While there are many technical resources available for preparing and responding to ransomware attacks, there's very little practical guidance for one of the most difficult phases of response - how to engage with an attacker, and whether to pay a ransom. We often hear "we'll never pay a criminal" and while this is an idealistic response, organizations need to appreciate the difficult and nuanced issues associated with making these decision - and the implications if they do choose to pay, or not. This presentation walks through a detailed methodology which we have effectively used on hundreds of ransomware cases, to help victim organizations to: 

• properly identify and assess the risks associated with attacker engagement and payment 
• consider alternative approaches for recovering, which don't involve paying a ransom
• walk through the decision trees to confidently answer the question "to pay or not to pay"
• understand the implications and next steps, whether a payment is made, or not.

As initial access merchants continue to significantly impact financially motivated ransomware activity in the cyber underground, it is important to gain a better understanding of the connection between network access offerings and ransomware breaches. Intel 471 analyzed victims of compromised access and ransomware operators' victims' blog posts to determine patterns and relationships. These include the average dwell time between the first initial access offering and a subsequent ransomware-as-a-service (RaaS) affiliate program posting the breached entity on their ransomware blog. Highlighting specific examples from the cyber underground ecosystem, we offer actionable takeaways and insights into the evolving relationships and activity patterns of the most prominent cyber underground initial access merchants and ransomware operators.

Have you ever wondered how those indicators of compromise relate to a ransomware attack? This talk will provide practical guidance on common ransomware tools and techniques observed from The DFIR Report Cases. We'll share detection opportunities and some threat hunting techniques for detecting attacker hands-on keyboard activities. This presentation will not provide academic thoughts or theory. All details are based on 'Real Intrusions by Real Attackers, The Truth Behind the Intrusion.' It will serve as a practical guide for defenders to understand a typical attack, the common tools utilized by ransomware operators throughout the intrusion, why tools are utilized, and the different techniques leveraged. We'll share some of the detection quick wins, and resources that are available to assist and prepare against ransomware attacks. The topics we will explore are:

• Review of common tools and techniques in 2021
• Ransomware attack objectives
• Mapping an attack to detection opportunities
• Understanding human behaviors
• Spotting the adversary
• Useful resources for defenders

It seems to us that we're losing ground against the ransomware problem, and so fresh and diverse perspectives are needed. In this presentation we step away from purely technical perspectives to explore how the discipline of criminology can help us understand the current ransomware threat as what it really is, a crime, and through this lens develop fresh ideas on how we can disrupt the ongoing threat. We employ a classical criminological framework called "Routine Activity Theory" (yes: RAT) that has been successfully applied to online crimes in the past. The framework describes three pillars (motivated offender, suitable target & the absence of a capable guardian) that increase the likelihood for a crime to take place. To make this examination "real," we have collected ransomware leak site data from the dark web and have identified, classified, and documented over 4,200 victims posted on these sites between January 2020 and February 2022. Combined with the over 200,000 messages disclosed through ContiLeaks, and over 200 unique contextual data points collected from negotiation chats, press releases and ransomware leak sites within a period of 12 months, we have a rich set of powerful data through which the formal theory can be refined and tested. By applying the Routine Activity Theory framework, we argue that if only one of the three pillars is disrupted, the likelihood for a crime to occur decreases significantly. With this knowledge, we then look at each pillar, developing strategies to disrupt one or several crime components to disrupt ransomware as a whole. We also propose the term "cyber extortion" be used instead of "ransomware" to cater for the development and nuances of the crime, and to help us avoid the trap of seeing it through a purely technical filter.

The Ransomware threat landscape has evolved markedly since the first big "players" entered the scene in 2019. 2022 has seen a continuation of the themes of 2021, where the Ransomware-as-a-Service (RaaS) market has dominated both discussion in the security community and mainstream headlines. In this presentation, we will talk about the most infamous Ransomware-as-a-Service (RaaS) operator of 2021: BlackMatter/Darkside: a threat actor PwC's threat intelligence team tracks as White Apep. The group has become infamous for its resilience, having undergone multiple rebrands in the face of operational crackdowns by US law enforcement. We also present evidence that supports the theory that the operations of White Apep have continued in the form of a new RaaS known in open source as BlackCat, or ALPHV-NG; with the operator of this affiliate program tracked by PwC as White Dev 101. We present these findings as a unique case study of advanced and successful techniques, tools, and procedures (TTPs), alongside an affiliate program that has proven to be difficult to eliminate. This session is a chance to expose how the ransomware itself evolved as it became necessary for White Apep: and then potentially White Dev 101 to alter the binary so as to maintain its corner of the RaaS market. We will detail the elements that we assess are unique features of the ransomware codebase, which allow us to draw similarities between BlackMatter and BlackCat, as well as those features that are more common to other ransomware binaries. In doing so, we hope to provide useful information for both technical and strategic analysts when it comes to the tracking and analyzing of RaaS binaries, as well as the pitfalls of common TTPs that could be misread as unique.

In this session, Bryce Webster-Jacobsen and Samira Pakmehr of GroupSense will discuss the implications of cryptocurrency in cybercrime, including ransomware operations and regular dark web transitions. They will discuss the difficulties of obtaining large amounts of cryptocurrency, review how financial institutions are increasingly  scrutinizing large dollar cryptocurrency acquisitions, and how these delays can damage a settlement price as it relates to cybercrimes. We will also explore the compliance aspect of this topic and the future of regulations in this area, including sanctions and complicit cryptocurrency exchanges. And finally, they will cover threat actor evasion methods as well as detection methods to help companies best protect their most valuable assets.

Attendees will learn:

• The role that cryptocurrency plays in cybercrime, including the types of cryptocurrency preferences of the cyber underground
• The state of the ransomware market: the top attack vectors, the evolution of ransomware groups, increase in initial access brokers, and more 
• Why and how compliance can affect cryptocurrency transactions and what future regulations might look like, including SUEX Binance
• How threat actor evasion methods such as privacy coins, mixing/tumbling, gift cards, and other laundering tools can affect transactions 
• What types of detection methods exist: namely, transaction monitoring and know your customer: and how best to implement them

In this presentation, we discuss malicious activity that involved SCADAfence's incident response team, which assists companies during industrial cybersecurity emergencies. Listeners will learn how ransomware infected the victim organization's network and how the incident response team gathered evidence, including where to look first. Then, we'll explain how the evidence was analyzed; what the initial findings were; and how the attackers were caught. Finally, we'll discuss additional attack methods used by cybercriminals so everyone can take appropriate steps to prevent such attacks within their organizations.

Recovering from ransomware has been an important focus for most businesses, however most organizations don't have a clear plan in place or understand the various pitfalls that can delay recovery when it actually happens to them. Through this talk I will provide insight into recovering from ransomware with an incident management lens and how businesses can avoid common pitfalls that lead to an exponential increase in expenditures, excessive business interruption time, and a prolonged and difficult claims process. I will also talk through ways to make recovery more efficient through incident coordination with the different key players (IE: breach counsel, client, vendors, forensics, and negotiations) and how clients can build in efficiencies into their playbook approach when working through an incident. Due to being able to work on 5-10 ransomware cases a month with a variety of teams (forensics, breach counsel, recovery, negotiations, etc.) and a range of industries and business sizes I've been able to pull out nuggets to continuously improve our tactics to get businesses up and running in the fastest and most safe and secure manner. While many teams understand the technical aspects of recovery, few have managed the overarching incident management process to create efficiencies for all of the teams involved. This talk will provide security teams with key takeaways they can use if impacted and also continue to push for a strong standard around incident management.

Ransomware attacks are one of the biggest challenges for a lot of organizations. Threat actors have graduated to multifaceted extortion tactics to maximize their probability of making money. Threat Actors give their victims additional incentives to pay the ransom to avoid the leak or auction of the exfiltrated data. As per reports from multiple Security vendors, over 80% of ransomware attacks involve the theft of corporate data in addition to file encryption. Threat actors use various techniques to perform exfiltration. This talk will cover the different tools like 7zip, MegaSync, Megatools, FileZilla, rlcone used by Threat Actors for Data Staging and Data Exfiltration. I will share different Network and Host Forensics artefacts generated by these tools that can help Blue Teamers to answer the most critical questions asked by Management and Legal Counsels: 1) When the data was exfiltrated? 2) How much data was exfiltrated ? 3) What data was exfiltrated? 4) From where (systems) the data was exfiltrated?

On July 2,2020, Virginia Tech's IT Security Office responded to reports of strange files being created on machines in multiple areas across campus. It was determined that the machines impacted were all connected to a departmental Kaseya server. This server was compromised in the attack that impacted an 800 to 1500 businesses world wide. This talk will explain the general path of exploitation, the response by Virginia Tech to the Ransomware incident. It will also discuss the lessons learned during the Incident Response and improvements that needed to be made to prepare for any future issues.