ResponderCon 2022 Ransomware Videos (Batch 1)

A review of the first three talks at ResponderCon - Investigating Ransomware

November 7, 2022

We held our first ResponderCon event back on Sept 13 and we’re now releasing videos from the event. The event was enjoyed by hundreds of people in the D.C. area, with 15 talks from community submissions on the topic of DFIR and ransomware. The talks ranged from process to threat intelligence to free tools. 

We’re going to release the videos in four batches, in the order of the agenda. This blog summarizes the first three talks of the day. The videos are on the Cyber Triage YouTube channel and you can subscribe for future updates. 

What’s Happening in 2023?

Before we dive into what happened a couple of months back, let’s first address next year. We’ve been getting many questions about the Open Source Digital Forensics Conference (OSDFCon): Is it coming back, are we doing both, or only ResponderCon? At this point, the answer is that we don’t know.  

There were many people from the incident response world who liked the focus of ResponderCon. But we also heard from non-IR people who missed learning about free tools that could be helpful to them. 

We’re going to do our best in 2023 to make as many forensics people as happy as possible. It’s always been our goal to help the cyber first responders out there. 

Talk #1 — Anatomy of an Attack: Using Attack Phases In Your Ransomware Investigation 

I (LinkedIn) had the honor of opening the event, and my goal was to give an overview of ransomware for those who do not live every day in the trenches. The talk started with an overview of five attacks as documented on public sites (notably DFIRReport.org), so that attendees could get some insight into what happens before the encryption.

It then moved on to focus on a framework we’ve been using for our training, which is to group a ransomware attack into eight phases:

  • Initial Access – When the attacker gains access to the internal network
  • Install Primary C2 – When the attacker (sometimes) gets a command and control system set up (such as Cobalt Strike)
  • Install Secondary C2 – When the attacker (sometimes) creates a backup backdoor (such as creating a user account or installing some other remote access software)
  • Privilege Escalation/Credential Access – When the attacker gets admin credentials
  • Infrastructure Discovery – When the attacker looks around to find sensitive files and servers
  • Data Discovery/Exfil – When the attacker copies data out of the network for a double extortion
  • Propagate Ransomware – When the attacker spreads ransomware to many computers on the network
  • Encrypt Data – When the sensitive data is ultimately encrypted

We use this as a checklist to make sure that responders know how the attacker performed each phase of the attack. If they don’t have evidence of a phase, then they should keep looking. The plan is to integrate this knowledge into Cyber Triage to help responders keep track of what they know so far.

You can watch that video below or read the slides here

Talk #2 — Ransomware: Stop Focusing on the EXE

The second talk was full of energy and interaction from Harlan Carvey (LinkedIn) at Huntress. The main theme was that there is more to an attack than just the specific ransomware EXE. By focusing on what happens before the ransomware deployment, we can better support hunt, detection, and prevention teams. 

We didn’t plan it this way, but Harlan’s talk tied nicely into the themes from mine, since seven of the eight phases above happen before the ransomware EXE is deployed. 

Harlan touched on some recent examples that could be used for hunting, such as alerting when:

  • Users are created via the “net” command
  • ISO files are mounted
  • OS settings are changed to allow passwords to be stored unencrypted

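As an added illustration (not code from the talk or from Cyber Triage), the three hunting ideas above expressed as simple rules run over a constructed, Sysmon-style event feed. The event schema, the mapping of each hit to one of the eight phases from Talk #1, and the choice of the WDigest UseLogonCredential registry value as the “store passwords unencrypted” setting are assumptions made for this example.

```python
import re

# Constructed sample telemetry (not from the page): process-creation and
# registry-set events in the shape a light-weight EDR/Sysmon feed might emit.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"kind": "process", "host": "ws01", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": "net1 user helpdesk Summer2022 /add /domain"},
    {"kind": "process", "host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Mount-DiskImage -ImagePath C:\\Users\\bob\\Downloads\\invoice.iso"},
    {"kind": "registry", "host": "dc01",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "value": "UseLogonCredential", "data": "1"},
    # Benign drive mapping: must not trigger the "net user" rule.
    {"kind": "process", "host": "ws03", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net use Z: \\\\fileserver\\share"},
]

# "net user <name> <pw> /add", also via net1.exe and with or without ".exe".
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b", re.I)
# PowerShell Mount-DiskImage or any command line referencing an .iso file.
ISO_MOUNT = re.compile(r"mount-diskimage|\.iso\b", re.I)
# WDigest UseLogonCredential=1 makes LSASS keep cleartext credentials (assumed setting).
WDIGEST_KEY_SUFFIX = r"\securityproviders\wdigest"


def match_event(ev):
    """Return a list of (rule_name, attack_phase) hits for one event, [] if none."""
    hits = []
    if ev["kind"] == "process":
        cmd = ev.get("cmdline", "")
        if NET_USER_ADD.search(cmd):
            hits.append(("local_user_created_via_net", "Install Secondary C2"))
        if ISO_MOUNT.search(cmd):
            hits.append(("iso_image_mounted", "Initial Access"))
    elif ev["kind"] == "registry":
        if (ev["key"].lower().endswith(WDIGEST_KEY_SUFFIX)
                and ev["value"].lower() == "uselogoncredential"
                and ev["data"].strip() == "1"):
            hits.append(("wdigest_cleartext_creds_enabled",
                         "Privilege Escalation/Credential Access"))
    return hits


def hunt(events):
    """Run every rule over the feed and return one alert dict per hit."""
    return [{"host": ev["host"], "rule": rule, "phase": phase}
            for ev in events for rule, phase in match_event(ev)]
```

Each alert carries the phase it evidences, so the same output can feed the phase checklist from Talk #1 as well as a detection queue.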
The basic message is that it’s good for everyone to share as much information about how an attack happened as possible. 

You can watch that video below or read the slides here

Talk #3 — The De-RaaSing of Ransomware 

The third talk was from Allan Liska (LinkedIn) at RecordedFuture. He focused on the changing behaviors of ransomware groups, notably how some groups are no longer offering their ransomware executables as a service to affiliates. Instead, they’re doing the attacks themselves. 

The talk also covered:

  • The increase in new ransomware variants and which sectors are impacted the most
  • While there are lots of new variants, the earlier steps in the attack are similar, which ties into Harlan’s and my talks. These include Cobalt Strike, ADFind, and Mimikatz. 
  • Another plug for DFIRReport (third talk in a row)
  • The impact of Russian sanctions
  • His tattoos

Allan’s comments about how it’s good for companies to get law enforcement involved came back up later in the day at the law enforcement panel. Besides the usual benefits, the topic of law enforcement’s whack-a-mole skills and the possibility of drone strikes came up. 

Attendees were able to get a free copy of his “Ransomware: Understand. Prevent. Recover” book from the RecordedFuture table. 

Unfortunately, Allan “the Sommelier” had a flight to catch and left before the happy hour at the end of the day. He was not able to provide a review of the hotel wines. 

You can watch that video below or read the slides here

More Videos To Come

We’ll have more fantastic videos coming in three groups before the end of the year. Subscribe to the Cyber Triage YouTube channel to view all of the videos. You can also sign up for information on future conferences at https://ResponderCon.io/