Breaking the Ransomware Tool Set – When a Threat Actor Opsec Failure Became a Threat Intel Goldmine

Recordings

https://www.youtube.com/watch?v=SAqqc7jczqQ&list=PL8N5HiRDvZ-dVdLNXf6kC3WDi8AWBS27g&index=10

View Recording

Slides

/files/slides/001-09_LVFGUT - Nicklas Keijser_Breaking the Ransomware Toolset.pdf

View Slides

Abstract

During a recent incident response engagement, I was assigned to reverse engineer the RAT that the threat actor had deployed in the environment. When analyzing the malware to unpack it, a suspicious string was found in the memory - and ip number with a list.txt . The list contained a not only a complete inventory that the threat actor had, but also a link to the full repository of all their tools, almost 5 GB / over 100 files and scripts of content covering every part for an intrusion -from reconnaissance to impact and everything in between. This led to an interesting labyrinth of research on all the aspects of this tooling.

Nicklas Keijser

Nicklas is a Threat Research Analyst, a role that involves much reverse engineering and looking into all things malware. Nicklas is also a subject matter expert in industrial control systems and anything related to its security. He started his career programming PLCs, SCADA systems, and almost anything else possible within the industry. Before joining Truesec, Nicklas worked at the Swedish National CERT in the Swedish Civil Contingencies Agency.