The Ransomware Threat: Tracking the Digitial Footprints

•Download as PPTX, PDF•

0 likes•286 views

This document discusses tracking ransomware through digital footprints. It describes prominent ransomware variants like CryptoLocker, TorrentLocker, Alpha/TeslaCrypt and CryptoWall. It outlines how ransomware infects systems through phishing, compromised domains or malvertising. Ransomware uses geolocation calls and command and control exchanges. Services like Malwr.com and Virustotal.com can be used to identify related domains and track ransomware activity. Training systems to identify previously seen ransomware domains can help block future infections.

Technology

Kevin Bottomley
@k3v_b0t
The Ransomware Threat:
Tracking the Digital
Footprints

2CONFIDENTIA
L
About Me
• Studied Computer Networking and
Information Security at CCSF
• Security Analyst @OpenDNS
• Past speaking events include: BSidesSF
2015, BSidesLA 2015, NASA Ames
Security Week, and BSidesNYC 2016.

Overview
• Prominent Variants
• Vectors of Compromise
• C2 Setup/Design
• Tracking

4CONFIDENTIA
L
Classic FBI Lock
Screen Ransomware
• Reveton Family
• Fake Lock Screen
• Easily removed through safe-mode

6CONFIDENTIA
L
CryptoLocker
Infected attached and network storage
devices
• AES-2048 Encryption
• What every *crypt* infection is called
today

CryptoLocker
• Started to appear around Sept 2013
• Delivered mainly through GoZ Botnet
• Used Domain Generated Algorithm(DGA)
• Thousands of domains created
• Ex: xcqampjqalpxxk[.]ru

CryptoLocker
• Mid 2014 GoZ is taken down
• With it goes CryptoLocker
• Keys recovered from server allow for decryption
• New variants emerge around the same time

TorrentLocker
• Seen mainly in .au, .nz, and .eu regions
• Phishing emails disguised as red-light tickets or tax
notices

11CONFIDENTIA
L
TorrentLocker
Used common naming convention
• *(aus|nsw)*-*(post|gov)*.(org|biz|net|info|etc)
• ex: database-nsw-gov.org
• ex: aus-post.com
• Could mass block by using every .tld
extension

Alpha/TeslaCrypt
• Started out attacking video game extensions
• In the beginning used DGA based domains for C2
• ex: fjgkdlslj.sdsfg834mfuuw.com
• Changed up in later versions

14CONFIDENTIA
L
Alpha/TeslaCrypt
TeslaCrypt 1.0 used symmetric AES key
• Allowed TALOS Group to release
TeslaDecrypt
• Flaw fixed in TeslaCrypt 2.0

16CONFIDENTIA
L
CryptoWall
Came out swinging end of 2014
• Compromised servers and exploit kit
• Tor/I2P

Chain of Events
Any number of events can start the
infection. Common methods include:
• Phishing
• Compromised domain
• Malvertising

Typical CryptoWall
Request
• Exploit Kit fires, starting the process
• Geolocation call
• C2 exchange

Raw IP Address
• Used for Geolocation
• Exclude code execution or perform different operation based on global position
• Attempt to display message in native language
• Unique Identifier
• Added to hash with other system info
• {<Request ID>|campaign|<MD5>|<OS Info>|IP Address}
• Can restrict one infection per IP address
• Identify possible researching attempts

Malwr.com
Open Sandbox for anyone to
use
• Search/Submit
• No real usable API

26CONFIDENTIA
L
Virustotal.com
Virustotal Intelligence allows hunting with
Yara rules
• Can set up a running JSON/RSS feed
• Only available through VTI

Virustotal.com
Alpha/TeslaCrypt
CryptoWall
CryptoWall
Alpha/TeslaCrypt
CryptoWall

Co-Occurences & Related Domains
• Co-Occurence
• Same endpoint requests two or more domains in a short time
• Related Domain
• Same endpoint queries two or more domains around the same
time

31CONFIDENTIA
L
Co-Occurences &
Related Domains
Example
• Can use ip-addr.es as pivot point
• Actors selected the least noisiest of
all geolocation services
• Thanks
• Really.

Training Process
Removing False Positives is Key
Run Script against
ip-addr.es
Has domain been
seen before?
Yes
pass
No
Notification SentValidation determinedIf bad:
block
Training
Set
updated
Run Script against
ip-addr.es

Take-aways
• Able to identify 2905 *Locker* based domains using this
method
• Bonus included finding various EK domains
• Angler Exploit Kit
• Neutrino Exploit Kit
• Rig Exploit Kit

Prevent/Restore
• Keep backups often and disconnected from network
when not in use.
• Adblock/No-Script
• Train end-users about Social Engineering
techniques(ex: phishing, phishing, and…phishing).
• Never pay the ransom.

39CONFIDENTIA
L
Kevin Bottomley – Security Analyst
@k3v_b0t

What's hot

Threat actors, criminal groups have traditionally been ahead of the detection curve; circumventing automate defenses and stealthily compromising an entire enterprise. As defenders, its crucial to adopt an offensive mindset to level the playing field. In this presentation, we will first discuss on the various types of techniques used by threat actors which can aid them to stealthily compromise an entire organisation . Next we will look at detection. With the use of open source tooling, we will discuss how defenders can hunt for evidence of compromise by adopting an offensive mindset.

Threat hunting in_windows

Chung Wee Jing

Central Iowa Linux Users Group May 2020 Meeting: WireGuard

Andrew Denner

Kali linux

afraalfalasii

When your job is to act as a malicious attacker on a daily basis for the good of helping organizations, you can’t help but wonder “What if I decided to embrace the evil within?” What if one day I woke up evil? Every day as a pentester, I compromise organizations through a variety of ways. If I were to wake up one day and decide to completely throw my ethics out the window, how profitable could I be, and could I avoid getting caught? In this talk I will walk through a detailed methodology about how I personally would go about exploiting organizations for fun and profit, this time not under the “white hat.” Non-attribution, target acquisition, exploitation, and profitization will be the focal points. Blue teamers will get a peek into the mindset of a dedicated attacker. Red teamers will learn a few new techniques for their attack methodologies.

Fade from Whitehat... to Black

Beau Bullock

To keep up with the growing demand of always-on and available-anywhere connectivity, the use of cellular, in comparison to its wireless mobile connectivity counterpart in the electromagnetic spectrum, is rapidly expanding. My research in the IoT space led me down the path of discovering a variety of vulnerabilities related to cellular devices manufactured by Sierra Wireless and many others. Proper disclosures have occurred; however, many manufactures have been slow to respond. This led into examining numerous publicly disclosed vulnerabilities that were considered "low-hanging-fruit" against cellular devices and other cellular-based network modems that are often deployed as out of band management interfaces. The research expanded through the details provided in configuration templates available by each device including the following: - Wireless Network Information - IPSec Tunnel Authentication Details - Connected devices and services Focusing on an obfuscated series of examples to protect the organizations, people, and companies identified; this presentation focuses on the services and systems information of the following, commonly deployed cellular-connected devices to provide an in-depth look at what is easily possible: - Emergency Response systems - Resource collection systems - Transportation Safety - Out of band management

Snooping on Cellular Gateways and Their Critical Role in ICS

Priyanka Aash

kali linux.pptx

anumeha bhatnagar

Zero Day Malware Detection/Prevention Using Open Source Software

MyNOG

This session will provide insight into highly disruptive breaches that MANDIANT investigated over the past year. It describes how threat actors have destroyed system infrastructure and taken companies offline for weeks. The threat actors are split into two categories for this talk and focused on the SHAMOON cases. I will also talk about highlights from Incident Response cases of 2017. Financially motivated vs Non Financially motivated. I will talk about how recent attacks with SHAMOON differ - their motives compared to financially motivated threat actors. Highlights from a couple of 2017 IRs - Overview of TTPs of the important State Sponsored Attacks seen in 2017.

Shamoon

Shakacon

Apple introduced a new set of features in iOS 8 and Yosemite under the name "Continuity". These features allow iPhones to work with other iDevices such as Macs and iPads in new ways. Handoff, Instant hotspot and Airdrop are some of the new services offered by Continuity. Among these new services is one named "Call Relay". Essentially, it allows one to make and receive phone calls via iDevices and route them through the iPhone. This is not your typical VOIP service but a P2P connection based on a proprietary protocol. Apple's security white-paper is short and vague on this particular topic. Only four paragraphs are dedicated to explain how Call Relay works and the only security relevant information is as follows: "The audio will be seamlessly transmitted from your iPhone using a secure peer-to-peer connection between the two devices." I reverse engineered the protocol to understand how it works. The goal was to see if Apple's design was secure and find vulnerabilities focusing on ways to eavesdrop phone calls. In this presentation, I will start by explaining all the details of this protocol and the process of reverse engineering it. Once the protocol is understood by the audience, I will discuss the thread surface and the different attack vectors possible. I will focus on what worked and demonstrate with demos. We will see how it is possible to abuse the protocol to spy on victims by leaving their mic open. We can also troll victims by dropping or preventing them from picking up phone calls. Last, I will explain how an attacker can abuse multi-party calls to impersonate other callers. Once we understand the vulnerabilities, we will discuss how it can be weaponized to build an amateur (insert 3 letters here)-spy program. This presentation covers CVE-2016-4635, CVE-2016-4721, CVE-2016-4722 and CVE-2016-7577

Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol

Martin Vigo

Layer one 2011-sam-bowne-layer-7-dos

fangjiafu

Path of Cyber Security

Satria Ady Pradana

penetration test using Kali linux ppt

AbhayNaik8

Andrew Brandt, Symantec Back in 2014 and 2015, the Dyre (sometimes called Dyreza) Trojan was a distinctive crimeware tool for the simple reason that it appeared to employ, and experiment with, a whole range of sophisticated tactics, techniques and procedures: It was the first Trojan which exclusively employed HTTPS for its C2 traffic; It operated on a modular basis with a small cadre of other malware families, such as the Upatre downloader, which seemed to support it exclusively, as well as email address scraping tools and spam mail relayers; and it was at least as interested in profiling the environment it had infected as it was in exfiltrating any data it could find on the victim's machine. Then it disappeared suddenly, but re-emerged this year in the form of a Trojan now called Trickbot (aka Trickybot), completely rewritten but with many of the same features. In the lab, we permit Trickbot samples to persist on infected machines for days to weeks in order to perform man-in-the-middle SSL decryption on their C2 traffic. In this session, attendees will get a detailed forensic analysis of the content of some of this C2 traffic and the endpoint behavior of various machines (virtual and bare-metal) when left infected for an extended period of time. Finally, we will share what we know about the botnet's C2 infrastructure and its historical reputation. By understanding how Trickbot functions, and to where it communicates, we hope we can help identify infections more rapidly and, maybe, interpret the motives of whoever is operating this shadowy botnet to predict its next course of action.

BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...

BlueHat Security Conference

Attacking VPN's

n|u - The Open Security Community

2016 TTL Security Gap Analysis with Kali Linux

Jason Murray

Yacin Nadji, Georgia Institute of Technology Any individual that re-registers an expired domain implicitly inherits the residual trust associated with the domain’s prior use. We find that adversaries can, and do, use malicious re- registration to exploit domain ownership changes—undermining the security of both users and systems. In fact, we find that many seemingly disparate security problems share a root cause in residual domain trust abuse. With this study we shed light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years. During this time, we identified 27,758 domains from public blacklists and 238,279 domains resolved by malware that expired and then were maliciously re-registered. To help address this problem, we propose a technical remedy and discuss several policy remedies. For the former, we develop Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes. We identify several instances of residual trust abuse using this algorithm, including an expired APT domain that could be used to revive existing infections.

BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...

BlueHat Security Conference

Chaz Lever, Georgia Institute of Technology Both the operational and academic security communities have used dynamic analysis sandboxes to execute malware samples for roughly a decade. Network information derived from dynamic analysis is frequently used for threat detection, network policy, and incident response. Despite these common and important use cases, the efficacy of the network detection signal derived from such analysis has yet to be studied in depth. This paper seeks to address this gap by analyzing the network communications of 26.8 million samples that were collected over a period of five years. Using several malware and network datasets, our large-scale study makes three core contributions. (1) We show that dynamic analysis traces should be carefully curated and provide a rigorous methodology that analysts can use to remove potential noise from such traces. (2) We show that Internet miscreants are increasingly using potentially unwanted programs (PUPs) that rely on a surprisingly stable DNS and IP infrastructure. This indicates that the security community is in need of better protections against such threats, and network policies may provide a solid foundation for such protections. (3) Finally, we see that, for the vast majority of malware samples, network traffic provides the earliest indicator of infection—several weeks and often months before the malware sample is discovered. Therefore, network defenders should rely on automated malware analysis to extract indicators of compromise and not to build early detection systems.

BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...

BlueHat Security Conference

(03 2013) guide to kali linux

julius77

Penetration Testing has become a part of every security program to some degree over the last several years. Additionally, many standards and regulations require them for compliance as do contractual obligations and pen testing is a well-known best practice for the IT security industry. One of the main issues with Penetration Testing is that very few entities have the knowledge, resources or time to address this in-house. As a result, this task is often outsourced to a third party, who employ “white-hat” hackers with the supposed expertise to complete the task in order to meet business and regulatory needs. The question is “How do you tell the difference between a seasoned group of pen-testing professionals and a low-rent firm whose simply handing over the reports from a canned tool?” In this presentation, Jason Broz and Tom Eston from SecureState will address the following issues: • Pitfalls of pen-testing clients • Games that some firms may play • What to look for in a quality pen test firm • Provide the audience with a checklist of questions to ask when choosing a pen-test firm.

Assessing a pen tester: Making the right choice when choosing a third party P...

Jason Broz, CIPP/US

What's hot (19)

Threat hunting in_windows

Central Iowa Linux Users Group May 2020 Meeting: WireGuard

Kali linux

Fade from Whitehat... to Black

Snooping on Cellular Gateways and Their Critical Role in ICS

kali linux.pptx

Zero Day Malware Detection/Prevention Using Open Source Software

Shamoon

Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol

Layer one 2011-sam-bowne-layer-7-dos

Path of Cyber Security

penetration test using Kali linux ppt

BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...

Attacking VPN's

2016 TTL Security Gap Analysis with Kali Linux

BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...

BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...

(03 2013) guide to kali linux

Assessing a pen tester: Making the right choice when choosing a third party P...

Similar to The Ransomware Threat: Tracking the Digitial Footprints

Crypto Miners in the Cloud

Teri Radichel

The dark-web including TOR, FreeNet and I2P, is that part of the Internet that is not indexed by traditional search engines and where anonymity and confidentiality is enforced at the root. For these characteristics, cyber- criminals started abusing the dark-web to conduct illicit or malicious activities like illegal trading, malware hosting, and more recently targeted attacks. In this talk, we explore the cyber-criminal ecosystem in the dark-web and provides insights on its activities against hidden services and other users.

Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...

Codemotion

Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...

Codemotion

Malware cryptomining uploadv3

Setia Juli Irzal Ismail

TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go. Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.

Red Team Apocalypse

Beau Bullock

Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the end all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced-decommissioning, quarantining, or remediation of the root-cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

Andrew Morris

AtlSecCon 2016

Earl Carter

Security events in 2014

Chong-Kuan Chen

Securing your Cloud Environment v2

ShapeBlue

Cloud Security Engineering - Tools and Techniques

Gokul Alex

Virus Bulletin 2012

Cloudflare

Ransomware - a malicious software used by hackers to block access to a computer system until a ransom is paid. Attackers contact the user with ransom demands. Most attackers request payment in Bitcoin (the crypto-currency). Even if you pay the ransom, the attackers may not deliver the key to unencrypt files. As ransomware attacks continue to grow in number and sophistication, individual PC users and organizations should reassess their current security strategy. There is a common misconception that adding layers of automated defence technologies will reduce the risk of falling victim to ransomware attacks. While endpoint security products and secure email gateways can offer some level of protection, sooner or later a phishing email, which is the most widely-used attack vector, will penetrate defences and user will be faced with determining whether or not an email is legitimate or part of an attack.

Ransomware- What you need to know to Safeguard your Data

Inderjeet Singh

Layer one 2011-sam-bowne-layer-7-dos

fangjiafu

The vast majority of cloud security threats are from misconfigured IaaS instances, compromised accounts, and insider threats but there's emerging threats on the rise as well. And you’ll need deep visibility into your workloads and containers to fight back. Join us for a live webinar with James Condon, Director of Research at Lacework on the current and emerging threats to public cloud and how best to automate security and compliance across AWS, Azure, and GCP, including: Current and emerging threats to AWS, Azure, and Google Cloud environments Recommendations on how to prevent, detect, analyze, and respond to cloud cyber attacks How to move away from a network-centric mindset and adopt a cloud approach How Lacework can help you automate security and compliance across AWS, Azure, GCP, and private clouds

Top 10 Threats to Cloud Security

SBWebinars

Malware analysis

Prakashchand Suthar

Security News Bytes (Aug Sept 2017)

Apurv Singh Gautam

Securing your Cloud Environment

ShapeBlue

How to stay protected against ransomware

Sophos Benelux

Issa jason dablow

ISSA LA

Zombie browsers spiced with rootkit extensions - DefCamp 2012

DefCamp

Similar to The Ransomware Threat: Tracking the Digitial Footprints (20)

Crypto Miners in the Cloud

Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...

Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...

Malware cryptomining uploadv3

Red Team Apocalypse

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

AtlSecCon 2016

Security events in 2014

Securing your Cloud Environment v2

Cloud Security Engineering - Tools and Techniques

Virus Bulletin 2012

Ransomware- What you need to know to Safeguard your Data

Layer one 2011-sam-bowne-layer-7-dos

Top 10 Threats to Cloud Security

Malware analysis

Security News Bytes (Aug Sept 2017)

Securing your Cloud Environment

How to stay protected against ransomware

Issa jason dablow

Zombie browsers spiced with rootkit extensions - DefCamp 2012

Recently uploaded

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

In this session, we will showcase how to revolutionize automated testing for your software, automation, and QA teams with UiPath Test Suite. In part 1 of UiPath test automation using UiPath Test Suite – developer series, we will cover, Software testing overview What is software testing Why software testing is required Typical test types and levels Continuous testing and challenges Introduction to UiPath Test Suite UiPath Test Suite family of products Speaker: Atul Trikha, Chief Technologist & Solutions Architect, Peraton and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 1

DianaGray10

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»

QADay

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.

"Impact of front-end architecture on development cost", Viktor Turskyi

Fwdays

Knowledge engineering: from people to machines and back

Elena Simperl

I'm excited to share my latest predictions on how AI, robotics, and other technological advancements will reshape industries in the coming years. The slides explore the exponential growth of computational power, the future of AI and robotics, and their profound impact on various sectors. Why this matters: The success of new products and investments hinges on precise timing and foresight into emerging categories. This deck equips founders, VCs, and industry leaders with insights to align future products with upcoming tech developments. These insights enhance the ability to forecast industry trends, improve market timing, and predict competitor actions. Highlights: ▪ Exponential Growth in Compute: How $1000 will soon buy the computational power of a human brain ▪ Scaling of AI Models: The journey towards beyond human-scale models and intelligent edge computing ▪ Transformative Technologies: From advanced robotics and brain interfaces to automated healthcare and beyond ▪ Future of Work: How automation will redefine jobs and economic structures by 2040 With so many predictions presented here, some will inevitably be wrong or mistimed, especially with potential external disruptions. For instance, a conflict in Taiwan could severely impact global semiconductor production, affecting compute costs and related advancements. Nonetheless, these slides are intended to guide intuition on future technological trends.

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Peter Udo Diehl

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

Recently uploaded (20)

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

UiPath Test Automation using UiPath Test Suite series, part 1

Designing Great Products: The Power of Design and Leadership by Chief Designe...

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

"Impact of front-end architecture on development cost", Viktor Turskyi

Knowledge engineering: from people to machines and back

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

ODC, Data Fabric and Architecture User Group

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Essentials of Automations: Optimizing FME Workflows with Parameters

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

UiPath Test Automation using UiPath Test Suite series, part 3

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Key Trends Shaping the Future of Infrastructure.pdf

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

The Ransomware Threat: Tracking the Digitial Footprints

1. Kevin Bottomley @k3v_b0t The Ransomware Threat: Tracking the Digital Footprints

2. 2CONFIDENTIA L About Me • Studied Computer Networking and Information Security at CCSF • Security Analyst @OpenDNS • Past speaking events include: BSidesSF 2015, BSidesLA 2015, NASA Ames Security Week, and BSidesNYC 2016.

3. Overview • Prominent Variants • Vectors of Compromise • C2 Setup/Design • Tracking

4. 4CONFIDENTIA L Classic FBI Lock Screen Ransomware • Reveton Family • Fake Lock Screen • Easily removed through safe-mode

5. CryptoLocker

6. 6CONFIDENTIA L CryptoLocker Infected attached and network storage devices • AES-2048 Encryption • What every *crypt* infection is called today

7. CryptoLocker • Started to appear around Sept 2013 • Delivered mainly through GoZ Botnet • Used Domain Generated Algorithm(DGA) • Thousands of domains created • Ex: xcqampjqalpxxk[.]ru

8. CryptoLocker • Mid 2014 GoZ is taken down • With it goes CryptoLocker • Keys recovered from server allow for decryption • New variants emerge around the same time

9. TorrentLocker

10. TorrentLocker • Seen mainly in .au, .nz, and .eu regions • Phishing emails disguised as red-light tickets or tax notices

12. Alpha/TeslaCrypt

13. Alpha/TeslaCrypt • Started out attacking video game extensions • In the beginning used DGA based domains for C2 • ex: fjgkdlslj.sdsfg834mfuuw.com • Changed up in later versions

14. 14CONFIDENTIA L Alpha/TeslaCrypt TeslaCrypt 1.0 used symmetric AES key • Allowed TALOS Group to release TeslaDecrypt • Flaw fixed in TeslaCrypt 2.0

15. CryptoWall

16. 16CONFIDENTIA L CryptoWall Came out swinging end of 2014 • Compromised servers and exploit kit • Tor/I2P

17. Exploitation

18. Chain of Events Any number of events can start the infection. Common methods include: • Phishing • Compromised domain • Malvertising

19. Typical CryptoWall Request • Exploit Kit fires, starting the process • Geolocation call • C2 exchange

20. Geolocation

21. Raw IP Address • Used for Geolocation • Exclude code execution or perform different operation based on global position • Attempt to display message in native language • Unique Identifier • Added to hash with other system info • {<Request ID>|campaign|<MD5>|<OS Info>|IP Address} • Can restrict one infection per IP address • Identify possible researching attempts

22. Malwr.com Open Sandbox for anyone to use • Search/Submit • No real usable API

23. Malwr.com

24. Malwr.com

25. Virustotal.com

26. 26CONFIDENTIA L Virustotal.com Virustotal Intelligence allows hunting with Yara rules • Can set up a running JSON/RSS feed • Only available through VTI

27. Virustotal.com Alpha/TeslaCrypt CryptoWall CryptoWall Alpha/TeslaCrypt CryptoWall

28. Virustotal.com

29. Observation

30. Co-Occurences & Related Domains • Co-Occurence • Same endpoint requests two or more domains in a short time • Related Domain • Same endpoint queries two or more domains around the same time

31. 31CONFIDENTIA L Co-Occurences & Related Domains Example • Can use ip-addr.es as pivot point • Actors selected the least noisiest of all geolocation services • Thanks • Really.

32. Training

33. Training Process Removing False Positives is Key Run Script against ip-addr.es Has domain been seen before? Yes pass No Notification SentValidation determinedIf bad: block Training Set updated Run Script against ip-addr.es

34. Results

35. Take-aways • Able to identify 2905 *Locker* based domains using this method • Bonus included finding various EK domains • Angler Exploit Kit • Neutrino Exploit Kit • Rig Exploit Kit

36. Prevent/Restore • Keep backups often and disconnected from network when not in use. • Adblock/No-Script • Train end-users about Social Engineering techniques(ex: phishing, phishing, and…phishing). • Never pay the ransom.

37. Geo-distribution

38. Questions?

39. 39CONFIDENTIA L Kevin Bottomley – Security Analyst @k3v_b0t

The Ransomware Threat: Tracking the Digitial Footprints

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to The Ransomware Threat: Tracking the Digitial Footprints

Similar to The Ransomware Threat: Tracking the Digitial Footprints (20)

Recently uploaded

Recently uploaded (20)

The Ransomware Threat: Tracking the Digitial Footprints