WEBVTT 1 00:00:00.160 --> 00:00:04.879 Imagine, imagine, if you will, that you're holding a Russian 2 00:00:04.960 --> 00:00:08.359 nesting doll, you know, Matriasha. On the outside, it looks 3 00:00:08.439 --> 00:00:12.119 totally innocent, maybe a bit decorative painted wood, nothing scary 4 00:00:12.119 --> 00:00:15.439 at all. Yeah, but then you crack it open, expecting 5 00:00:15.480 --> 00:00:18.640 to find whatever the prize is inside, but instead you 6 00:00:18.760 --> 00:00:20.640 just find, well, another doll. 7 00:00:20.719 --> 00:00:22.800 It's identical, just a little smaller exactly. 8 00:00:22.960 --> 00:00:25.280 So you pry that one open, and there's another one, 9 00:00:25.320 --> 00:00:27.679 and then another. It isn't until you get three or 10 00:00:27.719 --> 00:00:31.000 four layers deep past all these decoys that you actually 11 00:00:31.079 --> 00:00:32.719 find the heart of the object. 12 00:00:32.960 --> 00:00:36.079 It's a classic analogy. Yeah, but in the context of 13 00:00:36.079 --> 00:00:39.560 what we're covering today, that final object isn't a prize. 14 00:00:39.640 --> 00:00:40.439 It's a weapon. 15 00:00:40.679 --> 00:00:46.039 Yeah, a repin Welcome to the deep dive. Today we're unpacking, 16 00:00:46.119 --> 00:00:48.920 and I mean literally unpacking, a piece of digital malware 17 00:00:48.960 --> 00:00:51.640 that absolutely terrorized the corporate world. We are talking about 18 00:00:51.679 --> 00:00:54.759 the Agrigor ransomware Gregor. Yeah, and we aren't just you know, 19 00:00:54.920 --> 00:00:57.840 skimming the headlines or reading a Wikipedia summary for you. Today. 20 00:00:57.840 --> 00:01:00.159 We're going straight to the source. We are walking looking 21 00:01:00.280 --> 00:01:04.359 through a highly technical forensic analysis report from the team 22 00:01:04.439 --> 00:01:05.200 at LIFARS. 23 00:01:05.480 --> 00:01:09.519 That's right, The report is titled Malware Analysis Unpacking of 24 00:01:09.640 --> 00:01:13.920 Eggregore Ransomware, and unpacking really is the operative word here. 25 00:01:14.560 --> 00:01:16.959 The life Fars team actually got their hands on a 26 00:01:17.000 --> 00:01:21.079 live sample of eggregor during a real incident response. They 27 00:01:21.079 --> 00:01:23.519 didn't just watch it run in a sandbox. They reverse 28 00:01:23.560 --> 00:01:26.239 engineered it. They took it apart, bite by bite, layer 29 00:01:26.280 --> 00:01:27.840 by layer, just to see what makes it tick. 30 00:01:28.159 --> 00:01:31.760 And what they found reads like a like a detective 31 00:01:31.840 --> 00:01:35.439 story where the villain just keeps changing disguises. This isn't 32 00:01:35.439 --> 00:01:37.840 your average I clicked a bad link and now my 33 00:01:37.920 --> 00:01:41.879 computer is slow kind of virus. This is a high stakes, 34 00:01:41.920 --> 00:01:45.120 targeted extortion tool designed to take down absolute giants. So 35 00:01:45.359 --> 00:01:46.280 let's just jump right in. 36 00:01:46.480 --> 00:01:46.920 Let's do it. 37 00:01:46.920 --> 00:01:49.760 The analysts get this file, they're ready to see the code. 38 00:01:49.840 --> 00:01:51.879 What is the very first thing they notice? 39 00:01:52.040 --> 00:01:54.560 Well, the first surprise is really the format itself. I mean, 40 00:01:54.560 --> 00:01:58.400 we are conditioned to think of viruses as executable files, right, 41 00:01:58.480 --> 00:02:01.719 like a dot x exactly, virus dot xity. But the 42 00:02:01.760 --> 00:02:04.840 sample they were covered was a DLL. Specifically, it was 43 00:02:04.920 --> 00:02:06.719 named klang dot dq l LA. 44 00:02:06.719 --> 00:02:10.800 Klang dot dll. Now I know just enough to be 45 00:02:10.919 --> 00:02:15.199 dangerous here, But klang is a legitimate compiler, right. It's 46 00:02:15.240 --> 00:02:17.639 a tool developers used to write and build code. 47 00:02:18.199 --> 00:02:21.479 It is, and that's exactly why it's such good camouflage. 48 00:02:21.759 --> 00:02:24.560 If assistant administrator is just scrolling through a massive list 49 00:02:24.560 --> 00:02:27.439 of files on a developer's machine, and they see Clang 50 00:02:27.800 --> 00:02:29.039 dot dl. 51 00:02:28.960 --> 00:02:30.719 DBIL, that's probably wouldn't even blink. 52 00:02:30.759 --> 00:02:32.719 It just looks like a standard helper library, right. 53 00:02:32.759 --> 00:02:35.639 It blends right in. But the analysts they didn't just 54 00:02:35.639 --> 00:02:37.479 look at the name. They used a tool called Kappa. 55 00:02:37.680 --> 00:02:38.199 Kappa. 56 00:02:38.319 --> 00:02:42.319 Yes, it's a tool that analyzes a file's capabilities, hence 57 00:02:42.360 --> 00:02:45.520 the name Kapa, rather than just relying on its signature. 58 00:02:45.599 --> 00:02:47.479 It looks at what the code is actively trying to do. 59 00:02:47.879 --> 00:02:49.919 And when they ran that Klang dot dl through Kappa, 60 00:02:50.360 --> 00:02:53.080 a massive red flag popped up almost immediately. 61 00:02:53.199 --> 00:02:53.960 What was the flag? 62 00:02:54.159 --> 00:02:57.599 The memory permissions. This entirely innocent looking DLL was requesting 63 00:02:57.599 --> 00:02:59.919 to allocate memory with RWX. 64 00:02:59.319 --> 00:03:03.120 Protections RWX So that's read write execute correct. Okay, let's 65 00:03:03.199 --> 00:03:05.639 unpack this a bit for everyone listening. Why is that 66 00:03:05.680 --> 00:03:08.919 specific combination the read, write, and execute such a massive 67 00:03:08.919 --> 00:03:12.560 warning sign for security teams Because in modern computing, and 68 00:03:12.639 --> 00:03:16.319 specifically in the Windows security architecture. You almost never want 69 00:03:16.360 --> 00:03:19.159 a program to be able to write data and execute 70 00:03:19.159 --> 00:03:21.879 code in the exact same place, right It's a fundamental 71 00:03:21.919 --> 00:03:27.919 security principle called wkret X or write x or execute. 72 00:03:28.520 --> 00:03:31.080 The idea is you either write data to a space 73 00:03:31.680 --> 00:03:34.400 or you run code from a space. You do not 74 00:03:34.479 --> 00:03:36.159 do both in the same spot because if you can 75 00:03:36.199 --> 00:03:38.039 do both, If you can do both, you can literally 76 00:03:38.080 --> 00:03:40.680 rewrite your own instructions while you are running. You can 77 00:03:40.759 --> 00:03:41.919 change your own code on the fly. 78 00:03:41.960 --> 00:03:43.560 Which is incredibly chaotic. 79 00:03:43.639 --> 00:03:46.639 It's chaotic and it's dangerous. Yeah, but malware loves it. 80 00:03:47.240 --> 00:03:50.199 If a program asks for read, write, and execute permission 81 00:03:50.560 --> 00:03:53.280 all in one chunk of memory, it almost always means 82 00:03:53.319 --> 00:03:56.400 it's preparing to unpack or decrypt a hidden payload and 83 00:03:56.479 --> 00:03:57.240 run it right there. 84 00:03:57.319 --> 00:04:00.479 It's basically clearing out a private workspace to build to bomb. 85 00:04:00.560 --> 00:04:04.719 Precisely that rwx slag confirmed the analyst that clig dot 86 00:04:04.759 --> 00:04:07.840 Deal wasn't the ransomware itself. It was a loader. Its 87 00:04:07.840 --> 00:04:10.400 only job is to smuggle the real malware past the 88 00:04:10.400 --> 00:04:13.599 security bouncers, set up a safe space in the computer's memory, 89 00:04:13.759 --> 00:04:15.360 and then launch the next stage. 90 00:04:15.520 --> 00:04:18.399 So we are at the very first layer of our 91 00:04:18.439 --> 00:04:21.319 mesting doll here. But before this loader even gets to 92 00:04:21.319 --> 00:04:24.879 do its job, the report mentioned something really weird. A 93 00:04:25.000 --> 00:04:27.839 kill switch, yes, but a very specific one. 94 00:04:27.920 --> 00:04:31.160 Oh, this part is fascinating. While the analysts were looking 95 00:04:31.199 --> 00:04:33.959 at the code strings inside the loader, they found a 96 00:04:34.000 --> 00:04:35.439 hard coded file path. 97 00:04:35.920 --> 00:04:36.839 What was it? 98 00:04:36.839 --> 00:04:40.720 It was looking for c drive, Python two seven DLLs, 99 00:04:41.040 --> 00:04:44.040 Underscore SPCs, ORPA dot pi. 100 00:04:44.439 --> 00:04:47.759 A Python script hiding inside an old Python two point 101 00:04:47.759 --> 00:04:48.480 seven folder. 102 00:04:48.720 --> 00:04:51.759 Very specific Python script. Yeah. The malware actually checks to 103 00:04:51.800 --> 00:04:54.759 see if this exact file exists on the computer it's currently. 104 00:04:54.439 --> 00:04:55.639 Infecting, and if it does. 105 00:04:55.759 --> 00:04:58.800 If it finds that file, nothing happens. The malware just 106 00:04:58.879 --> 00:05:01.319 stops completely. It refuses to run. 107 00:05:01.399 --> 00:05:03.199 Wait, so if I just happen to have a dummy 108 00:05:03.199 --> 00:05:06.199 file with that exact name on my computer, I'd be immune. 109 00:05:05.879 --> 00:05:08.480 To eggregor theoretically, yes, you would be. 110 00:05:08.600 --> 00:05:10.399 Why on earth would they build that in? Is it 111 00:05:10.480 --> 00:05:11.480 just a programming bug? 112 00:05:11.639 --> 00:05:14.560 No, it's very intentional. It's likely a safety mechanism for 113 00:05:14.600 --> 00:05:15.680 the attackers themselves. 114 00:05:16.399 --> 00:05:16.560 Yeah. 115 00:05:16.639 --> 00:05:20.000 To remember, these people are writing, compiling, and testing this 116 00:05:20.160 --> 00:05:24.399 highly destructive code on their own machines. Oh right, They 117 00:05:24.439 --> 00:05:27.480 do not want to accidentally double click their own creation 118 00:05:27.680 --> 00:05:30.519 and encrypt their own hard drives. That would be disastrous 119 00:05:30.560 --> 00:05:33.600 for them, so they place this dummy file on their 120 00:05:33.639 --> 00:05:36.959 own systems. It effectively acts as it do not detonate. 121 00:05:36.639 --> 00:05:40.079 Sign Wow, it's literally a vaccine for the creator. 122 00:05:40.199 --> 00:05:42.959 That is wild. It is, and it could also be 123 00:05:42.959 --> 00:05:46.879 a way to mark specific servers within a victim's network 124 00:05:46.920 --> 00:05:49.079 that they want to keep alive. What we mean, well, 125 00:05:49.160 --> 00:05:52.399 for example, if they're using a specific compromise server to 126 00:05:52.480 --> 00:05:56.240 exltrate gigabytes of data back to their headquarters, they don't 127 00:05:56.240 --> 00:05:59.040 want to encrypt that specific server mid heist. It would 128 00:05:59.040 --> 00:06:02.000 cut off their own cannet, So they dropped this Python 129 00:06:02.079 --> 00:06:04.439 file there to mark that machine as safe. 130 00:06:04.560 --> 00:06:07.680 That shows a level of operational discipline. I really wasn't expecting. 131 00:06:07.800 --> 00:06:11.240 It's not just random destruction. It's highly controlled exactly. Okay, 132 00:06:11.279 --> 00:06:14.319 So assuming that magic Python file isn't there, the loader 133 00:06:14.360 --> 00:06:17.879 proceeds and the report talks about a technique called reflective 134 00:06:17.959 --> 00:06:22.040 DLL loading. That sounds incredibly fancy. What does that actually 135 00:06:22.079 --> 00:06:24.040 mean for the person trying to stop the attack. 136 00:06:24.199 --> 00:06:27.600 It's a very advanced stealth technique. Traditionally, if you want 137 00:06:27.639 --> 00:06:29.480 to run a program, you save the file to the 138 00:06:29.480 --> 00:06:32.680 hard drive and you double click it, right, But antivirus 139 00:06:32.759 --> 00:06:37.120 software scans the hard drive constantly. It watches every single 140 00:06:37.160 --> 00:06:40.800 file that touches the disc. Reflective loading bypasses the hard 141 00:06:40.839 --> 00:06:44.839 drive entirely. The malware allocates that RWX memory we talked 142 00:06:44.839 --> 00:06:47.560 about earlier, and it manually writes the next stage of 143 00:06:47.600 --> 00:06:49.279 the attack directly into the RAM. 144 00:06:49.480 --> 00:06:52.240 So it's like a ghost. It never actually touches the floor. 145 00:06:52.279 --> 00:06:53.439 It just floats through the room. 146 00:06:53.519 --> 00:06:55.399 That's a great way to put it. It uses native 147 00:06:55.439 --> 00:06:58.959 Windows functions like virtual allock and virtual protect to trick 148 00:06:59.000 --> 00:07:02.839 the operating system into treating this blob of raw data 149 00:07:02.920 --> 00:07:07.319 in the RAM as a legitimate running program sneaky very 150 00:07:07.399 --> 00:07:09.879 and the analysts actually found proof of this happening in 151 00:07:09.879 --> 00:07:13.439 the code through a really nerdy detail involving indianness. 152 00:07:13.720 --> 00:07:17.079 Oh indian ness. I love that word. That's about byte ordering, right, 153 00:07:17.160 --> 00:07:18.639 like how computers read numbers. 154 00:07:19.160 --> 00:07:22.439 Yes, exactly. It refers to the order of bytes in memory. 155 00:07:22.759 --> 00:07:25.360 Some computer architectures read left to right, some read right 156 00:07:25.399 --> 00:07:28.480 to left. We call them big Indian and little Indian. Now, 157 00:07:28.519 --> 00:07:31.560 every single Windows executable file starts with a standard header 158 00:07:31.959 --> 00:07:36.120 marked by two letters M and Z MZ right for 159 00:07:36.199 --> 00:07:36.959 Marx s. Pokowski. 160 00:07:37.000 --> 00:07:39.000 You got it. But when the analysts looked at the 161 00:07:39.000 --> 00:07:43.959 code in memory, they didn't see MZ. They saw ZM 162 00:07:44.079 --> 00:07:47.920 dyslexic malware. No, just the indian ness the bytes were 163 00:07:47.959 --> 00:07:51.360 reversed in memory. Seeing ZM and EP instead of MZ 164 00:07:51.480 --> 00:07:54.519 and PE confirmed to the analysts that the code was 165 00:07:54.560 --> 00:07:57.920 actively parsing a Windows executable header right there in the memory. 166 00:07:58.000 --> 00:07:59.759 It was the smoking gun exactly. 167 00:08:00.240 --> 00:08:02.639 It proved that the ghost was taking a physical form, 168 00:08:02.680 --> 00:08:04.800 functionally speaking, inside the ram. 169 00:08:04.959 --> 00:08:07.480 Okay, so they successfully impact this first layer. They've got 170 00:08:07.480 --> 00:08:09.720 the ghost in a jar. They look inside fully expecting 171 00:08:09.720 --> 00:08:12.040 to find the ransomware, and what do they find instead? 172 00:08:12.279 --> 00:08:15.680 Layer two? Another DLL. This one was named payload one. 173 00:08:15.639 --> 00:08:19.360 Dot D another loader, another loader, but this one had 174 00:08:19.399 --> 00:08:22.600 a serious surprise waiting for them. When the analyst tried 175 00:08:22.600 --> 00:08:24.800 to run it in a sandbox, which is a safe 176 00:08:24.879 --> 00:08:28.759 isolated environment used for automated testing, it just wouldn't run. 177 00:08:29.360 --> 00:08:30.360 It just sat there. 178 00:08:30.120 --> 00:08:31.360 Playing dead in a way. 179 00:08:31.439 --> 00:08:33.799 Yeah, yeah, it had a unique lock on it. The 180 00:08:33.840 --> 00:08:37.559 analyst discovered that this second DLL checked the command line 181 00:08:37.600 --> 00:08:40.799 arguments used to launch it. It was actively looking for 182 00:08:40.840 --> 00:08:43.840 a specific parameter starting with dash. 183 00:08:43.600 --> 00:08:46.240 P dash P like for password exactly. 184 00:08:46.840 --> 00:08:49.360 The text following that dash pe wasn't just a random 185 00:08:49.399 --> 00:08:53.039 command flag, it was a cryptographic password. If you didn't 186 00:08:53.039 --> 00:08:55.559 type the correct password into the command line when launching 187 00:08:55.559 --> 00:08:58.679 the malware, the decryption would just fail. The payload would 188 00:08:58.679 --> 00:09:01.200 basically scramble itself in the GARB code. It wouldn't detonate. 189 00:09:01.399 --> 00:09:03.799 This totally blows my mind because we usually think of 190 00:09:03.919 --> 00:09:06.799 viruses as these automated things, you know, worms that crawl 191 00:09:06.799 --> 00:09:09.720 through the network on their own, infecting everything they touch automatically. 192 00:09:09.799 --> 00:09:13.440 But this dash pee thing implies a human touch. 193 00:09:13.679 --> 00:09:16.639 That is the crucial takeaway here. This implies a human 194 00:09:16.679 --> 00:09:20.039 operator on the keyboard. Greg wor isn't designed to just 195 00:09:20.039 --> 00:09:22.799 spread wildly like the flu. It is designed for a 196 00:09:22.879 --> 00:09:26.840 highly skilled hacker to break into a network, move around quietly, 197 00:09:27.360 --> 00:09:30.840 maybe steal some admin credentials, and then only when they're 198 00:09:30.879 --> 00:09:34.840 absolutely ready, they manually tack that password to detonate the 199 00:09:34.919 --> 00:09:36.840 ransomware on the target machines. 200 00:09:36.919 --> 00:09:38.919 It's a controlled demolish, it really is. 201 00:09:39.240 --> 00:09:43.799 And it's brilliant for evading security systems. Automated sandboxes don't 202 00:09:43.799 --> 00:09:46.840 know the password right, how could they exactly So if 203 00:09:46.879 --> 00:09:49.600 an anti virus system grabs this file and tries to 204 00:09:49.679 --> 00:09:51.960 run it in a test environment to see if it's malicious, 205 00:09:52.200 --> 00:09:55.159 it fails. It looks total harmless. It only becomes a 206 00:09:55.159 --> 00:09:58.559 weapon when the thief is standing right there holding the key. 207 00:09:59.000 --> 00:10:01.679 So how did the life team get the password to 208 00:10:01.720 --> 00:10:04.120 open it? Did they guess it? You know? Password one, 209 00:10:04.159 --> 00:10:04.720 two three? 210 00:10:04.919 --> 00:10:08.320 No, brute forcing high level encryption isn't really feasible in 211 00:10:08.360 --> 00:10:11.519 a timeframe like that. They got lucky. The report mentions 212 00:10:11.559 --> 00:10:13.960 they obtained the sample from colleagues who were responding to 213 00:10:14.000 --> 00:10:17.840 an actual live incident. They likely recovered the password from 214 00:10:17.879 --> 00:10:20.279 the command line logs or the memory dumps of a 215 00:10:20.360 --> 00:10:23.120 victim's machine where the attackers had already typed it in. 216 00:10:23.200 --> 00:10:25.600 Okay, so they have the password, they type dash P 217 00:10:25.879 --> 00:10:28.960 and the secret code. The second layer finally cracks open 218 00:10:29.639 --> 00:10:31.240 and inside finally we. 219 00:10:31.240 --> 00:10:37.159 Get to stage three payload two dot DLL. This is 220 00:10:37.200 --> 00:10:40.759 the beast. This is the actual Igregor ransomware. 221 00:10:40.360 --> 00:10:42.519 The thing that makes it. Admins want to cry. 222 00:10:42.799 --> 00:10:46.320 Yes, and it is heavy duty. The analysts looked at 223 00:10:46.320 --> 00:10:50.159 the encryption capabilities using the windcrypt library in Windows. They 224 00:10:50.200 --> 00:10:52.879 found a call to cryptgen key with a parameter size 225 00:10:52.919 --> 00:10:54.440 of two thousand and forty eight bits. 226 00:10:54.600 --> 00:10:56.720 Two forty eight bits, that's. 227 00:10:56.679 --> 00:10:59.720 RSA twenty forty eight And the report also notes they 228 00:10:59.759 --> 00:11:03.519 used the Chahaw stream cipher for the actual file encryption, 229 00:11:03.639 --> 00:11:06.919 which is incredibly fast, so they use both. Basically, they 230 00:11:07.000 --> 00:11:09.600 use the super secure RSA key to lock the super 231 00:11:09.600 --> 00:11:10.639 fast Chatchat. 232 00:11:10.360 --> 00:11:12.840 Keys, and in plain English for everyone listening. 233 00:11:12.519 --> 00:11:15.360 In plain English, this is military grade encryption. If you 234 00:11:15.360 --> 00:11:17.840 don't have the private key held by the attackers, you're 235 00:11:17.879 --> 00:11:19.879 not getting your data back. You can't just math your 236 00:11:19.919 --> 00:11:20.759 way out of this one. 237 00:11:20.840 --> 00:11:23.720 So once it launches, it just starts locking files. But 238 00:11:23.799 --> 00:11:27.000 the report pointed out something really interesting, almost rude, honestly, 239 00:11:27.720 --> 00:11:30.559 before it encrypts your files, it goes on a targeted 240 00:11:30.639 --> 00:11:33.840 killing spree. It has a hit list of programs it 241 00:11:33.919 --> 00:11:35.879 hunts down and terminates. 242 00:11:35.480 --> 00:11:38.360 Right And there's a very specific technical reason for this. 243 00:11:38.879 --> 00:11:42.039 In Windows, if a file is open and being actively 244 00:11:42.159 --> 00:11:45.080 used by a program, the operating system locks it. 245 00:11:45.320 --> 00:11:47.519 You can't modify it exactly. 246 00:11:47.080 --> 00:11:49.200 You can't change it, and you certainly can't encrypt it. 247 00:11:49.559 --> 00:11:53.559 So to ensure absolute maximum damage, the malware has to 248 00:11:53.639 --> 00:11:57.000 force close any program that might be holding your valuable 249 00:11:57.039 --> 00:11:57.960 data open. 250 00:11:58.120 --> 00:12:00.360 And the list of targets is pretty eclectic. I'm looking 251 00:12:00.360 --> 00:12:03.679 at the report details here. It kills sql server, Okay, 252 00:12:03.679 --> 00:12:06.000 that makes sense. That's databases. That's the crown jewels for 253 00:12:06.000 --> 00:12:09.840 a company, right. It kills Outlook and Thunderbird Okay, email archives, 254 00:12:09.840 --> 00:12:12.120 got it. But then it kills Steam. 255 00:12:12.360 --> 00:12:15.000 Yes, Steam and a bunch of other gaming related processes too. 256 00:12:15.120 --> 00:12:18.679 It feels so personal. You're hacking a multinational corporation. Why 257 00:12:18.759 --> 00:12:19.879 do you care about Steam? 258 00:12:20.240 --> 00:12:24.759 Well? Context is everything here. Remember that agregor was notoriously 259 00:12:24.879 --> 00:12:26.960 used to target major gaming studios. 260 00:12:27.360 --> 00:12:28.279 Ah right. 261 00:12:28.440 --> 00:12:32.480 If you're a game developer, your database isn't just financial spreadsheets, 262 00:12:32.679 --> 00:12:35.080 it's the three D game assets, the source code, the 263 00:12:35.120 --> 00:12:38.440 project files. All of those are opening your development tools. 264 00:12:38.879 --> 00:12:42.360 If the gregor wants to lock those mathsive assets, it 265 00:12:42.360 --> 00:12:43.679 has to kill the tools first. 266 00:12:43.840 --> 00:12:44.919 That makes total sense. 267 00:12:45.000 --> 00:12:47.679 So seeing Steam and various game engines on the kill 268 00:12:47.679 --> 00:12:50.279 list is a direct reflection of who they were hunting 269 00:12:50.320 --> 00:12:50.759 at the time. 270 00:12:51.000 --> 00:12:53.600 It's not just looking for word docs, it's looking for 271 00:12:53.799 --> 00:12:57.919 anything valuable to that specific victim. And speaking of killing tools, 272 00:12:58.000 --> 00:13:00.919 it doesn't just kill user apps, right, it goes after 273 00:13:00.960 --> 00:13:02.279 the cops too, it does. 274 00:13:02.360 --> 00:13:07.080 It explicitly hunts for forensic tools. The report list processes 275 00:13:07.159 --> 00:13:12.519 like prochmapron, process monitor, wire shark, specifically dump cap and process. 276 00:13:12.200 --> 00:13:14.919 Explorer, the exact tools an analyst would use. 277 00:13:15.039 --> 00:13:17.559 Yes, these are the tools a security analyst or an 278 00:13:17.600 --> 00:13:19.840 incident responder would launch to see what the malware is 279 00:13:19.840 --> 00:13:20.919 actually doing on the system. 280 00:13:21.080 --> 00:13:24.519 It's literally blinding the surveillance cameras while it robs. 281 00:13:24.200 --> 00:13:27.600 The bank exactly. It shows that the malware authors fully 282 00:13:27.639 --> 00:13:31.039 anticipate a fight. They know security teams will be watching, 283 00:13:31.279 --> 00:13:33.919 and they have automated camera measures ready to blind them. 284 00:13:33.960 --> 00:13:35.240 The second they try to look. 285 00:13:35.360 --> 00:13:37.000 It's actively fighting back. 286 00:13:37.840 --> 00:13:38.879 That is terrifying. 287 00:13:39.440 --> 00:13:42.720 So the malware runs, the apps closed, the files get locked. 288 00:13:42.759 --> 00:13:45.600 You're left with a digital brick. But the encryption is 289 00:13:45.720 --> 00:13:48.200 really only half the story with a gregorger, isn't it. 290 00:13:48.720 --> 00:13:51.879 The report goes into some os and open source intelligence 291 00:13:52.000 --> 00:13:53.240 about what happens next. 292 00:13:54.200 --> 00:13:56.519 This is the massive shift we've seen in the ransomware 293 00:13:56.600 --> 00:13:59.919 landscape over the last few years. We call it double extortion. Right. 294 00:14:00.200 --> 00:14:02.360 It's no longer just pay us to get your files back. 295 00:14:02.639 --> 00:14:06.159 It's pay us or we show everyone your deepest secrets. 296 00:14:06.320 --> 00:14:09.279 The report describes the ransom note directing victims to a 297 00:14:09.320 --> 00:14:11.759 dot onion website on the tour network. 298 00:14:11.399 --> 00:14:14.799 The dark web. Correct, and on this site, the attackers 299 00:14:14.799 --> 00:14:17.360 maintain what they boldly call a hall of shame. 300 00:14:17.559 --> 00:14:18.440 A hall of shame. 301 00:14:18.600 --> 00:14:21.120 Wow, it's a public dashboard of the companies they have 302 00:14:21.200 --> 00:14:23.960 successfully hacked. But it's worse than just a simple list. 303 00:14:24.279 --> 00:14:26.879 Next to each company name, they list the percentage of 304 00:14:26.960 --> 00:14:29.120 data they have disclosed or leaked so far. 305 00:14:29.360 --> 00:14:32.919 So it's basically a progress bar of humiliation exactly. 306 00:14:33.000 --> 00:14:37.120 It applies immense psychological pressure to the victim. Even if 307 00:14:37.120 --> 00:14:40.080 a company has perfect backups and says we don't need 308 00:14:40.120 --> 00:14:42.720 to pay you to unlock our files, we can restore 309 00:14:42.759 --> 00:14:44.039 them ourselves. 310 00:14:43.759 --> 00:14:45.320 The attackers still have leverage. 311 00:14:45.399 --> 00:14:48.840 The attackers say, fine, but do you want your customer database, 312 00:14:48.879 --> 00:14:52.080 your internal emails, and your proprietary trade secrets posted on 313 00:14:52.120 --> 00:14:54.480 the open Internet for your competitors to see. 314 00:14:54.639 --> 00:14:58.639 That is absolutely brutal. And the report mentors a specific 315 00:14:58.679 --> 00:15:01.080 section of the site called the wh Whole of the Month. 316 00:15:01.200 --> 00:15:03.360 Yes, whole of the month. They really have a twisted 317 00:15:03.399 --> 00:15:05.759 sense of humor, they really do. In the timeframe of 318 00:15:05.759 --> 00:15:10.720 this specific report, that section featured two very large gaming companies, 319 00:15:11.360 --> 00:15:15.279 But there was an incredibly chilling detail added to that entry. 320 00:15:15.399 --> 00:15:19.559 The attackers left of ps PostScript warning users to think 321 00:15:19.559 --> 00:15:22.519 about possible backdoors in those companies products. 322 00:15:22.639 --> 00:15:25.159 WHOA, let's unpack that for a second. They aren't just 323 00:15:25.200 --> 00:15:28.480 saying we stole the source code. They're heavily implying we 324 00:15:28.600 --> 00:15:30.399 might have modified the code before we left. 325 00:15:30.519 --> 00:15:33.080 Precisely, if you are a software company, that is an 326 00:15:33.120 --> 00:15:35.200 absolute death sentence for your reputation. 327 00:15:35.320 --> 00:15:36.399 Yeah, of course it is. 328 00:15:36.480 --> 00:15:39.919 If your users think your next game update or software 329 00:15:39.960 --> 00:15:43.279 patch might contain a virus because the source code was compromised. 330 00:15:43.679 --> 00:15:47.720 That destroys trust instantly. And the insidious part is whether 331 00:15:47.720 --> 00:15:51.399 the attackers actually planted backdoors or were just bluffing. The 332 00:15:51.480 --> 00:15:54.159 thread alone causes massive damage. 333 00:15:54.320 --> 00:15:57.279 It forces the company to basically audit every single line 334 00:15:57.279 --> 00:15:59.279 of code before they can release anything ever. 335 00:15:59.360 --> 00:16:03.759 Again, exactly, it's pure psychological warfare. It attacks the brand, 336 00:16:03.919 --> 00:16:07.480 not just the server infrastructure. And the report wrapped up 337 00:16:07.519 --> 00:16:11.720 by connecting Aggregor to another infamous ransomware. 338 00:16:11.200 --> 00:16:15.240 Family, right, yeah, the Maze ransomware. The analysts noted that 339 00:16:15.240 --> 00:16:18.240 Egregre shares a lot of similarities with Maize, particularly in 340 00:16:18.279 --> 00:16:20.720 the offustation techniques they used to hide the code. 341 00:16:20.840 --> 00:16:23.960 Maze was huge. They were the ones who essentially pioneered 342 00:16:23.960 --> 00:16:25.960 this entire double extortion tactic. 343 00:16:26.200 --> 00:16:28.600 Right and when the Maze group suddenly announced they were 344 00:16:28.600 --> 00:16:31.320 shutting down, Eggregor appeared almost immediately after. 345 00:16:31.559 --> 00:16:34.799 It strongly suggests a migration of talent the affiliates, the 346 00:16:34.799 --> 00:16:37.559 core developers that they didn't retire, They just rebranded and 347 00:16:37.639 --> 00:16:38.720 launched a new product. 348 00:16:38.519 --> 00:16:39.879 A software book date for criminals. 349 00:16:40.080 --> 00:16:42.639 It's a stark reminder that even when law enforcement or 350 00:16:42.639 --> 00:16:46.000 the industry defeats one ransomware group, the knowledge and the 351 00:16:46.039 --> 00:16:48.279 codebase just evolve into a new form. 352 00:16:48.399 --> 00:16:50.360 It's a hydra. You cut off one head and ag 353 00:16:50.360 --> 00:16:51.559 Grigor grows right in its. 354 00:16:51.399 --> 00:16:54.639 Place, exactly and usually the new head is smarter, faster, 355 00:16:54.759 --> 00:16:55.759 and much harder to kill. 356 00:16:56.000 --> 00:16:57.960 So let's bring this all back to the start. We 357 00:16:58.039 --> 00:17:00.840 began with a nesting ball. We had klang Deal, the 358 00:17:00.919 --> 00:17:07.160 camouflage loader allocating that highly suspicious RWX memory inside that payload. 359 00:17:07.400 --> 00:17:10.119 One dot Deal the lock box that needed a manual, 360 00:17:10.240 --> 00:17:14.039 human typed password to even open, and inside that payload, 361 00:17:14.039 --> 00:17:17.359 two dot Deal the rsa encrypted weapon that ruthlessly kills 362 00:17:17.400 --> 00:17:19.559 everything from SQL databases to steam. 363 00:17:19.880 --> 00:17:21.880 That is the technical journey. Yes, for you. 364 00:17:22.160 --> 00:17:25.039 Looking at this life fars report as an expert, what 365 00:17:25.200 --> 00:17:27.119 is the one thing that really sticks with you? What's 366 00:17:27.119 --> 00:17:29.039 the core takeaway you want people to remember? 367 00:17:29.319 --> 00:17:31.359 For me, it has to be that dash pee parameter, 368 00:17:31.599 --> 00:17:34.720 the password. Yeah, it represents a fundamental shift in how 369 00:17:34.759 --> 00:17:37.839 we have to think about enterprise defense. We aren't just 370 00:17:37.920 --> 00:17:42.119 fighting automated dumb scripts anymore. We are fighting intelligent human 371 00:17:42.160 --> 00:17:44.359 adversaries who are hands on keyboard. 372 00:17:44.559 --> 00:17:45.519 They're inside the house. 373 00:17:45.640 --> 00:17:49.799 They're navigating our networks, learning our specific systems, figuring out 374 00:17:49.799 --> 00:17:53.680 what we value most, and choosing the exact perfect moment 375 00:17:53.759 --> 00:17:57.160 to strike. They are manually entering a password to destroy 376 00:17:57.240 --> 00:18:00.920 your business. That means our defenses can't just be set 377 00:18:00.960 --> 00:18:05.559 and forget automated antivirus, right. We need human threadhunters who 378 00:18:05.640 --> 00:18:09.599 can spot that subtle behavior, the lateral movement, the quiet 379 00:18:09.640 --> 00:18:12.359 reconnaissance before that password ever gets typed. 380 00:18:12.960 --> 00:18:15.400 That is a very sobering thought. It's not a robot 381 00:18:15.440 --> 00:18:18.599 knocking at the door. It's a skilled burglar with a 382 00:18:18.640 --> 00:18:21.119 lock pick set who has been quietly living in your 383 00:18:21.160 --> 00:18:21.759 attic for. 384 00:18:21.680 --> 00:18:23.799 Two weeks and he already has the keys. 385 00:18:23.640 --> 00:18:25.319 And For me, the thing that sticks out is that 386 00:18:25.400 --> 00:18:27.759 image of the Hall of Shame. It reminds us that 387 00:18:27.799 --> 00:18:31.160 security isn't just an it problem about keeping the servers running. 388 00:18:31.319 --> 00:18:34.960 It's fundamentally about brand reputation. It's about trust. 389 00:18:35.119 --> 00:18:35.680 Absolutely. 390 00:18:35.880 --> 00:18:38.200 When you see Steam listed right next to seql server 391 00:18:38.279 --> 00:18:40.799 and a malware kill list, it's a reminder that everything 392 00:18:40.839 --> 00:18:43.720 in our networks is connected. Your fun Friday night gaming 393 00:18:43.759 --> 00:18:46.759 session and your crucial Monday morning financial reports are all 394 00:18:46.839 --> 00:18:50.359 living on the exact same, fragile digital ecosystem. 395 00:18:50.400 --> 00:18:53.680 Well said, the old network parameter is gone. Data is 396 00:18:53.680 --> 00:18:57.240 the ultimate asset, and trust is the only currency that matters. 397 00:18:57.480 --> 00:18:59.319 So here is a thought to leave you all with. 398 00:18:59.799 --> 00:19:02.599 In the old days, a burglar would break in steal 399 00:19:02.640 --> 00:19:05.680 your TV and maybe your jewelry. It was bad, but 400 00:19:05.759 --> 00:19:08.920 it was replaceable. A grigor doesn't just steal your diary, 401 00:19:09.079 --> 00:19:11.279