Turn and Face the Strange: Ch-Ch-Changes in Ransomware Techniques

Presented at Disobey 2023, Feb. 18, 2023, 11:30 a.m. (30 minutes).

Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV's Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit's adoption of the BlackMatter code, PLAY ransomware's evolution to use ROP, and multiple actors' implementations of intermittent file encryption. We will also discuss what made some of these new TTPs effective for the threat actors' business, and what made them less successful, both at the technical and human intelligence levels. During the talk, we will highlight particular areas that created the most trouble for threat actors, and often made them easier to track. Finally, we will discuss how defenders can adapt to these changing TTPs, and how we expect the ransomware landscape to continue to evolve in the future.

Presenters:

• Lindsay Kaye - Senior Director of Advanced Reversing, Malware, Operations and Reconnaissance (ARMOR) at Recorded Future
  Lindsay Kaye is Senior Director of Advanced Reversing, Malware, Operations and Reconnaissance (ARMOR) at Recorded Future. Her primary focus is the creation of actionable intelligence - providing endpoint, and network detections that can be used to detect threats. Lindsay's passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.Twitter: @TheQueenofELF
• James Niven - Principal Threat Researcher at Recorded Future
  James Niven is a Principal Threat Researcher at Recorded Future. Previously, James was a Red Teamer and now uses his knowledge to develop defensive approaches to detecting malicious behavior employed by threat actors.Twitter: @stuffedinlocker

Links:

• https://disobey.fi/2023/profile/turn_and_face_the_strange

Similar Presentations:

• BSides Austin 2017 / Defending against ransomware: You already have the capability, why are we not using it? This method stopped our attacks cold. Now let me show you how to do it. And it’s FREE, you don’t have to purchase anything.
• REcon 2022 / Malware Wars: DarkSide Strikes Back as BlackMatter
• Black Hat Europe 2020 Virtual / It's not FINished: The Evolving Maturity in Ransomware Operations