ResponderCon 2022 Ransomware Videos (Batch 4)

A review of three talks at ResponderCon - Investigating Ransomware

May 2, 2023

This is the fourth batch of ResponderCon 2022 videos! This blog is a quick summary of the videos. If you want to skip the text and go right to the videos, you can find them on the Cyber Triage YouTube channel.

The blog about the first batch can be found here, the second batch is here, and the third batch is here.

This is the final batch of ResponderCon videos that we plan to release, minus an update on ransomware families that Brian Moran and Brian Carrier will release in the coming months.

This batch has videos on:

  • Ransomware hackers vs. other types of hackers
  • How technical teams can better communicate with leadership during a crisis
  • Alternative ways to detect mimikatz

Talk #10 — Ransomware vs Other Breaches: Similarities & Key Differences by Devin Hill

Devin Hill of Digital Silence shares knowledge and experience from investigating over 50 ransomware incidents. In this talk, he discusses the differences between state-sponsored Advanced Persistent Threat (APT) attacks and extortion-focused Ransomware attacks. Because these attackers have different motivations, they tend to operate in very different ways.

Where state-sponsored attackers tend to cover their tracks and stay silent on networks for months, extortion-focused Ransomware attackers have a “smash and grab” mentality and do not make much effort to cover their tracks. Ransomware attackers tend to use off-the-shelf tools like Mimikatz, Cobalt Strike, PsExec, and AdFind.exe, unlike APT attackers, who want to fly under the radar.

Topics covered:

  • Ransomware hackers tend to “smash and grab,” looking for low-hanging fruit
  • Paying the ransom can be illegal if the hacker is a sanctioned entity
  • The tools Ransomware hackers use are known and should be detected by a good EDR
  • The response must be fast to prevent Ransomware hackers from succeeding

You can find the video here.

Talk #11 — The Crisis Management Stack or Why You Get Told to do Stupid Things During a Response by Dr. Kall Loper

Dr. Kall Loper of Cyderes talks about the long tail of incidents and how the actions taken early in a response impact the organization as it continues the cleanup. He reviews what happens on the victim side of a ransomware attack and how organizations can be resilient.

Most organizations have a hierarchy with executives at the top, a risk management team in the middle, and technical teams with hands on the keyboards at the bottom. However, the executive, risk, and technical teams struggle to communicate with each other. Kall gives tips based on his experience bridging the gap between technical teams and leadership when major incidents occur.

Challenges discussed:

  • Why doing exactly what the executive asks for might not be right: for instance, locking down an essential system
  • Executive leadership has many things on their mind, not just the cyber incident, which will drive their decision making
  • Fast response might require real-world action by executives, like sending employees home or shutting down major systems
  • If a business chooses to pay the ransom, financial teams will have to come up with hard cash immediately, which is often not easy for major corporations

You can find the video here.

Talk #12 — Alternative Ways to Detect Mimikatz by Balazs Bucsay

Balazs Bucsay is a Senior Security Consultant at NCC Group and a researcher in offensive security. Mimikatz is a tool used to obtain passwords. He shares some common methods of detecting Mimikatz and then dives into some newer approaches that his team at NCC Group has been researching.

The common detection methods include signature-based detection, which is what traditional anti-virus uses, and behavior-based detection, which is what a good EDR will use. However, other methods like Busylight (by CrowdStrike) and the ConDrv method offer some useful alternatives.

Topics covered:

  • Why an alternative approach like Busylight is useful
  • When Busylight appears to work and when it fails
  • Results from testing the ConDrv detection method

You can find the video here.