## It's not FINished

###### Mitchell Clarke and Tom Hall


-----

#### § Principal Consultant § London, UK

 § 2.5 years at Mandiant

##### snozberries_au


-----

#### § Principal Consultant § London, UK

 § Five years at Mandiant

##### – thall_sec


-----

### Ransomware Operation Trends

Self Manual
Propagating Detonation

Spray and Targeted
Pray Deployment

Partnership Self
Models Managed


-----

### APT

#### § An attacker has domain admin access to my

##### environment
#### § There are multiple persistence mechanisms § They likely stole business sensitive data


-----

### APT Ransomware

#### § An attacker has domain admin access to my

##### environment
#### § There are multiple persistence mechanisms § They likely stole business sensitive data § All of my IT infrastructure is down § I can’t function as a business


-----

# REvil/Sodinokibi


-----

### REvil Ransomware as a Service

#### § First seen May 2019 § Operated by UNKN § Affiliate model:

###### – Multiple threat actors use the REvil RaaS

 – Affiliates are vetted and buy in

 – Affiliates receive 60% - 75% of payouts depending on
 performance


-----

### REvil Ransomware as a Service

#### § Each affiliate gains access to the RaaS platform:

###### – Malware generation

 – Ransom demands and payment service

 – Victim communications

 – Coin laundering


-----

### Sodinokibi Ransomware

#### § On the most part, ransomed systems remain

##### functional

###### – System-related file extensions and directories are
 untouched
#### § To date, no issues found in crypto § Each infected system has a unique private key:

###### – Encrypted and stored in registry

 – Decrypted with attacker key


-----

### Time to Ransomware Deployment

#### § It depends on the affiliate § For comprehensive domain-wide ransomware

##### deployment:

###### – Up to three to four months

 – Some affiliates appear to have a backlog of victims


-----

# REvil/Sodinokibi


-----

### Initial Compromise

**Establish Foothold**

#### § Mass exploitation of high-profile vulnerabilities for Escalate Privileges

##### internet-facing infrastructure:

**Reconnaissance**

###### – VPN

 – SharePoint

**Lateral Movement**

###### – RDP
 – Remote Access Applications Maintain Presence
#### § Lateral movement via third parties

**Data Theft**

#### § Credential stuffing of internet infrastructure § Phishing Ransomware

**Deployment**


-----

### Establish Foothold

**Establish Foothold**

##### Depends on the affiliate: Escalate Privileges
#### § Cobalt Strike § VPN abuse Reconnaissance § Web shells Lateral Movement

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>

**Maintain Presence**

<%@ Import Namespace="System.IO" %>
<html>
<script Language="c#" runat="server">

**Data Theft**

private const string AUTHKEY = "VictimOrg";
private const string HEADER = "<html>\n<head>\n<title>command</title>\n<style
type=\"text/css\"><!--\nbody,table,p,pre,form input,form select {\n font-family: **Ransomware**
\"Lucida Console\", monospace;\n font-size: 88%;\n}\n-- **Deployment**
>\n</style></head>\n<body>\n";

private const string FOOTER = "</body>\n</html>\n";


-----

### Escalate Privileges

**Establish Foothold**

#### § Mimikatz Escalate Privileges § ProcDump § Passwords within Group Policy Preferences Reconnaissance § Credentials stored in domain shares Lateral Movement § Credentials stored in user profiles:

**Maintain Presence**

###### – Documents, text files, etc.

**Data Theft**

**Ransomware**

**Deployment**


-----

### Reconnaissance

**Establish Foothold**

#### § Similar tools to what we see in APT/FIN intrusions as Escalate Privileges

##### well as Red Team engagements:

**Reconnaissance**

###### – Advanced IP Scanner

 – SoftPerfect Network Scanner

**Lateral Movement**

###### – Bloodhound
 – Built-in Windows commands Maintain Presence

**Data Theft**

**Ransomware**

**Deployment**


-----

### Lateral Movement

**Establish Foothold**

#### § WMIExec Escalate Privileges § SMBExec § CrackMapExec Reconnaissance § PsExec Lateral Movement § RDP

**Maintain Presence**

**Data Theft**

**Ransomware**

**Deployment**


-----

### Maintain Presence

**Establish Foothold**

#### § Cloud remote desktop software Escalate Privileges § Cobalt Strike Beacon § Web shells Reconnaissance § VPN abuse Lateral Movement § On-premise virtual desktop appliances

**Maintain Presence**

**Data Theft**

**Ransomware**

**Deployment**


-----

### Data Theft

**Establish Foothold**

#### § Data compression tools Escalate Privileges § Cloud data synchronisation platforms

**Reconnaissance**

**Lateral Movement**

**Maintain Presence**

**Data Theft**

**Ransomware**

**Deployment**


-----

### Deploy Ransomware

**Establish Foothold**

#### § Disable antivirus across entire estate Escalate Privileges

**Reconnaissance**

**Lateral Movement**

**Maintain Presence**

**Data Theft**

**Ransomware**

**Deployment**


-----

### Deploy Ransomware

**Establish Foothold**

#### § Disable antivirus across targeted systems Escalate Privileges

@echo off
REM By Robbie Ferguson // baldnerd.com **Reconnaissance**
REM Removes ESET Management Agent (previously named ESET Remote Administrator
Agent) from Windows machines
REM Intended for use as GPO, but could have other applications **Lateral Movement**
REM PLEASE BE MINDFUL - This will remove your connection to your ESMC/ERA server.
Depending on your policies, this could be a very bad thing.
REM This program must be run as administrator

**Maintain Presence**

REM Version 1.01

REM Tested successfully with:

**Data Theft**

REM - ESET Management Agent 7.0.553.0 EEE9596D-3139-4B63-B08B-3F17F0E345F0

echo "Uninstalling ESET Management Agent..." **Ransomware**
echo "Trying version 6 and under..." **Deployment**
wmic product where name="ESET Remote Administrator Agent" call uninstall /nointeractive
echo "Trying version 7 and up..."


-----

### Deploy Ransomware

**Establish Foothold**

#### § Deletion of: Escalate Privileges

###### – File Backups

**Reconnaissance**

###### – Archives

**Lateral Movement**

###### – Virtual Machine snapshots

**Maintain Presence**

**Data Theft**

**Ransomware**

**Deployment**


-----

### Deploy Ransomware

**Establish Foothold**

#### § Creation of open SMB file shares hosting SODINOKIBI Escalate Privileges

##### ransomware

**Reconnaissance**

#### § Deployment of Group Policy Objects to create

##### scheduled tasks to download and execute the

**Lateral Movement**

##### SODINOKIBI ransomware
#### § PsExec for mop-up

**Maintain Presence**

**Data Theft**

**Ransomware**

**Deployment**


-----

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files
on your system has extension <8 unique chars>.

By the way, everything is possible to recover (restore), but you need to follow
our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except
getting benefits. If we do not do our work and liabilities - nobody will not
cooperate with us. Its not in our interests.

To check the ability of returning files, You should go to our website. There you
can decrypt one file for free. That is our guarantee.

If you will not cooperate with our service - for us, its does not matter. But you
will lose your time and data, cause just we have the private key. In practice -
time is much more valuable than money.


-----

-----

##### Overview

Maintain Presence Move Laterally

Access to

Remote desktop

additional

software, VPN

networks and

abuse

domains

**Complete the mission**

Identify Targets Initial Compromise Establish Foothold Escalate Privileges Internal Reconnaissance Data Theft Ransom Event

Phishing, credential reuse,

Identify Exploitable Cobalt Strike, VPN abuse, Mimikatz, credentials in Network scanning, Installation of cloud-sync Scheduled task GPO deployment,

compromise of external

Vulnerabilities web shells domain shares Bloodhound software PsExec

infrastructure


-----

## QAKBOT and DOPPELPAYMER


-----

### Partnership Model

#### § QAKBOT initially deployed as a banking trojan

 § In 2020, the partnership model is seen

###### – Ransomware developers are provided access to
 a compromised environment with QAKBOT

 – Negotiations for payment are handled by the
 ransomware developers themselves


-----

**Partner** **Ransomware**
**Organisation** **Developer**

Maintain Presence Move Laterally

QAKBOT, Cobalt PsExec, Remote
Strike Desktop

Identify Targets Initial Compromise Establish Foothold Escalate Privileges Internal Reconnaissance Data Theft Ransom Event

Identify target Phishing QAKBOT, Cobalt Strike Mimikatz, Procdump Identify domains and networks QAKBOT email module DOPPELPAYMER
organisations of interest


-----

### Initial Compromise

#### § QAKBOT campaigns in early 2020 were seen

##### utilising unsophisticated phishing campaigns

###### <a href="https://<redacted>[.]<redacted>/direct/4345091.zip"> ATTACHMENT DOCUMENT</a>


-----

### QAKBOT

#### § QAKBOT is a modular backdoor which allows Email Staging

##### an attacker to select the capabilities required and upload through the default configuration Cobalt Strike

Web Injects


-----

### Email Staging Module

##### § The email module is a standalone binary, Email Staging

###### independent from other QAKBOT modules

##### § The module creates a directory for email staging,

###### and utilises MAPI connections to a local outlook Cobalt Strike instance

 – %USERPROFILE%\EmailStorage_<computer_name>-
 <username>_<timestamp>

Web Injects

##### § Collected data is sent to a hard coded C2 with the

###### data ZLIB compressed and base64 encoded


-----

### Cobalt Strike Module

#### § QAKBOT can load Cobalt Strike in two ways Email Staging

###### – Arbitrary Downloads

Cobalt Strike

###### § The attackers can push the Cobalt Strike loader as
 a file and execute locally

 – Custom module

Web Injects

###### § The Cobalt Strike module can be configured to
 load a pre-configured DLL which downloads and executes the Cobalt Strike payload


-----

### Web Inject Module

##### § The module works by injecting the contents of the Email Staging

###### below file into explorer.exe

 – <install_path>\webinjects.cb
##### § The module iterates through a list of pre-configured Cobalt Strike

###### sites and injects JavaScript elements

##### § Targeting appears related to Northern American

###### organisations, as exampled below Web Injects


-----

### DOPPELPAYMER Four stage process

##### from delivery of ransomware binary to
 § In early 2020, the following delivery mechanisms encryption of files

###### were seen

 – Group Policies

 § Binaries placed in SYSVOL locations and deployed
 across the domain using scripts

 – PsExec

 – BITS Jobs

 – Scheduled Tasks


-----

users and changes
### Stage 1
password

###### § The DOPPELPAYMER variant enumerates all users for the local
 system and changes the password

 § The password is generated with a pre-configured string and
 an MD5 hash of the computer name

 – Preconfigured string: TtXtE9n3

 – Computer name hash: 384DFCCEE8DB9F89ED2859E3F32F6AF5

 – Full password: TtXtE9n3&384DFCCEE8DB9F89ED2859E3F32F6AF5


-----

users and changes
### Stage 2
password

###### § The ransomware copies a legitimate service and replaces
 the original with a copy of itself

2. Registers the
ransomware as a

###### – File: <random>.exe

service

§ Path: %APPDATA%\<random>.exe

§ Note: Copy of DOPPELPAYMER binary

###### – Service: <random_service>

§ Path: %WINDIR%\system32\<random_service>.exe

§ Note: Ransomware Service

###### – Service: <random_service>-1

§ Path: %WINDIR%\system32\<random_service>.exe-1

§ Note: Backup of Service


-----

users and changes
### Stage 3
password

###### § The Boot Configuration database is altered

 – recoveryenabled: no

2. Registers the
ransomware as a

§ Startup repair is disabled

service

###### – safeboot: minimal

§ Ransomware service is started in safeboot

###### – Group policy configured to display a ransom message prior to login

3. Changes Boot
Configuration
Database


-----

users and changes
### Stage 4
password

###### § After rebooting, the DOPPELPAYMER variant will begin
 encrypting files on the system.

2. Registers the

###### – <filename>.doppeled ransomware as a

service

###### – <filename>.how2decrypt.txt

3. Changes Boot
Configuration
Database

4. Reboots the
system and
encrypts files


-----

### Takeaway

#### § Highly effective

###### – QAKBOT has been around for a long time
#### § High impact

###### – DOPPELPAYMER removes access to systems
#### § Highly active

###### – As many as an organisation a day in periods of
 2020


-----

# Conclusion


-----

### A Continuing Problem

#### § Everything is increasing:

###### – Payouts

 – Number of victims

 – Damage to organisations

 – Extortion for stolen data
#### § With so much profit, so many victims, the only trend is

##### upwards
#### § Ransomware is now a boardroom risk


-----

### Improvements to Tradecraft

#### § More stealth, less noise

###### – Ransomware engagements are fast, but they’re loud
#### § Tooling improvements

###### – Less reliance on standard penetration testing tools

 – More bespoke malware
#### § Faster to domain admin § Improved ransomware deployment methods § Increased effectiveness to delete backups


-----

### What’s Next?

#### § Continued focus on mass exploitation of edge-

##### devices
#### § Limiting factors for the attackers:

###### – Too many victims

 – Not enough operators
#### § No downwards pressure until law enforcement

##### intervention

###### – The best organisations can do is to:

 § improve security

 § improve resilience


-----

# Thank you


-----