Want to make some money? A little bitcoin on the side? In this session we’ll take you through a few of the ways that Ransomware works. Probably one of the fastest growing forms of cybercrime - we’ll explore the motivations (it’s not all about money) how a typical attack occurs , how your actions and inactions help make the problem worse and generally educate you on the ransomware-as-a-service business that could easily be coming to a server near you. Take the time to see how your CI/CD pipelines can be vulnerable and what you can do to make your application safer and your data more secure. Some say ransomware is simply a cost of doing business - whether thats true or not ransomware is not going away any time soon This talk will help you get up to speed and started on your journey of improving your defences.

1. @spoole167
Java and Ransomware
- what’s in it for you?
Steve Poole
Sonatype
@spoole167
sonatype.com/devsignup

2. @spoole167
Let’s be clear

3. @spoole167
Let’s be clear
Ransomware is a Crime

4. @spoole167
Let’s be clear
Ransomware is a Crime
Robbery, Blackmail, Extortion, Revenge
Murder …

5. @spoole167
Outline
• The Crime Scene
• The Crime
• Motive
• Means
• Opportunity
• Consequences
• Q&A

6. @spoole167
The Crime Scene

7. @spoole167
Files won’t open
“There is no application set to open the document”
“Windows can’t open this file ”

8. @spoole167
Systems won’t start
“Unable to read config files”
‘missing dll”

9. @spoole167
Unexpected files on the system
micro
https://techdator.net/ransomware-file-extensions/
zepto
locky
cerber
cryp1
osiris
crypz
locked
decrypt2017
r5a
enigma
surprise
evillock
fu*ked

10. @spoole167
Signing in blocks

11. @spoole167
Explicit
information

12. @spoole167
You’re the victim of a Ransomware Attack

13. @spoole167
Somewhere is a link to a cryptocurrency wallet and an
amount you must pay.

14. @spoole167
How does it start?
Mostly phishing, malware, mostly targeted at Windows clients
Malware
Installer
Malware Malware

15. @spoole167
Not your usual Phishing…

16. @spoole167
DEAR SIR/MA'AM.
YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY
COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS
MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS
NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY
LONGER.
DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
YOURS FAITHFULLY.
YOURS SINCERELY,
MR MARK WRIGHT,
DIRECTOR FOREIGN REMITTANCE
ATM CARD SWIFT PAYMENT DEPARTMENT
ZENITH BANK OF NIGERIA.
😀

17. @spoole167
Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of the
United Nations Organization. This ended 3 days ago. It is obvious that you have not received
your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who
almost held the fund to themselves for their selfish reason and some individuals who have
taken advantage of your fund all in an attempt to swindle your fund which has led to so many
losses from your end and unnecessary delay in the receipt of your fund.for more information
do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within 24
working hours.
😀

18. @spoole167
From <your boss>
I’ve spoken to the XYZ company CEO and they will send us the goods if we
pay $3M immediately. Details below.
I’m off to the golf course – no distractions please.

19. @spoole167
an email from an international
transport company urging
recipients to open a waybill

20. @spoole167
Many Ransomware attacked are specifically targeted at
certain types of organisation
0 2 4 6 8 10 12 14 16 18 20
Government
Education
Services
Healthcare
Technology
Manufacturing
Retail
Utilities
Finance
Other
% Attacks
Attacks

21. @spoole167
Many are specifically targeted at a single company or
organisation
With personalized attacks you invest more and make it compelling.
Your victims views on Facebook about their boss, how busy they are,
important deals coming up. It all helps to craft that million dollar attack…

22. @spoole167
Other vectors: vulnerabilities

23. @spoole167
Other vectors: supply chain attacks
Hack software delivery
systems - upstream

24. @spoole167
The aim, as always is
Remote Code Execution

25. @spoole167
Once in the malware calls back home for encryption keys

26. @spoole167
And uses
sophisticated
techniques to
encrypt your system.
One file at a time
Least used first ..

27. @spoole167
While copying critical data out,
disguised as normal traffic
Sometimes hidden in other
payloads, protocols
Sometimes as responses to
‘legitimate’ requests
Almost always via botnets

28. @spoole167
The crime – motive
why the defendant committed the crime

29. @spoole167
Many motives
• Data kidnapping? - pay up or or we release the data to other bad guys
• Blackmail? - we have evidence of what you did
• Revenge? - Cripple your systems. Cause you pain
• Competitor actions? wipe you out. steal your secrets
• Something much worse? Weaponized attacks: it’s not personal, its just
practice.
Mostly money of course

30. @spoole167
5 years a go I said things like this
@spoole167

31. @spoole167
Organized Cybercrime is the most profitable type of
crime
Cybercrime was estimated to be worth 445 Billion Dollars a Year
United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit
drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019
• Guess which one is predicted to reach 6000 Billion Dollars by 2021

32. 0
1000
2000
3000
4000
5000
6000
2013 2014 2015 2016 2017 2018 2019 2020 2021
Cybercrime Drug trade

33. @spoole167
What’s the status today?

34. @spoole167
Ransomware alone is worth 6 Trillion Dollars

35. @spoole167
Overall it’s much worse than predicted …
As a developer your world is going to change rapidly
as we begin to tackle this problem
@spoole167

36. @spoole167
Ransomware:
It’s not all about money

37. @spoole167
Weaponised Cybercrime
Nation states are preparing for the next war – and
that all about software
@spoole167

38. @spoole167
Cyber Attacks are rising in number and sophistication
Nation states are preparing for the next war – and that all about software
The aim is to infiltrate infrastructure and essential services…
sonatype.com/devsignup

39. @spoole167
And manipulate or terminate
sonatype.com/devsignup

40. @spoole167
Ransomware can often be a visible test of an attack
methodology
plus of course, if you pay, you helped fund it

41. @spoole167
On that note
• Cybercrime is already almost impossible to prosecute
• Anonymous Cryptocurrencies make it almost impossible to track the
money
A big motive is – you’re don’t think your going to get caught!

42. @spoole167
The crime – means
the ability of the defendant to commit the crime

43. @spoole167
Top 10 RaaS

44. @spoole167
Whatever your motive..
It’s easy to buy an attack
monthly subscriptions. One-time fees, percentage of
every ransom payout
Supply chain ransomware attacks are climbing fast

45. @spoole167

46. @spoole167
We’re in a new
world
Are state funded
Professionally developed
Regularly exercised
Very sophisticated
And extremely lucrative

47. @spoole167
The crime – opportunity
whether or not the defendant had the chance to commit the crime

48. @spoole167

49. @spoole167
Cybercriminals used to search for vulnerabilities

50. Now they make their own
Typosquatting
A lookalike
domain,
dependency with
one or two wrong
or different
characters
Open source
repo attacks
Build Tool
attacks
Attempts to get
malware or
weaknesses
added into
dependency
source via social
or tools
Attempts to get
malware into the
tools that are
used to produce
dependencies
Dependency
confusion
Attempts to get a
Different version
added into a binary
repository
Often “latest”
@spoole167

51. @spoole167
Put a
different
way…
Payroll App V1

52. @spoole167
Most
applications
are 90%
open
source
Dependencies
Payroll App V1

53. @spoole167
Bad guys used to
look for code
weaknesses here
Dependencies
Payroll App V1

54. @spoole167
Now they
are adding
their own
upstream
Dependencies
Tools Runtimes
Platforms
Payroll App V1
Code
generators

55. @spoole167
Many are
designed to
stay hidden
until
needed
Dependencies
Tools Runtimes
Platforms
Payroll App V1
Code
generators

56. @spoole167
Consequences

57. @spoole167
Ransomware is a crime
• It’s not just the money
• It’s the consequence of being out of action
• for a week, 10 days to a month
• of sending patients to other hospitals
• It’s the cost of recovery – you can expect that
you’ll need to work hard to get back to the status
Q.
• Data recovery is never 100%

58. @spoole167
It’s a very personal crime
• It’s the recriminations afterwards. The finger
pointing, the guilty feelings
• Ransomware makes people feel powerless,
angry. Stupid.
• Then there’s the feeling of being invaded, of
not trusting your security systems

59. @spoole167
Guess what – Ransomware can be a smoke screen for
something else.
• It’s not only about stealing data. it’s about
adding data in. Of secretly modifying data.
• How do you know that the data you just
paid to get back is really your data?

60. @spoole167
Don’t be smug.
Ransomware is everywhere
https://techcrunch.com/2020/06/04/tycoon-java-ransomware/

61. @spoole167
Don’t be smug. We help ransomware get installed

62. @spoole167
Log4J downloads from Maven central since 9th Dec 2021
43 191 474 36%

63. @spoole167
Thank you.
Questions?