Offensive testing in organizations has shown tremendous value for simulating controlled attacks. While cyber extortion is one of the highest-ROI end goals for an attacker, surprisingly few tools exist to simulate ransomware operations. Racketeer is one such tool: an offensive agent coupled with a C2 base, built to help teams prototype and exercise a tightly controlled ransomware campaign. We walk through the design considerations and implementation of a ransomware implant that emulates the logical steps taken to manage connectivity and asset encryption and decryption. We showcase flexible and actionable ways to prototype the components of a fully remote ransomware operation, including key and data management as well as the data communication used in ransomware campaigns. Racketeer is equipped with practical safeguards for lights-out operations and addresses the goal of keeping strict control of data and key management in its deployment: a target containment policy, safe credential management, and operational security in simulated operations. Racketeer can help gain better optics into IoCs, and provides detailed logs that can be used to study the behavior and execution artifacts of a ransomware agent.
2. $ who -m
Dimitry Snezhkov
Attack & Pen Team
Tools, research, automation
3. Ransomware: A Problem of a Winning Business Model
• 330% YoY growth in 2020 – high
• Return on capital speed vs. other cyber channels – high
• Cost of customer acquisition per unit of attack – low
• Stealth mode to holding period to monetization – hours+
• Paying customer base, funding and feature iteration – days
• Barrier of entry – low
• Monetization activation path – fast
• Attribution vs. Investment (technical and operational) – moderate
Ransomware is an efficient economic exit activity.
4. Ransomware: Disrupting the Lifecycle
✓ Prevention and Detection Controls
✓ Disaster Recovery Drills
✓ Incident Response Triage
✓ External Negotiation
Realistic Victim Goal: Increase Mean Time Between Failures
Achieved by:
- Knowing Your Assets and Data
- Checking Process via Simulation and Feedback
5. Objective: Help with the Steps to Create / Refine Process
Pick your color:
• Tabletop and IR kickoff (Purple)
• Optics and IOCs (Blue)
• Reference implementation for last mile objectives in campaigns (Red)
• SLAs and verified asset recovery, online and offline (Org)
• Protection of data access and authentication (Org)
• Precise targets: leave the customer mostly intact; testing is the goal (Org)
• Stealth is a balance (Red / Blue maturity dial)
Racketeer Strategic Goals: Better Simulation and Feedback
9. Construction: Tactical Features
• Communication emulation
  - Transmission-layer encryption
  - Application-level message encryption
  - REST endpoints
10. Construction: Tactical Features
• Policy Hot Patching (real-time, remote)
• Credential Shielding
• Asset Connectivity Authentication Maps
11. Construction: Tactical Features
• Flexible Operations
• Mutual Authentication of Base and Agents (Sites)
• Delivery Options and Trigger Control
  - Config File
  - Embedded Resource
  - Trigger on Launch or Dormant
• Memory Log Ring Buffer
• Destaging / Cleanup
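Slides 9 to 11 list the safeguards the agent carries but not how they fit together. The Go sketch below is an added example written for this page, not Racketeer's own code, and it shows the defensive side of those features: a base-signed containment policy that is hot-patched at run time, a scope check every asset operation must pass (with a remote halt), and an in-memory ring-buffer log that leaves no file behind. It assumes a shared HMAC key between base and agent as a stand-in for the deck's mutual authentication and transport encryption, a JSON policy with `version`, `allowed_roots` and `halt` fields, and the names `Policy`, `RingLog`, `Agent`, `Sign`, `ApplyUpdate` and `InScope`, all invented here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"path"
	"strings"
)

// Policy is a hypothetical containment policy: the agent may only act on assets
// under AllowedRoots, and Halt is a remote kill switch that stops all work.
type Policy struct {
	Version      int      `json:"version"`
	AllowedRoots []string `json:"allowed_roots"`
	Halt         bool     `json:"halt"`
}
// RingLog keeps only the newest len(buf) messages, in memory, so the agent writes
// no log file and destaging has nothing extra to clean up (no locking: the example
// is single-goroutine).
type RingLog struct {
	buf   []string
	count int // messages ever added
}
func NewRingLog(n int) *RingLog { return &RingLog{buf: make([]string, n)} }
func (r *RingLog) Add(msg string) {
	r.buf[r.count%len(r.buf)] = msg
	r.count++
}
// Entries returns the retained messages, oldest first.
func (r *RingLog) Entries() []string {
	n := len(r.buf)
	if r.count < n {
		return append([]string(nil), r.buf[:r.count]...)
	}
	i := r.count % n
	return append(append([]string(nil), r.buf[i:]...), r.buf[:i]...)
}

// Agent holds the live policy; Key is a secret shared with the base (a constructed
// stand-in for the keying a real deployment would provision).
type Agent struct {
	Key    []byte
	policy Policy
	Log    *RingLog
}

// Sign is the application-level MAC the base attaches to each policy body.
func Sign(key, body []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// ApplyUpdate hot-patches the policy at run time only when the MAC verifies and
// the version moves forward; forged and replayed policies are refused and logged.
func (a *Agent) ApplyUpdate(body []byte, mac string) error {
	if !hmac.Equal([]byte(Sign(a.Key, body)), []byte(mac)) {
		a.Log.Add("policy update rejected: bad signature")
		return errors.New("bad signature")
	}
	var p Policy
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	if p.Version <= a.policy.Version {
		a.Log.Add(fmt.Sprintf("policy update rejected: stale version %d", p.Version))
		return errors.New("stale policy version")
	}
	a.policy = p
	a.Log.Add(fmt.Sprintf("policy v%d applied", p.Version))
	return nil
}

// InScope gates every asset operation; paths are canonicalized first so a "../"
// segment cannot walk out of an allowed root.
func (a *Agent) InScope(p string) bool {
	if a.policy.Halt {
		return false
	}
	clean := path.Clean(p)
	for _, root := range a.policy.AllowedRoots {
		root = path.Clean(root)
		if clean == root || strings.HasPrefix(clean, root+"/") {
			return true
		}
	}
	return false
}

func main() {
	a := &Agent{Key: []byte("constructed-shared-key"), Log: NewRingLog(3)}
	body := []byte(`{"version":1,"allowed_roots":["/srv/lab/share"],"halt":false}`)
	fmt.Println(a.ApplyUpdate(body, Sign(a.Key, body)), a.InScope("/srv/lab/share/q1/a.docx"), a.InScope("/srv/prod/db"))
	fmt.Println(a.Log.Entries())
}
```

The version check is what makes hot patching safe to expose: a captured older policy (say one with a wider scope and `halt` off) cannot be replayed to re-enable the agent, and a halt policy wins over every scope entry. The ring buffer is sized small on purpose; its contents are what the base pulls back for the exercise record before destaging.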
14. Offensive Summary
✓ Simulate a controlled ransomware lifecycle
✓ Deliver a last-mile monetization module for teams
✓ Facilitate the existence of a response process, align with it, and refine it
✓ Verify deficiencies in offensive and defensive triage approaches
15. Notes to Defenders
• Don't signature the tool; pay attention to behaviors
• Artifacts may be minimal
• IOCs are tied to the implementation; the test agent is weakened on purpose
• Instrument environments
  - Correlate operational, performance, and security messages
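The deck's last point is that signatures for the test agent are worthless once it is rebuilt, while the behavior of any ransomware agent (many files across many directories renamed to one new extension in a short window) is stable. The following Go detector is an added example, not from the deck or from Racketeer, of that behavior-first rule run over a constructed stream of normalized file events. The `FileEvent` fields (`Time`, `PID`, `Image`, `Op`, `Path`, `New`), the thresholds and the sample process names are assumptions made here; a real pipeline would feed it from EDR or auditd records.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
	"time"
)

// FileEvent is a normalized file-activity record of the kind an EDR or auditd
// pipeline emits; the field names are this example's assumptions.
type FileEvent struct {
	Time  time.Time
	PID   int
	Image string
	Op    string // "rename", "write", ...
	Path  string // path before the operation
	New   string // path after a rename, empty for other ops
}
// Alert names one process whose rename pattern crossed the thresholds.
type Alert struct {
	PID, Files, Dirs int
	Image, Ext       string
}
// Detector flags any process that, inside one Window, renames at least MinFiles
// files to one common new extension across at least MinDirs directories. It keys
// on behavior only: no image name, hash or signature of the agent is involved.
type Detector struct {
	Window   time.Duration
	MinFiles int
	MinDirs  int
}

// Scan slides a time window per process over its extension-changing renames.
func (d Detector) Scan(events []FileEvent) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	byPID := map[int][]FileEvent{}
	for _, e := range events {
		if e.Op == "rename" && path.Ext(e.New) != "" && path.Ext(e.New) != path.Ext(e.Path) {
			byPID[e.PID] = append(byPID[e.PID], e)
		}
	}
	var alerts []Alert
	for _, evs := range byPID {
		start := 0
		for end := range evs {
			for evs[end].Time.Sub(evs[start].Time) > d.Window {
				start++
			}
			if a, ok := d.judge(evs[start : end+1]); ok {
				alerts = append(alerts, a)
				break // one alert per process is enough to open triage
			}
		}
	}
	return alerts
}

// judge groups one window's renames by target extension and tests the thresholds.
func (d Detector) judge(win []FileEvent) (Alert, bool) {
	files := map[string]int{}
	dirs := map[string]map[string]bool{}
	for _, e := range win {
		ext := strings.ToLower(path.Ext(e.New))
		files[ext]++
		if dirs[ext] == nil {
			dirs[ext] = map[string]bool{}
		}
		dirs[ext][path.Dir(e.New)] = true
	}
	last := win[len(win)-1]
	for ext, n := range files {
		if n >= d.MinFiles && len(dirs[ext]) >= d.MinDirs {
			return Alert{PID: last.PID, Image: last.Image, Ext: ext, Files: n, Dirs: len(dirs[ext])}, true
		}
	}
	return Alert{}, false
}

// SampleEvents is a constructed stream: a test agent sweeping three lab
// directories, plus benign renames by a user and by a build job (one directory).
func SampleEvents() []FileEvent {
	t0 := time.Date(2021, 1, 1, 9, 0, 0, 0, time.UTC)
	labs := []string{"/srv/lab/share/q1", "/srv/lab/share/q2", "/srv/lab/share/hr"}
	evs := []FileEvent{{t0.Add(5 * time.Second), 900, "explorer", "rename", "/home/u/notes.txt", "/home/u/notes.md"}}
	for i := 0; i < 6; i++ {
		src := fmt.Sprintf("%s/doc%d.docx", labs[i%3], i)
		evs = append(evs, FileEvent{t0.Add(time.Duration(3*i) * time.Second), 4242, "agent", "rename", src, src + ".locked"})
	}
	for i := 0; i < 5; i++ {
		src := fmt.Sprintf("/build/out/m%d.o", i)
		evs = append(evs, FileEvent{t0.Add(time.Duration(i) * time.Second), 1200, "build", "rename", src, strings.TrimSuffix(src, ".o") + ".obj"})
	}
	return evs
}

func main() {
	for _, a := range (Detector{Window: 60 * time.Second, MinFiles: 5, MinDirs: 2}).Scan(SampleEvents()) {
		fmt.Printf("pid %d (%s): %d files in %d dirs renamed to %s\n", a.PID, a.Image, a.Files, a.Dirs, a.Ext)
	}
}
```

The directory-spread threshold is what separates a sweep from a build job or a bulk user rename, and it is the same whether the renaming process is the weakened test agent or a real one; tuning `Window`, `MinFiles` and `MinDirs` against the exercise logs is the feedback loop the deck describes, and the performance and operational messages can be joined to the alert on `PID` and time.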