Speaker: Steve Poole

Twitter: @spoole167

Link to table of contents

———————

Ransomware crimes

• robbery
• blackmail
• extortion
• revege
• murder – ex: hospital attacks

Symptoms

• files gone
• files corrupt
• unexpected files on system – obvious so believe it is real
• prevent logging on
• threats to delete or publish data
• link to cryptocurrency wallet and amount – hard to trace

How get into system

• Phishing – Impersonate boss, etc. Significant targetted social engineering. Understand business/context. Attachment with malware
• Malware – mostly Windows
• Government #1 target. Then education/services/health care/tech/manufacturing/retail/utilities/finance
• Target single company or org. Look for poor security hygene
• Vulnerabiliteis/CVEs
• Suply chain attacks
• Remote code execution

Once have access

• Pull encrypton keys
• Encrypt files not used often first
• Then encrypt files used in memory so works until restart
• Gigabytes/terrabytes of data – takes time
• Would notice if network got slow so sneaky
• Copy critical data out disguised as normal traffic. Hide in other payloads
• Sometimes responses to ”legit” request
• Almost always via botnets
• Paying helps fund more
• Rare to shut down. Instance of giving up decryption keys when one group folded

Motive

• Data kidnapping – pay or release data
• Blackmail – dirty payments, porn
• Revenge – disgruntled employee, cripple systems
• Competitor – wipe you out/steal secrets
• Worse – weaponsized attacks from nation states
• Some of these cases do not intend to give data back
• Cybercrime beat drugs in value
• Ransomware is worth 6 trillion

War

• Can be test case to see if can get in
• Goal is to infiltrate infrastructure and essential serices quietly so can manipulate/terminate when need
• Break supply chain

Attacks

• Used to wait for vulnerability to be announced and build attack. Now create own.
• Open source repo attacks – attempts to get malware into source
• Typosquatting – lookalike domain/dependency with minor typo
• Build tool attacks – attempts to get malware into tools tat produce dependency
• Dependency confusion – later version ex ”latest”
• Designed to stay hidden until needed

General

• Dependency confusion, typosquatting and malicious code injection increased 650% in 2021
• New world – state funded, professionally developed, regularly exercised very sophisticated and exeremely lucrative
• Could even be someone at conference – have to gain the skills

Costs

• Being out of action
• Recovery
• Data loss – data recovery never 100%
• Human cost – finger pointing, guilty feelings, feeling of being invaded/not trusting security systems
• Data integrity – can modify/inject data when return

Java

• Attack via Java image format
• Deep Panda hackers injected rootkit using log4shell to get into system

Log4j

• Still lots of log4j downloads (thru 4/11/22)
• 36% on a day in April were vulnerable
• Need right tools – check dependencies, not just your pom or in fat jar
• Try dependabot
• Write test cases and see if your tool can find

My take

Good collection of info and supporting data. Wrapped in a compelling story. Security talks are often scary and first conference in a while provided more time for bad things to happen!