ResponderCon 2022 Ransomware Videos (Batch 3)

A review of three talks at ResponderCon - Investigating Ransomware

March 27, 2023

This is the third batch of ResponderCon 2022 videos! This blog is a quick summary of the videos. If you want to skip the text and go right to the videos, you can find them on the Cyber Triage YouTube channel.

The blog about the first batch can be found here, and the second batch is here.

Unfortunately, we have had to break chronological order because a few videos require audio cleanup. However, we will do our best to post all the videos soon.

This batch has videos on:

  • A fun approach to tracking ransomware and attackers with free tools.
  • Steps any organization can take to mitigate the risk and to limit the damage from ransomware.
  • How a prepare before a big incident.

Talk #7 — Tracking Ransomware Operator Lateral Movement and Recovering Deleted Files

Ryan Chapman (at Blackberry at the time, now at Palo Alto) could not join us in person at ResponderCon, but he closed out the conference with an excellent talk on using free tools to track adversaries through a network.

In this talk Ryan breaks down the most common methods used by intruders (Spoiler alert: PSExec Smbexec) and offers some resources for better understanding these methods. He then discusses some of the tools intruders use to scan the network and then how to identify where they went in the network.

Topics covered:

  • Resources for investigators looking for lateral network movement
  • Commons signs of a breach and lateral network movement
  • Demo of LogOnTracer and MFTEcmd

You can find the video here.

Talk #8 — Successful DFIR From Preparation and Monitoring

From preparation to practicing a response to an attack, organizations can take steps to mitigate the risk and limit the damage from ransomware.

In this talk, Dennis Allen from Stratascale reviews some of the strategies and tactics that organizations have at their disposal to handle the threat posed by ransomware. He also looks at data from previous ransomware attacks to offer suggestions on how organizations can prioritize various aspects of their defense and response.

Dennis then walks through some scenarios to illustrate how an incident and investigation might transpire.

He also talks about a really cool tool named Cyber Triage!

In this talk:

  • Ransomware landscape
  • Ransomware preparation
  • A scenario walk-through

You can find the video here.

Talk #9 — Host-Based Ransomware Indicators

This session focused on how a new investigator can level up before they are faced with their first ransomware investigation.

When taking any case, there is always a shortage of accurate data. Dan Ianotti (Arete Incident Response at the time, now at Rapid7) walks through what data investigators tend to be given vs what they really need to solve a case. He also covers how to prioritize data and finding malicious activity.

Ransomware investigation topics covered:

  • Open RDP
  • Internal lateral movement
  • Vulnerable applications
  • Program execution
  • Master File Table (MFT)
  • Data access
  • Persistence

You can find the video here.