January 19

Webinar takeaway – Nuclear Ransomware 3.0: We Thought It Was Bad and Then It Got Even Worse


My key takeaways

  • PC Cyborg AIDS trojan in 1998 => first known ransomware
    • $189 asked as ransom
  • CryptoLocker, 2013
    • first to ask for Bitcoin
  • "Ransomware 2.0", from 2019
    • made backups less of a protection
    • the access to the victim becomes the "gold"
  • Today's ransomware workflow
    1. stager
    2. look around (TrickBot) and call home (C2 server)
    3. if detected by VirusTotal, tells the ransomware to re-encrypt itself! <- almost undetectable by AV/EDR software
    4. collect passwords
    5. notify C2 about the new intrusion
    6. dwells up to 8-12 months
    7. hackers come in, assess and analyze the victim
    8. steal valuable data
    9. encrypt and ask for ransom
  • LOL (living off the land), i.e. mimicking normal admin tools and traffic <- makes it even harder to detect as an anomaly
  • double extortion (encryption plus the threat to publish stolen data) is the new norm now
  • Ransomware gangs now also have PR departments putting out press releases
  • There are approx 100-200 active ransomware groups
    • RaaS (Ransomware as a Service) makes it easy for criminals to join in
  • Ransomware gangs are also used by nation states as cyber weapons
  • New trend: Ransomware gangs are becoming access brokers
  • New trend: putting cryptominers in the victim's network for some extra bling
  • New trend: DDoS instead of encryption <- makes backups worthless again
  • New trend: more and more LOL and changing tactics "on the fly"
  • Might we end up in a good-bot-vs-bad-bot world regarding ransomware?
  • Ransomware is not the real problem; the problem is how the ransomware got in and became admin! <- stop the root cause
  • 50% of all ransomware attacks might be rooted in social engineering
    • top 3 causes:
      1. social engineering
      2. unpatched software
      3. password issues
  • Ransomware is also spread by Google Ads

Tags

ransomware, social engineering