My key takeaways
- 3 types of ransomware
  1. encrypt the hard drive
  2. steal files and data and threaten to release them
  3. both 1 & 2 (double extortion)
- Ransomware gangs usually have great customer support
- it has become a serious business
- It doesn't matter whether you consider your organisation a valuable target: if at least some money can be extorted from you, you will become a target
- Deception has become essential
- Attivo Networks, honeypots, Red Canary, ...
- HoneyDocs
- HoneyAccounts
  - remember to log in to it at least once so its last-logon time is not empty (an account that has never logged in looks like a decoy)
  - the account needs to be enabled (tools that enumerate or spray enabled users skip disabled accounts)
- Use RITA (Real Intelligence Threat Analytics) to find beaconing/C2 in network traffic
- market verticals that call themselves "unique" are just creating excuses for not doing the "right" thing
- ransomware very often deletes all shadow copies with vssadmin before encrypting; Raccine may help here
- there is built-in ransomware protection in Windows (Controlled Folder Access in Microsoft Defender), but it is not enabled by default
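Added example for the HoneyAccounts takeaways (my own code, not from the webcast, BHIS or any of the linked projects): it checks that a decoy account would survive an attacker's first filter (enabled, has a last-logon time, not named as a trap) and then looks through a DC's Security log for anyone authenticating as it. It assumes the RSAT ActiveDirectory module and two hypothetical names, svc_backup_admin for the decoy and dc01.corp.example for the domain controller.

```powershell
# Added example (not from the webcast, BHIS or any linked project).
# Assumes the RSAT ActiveDirectory module; account and DC names are hypothetical.
param(
    [string]$HoneyAccount     = 'svc_backup_admin',    # hypothetical decoy account
    [string]$DomainController = 'dc01.corp.example',   # hypothetical DC whose Security log we can read
    [int]$LookbackHours       = 24
)

Import-Module ActiveDirectory

function Test-HoneyAccount {
    <# Returns IsBait = $true only if the decoy looks like a real, used account:
       enabled, with a LastLogonDate, and not described as a trap. #>
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LastLogonDate, Description
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $u.Enabled) {
        $problems.Add('disabled: enumeration and spray tools skip disabled accounts')
    }
    if (-not $u.LastLogonDate) {
        $problems.Add('LastLogonDate is empty: log in as it once so it looks used')
    }
    if ($u.Description -match 'honey|decoy|canary|trap') {
        $problems.Add('description reveals that it is a decoy')
    }

    [pscustomobject]@{
        Account  = $SamAccountName
        IsBait   = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

function Find-HoneyAccountActivity {
    <# Nobody legitimate uses the decoy after the seeding login, so any of these
       events naming it deserves an alert: 4624/4625 logon success/failure,
       4768 Kerberos TGT request, 4771 Kerberos pre-authentication failure. #>
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Computer,
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4768, 4771
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Field positions differ per event ID, so read EventData by name from the XML
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -eq $SamAccountName) {
                $source = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['WorkstationName'] }
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    Account   = $data['TargetUserName']
                    Source    = $source
                    LogonType = $data['LogonType']   # only present on 4624/4625
                }
            }
        }
}

$check = Test-HoneyAccount -SamAccountName $HoneyAccount
if (-not $check.IsBait) {
    Write-Warning ("{0} is not good bait: {1}" -f $HoneyAccount, ($check.Problems -join '; '))
}

$hits = Find-HoneyAccountActivity -SamAccountName $HoneyAccount -Computer $DomainController -Hours $LookbackHours
if ($hits) { $hits | Format-Table -AutoSize } else { "No activity against $HoneyAccount in the last $LookbackHours h" }
```

Run it from a host with RSAT against one DC; for a multi-DC domain the pre-auth failures (4771) land on whichever DC answered, so either loop over every DC or read the events from your SIEM instead. A password spray such as DomainPasswordSpray (linked below) builds its target list from enabled users, which is exactly why the decoy has to be enabled to be hit.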
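Added example for the shadow-copy and built-in-protection takeaways (my own code, not from the webcast, BHIS or the Raccine project). It flags the recovery-inhibiting commands ransomware runs before encrypting, shows where Raccine hooks in, and reads the state of Windows' own protection. It goes beyond the vssadmin case in the notes and also covers wmic, wbadmin, bcdedit and WMI/CIM shadow-copy deletion, since the same families use all of them. The live query assumes Sysmon process-create logging and/or 4688 command-line auditing on the host; the constructed sample lines run anywhere.

```powershell
# Added example (not from the webcast, BHIS or the Raccine project).
# Sample command lines below are constructed, not real incident data.

# Recovery-inhibition patterns (ATT&CK T1490). Broader than the notes' vssadmin case.
$TamperRules = [ordered]@{
    'vssadmin delete shadows'       = 'vssadmin(\.exe)?\s+delete\s+shadows'
    'vssadmin resize shadowstorage' = 'vssadmin(\.exe)?\s+resize\s+shadowstorage'
    'wmic shadowcopy delete'        = 'wmic(\.exe)?\s+shadowcopy\s+delete'
    'wbadmin delete backups'        = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)'
    'bcdedit disable recovery'      = 'bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)'
    'Win32_ShadowCopy via WMI/CIM'  = 'Win32_ShadowCopy.*(\.Delete\(|Remove-WmiObject|Remove-CimInstance)'
}

function Test-RecoveryTamper {
    <# Returns the name of the first rule the command line matches, or $null if benign. #>
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    foreach ($name in $TamperRules.Keys) {
        if ($CommandLine -match $TamperRules[$name]) { return $name }
    }
    return $null
}

function Find-RecoveryTamper {
    <# Runs the rules over process-create events from Sysmon (Event ID 1) and the
       Security log (4688). Both carry the command line in a 'CommandLine' field;
       image and parent field names differ, so both are tried. #>
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $start }
        @{ LogName = 'Security';                              Id = 4688; StartTime = $start }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $rule = Test-RecoveryTamper -CommandLine ([string]$data['CommandLine'])
            if ($rule) {
                $image  = if ($data['Image'])       { $data['Image'] }       else { $data['NewProcessName'] }
                $parent = if ($data['ParentImage']) { $data['ParentImage'] } else { $data['ParentProcessName'] }
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Rule        = $rule
                    Image       = $image
                    Parent      = $parent       # the parent is the thing to kill; vssadmin itself is innocent
                    CommandLine = $data['CommandLine']
                }
            }
        }
    }
}

function Get-VssadminDebuggerHook {
    <# Raccine installs itself as the Image File Execution Options 'Debugger' for
       vssadmin.exe (and other recovery tools): Windows launches the debugger
       instead, and Raccine kills the calling process tree on a delete request.
       Returns the registered debugger path, or nothing if no hook is set. #>
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe'
    (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
}

function Get-ControlledFolderAccessState {
    <# Defender's Controlled Folder Access, the "ransomware protection" switch.
       0 = Disabled (the default), 1 = Enabled, 2 = AuditMode.
       Enable with: Set-MpPreference -EnableControlledFolderAccess Enabled #>
    (Get-MpPreference).EnableControlledFolderAccess
}

# Constructed sample command lines to exercise the rules offline.
$Samples = @(
    'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet'
    'cmd.exe /c wmic shadowcopy delete'
    'bcdedit /set {default} recoveryenabled no'
    'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'
    'vssadmin list shadows'    # benign: listing is not deleting, should not match
)
foreach ($s in $Samples) {
    $rule = Test-RecoveryTamper -CommandLine $s
    [pscustomobject]@{ Rule = $(if ($rule) { $rule } else { '-' }); CommandLine = $s }
}

"vssadmin IFEO debugger : $(Get-VssadminDebuggerHook)"
"Controlled Folder Access: $(Get-ControlledFolderAccessState)"
Find-RecoveryTamper -Hours 24 | Format-Table -AutoSize
```

Detection after the fact only tells you the shadows are already gone, which is why Raccine sits in front of vssadmin rather than behind the log; treat the matching rule as a trigger to isolate the host and kill the parent process, and turn Controlled Folder Access on in audit mode first so you can see what it would block before enforcing it.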
Env
- Provided by BHIS
- Presenter: John Strand
additional links
- https://wildwesthackinfest.com/training/active-defense-cyber-deception-john-strand/
- https://github.com/thinkst/canarytokens-docker
- https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html
- https://github.com/jqreator/honeydoc
- https://github.com/dafthack/DomainPasswordSpray
- https://mergene.medium.com/defeating-ransomware-by-using-sysmon-and-powershell-b671920f3bb1
- Kerberos
- https://www.activecountermeasures.com/free-tools/rita/
- https://en.wikipedia.org/wiki/Regulatory_capture
- https://github.com/Neo23x0/Raccine