As the detection logics of AV vendors improve, threat actors employ countermeasures to evade them. One of the most common ways in which threat actors hide from detection and carry out their malicious activities is by abusing legitimate tools. We believe that "legitimate tools" can be classified into three categories below, with a marked increase in the number of cases in which "commercial tools" are being abused: - MS native tools, such as PsExec, PowerShell, and WMI. - Legitimate penetration testing tools, including Cobalt Strike, Metasploit, and Mimikatz. - Commercial tools, such as Atera, AnyDesk, and Splashtop. Regarding MS native tools, techniques such as LOLBAS and LOLBIN are well-researched, while AV vendors are making efforts to detect penetration testing tools. We feel that threat actors are likely to abuse commercial tools these days as the tools are highly functional and commonly used in corporate operations. There is, however, little research on the exact functionalities of these tools, the traces they leave behind when abused, and countermeasures to prevent such abuse. Therefor, in this presentation, we will focus on actual incident cases where commercial tools were abused and try to explain the details based on the following three points: Chapter 1: Introducing actual incident response cases we have supported in which commercial tools were abused and describing their functionalities. Chapter 2: Explaining the traces and artifacts left behind when the tools are abused in an attack, so that the audience can use this information in their actual incident response investigations. Chapter 3: Describing effective countermeasures against attacks that exploit the tool, which will be useful for containment during incident response and for considerations during normal operations.

Ransomware attacks are a constant threat faced by many organisations. In 2022 The DFIR Report continued to observe a number of ransomware related attacks facilitated by a variety of initial access brokers. This talk will provide practical insights into attack lifecycle trends, initial access detections, new techniques observed and the continued use of familiar tools. We'll share detection opportunities for quick wins on identifying attackers on your network. Explore new and emerging discovery tools, and how detecting the adversary early in the attack lifecycle is key to stopping a ransomware attack unfolding. All details are based on 'Real Intrusions by Real Attackers, The Truth Behind the Intrusion.' It will serve as a practical guide for defenders to understand a typical attack. - Initial access by threat actors - Race to compromise, - Attack objectives - Can you detect and respond?, - Who is on your network? - Understanding human behaviours, - Attacker Tooling - New and old discovery techniques

Nearly three years since ransomware actors were first observed targeting virtualization infrastructure in August 2020, ‘hypervisor jackpotting’ has emerged as a key tactic in Big Game Hunting (BGH) campaigns. More than half of ransomware incidents observed by CrowdStrike Intelligence since the start of 2022 have featured ESXi encryption. This presentation will provide consolidated insights from dozens of incidents into the Tactics, Techniques, and Procedures (TTPs) leveraged by ransomware adversaries to target ESXi hypervisors. The presentation will begin with a short recap of VMware virtualization infrastructure, then provide statistics and trends observed across relevant ransomware activity over the last three years, before taking a detailed look at what attackers are doing on ESXi servers. TTPs will be mapped to the MITRE ATT&CK framework, highlighting which tactics provide the best opportunities for detection and the techniques most commonly used to achieve them.

The Ransomware-as-a-Service (RaaS) environment has evolved markedly since the introduction of the double extortion method; a technique that alone rocked the threat intelligence and wider cybersecurity industry as it prepared to contend with not just the encryption of data, but the exfiltration of sensitive information. The double extortion technique has found such success that RaaS programmes, as well as private ransomware operations, have relied heavily on it for their success. We have even observed a recent shift in resources, with operators seemingly spending fewer resources on their ransomware binaries, and more time on the surrounding phases that increase the chances of a successful attack; such as initial access, credential access, lateral movement, and exfiltration. In this talk, PwC analysts present a look at the evolving RaaS space, analysing the techniques that appear to have become more homogenous across phases of the individual operations; from initial access, to credential access to lateral movement, through to encryption. We also focus on the codebases of the most prolific RaaS binaries – where the threat actor thought process is most visible – in order to highlight how the malware development has seemingly taken a back seat in the overall ransomware operation. The purpose of this talk is to provide defenders with practical solutions to combatting the ransomware threat by highlighting techniques that have become almost “industry standard” through both malware and endpoint detection rules. We also take this opportunity to offer a higher-level, but still evidenced based, overview of the behaviours of these ransomware actors within an ever-changing environment; appropriate for the C-Suite or Board level.

Through this discussion I plan on leverage lessons learned and examples from having the opportunity to be responsible for these decisions for a large amount of ransomware incidents from a forensics and recovery viewpoint. The debate over whether to cut off internet access during a ransomware investigation is complex and depends on various factors, including the nature of the attack and the organization's security posture. Real-world examples show how leaving the internet open during an investigation can lead to continued exfiltration and compromise, while cutting off internet access can enable more rapid investigation and provide valuable intelligence. The discussion should focus on what level of maturity companies need to properly maintain internet access during an attack and what scenarios warrant cutting off access. Adequate visibility and basic controls, such as segmented backups, active directory backup, and EDR coverage, are essential for making informed decisions. Ultimately, the decision requires careful consideration and planning to mitigate the risks and protect sensitive data.

Telephone-oriented attack delivery (TOAD) also known as callback phishing is a novel distribution method with an end objective to drop ransomware. Conti, the now defunct cybercriminal group, pioneered this technique in 2021 for initial access and drop BazarLoader. This TOAD method of dropping Bazar Loader, referred as BazarCall, was a precursor to infection with Conti ransomware. Three splinter groups emerged from Conti post its shutdown and employed TOAD as an attack vector. In this presentation, we will explore the method of callback phishing and its evolution since 2021. We will examine the three splinter groups that emerged out of Conti and how they have created their own version of the method to drop ransomware and or conduct extortion. Lastly, this presentation will provide recommendations on what organizations can do to deal with such novel techniques.

In the last years, ransomware groups have been knocking companies offline across the world, demanding ever-increasing sums of money for a key to unlock encrypted machines and data. From a technical perspective, the biggest challenge is to decrypt the hostage data held for ransom, without a valid decryption key. Some say that this is close to impossible. But reverse engineers (RE) are here to prove the contrary. Besides the encryption algorithms that a ransomware group uses (e.g., original or modified versions of RSA, AES-256 and ChaCha20), they also use “anti-analysis” techniques (e.g., packing, string obfuscation and dynamic API loading). Therefore, the challenge of REs is to bypass anti-analysis techniques and find flaws in the encryption algorithms used by a ransomware group. We succeeded in both challenges while fighting against the LockBit ransomware group. This was the most prevalent ransomware group of Q3 2022 (i.e., 22% of all global ransomware attacks), according to Mandiant. In this presentation, we will explain how we have bypassed their anti-analysis techniques and cracked their encryption algorithm. In addition to this, we will publicly demonstrate and release the decryption tool that we created against LockBit Black. Our main goal with this presentation is to shed light on our approach, and to incentivize the community to use it to fight back against ransomware groups.

Ransomware is one of the most destructive and lucrative forms of cyber crime. While encryption is the hallmark of ransomware, negotiation is the critical phase of the attack where attackers interact with the victim and negotiate a ransom payment. In this talk, GroupSense experts Bryce Webster-Jacobsen and Sean Jones will delve deep into the tactics that ransomware operators use during negotiation and explore their impact on organizations. They will examine the psychological tactics used by attackers, their use of social engineering, and the tools they use to manipulate victims. The session will conclude with practical advice for businesses to mitigate the risks of ransomware attacks. Outline: Introduction Explanation of the negotiation phase of a ransomware attack; review of what Bryce and Sean experience through negotiation Importance of understanding negotiation tactics Tactics Used by Ransomware Operators During Negotiation Psychological tactics Fear, uncertainty, and doubt (FUD) Building rapport with the victim Social engineering tactics Impersonation and deception Pretexting and phishing Tools used by ransomware operators during negotiation Cryptocurrency transactions Dark web communication platforms Impact of Ransomware Negotiation Tactics on Organizations Financial impact Ransom payments Business interruption Reputational impact Public perception of the organization Loss of customer trust IV. Conclusion A. Recap of the tactics and impact of ransomware negotiation B. Final thoughts and recommendations for businesses to protect themselves from ransomware attacks.

In 2022, Cyentia published a two-volume series analyzing data behind nearly 1,300 ransomware incidents since 2019 in partnership with Arete Advisors—a global cyber risk management company specializing in ransomware negotiation. In volume 1 (Mitigating Ransomware’s Impact), we explored questions about typical ransom demands and payments, payment rates, percent demand paid, payment reasons, and more. We further analyzed potential influencing factors, such as victim industry and presence—or absence—of various defensive measures. Readers also benefit from firsthand accounts of investigators and negotiators in the trenches. Of particular interest to this crowd, volume 2 (Reining In Ransomware) investigated trends among prominent ransomware families, including their associated ATT&CK techniques, related mitigations, and how these may affect demand and payment amounts. I believe the audience would benefit from many of these data points, in essence by learning from others’ experiences. They can expect to be equipped with the data needed to effectively prioritize organizational protections, and—in the worst case—inform their own high-stakes negotiation strategies.