2609, 2023

DeepSec 2023 Talk: RansomAWARE in 2023 – Steph Shample

Sanna/ September 26, 2023/ Conference

Ransomware’s explosion has been sustained for years. As tech changes, so too do the actor TTPs. It’s imperative to explore the 2023 mindset of ransomware actors: they are going after “target rich, cyber poor” industries that will make them money by selling data, exploiting the victims they hit as well as the partners and third party services linked to the victims. While double-, triple-, and quadruple- extortion practices are still around, actors are also adapting/changing their encryption processes to better emulate protective services such as anti-virus and file scanning software to blend in and provide no red flags to technical and cyber practitioners. This allows for a long-term, stealth presence in networks, which facilitates lateral movement to collect as much information as possible. We asked Steph a few more questions about her talk. Please

Read More

2810, 2022

DeepSec 2022 Talk: Fighting Fire with Fire – Detecting DNS-Tunneling with DNS – Artsiom Holub

Sanna/ October 28, 2022/ Conference

DNS tunneling used as a covert-channel method to bypass security policies has ballooned in the landscape of Ransomware attacks in recent years. This can be attributed to CobaltStrike post exploitation tools becoming modus operandi of cybercrime syndicates operating with ransomware. Most of the detections rely on packet inspection, which suffers from scalability performance when an extensive set of sockets should be monitored in real time. Aggregation-based monitoring avoids packet inspection, but has two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprints generation (to obtain a detection tool really applicable in the field). Our approach uses statistical analysis coupled with behavioral characteristics applied directly in the DNS resolver. This presentation will cover examples of the malicious tools used by threat actors and detections designed to protect from such tools.

Read More

1910, 2021

DeepSec 2021 Talk: When Ransomware fails – Sreenidhi Ramadurgam

Sanna/ October 19, 2021/ Conference

Ransomware is a piece of code that is written by an attacker to encrypt the victim’s files. Even though it has been around for many years, its popularity has increased since the outbreak of Wannacry which shook the whole cyber world. When the logic of the ransomware code is observed we can see a common pattern here. It is similar to how humans interact with the system. I.e, to access the files, the code has to access the logical drive first. Here each logical drive is assigned a letter by the operating system. For example, when a code has to access the files in D drive, it has to access the drive ‘D’ first. What if there is a logical drive in the system which doesn’t have any letter assigned to it? Well, now

Read More

2409, 2021

DeepSec 2021 Talk: Do you have a PlugX? Artem Artemov, Rustam Mirkasymov

Sanna/ September 24, 2021/ Conference

Deep overview of a tool used by the Chinese nation-state APTs based on a real-life Incident Response case with a big industrial company. Investigation yielded the presence of PlugX in the infrastructure. This presentation gives a full overview of the tools functionality, its past versions, and nowadays usage (Thor is a new version of plugX). We show why it is hard to find and why it’s important for big industrial companies. And also we talk about our assumption that all recent big attacks – first Sunburst and then Exchange exploits (proxylogon related to Hafnium) are links of one chain. We asked Artem and Rustam a few more questions about their talk. Please tell us the top 5 facts about your talk. It’s about  pro-government APT The described threat is silent The threat target is

Read More

0910, 2020

DeepSec2020 talk: Ransomware: Trends, Analysis and Solutions – Josh Pyorre

Sanna/ October 9, 2020/ Conference

My talk on ransomware will be technical, but also tells the story of how it’s evolved, highlighting specific and interesting infections. I’ll walk through the history of ransomware, its relationship to cryptojacking, and the supporting software made up of malspam and exploit kits. We’ll also address the recent phase of ransomware data extortion. There will be demonstrations of current malware infections as well as unique methods and ideas for detection and hunting. We’ll end with multiple methods of prevention and mitigation, some using paid products, but with the focus primarily on opensource options. Since I work with approximately 15% of the internets DNS traffic in my job, I will be using some of that data to show statistics. Despite that, I’ve done my best to make sure this is not a talk about products from my company, and aim

Read More

0410, 2018

DeepSec 2018 Talk: Dissecting The Boot Sector: The Hunt for Ransomware in the Boot Process – Raul Alvarez

Sanna/ October 4, 2018/ Conference, Security

Ransomware is as cyber as it gets these days. It’s all over the news, and it is a lucrative business case. Modern malicious software has been put to work for its masters. It is the platform of deployment for a whole variety of additional code. So why is ransomware not the same as any other malicious software? Raul Alvarez will explain this to you at DeepSec 2018: Ransomware slightly differs in their attack vectors, encryption algorithms, and selection of files to encrypt. A common ransomware technique is to encrypt files and hold it for ransom. Petya ransomware does the infection a bit different from the others. Instead of encrypting files, it encrypts the MFT, Master File Table, which contains the metadata and headers for each file in the system. Another trait of this malware

Read More