My key takeaways
- PC Cyborg / AIDS trojan in 1989 => first known ransomware
- $189 asked as ransom
- CryptoLocker, 2013
- first to ask for Bitcoin
- "Ransomware 2.0", from 2019
- made backups less of a protection
- the access to the victim becomes the "gold"
- Today's ransomware workflow
- stager
- look around (e.g. TrickBot) and call home (C2 server)
- if the sample shows up as detected on VirusTotal, the operators have it re-encrypt/repack itself! <- hard to catch with signature-based AV/EDR
- Collect passwords
- Notify C2 about new intrusion
- dwell time of up to 8-12 months
- Operators come in, assess and analyze the victim
- Steal valuable data
- Encrypt and ask for ransom
- LOtL (living off the land): use normal admin tools and traffic <- makes it even harder to spot as an anomaly
- double extortion (encryption and threat to publish stolen data) is the new norm now
- Ransomware gangs now also have PR departments putting out press releases
- There are approx 100-200 active ransomware groups
- RaaS (Ransomware as a Service) makes it easy for criminals to join in
- Ransomware gangs are also used by nation states as cyber weapons
- New trend: Ransomware gangs are becoming access brokers
- New trend: putting cryptominers in the victims network for some extra bling
- New trend: DDoS instead of encryption <- makes backups worthless again
- New trend: more and more LOtL and changing tactics "on-the-fly"
- Might we end up in a good bot vs bad bot world regarding ransomware?
- Ransomware is not the real problem, it's how the ransomware got in and became admin! <- stop the root cause
- about 50% of all ransomware attacks may trace back to social engineering
- top 3 causes:
- social engineering
- unpatched software
- password issues
- Ransomware is also spread via malicious Google Ads (malvertising)
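Two stages of the workflow above are easy to turn into concrete detection logic: the LOtL step where legitimate admin binaries are used to destroy recovery options right before encryption, and the encryption burst itself (one process renaming many files to the same new extension in a short window). The script below is an added example, not code from the talk or from KnowBe4; the pipe-delimited log format, the host and process names and the sample events are all constructed for this demonstration and would be replaced by real EDR/Sysmon process and file events in practice.

```python
"""Toy detector for two stages of human-operated ransomware:
backup/recovery tampering via living-off-the-land binaries, and the
encryption burst. Added example with a constructed log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "timestamp | host | process | action | detail"
# action is "process" (detail = command line) or "rename" (detail = "old -> new").
BENIGN_LINES = [
    "2024-03-01T09:00:00 | WS07 | explorer.exe | rename | C:\\Users\\a\\draft.docx -> C:\\Users\\a\\final.docx",
    "2024-03-01T09:30:00 | WS07 | vssadmin.exe | process | vssadmin.exe list shadows",
]
TAMPER_LINES = [
    "2024-03-01T02:10:00 | FS01 | vssadmin.exe | process | vssadmin.exe delete shadows /all /quiet",
    "2024-03-01T02:10:05 | FS01 | bcdedit.exe | process | bcdedit /set {default} recoveryenabled no",
]


def make_encryption_burst(host="FS01", proc="updater.exe", n=60, ext=".lockd"):
    """Constructed rename events: n files renamed to one new extension, one per second."""
    start = datetime(2024, 3, 1, 2, 11, 0)
    return [
        f"{(start + timedelta(seconds=i)).isoformat()} | {host} | {proc} | rename | "
        f"D:\\share\\doc{i}.xlsx -> D:\\share\\doc{i}.xlsx{ext}"
        for i in range(n)
    ]


SAMPLE_LOG = "\n".join(TAMPER_LINES + make_encryption_burst() + BENIGN_LINES)

# Well-known command lines that remove shadow copies or disable recovery
# (the binaries themselves are legitimate, which is the LOtL point).
BACKUP_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def parse_events(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, action, detail = [p.strip() for p in line.split(" | ", 4)]
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "proc": proc, "action": action, "detail": detail})
    return events


def detect_backup_tampering(events):
    """Flag process events whose command line matches a recovery-destruction pattern."""
    return [e for e in events if e["action"] == "process"
            and any(p.search(e["detail"]) for p in BACKUP_TAMPERING)]


def detect_encryption_burst(events, threshold=50, window=timedelta(seconds=120)):
    """Flag a process that renames >= threshold files to the same new extension
    within one sliding time window (per host, process and new extension)."""
    buckets = defaultdict(list)
    for e in events:
        if e["action"] != "rename" or " -> " not in e["detail"]:
            continue
        new_name = e["detail"].split(" -> ", 1)[1]
        new_ext = new_name.rsplit(".", 1)[-1].lower() if "." in new_name else ""
        buckets[(e["host"], e["proc"], new_ext)].append(e["ts"])
    alerts = []
    for (host, proc, ext), times in buckets.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                alerts.append({"host": host, "proc": proc, "ext": ext,
                               "count": right - left + 1, "first": times[left]})
                break  # one alert per (host, proc, ext) is enough
    return alerts


def analyze(text):
    events = parse_events(text)
    return {"backup_tampering": detect_backup_tampering(events),
            "encryption_burst": detect_encryption_burst(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for e in result["backup_tampering"]:
        print(f"[LOtL] {e['host']} {e['proc']}: {e['detail']}")
    for a in result["encryption_burst"]:
        print(f"[ENCRYPT] {a['host']} {a['proc']} renamed {a['count']} files "
              f"to .{a['ext']} starting {a['first']}")
```

The tampering rules fire on the command line, not on the binary name, because `vssadmin.exe list shadows` from an admin is normal while `delete shadows /all /quiet` almost never is. The burst rule keys on the new extension so that ordinary renames by the same process do not accumulate toward the threshold; on the sample log it raises one alert for `updater.exe` once 50 renames to `.lockd` fall inside the window.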
Provided by KnowBe4
Additional links
- https://www.coveware.com/blog/2021/7/23/q2-ransom-payment-amounts-decline-as-ransomware-becomes-a-national-security-priority
- https://www.upguard.com/blog/what-is-ransomware-as-a-service
- https://www.bloomberg.com/news/articles/2021-06-11/russian-hackers-thrive-as-putin-prepares-to-meet-with-u-s-president-biden
- https://krebsonsecurity.com/2021/12/who-is-the-network-access-broker-babam
- https://krebsonsecurity.com/2022/01/who-is-the-network-access-broker-wazawaka
- https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims
- https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
- https://blog.reasonlabs.com/2018/07/19/ransomware-or-cryptomining-malware-rakhni-is-both/
- https://www.techradar.com/news/ransomware-actors-target-voip-service-with-another-wave-of-ddos-attacks
- https://arstechnica.com/gadgets/2021/09/canacdian-voip-provider-hit-by-ddos-attack-phone-calls-disrupted/
- https://www.speartip.com/resources/ddos-and-ransomware-a-disastrous-combination/
- https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
- https://info.knowbe4.com/rogue-urls
- https://info.knowbe4.com/pesky-password-problem