Free Workshop: Investigating Insider Threats — February 20-27

ResponderCon 2022 Ransomware Videos (Batch 2)

A review of three talks at ResponderCon - Investigating Ransomware

December 16, 2022

The second batch of ResponderCon: Investigating Ransomware videos is out and I summarize them in this blog. If you want to skip the text and go right to the videos, you can find them on the Cyber Triage YouTube channel.

The blog about the first batch can be found here.

This batch has videos on:

  • A ransomware case study about a school attack that shows what kinds of techniques were used in an attack. It’s a great overview of what an attack may look like.
  • An interesting law enforcement panel that covers questions about how they can help out during a ransomware attack.  There were panelists from the FBI, USSS, and Portland Police. 
  • A talk about the use of ISO and LNK files to perform phishing attacks. This technique became popular when Office macros started to become disabled by default. 

Thanks to Dennis, Joel, Aaron, Kyriakos, and Joseph for their talks. 

Talk #4 When Ransomware Attacks a School District, You Get Detention

The fourth talk of the day was a case study by Dennis Labossiere (Linkedin) at KPMG. The main theme of this talk was a deep dive into a specific ransomware incident at a school that Dennis responded to. 

We wanted to put this talk early in the day to ensure that audience members who did not have exposure to ransomware cases could get some insight into what happens during an attack. 

The main themes and take aways of this talk are:

  • Benefits of having good telemetry, continuous monitoring, or EDR
  • Steps the attacker went through (dumping credentials, anti-forensics, exfil, etc.)
  • Mapping techniques back to MITRE ATT&CK

You can find the video below and the slides here

 

Talk #5 Panel: How Law Enforcement Gets Involved With Ransomware Cases

I have historically avoided panels at our conferences because I often find they don’t deliver a lot of new information. But, I made an exception for ResponderCon because I wanted to have a way for law enforcement and responders to interact about the best way for them to work together during an incident. It turned out to be a great panel that I think we should continue each year. 

The panel members were:

  • Joel Parsons (USSS)
  • Aaron Sparling (was at Portland Police, now at NCFI)
  • Kyriakos Vassilako (FBI)

We had lots of audience questions in addition to some openers from myself.  Listen to the video to hear about: 

  • How law enforcement gets involved with corporate responses
  • If case size matters if law enforcement gets involved
  • Tools that they use 
  • How involving law enforcement can change punishments if you pay ransom to someone on the OFAC list
  • Cases they are most proud of
  • Changes in the US law that could help them better protect citizens

I thought two of the biggest takeaways were:

  • One big benefit of getting law enforcement involved is that if the FBI or USSS is able to extract money from Bitcoin wallets used by ransomware actors, they need to know who to give the money back to.
  • Law enforcement cares a lot about attribution. They won’t get in your way with recovering your systems. They just want to get evidence about who did it so that they can track the actors down. 

Watch the full video here (the audio in the first minute is not the best because the mic was turned off). 

Talk #6 Malware Forensics for Uncommon Payloads: LNK Files and the Ransomware Ecosystem

After lunch, Joseph Edwards (Linkedin) from ReversingLabs gave a presentation on the new trend of ISO and LNK file attachments. This attack method started once Office macros were disabled. This was a great technical talk about how the attack works and obfuscation techniques that attackers are using to start a ransomware attack.

Specific themes included:

  • Quantum Builder tool to create attack payloads
  • How the attack works, involving ISO, HTA, and Powershell
  • Obfuscation techniques, including classical cipher techniques and lots of encoding
  • How to hunt in your environment for the traces of these attacks

It’s important to understand how this kind of attack can be performed in your environment and Joseph walks you through the details. 

You can watch the video below or read the slides here

More Videos To Come

There will be two more batches of videos coming from the conference. You can subscribe to the YouTube channel below to get updates. You can also sign up for information on future conferences at https://respondercon.io/