don't have a lot of time to go into as much detail as possible. There are many different ways the attackers could have gained access, but we know that seven months before the hands-on keyboard, seven months before the attack itself, there was a successful login from a known disreputable IP address that came from an exit node, so we know that seven months earlier there was a successful login. How they got those credentials: it could have been phishing, it could have been through things like Responder and NTLM hash collection, maybe a machine was compromised at some point, maybe someone entered the credentials on a phishing website; there are several ways to do it, but the way we think was the most likely was through RDP brute force. Why do we think that?

That is because the system that was patient zero was an interesting system. It was a Windows database machine that was owned by and the responsibility of an accountant, and that accountant was in a different country, and during the beginning of the pandemic that accountant needed to have access. They couldn't travel to the location anymore, so what they did was, they called the hosting provider directly and demanded that RDP access to the server be made available. They had security in place; they had antivirus, VPN, they had multi-factor authentication on everything, but because the accountant had a little bit of power, they decided to call the hosting provider, and the hosting provider decided that this is the person who pays the bills: we must do what they say. So they created publicly available RDP access on this particular system. This system was also vulnerable to EternalBlue, and what happened was we didn't find any evidence that that vulnerability was exploited, because it's generally a very unstable exploit and sometimes you see a lot of noise in the event logs; we saw no evidence of it even though it was vulnerable, but the most likely route was through RDP brute force.

So we simply used the IP addresses and all the passwords, everything related to the victim; I've anonymized and simplified them, so what you see in the demo are not the actual passwords that were used on the victim. I simplified them, but they could be cracked because they were human-created passwords. So, using something as leverage, what you see here is Crowbar, basically pointing, using RDP, at a particular server that we have already enumerated and done a handshake with to get the username, and basically created a word list of possible passwords that this person has created. We obtained prior password disclosures, looking basically at their social media footprint to create word lists and then create a very big, very smart password word list, and I'll run this. I have selected one thread; you can select multiple threads, but you can see it here: after a period of time I achieved a successful login. So that's what we think happened seven months before, and then nothing happened for three months. Three months later there was another successful login, and two weeks before the hands-on keyboard another successful login, and all of those three successful logins came from three exit nodes in different countries, so basically it's very likely that the initial access was obtained by an access broker, someone who specializes in obtaining access to this infrastructure.

It is very likely that they then sold it on the dark web to another actor who basically had also become an affiliate of the CryLock ransomware creators, purchased the credentials and was then able to use them to gain access. The next step the attacker did was basically RDP to this target system, so now with those credentials that they purchased, and knowing that this machine is publicly available, probably using things like Shodan to find it, they log in. Now they have a foothold in the infrastructure, so let me basically explain to you the steps that the attackers actually took. Now, unfortunately, what do employees do to make their lives easier?
I'm not kidding, on the desktop there was a file exactly like this, called "important things", exactly called "important things", and when you open that file, the accountant had actually listed all the credentials for the database and the financial systems in the cloud, making it easy for them to basically see and start looking further, enumerating. Another thing that was unfortunately on the system: what do browsers love? What's the browser's love, apart from cookies? They love passwords. When you go to a website, the browser says: hello, you know, so you don't have to remember this in the future, we'll save it for you. It's not that great, but unfortunately browsers don't have this securely enabled by default, so the attacker can simply click on the passwords and, ultimately, on this victim, they also used this machine to explore other things that they may not have been able to do from their own machine, because it was a managed or restricted browser, and as you know, in some cases they installed another browser to get around that. But browsers love passwords and want to store them, and apply that by default. The attacker, when he gains access to the system, can now move into that employee's cloud email, their file system, other things that are simply only password protected. So these are some of the things the attackers did.

The next stage the attacker did was to start to understand more about the user that is on the system, and the next step was to simply look at that user: who else is on the machine? I can see different administrators; then they can do "local group" and see what kind of privileges I have, and unfortunately this user was a local administrator, so now the attacker has the ability to make configuration changes on this machine; now they have the ability to change the state. Most organizations unfortunately think: they're a local admin, yes, they can only damage this machine, they can't damage our infrastructure, it's only local, it's admin, they can actually do bad things to this machine, but nowhere else. That's a false sense of security. Just because it's called "local" does not mean that you cannot actually expand and be able to elevate yourself and obtain other privileges. There are only two steps from having local admin rights to reaching full domain, and this attacker knew those steps very well.

So now that they know they're the local administrator, on their attack machine they set up a web server, and the web server had a number of different downloads, and of course this was available from the cloud, and what they will simply do is go to this IP and it will be available basically in this structure. Sorry for those in the back, let me see if I can zoom in here for you, or zoomed out a little too far. So what they did was a, b, c, d, e, f and so on, and then they have the scan and then hit zap. Now "a" was the first file downloaded, that's the first thing they're going to download, and what it was basically was an enumeration scan of the system. The places where they actually put these downloads were a couple of locations: one was the C drive, in a folder called Intel, and here were enumeration scripts; the other locations were in user profiles, things like Videos, Pictures and so on.

Now in the listing here you'll see that the first thing, "a", was just automation of this system, and in automation they had things like disabling security. So, knowing that I'm now a local admin on the system, one of the things you can do now, basically, let me show you the script itself. In reality, this would disable any security element that was on the system, and the sessions lasted around four minutes; most sessions lasted four minutes, others lasted no longer than eight minutes, and the purpose of them being so short was that Windows Defender has an automatic recovery to protect the service, so when it is off for a certain period of time it will actually restart, but those sessions were shorter than that window, so they could actually stay hidden; they could perform the malicious script activity inside that state. So this would be the ability to disable security. The next thing they would end up doing is running the downloader, and the downloader would go to that site again and then download b, c, d, and inside b, c and d were the malicious scripts and malicious tools for additional enumeration. Because security is disabled on the system, it will not detect anything they download and run from that point.

In the first few sessions they didn't do any backdoors, but then they decided to add some users. So about a week after the attack, they added a user and added that user to the Administrators and Remote Desktop Users groups. We think the purpose was that they were afraid of losing access; they were afraid that the user might change their password and therefore limit that access, so they created a backdoor. Another backdoor that they also used, which is still ironic nowadays, what is still being used, is sticky keys. So sticky keys is the ability to go and change the helper utility on the logon screen, so that when you click on it, it actually opens a full command prompt and you have full access as NT AUTHORITY\SYSTEM, so you can go, if you ever lose access: this is your shortcut to create another user and regain access to the machine. So another interesting technique was used to create good persistence.

Once they did all this, they basically also ran a find-passwords script to see if there were any passwords saved in the registry or on the file system, and at that point they would end up downloading the "b" file, which contained Mimikatz. So Mimikatz now has the ability to go and check for passwords in cleartext. So remember: four minutes, disabling security, downloading the malicious files, and now basically doing configuration changes in the system. The first thing they do is this; exactly the same scripts that were used in the attack. So the first thing is, of course, that in Windows 2012 R2 a change was made so that passwords are not stored in cleartext, but with a simple registry change a local admin user can revert that change, and unfortunately this change will be persistent. Now with this change, anyone who logs in after adding this to the registry will have their passwords captured and posted in cleartext.

At this time, once they've done this, they will also do this: maybe run a DumpCreds, and basically you'll see here that this is the exact script that the guys threw out, and the reason they have some of those color coordinations at the top is that they can also pass parameters from another tool as well, but you can see here, it's just protecting the process. They also wanted to make it look pretty by changing the color to something they knew, and they also changed the title, but they'll actually run the correct version of Mimikatz for this particular system. Now, once they basically got the dump and realized that, of course, the first time they did this there were no real passwords other than the credential they logged in with, they'll enumerate again once they've made that change; they come back from automation and run a clean script.

The clean script will delete all those files and revert all the changes, and also delete the last few minutes in the log files. From an end user or system admin perspective, when you look at this you just see that this machine rebooted or was offline for four minutes, and if you look at your AV panels you will see that communication was lost for maybe a few minutes, and most people will just ignore that; most support managers will simply decide it was a blip, maybe a network failure, maybe something happened for four minutes; it looks like everything is back online now, it seems fine. But the attackers made some small modifications, so now what they were able to do is some additional enumeration, and unfortunately for this organization, this was an accountant's machine that was running a financial database that the accountant actually used to do financial statements for the organization. Now, the IT team were backing up that database and they had a script running; they had PsExec running in the background, which opens a connection and copies the database to a local system to back up that database, and luckily for the attacker the credentials in that PsExec script were a domain administrator's. Now the attacker just needed to wait a period of time. What was also interesting in this particular case: the attackers had also downloaded GMER, and I was confused.
I was wondering why they are using gmr because we use it as defenders. We use it to detect rootkits to detect things like filter drivers and minifilter drivers that communicate with the kernel to understand. Do you know why maybe there are backdoors that attackers are using to find out what antivirus and antimalware software is running in the background that they might not see in the system swap? They may not see in the interface that they are running. to see what tools we are using to evade detection after doing a numbering on the system, the attackers had enough knowledge. crylock wasn't the only ransomware variant they had to basically remove to use, they had five other ransomware versions they could have chosen they chose crylock because of the security controls and everything that was implemented on these systems they knew would not be detected needed to run successfully if the defense was able to stop it when I actually ran it the first time when I got this particular version.
I ran it through VirusTotal. I ran it in Joe Sandbox. I actually did a dynamic scan, and on VirusTotal only three antivirus vendors detected it, three at the time of running it, so this organization had a defense in place and unfortunately the attackers are looking for ways to get around it. So a few days later the backup script is run, the attackers come back, get back in, disable security, check their backdoors, come back, run Mimikatz, dump the credentials, and after running this a few times it's only a matter of time before the backup script that is executed can be seen. Eventually, at some point, you will see it here, although basically I have been able to understand that it is not correct here: the domain administrator account that comes from PsExec is the exact one your computer is using to perform systems administration for this environment, for backups, so now the attacker has knowledge of the domain controller's credentials. Move on to the next stage, and fortunately at that point the time you are talking about is hours before you become a victim of ransomware; it is hours at that stage once they have access.

So the next thing they will do is go and run a scanner. Now, the scanner that was used in this particular case was SoftPerfect Network Scanner; it's great for small business sysadmins to use to manage the environment, and ultimately here they were able to scan the environment. And unfortunately, for most organizations, what do they do, what names do they give their servers? The backend server, the ERP system, we call it SQL so we can easily understand what it's doing in the business, and unfortunately for attackers it's almost like giving it to them, basically, if you know a complete footprint of the environment.

Okay, the scan doesn't work, but I'll find out why later. But one of the things that was interesting, and this is where they set up the automation: this is the program, so it's built into the scanner, so when it detects servers in the environment they can simply right-click and run this. This was the first evidence that the attackers actually spoke Russian, were of Russian origin, and now that doesn't mean that they were Russian citizens or Russian nationals, it just means that here it was actually Cyrillic, which meant that they were basically Russian speaking. There are some hints of attribution that I can't reveal about where they potentially come from, but this was the first hint where we found evidence of attribution, in this location, from the Cyrillic language that was used in this particular tool.

The next stage, of course, was to run some of those scripts to basically create download machines and staging files on other machines, ultimately doing an RDP, and that was moments after logging into the domain controller, about two hours later to that point, when the ransomware was deployed and took out the entire business. So these are the steps and techniques that the attackers have used, and that's what sometimes we're here to reverse: look at the evidence, see how they got in, what evidence was left. So some of the areas: once they have access and they pass, they can just go back and do things like PsExec from Impacket; you can go and basically, knowing that you have credentials, I can simply use a command line just like the backup script does, and now I have access to the victim staging machines. I can also use Evil-WinRM with the pass-the-hash method and go and just point it at the domain controller. Now, even if I don't have the password, I just have the hash, I can just log in and now I have full access to the domain controller as that user. All the techniques that the attackers are using. So looking at this, what can we do to reduce the risks?
How can we begin to reduce these types of attacks from happening? It's about all of us working together, all of us using our knowledge and finding ways. I make it my job to always make the attacker's job harder, force them to create more noise, force them to take more risks in the business, and give the defenders the opportunity to see those ripples in the water, see those techniques that are used, to prevent the attack from happening or stop it in the middle of the attack. But we know what things we can do from these lessons: good cyber education, knowledge and awareness for the team, not just for the IT team and the security team but also for the entire company; making security usable, making people want to use it. And also the backup itself: the organization learned a very important lesson, that the backup itself was a protection against data corruption or hardware failure, but it is not designed for ransomware, and organizations should review their backups and make sure they actually have a backup and a plan in place that actually considers the types of ransomware attacks. Practice the principle of least privilege: make sure that basically user credentials are not local admin, users are not over-privileged, users are not using domain accounts, domain administration accounts, in backup scripts; have scripts to prevent lateral movement that then rotate the credentials, so even if I was able to get the hash, I can't reuse that hash to move around the network. Use privileged access management tools to rotate credentials. Make sure they are not human-created credentials. Control applications: many of the applications used here were basically, you know, the attackers practically lived off the land, they lived off what they could find, but make sure that when things are running, say, on a Sunday morning or a Saturday night, you can detect the difference between what is executed by a malicious attacker and something that is done on a Tuesday afternoon by an authorized employee; you can determine the difference. Control applications: you need to make sure that you actually have a behavior and understanding of when they run, and maybe after hours you have additional security checks in place, and just make sure you do the basics of patch management and security updating. Ultimately my last statement is that understanding hackers' techniques is the best way to defend yourself. If you know the techniques they use, we can implement the appropriate controls to make it more difficult for them, but we need to translate that into the business. We can't go to the business and say we need to implement this to stop attackers; we need to translate it into business, basically ROI, to get the budget to allow us to do the things that make the attack harder. With that, I think I'm out of time, and I'd like to thank you for being an amazing audience and taking the time to listen to me today. If I have time for a question or two, I'll be happy to answer them.

Yes, and don't forget there are some chocolates in here. I think that, uh, you will, you're willing to do it.

So even though we've managed to, oh, I can see you, we've now managed to stay away from ransomware attacks.
We handle practically 100 percent of our suppliers' incidents involving ransomware, and we recently ran into a unique situation. I was going to run it past you and see if you have heard about it, where the provider was refusing to pay the ransom, so the ransomware attacker sent random emails to some of our employees saying: we have your data on this company's systems and they refuse to pay the ransom; if you don't twist their arm and force them to pay that ransom, we are going to leak your data. Have you encountered those situations?

I have absolutely seen many cases similar to that, in several different ways. Sometimes it's your customers, not so much your employees. Sometimes they threaten to leak data on the public internet, no matter how much, you know, they cause some damage to the organization with the regulations and so forth, like GDPR and privacy law. So yeah, I've seen, we're looking at a ransom, you know, even if you look at the Lapsus$ group, their technique wasn't so much to actually lock down systems but rather to steal data and threaten to reveal that data. So yes, attackers have different ways to gain financial gain and some of them can take multiple steps, either being threatening and, you know, employees needing to reveal the data. So yes, multiple extortion techniques have been used; it is not only about the destruction of data and systems but also threatening disclosure and the other brand damage and financial damage that can do. Absolutely.

Fine, we have time for one more question.

Hi, yes, hi, George Koutepas from a certain U, thanks for the brilliant talk. It seems like we associate ransomware attackers with a higher degree of automation: it's usually a phishing email, the victim simply clicks on some links or executes something that is attached to that email, and we go from that. In your case we see the attackers putting in a serious, let's say practical, effort and a very deep investigation of the victim. Was this a special case of a threat actor, or was it a special case of a victim that would justify a higher degree of effort due to the expected profit? What is your opinion on this? Thanks.

Great question, thanks for asking the question. From this particular case, you know, these attackers made a lot of mistakes. When you look back, when you look at the remaining evidence that I reviewed, they were not quiet. Most attackers who are more sophisticated prefer to remain stealthy; they made a lot of mistakes in a lot of areas, so from my point of view these were borderline script kiddies, you know, with a little more skills, so they were not very eventful and took the path where, instead of sending phishing emails themselves, most criminal gangs have now started going and buying access directly so they didn't have to do that. There are initial access brokers, so instead of me having to do multiple types of specialties, you know, phishing and then creating ransomware and then doing hands on keyboard and gaining, uh, and then even doing the communication. In this particular case it was actually another group that was dealing with the communication, because the attacker's native language was not English, so you're dealing with a series, almost a supply chain, of criminal activity. Then yes, more attackers are starting to, instead of trying to be a specialist in everything, specialize in one thing and do it very well, and instead of phishing they will just buy the credentials from an access broker. This particular organization actually did all the right things, they had all the right things in place; unfortunately one employee had a little bit of power and was able to do shadow IT. Like in most organizations, shadow IT is a very dangerous thing and can affect security quite extensively, and unfortunately that was the case here: it was shadow IT that ultimately created a backdoor into the organization that the attackers are very skilled at looking for. So this is not sophisticated, it's a common thing I've seen, 80 percent I see in most cases I've worked on; it's just the entry point and the ransomware variant that tend to be the slight differences. So thank you very much for the great question.

Thank you to Joseph Carson, our speaker.

Thank you very much, it's been a pleasure, and I'll be here for the rest of the day today and tomorrow, so if you have any questions don't hesitate to come directly, and as long as you know, make sure to provide feedback to the organizers, because I would love for this not to be my first and only conference; I would like it to be the first of many.

Could you please ask our next speaker to come here? We've got a big lineup ahead of us, but we'll get started here in about, say, six or seven minutes, and if you asked a question, please come over if you want to grab some chocolates.
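The lateral-movement chain the speaker walks through (a backup script running as domain admin over PsExec, credentials dumped with Mimikatz, pass-the-hash into the domain controller) and his defensive point that a Sunday-morning backup job should look different from a Saturday-night attacker both reduce to a small detection rule over Windows event logs. The following is an added example, not code shown in the talk or written by the speaker: it runs that rule over constructed Windows event records (Security 4624 logons and System 7045 service installs). The account name `svc_backup`, the hostnames, the Sunday 02:00-04:00 backup window and all timestamps are assumptions for illustration.

```python
"""Off-hours privileged lateral-movement detection (added example, not from the talk).

Two signals a defender can pull from standard Windows logs:
  * 4624 network logons (LogonType 3) by the privileged backup account that
    authenticate with NTLM instead of Kerberos: the classic pass-the-hash tell;
  * 7045 service installs named PSEXESVC, which PsExec leaves on every target.
Either signal outside the approved backup window is treated as suspect, because the
same PsExec run that is legitimate on Sunday at 02:00 is an attacker on Saturday night.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Assumed environment facts (not from the talk): the backup job runs as this
# domain account and is scheduled for Sunday 02:00-04:00 local time.
BACKUP_ACCOUNT = "svc_backup"
BACKUP_WEEKDAY = 6                        # datetime.weekday(): Monday=0 ... Sunday=6
BACKUP_WINDOW = (time(2, 0), time(4, 0))

LOGON_NETWORK = 3                         # 4624 LogonType 3: SMB / PsExec-style remote logon
PSEXEC_SERVICE = "PSEXESVC"               # service name PsExec installs on the target


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int                         # 4624 = successful logon, 7045 = service installed
    host: str                             # computer that logged the event
    account: str                          # account the event is attributed to
    logon_type: Optional[int] = None      # 4624 only
    auth_package: Optional[str] = None    # 4624 only: "Kerberos" or "NTLM"
    service_name: Optional[str] = None    # 7045 only


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    account: str
    reasons: Tuple[str, ...]


def in_backup_window(ts: datetime) -> bool:
    """True when ts falls inside the approved backup window."""
    start, end = BACKUP_WINDOW
    return ts.weekday() == BACKUP_WEEKDAY and start <= ts.time() < end


def classify(ev: Event) -> Tuple[str, ...]:
    """Return the reasons an event is suspicious; empty tuple means it matches the baseline."""
    reasons = []
    if ev.event_id == 4624 and ev.account == BACKUP_ACCOUNT and ev.logon_type == LOGON_NETWORK:
        # A domain admin hopping between hosts. Kerberos is the normal path on a
        # domain-joined network; NTLM here is what a replayed hash looks like.
        if ev.auth_package == "NTLM":
            reasons.append("ntlm_network_logon_by_privileged_account")
        if not in_backup_window(ev.ts):
            reasons.append("privileged_remote_logon_outside_backup_window")
    elif ev.event_id == 7045 and ev.service_name == PSEXEC_SERVICE:
        # PsExec by the backup account inside its window is the known baseline;
        # anything else (other account, other time) is not.
        if ev.account != BACKUP_ACCOUNT or not in_backup_window(ev.ts):
            reasons.append("psexec_service_install_outside_backup_baseline")
    return tuple(reasons)


def detect(events: List[Event]) -> List[Alert]:
    """Run the rule over a batch of events, oldest first."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = classify(ev)
        if reasons:
            alerts.append(Alert(ev.ts, ev.host, ev.account, reasons))
    return alerts


# Constructed sample records, not real logs. 2024-03-16 is a Saturday, 03-17 a Sunday, 03-19 a Tuesday.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 17, 2, 15), 4624, "FILESRV01", "svc_backup", logon_type=3, auth_package="Kerberos"),
    Event(datetime(2024, 3, 17, 2, 16), 7045, "FILESRV01", "svc_backup", service_name="PSEXESVC"),
    Event(datetime(2024, 3, 16, 23, 40), 4624, "DC01", "svc_backup", logon_type=3, auth_package="NTLM"),
    Event(datetime(2024, 3, 16, 23, 42), 7045, "SQL01", "svc_backup", service_name="PSEXESVC"),
    Event(datetime(2024, 3, 19, 14, 5), 4624, "WS-042", "jdoe", logon_type=2, auth_package="Kerberos"),
    Event(datetime(2024, 3, 19, 14, 10), 4624, "SQL01", "svc_backup", logon_type=3, auth_package="NTLM"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.ts.isoformat(sep=" "), a.host, a.account, ", ".join(a.reasons))
```

Run against the sample batch, the Sunday 02:15 Kerberos logon and the Sunday 02:16 PSEXESVC install pass as the backup baseline, while the Saturday-night NTLM logon to DC01, the Saturday-night PSEXESVC install on SQL01 and the Tuesday-afternoon NTLM logon to SQL01 are raised. The rule only works if the organisation actually knows when its privileged automation runs, which is the speaker's point about behavior and timing; it does not replace the credential rotation he recommends, which removes the replayed hash's value in the first place.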