
Everything happens for a reason: the choices made by ransomware operators – Jono Davis (PwC)



Presented at the VB2023 conference in London, 4 – 6 October 2023.

✪ PRESENTED BY ✪

• Jono Davis (PwC)

✪ ABSTRACT ✪

The ransomware environment is ever evolving, adapting, and being shaped by the world it operates in. New tactics, techniques, and procedures (TTPs) are observed constantly across consolidated and newer programmes alike, and in an environment that has seen few hurdles in terms of operational disruption since the dissolution of the Conti Ransomware-as-a-Service (RaaS) programme, there are now more consolidated players than ever.

Whilst forecasting the future evolution of the current ransomware milieu is challenging, the two constants across the most established ransomware operations are a) the affiliate programmes, and b) the ransomware binary used for encryption. This talk will look at these two constants in detail across two of the newer – but now consolidated – players in this space, Akira and Rhysida, alongside one of the more established players, Black Basta.

We will spend time analysing the Ransomware-as-a-Service (RaaS) binaries that are provided to affiliates, detailing the relevant, significant changes that have been made and what these indicate about how the operator approaches the relationship with their affiliates. This will be a technical deep dive into the ransomware binaries, highlighting the key adoptions made by the ransomware developers, and will offer potential reasoning as to why these choices were made. We will also present TTPs observed being used by affiliates of these ransomware programmes during their operations (as seen through incident response cases), providing practical takeaways on the techniques that are consistently observed across the ransomware space and how they can be detected. This also provides an opportunity to view the more human, hands-on-keyboard behaviour of affiliates, demystifying the aura that ransomware operations are often afforded.

By delving into the malware at this low level, using both static and dynamic analysis to outline where binaries have undergone substantial alterations, we hope to give the audience a more in-depth understanding of how ransomware operators approach their product, as well as high-level conclusions as to what these observable changes mean for the future of the ransomware environment.
