Search Results

Ransomware attacks have become increasingly sophisticated, with threat actors leveraging various infection vectors to gain initial access to systems. In this blog, we'll explore three critical infection vectors: RDP (Remote Desktop Protocol) , vulnerabilities , and phishing . Understanding these vectors and how they are exploited is crucial to preventing ransomware attacks. 1. Remote Desktop Protocol (RDP) Why is RDP a Major Threat? Lack of Awareness : Many organizations do not fully recognize the threat posed by open RDP services. Critical Servers at Risk : RDP is often left open on critical servers, making them easy targets. Weak Security Measures : Common issues include weak password policies, no Multi-Factor Authentication (MFA), and no lockout policies. Key Consideration : Any RDP service exposed to the internet will face constant brute-force attacks. Organizations often avoid lockout policies to prevent legitimate accounts from being locked out, but this opens the door to attackers. Tracking RDP via Event Logs Use event IDs to monitor RDP activity. Common event IDs associated with RDP use include. Restricting RDP Activity Group Policy Objects (GPOs) : Disable RDP on hosts where it is not required. Firewall Rules : Implement rules to block inbound and outbound RDP traffic based on both port numbers and detected application protocols. Security Policies : Establish and enforce policies that prohibit unnecessary RDP use. Verification : Check firewall logs and Windows event logs, especially from an external to internal perspective, to ensure RDP restrictions are effective. 2. Exploiting Vulnerabilities Understanding Zero-Day Attacks What is a Zero-Day? : A zero-day vulnerability is an unknown flaw in software with no available patch. However, once a patch is available, it stops being a zero-day. Case Study - REvil and Kaseya (2021) : The REvil group exploited zero-day vulnerabilities in Kaseya's software, leading to widespread attacks. Why Are Exploits Successful? Slow Patch Cycles : Organizations often take too long to patch vulnerabilities. Poor Asset Management : Many companies lack a solid asset management system, leading to unpatched devices and services. Abandoned Services : Unused and unpatched services create easy entry points for attackers. Example of Exploits : The Log4Shell vulnerability in 2021 highlighted how unmonitored third-party libraries can become major security risks. Resources : Track the most exploited vulnerabilities via below link. https://github.com/fastfire/deepdarkCTI/blob/main/cve_most_exploited.md Identification : Look for “contextual evidence” when identifying vulnerability exploitation as the infection vector. For example, non-related process running under a service-related process is a red flag. Service- and appliance-related processes serving as parents for non related processes is a bad sign. 3. Phishing - The Most Common Infection Vector How Phishing Works Email Attacks : Phishing emails aim to deliver malware or harvest credentials. Attackers often bypass MFA by using stolen credentials to log in to remote services like VPNs and RDP. Malspam Campaigns : These campaigns rely on sheer volume to succeed. Emails may contain malicious attachments (maldocs) or links designed to download malware. Hunting for Phishing Attachments Web Browsers : Analyze web browser artifacts using tools like DB Browser  to identify downloaded files. Outlook Content : Cached emails and attachments in Outlook are valuable for hunting phishing artifacts. Malicious processes launched from Office applications are often a tell-tale sign. (/inetcache/content.outlook/) Windows Explorer : Look for evidence of ZIP files opened by users, which may contain malware. Windows Registry : The Windows Registry is a veritable cornucopia of data pertaining to user actions within the operating system. If a user opens a maldoc, they may be required to enable macros. Unsurprisingly, many users take this action without question. When they do, the action is logged in the “Trusted Documents” section of the Registry. Phishing Links Direct Downloads : Some phishing emails bypass DNS-level protection by using direct IP addresses or URL shorteners ( e.g., bit.ly, tinyurl ). File Sharing Sites : Attackers often use legitimate file-sharing sites like Google Drive or Dropbox to host malicious content, making detection harder. Mitigation : Organizations should block or at least monitor access to file-sharing sites and flag suspicious activity. Additional concepts: The Role of CVEs and Exploit Code in Ransomware Campaigns Newly Announced CVEs : Darknet Discussions : Newly disclosed CVEs are often discussed on darknet forums, where threat actors share and sell exploits. Rapid Spread of POC Code : In today's digital age, Proof of Concept (POC) code spreads quickly on public platforms like GitHub and private channels alike. It's not uncommon for ransomware actors to log into a victim's network, open a web browser, and download tools or POC code from GitHub the same day it becomes available. Exploits for Sale : Darknet Marketplaces : While some security researchers publish POC code publicly, threat actors often develop and sell exploit code on darknet marketplaces. Occasionally, researchers purchase this code to bring awareness to the threat, but this also highlights the accessibility of such exploits to malicious actors. Example - PrintNightmare : Commodity Malware and Malware as a Service (MaaS) Commodity Malware : Infostealers : These are commonly used in ransomware attacks to gather information and lay the groundwork for further exploitation. MaaS : MaaS has become a significant tool in ransomware campaigns. Originally starting as "banking trojans" or "info stealers," these tools have evolved into what are now often referred to as "loaders," capable of delivering additional payloads onto a compromised machine. Emotet : A Notorious Example : Emotet, one of the most well-known MaaS families, had a significant impact on the cyber threat landscape. After a law enforcement raid led to its temporary disappearance, the group re-emerged in mid-2022, revamping its operations. Cryptolaemus : A group of researchers known as "Cryptolaemus" has dedicated itself to combating the Emotet threat. They regularly post information on Emotet campaigns, including IPs and URLs they have detected. https://x.com/Cryptolaemus Resource for Live Malware Samples : For live samples of various MaaS families and loaders, https://github.com/jstrosch/malware-samples Conclusion Understanding these infection vectors is crucial for building robust defenses against ransomware. By focusing on key areas such as RDP, vulnerabilities, and phishing, organizations can significantly reduce their risk of falling victim to these attacks. Regular monitoring, patching, and enforcing strict security policies are essential steps in this process.

Why Sysmon? Sysmon provides detailed information about process creations, network connections, and changes to file creation time. This can be incredibly valuable for security monitoring, incident response, and forensic investigations. Some key features include: Process Creation Monitoring:  This is essential for tracking the execution of potentially malicious software. Network Connection Logging:  Captures details about outbound and inbound connections. File Creation Time Changes:  Helps identify when files were created or modified, aiding in malware detection. Installation and Configuration Installing Sysmon is straightforward. You can download Sysmon from Microsoft’s official site , which includes documentation and the executable file. Download Sysmon:  Get the Sysmon executable from the link provided. Prepare Configuration File:  Download a configuration file (e.g., sysmonconfig-export.xml). Install Sysmon:  Execute the following command in the command prompt to install Sysmon with your configuration file sysmon.exe -accepteula -i sysmonconfig-export.xml This command installs the Sysmon driver and service, which will start logging immediately. Viewing Sysmon Logs After installation, Sysmon logs can be found in the Event Viewer under: Event Viewer (Local) → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational This location provides easy access to the detailed logs generated by Sysmon. Recommended Resources To get the most out of Sysmon, leverage these valuable resources: Michael Hagg’s Sysmon Repository:  This GitHub repo contains a wealth of resources and configurations for Sysmon https://github.com/MHaggis/sysmon-dfir Ultimate Windows Event Log Configuration Guide:  Yamato Security’s guide helps enable specific non-default log types useful for ransomware response: https://github.com/Yamato-Security/EnableWindowsLogSettings Awesome Event IDs:  Mathias Stuhlmacher’s curated list of useful event IDs, detailing how to log relevant events: https://github.com/stuhli/awesome-event-ids?tab=readme-ov-file#event-id-databases Important Logs to Collect For comprehensive monitoring and threat detection, ensure you are collecting logs from the following sources: Firewall Logs, VPN Logs, VMware/Citrix Logs, Cloud Logs, Web Logs ,Email Logs ,DNS Logs , Database Logs Conclusion Sysmon helps you monitor, detect, and respond to security threats more effectively. Coupled with the resources and guides mentioned, you can configure Sysmon to meet your specific security needs and improve your overall threat detection and response efforts. Akash Patel

What is Log-MD? Log-MD is a security tool tailored for Windows systems. It audits log settings and advanced audit policy configurations, guiding users to enable and configure these settings for better security and detection . By gathering artifacts from malicious activity, Log-MD speeds up the investigation process, validating the integrity of systems, and facilitating quicker malware analysis. Key Features Audit Checks:  Validates audit settings and ensures they are configured to capture necessary security events. Malicious Discovery:  Collects artifacts related to malware, such as process details, file changes, and registry modifications. Enhanced Logging:  Provides recommendations to improve Windows logging, capturing more detailed and useful data. Compliance Reporting:  Generates audit reports to ensure systems meet compliance standards like WLCS, CIS, USGCB, and AU ACSC. Comparing Log-MD Versions Log-MD comes in three versions: Free, Professional, and Consulting. Here’s a breakdown of their features: Feature Free Professional Consulting Audit Check ✔ ✔ ✔ Bypass Audit Check ✔ ✔ ✔ PowerShell version and audit log checks ✔ ✔ ✔ WLCS & CIS Compliance ✔ ✔ ✔ USGCB & AU ACSC Compliance ✔ ✔ ✔ Create Audit Report ✔ ✔ ✔ Specify Output Directory ✔ ✔ Harvest Windows Log Events ✔ ✔ ✔ Process Tree of Parent-Child Processes ✔ ✔ Custom PowerShell report with configurable settings file to hunt for suspicious PowerShell commands ✔ ✔ Harvest Sysmon Service Events ✔ ✔ Whitelist Processes, Command Line, and IPs ✔ ✔ ✔ Whitelist Files, Paths, & Reg Keys ✔ ✔ ✔ Detailed Log Data Reports 16 30 30 File Hash Baseline ✔ ✔ ✔ File Hash Compare to Baseline ✔ ✔ ✔ Whitelist by File, Location, or Hash ✔ ✔ Master-Digest ✔ ✔ Locked Files Report ✔ ✔ ✔ Locked Files Compare to Baseline ✔ ✔ Registry Baseline ✔ ✔ ✔ Registry Compare to Baseline ✔ ✔ ✔ Evaluate Imported Hives ✔ ✔ ✔ Whitelist Keys & Values ✔ ✔ Large Reg Keys Details ✔ ✔ ✔ Load Hives from other systems ✔ ✔ ✔ Large Reg Key Summary ✔ ✔ WhoIs data for IPs in the IP Connections reports ✔ ✔ Command line WhoIs lookups of IPv4 addresses ✔ ✔ ✔ Harvest SRUM data - Netflow data by Application (Win 8.1 and 10 only) ✔ ✔ List of AutoRuns Report ✔ ✔ ✔ AutoRuns exclude results using Master Digest and Whitelist ✔ ✔ AutoRuns of all WMI namespaces ✔ ✔ ✔ List of Running Processes and Modules Report ✔ ✔ ✔ Running Process and Modules exclude results using Master Digest and Whitelist ✔ ✔ Query only WMI namespaces ✔ ✔ VirusTotal lookups of hashes and/or files from reports ✔ ✔ Automatic VirusTotal lookups when running Autoruns ✔ ✔ Automatic VirusTotal lookups when checking Running Processes and their modules ✔ ✔ 10 VirusTotal reports can be generated from log reports and Sysmon ✔ ✔ For Consultants ✔ Transferrable 90-Day License ✔ Special Artifact Hunting Features ✔ ✔ Sticky Key Exploit Interesting Artifact Report ✔ ✔ null byte in a registry value Interesting Artifact Report ✔ ✔ Unicode character in filename Interesting Artifact Report ✔ ✔ Manual pages 23 70 70 LOG-MD-Pro Slack Channel Community ✔ ✔ Here is an example of the detailed output you can expect from Log-MD: Conclusion Log-MD is an invaluable tool for anyone tasked with Windows system security. Whether you're a small business or a large enterprise, Log-MD offers a cost-effective solution to enhance your malicious discovery and logging capabilities. Akash Patel

In the world of ransomware analysis and incident response, having the right tools at your disposal can make all the difference. Manual Collection Tools Several tools are essential for collecting forensic artifacts, each with unique capabilities that make them indispensable for incident response: Kroll Artifact Parser & Extractor (KAPE) : This tool simplifies the collection of forensic artifacts. It's versatile and can be run locally on machines or deployed across an environment using Group Policy Objects (GPOs) in Active Directory, System Center Configuration Manager (SCCM), or other deployment tools. CyLR : Another powerful tool for live response collection. Like KAPE, CyLR can be deployed via GPOs, SCCM, or other methods, making it an excellent choice for comprehensive artifact collection. Kansa : A PowerShell-driven tool that uses PowerShell Sessions (PSSessions) for remote execution. It relies on PowerShell Remoting (PSRemoting), which might be disabled in many organizations for security reasons. Enabling PSRemoting should be carefully considered, as it can introduce new vulnerabilities. Deploying Collection Tools These tools can be deployed in various ways to ensure they are ready for immediate use when needed: Local Execution : Running the tools directly on the machine where the incident occurred. Remote Deployment : Using GPOs, SCCM, or other deployment tools to push the tools across the network. Mounting Drives : For "dead disk" analysis, where you need to collect artifacts from a drive that is not currently mounted. This can be done by mounting the drive as read-only and running the collection tool. For those who do not have a software deployment tool, PDQ Deploy is a recommended option. Avoiding Memory Stomping It's crucial to have a collection tool or method in place before an incident occurs t o avoid memory stomping , which can overwrite valuable forensic evidence. Pre-installing the tool across devices can help mitigate this risk. Additionally, collecting from shadow copies or using tools like FTK Imager Lite can help bypass issues with locked files. Learning and Resources To deepen your understanding of these tools, here are my blogs: KAPE : https://www.cyberengage.org/post/kape-a-detailed-exploration CyLR : https://www.cyberengage.org/post/ransomware-analysis-a-examiner-s-guide-part1 Kansa : https://www.cyberengage.org/post/power-of-kansa-a-comprehensive-guide-to-incident-response-and-threat-hunting Parsing Collected Artifacts Once artifacts are collected, they need to be parsed. Various tools are available for this purpose, with Eric Zimmerman's suite being a popular choice. However, there are many other tools available, find the best fit for your needs. The Best Commercial Tool: Magnet AXIOM For those seeking an easy-to-use, comprehensive forensics tool for ransomware response, I recommend Magnet's AXIOM. Scaling Artifact Collection: Collecting artifacts from a single host is straightforward, but when you need to analyze data at scale, it becomes crucial to have efficient tools and methodologies. Methodologies for Scalable Artifact Collection 1. Secure FTP (SFTP) Servers: Purpose:  Commonly used to warehouse artifacts collected via deployed tools or scripts. Make sure to enhanced security. Create an account with only write access (no read access) for pushing collections to the server 2. KAPE and CyLR: Both KAPE and CyLR come with built-in SFTP capabilities, making it easy to push collections to a server within your environment. Example Commands: For CyLR: CyLR.exe -u yourUsername -p yourPassword -s 8.8.8.8:22 For Kape: Kape.exe --tsource C: --tdest D:\ --target !SANS_Triage -scs[server] --scp[22/port] --scu [User] --scpw[pwd] --vhdx Leveraging Velociraptor for Advanced Collection Velociraptor Overview: Purpose:  An advanced digital forensic and incident response tool that enhances visibility into endpoints. Capabilities:  Allows remote navigation of file systems, refreshing directories, accessing them live, and performing live parsing on data. Advantages:  Versatile and powerful, offering more than just collection. I haven’t delved into Velociraptor yet, but I plan to learn it in the future. Once I have a good grasp of it, I’ll create a detailed blog post to help you understand and use this tool effectively. Conclusion Being prepared with the right tools and knowledge is essential for effective ransomware analysis and incident response. By leveraging tools like KAPE, CyLR, and Kansa, and deploying them effectively, you can ensure that your response is swift and thorough. For more detailed insights and tool reviews, you can visit the Tool Hub page on my website, where I've created a large number of blogs dedicated to these tools. Akash Patel

Windows environment variables are one such critical component that forensic analysts must be familiar with. These variables function like shortcuts to specific system locations, and they play a pivotal role in both legitimate and malicious activities. What are Environment Variables? Environment variables in Windows are dynamic values that the operating system and applications use to determine various settings and locations on the computer. These variables are often used to point to directories, system paths, and configuration settings. They can be predefined by the operating system or created by users and administrators. Common Windows Environment Variables Here are some commonly used environment variables and their typical paths: %APPDATA% : Points to the current user's Roaming profile directory. Example: C:\Users\noransom\AppData\Roaming This directory is used for storing application data that should roam with the user profile across different machines. %LOCALAPPDATA% : Points to the current user's Local profile directory. Example: C:\Users\noransom\AppData\Local Data in this directory stays local to the machine and does not roam. %TEMP% : Points to the temporary files directory. Example: C:\Users\noransom\AppData\Local\Temp This is where temporary files are stored and is often targeted by malware for temporary storage. %ComSpec% : Points to the command prompt executable . Example: C:\Windows\system32\cmd.exe %ProgramData% : Points to the application data folder that is shared among all users. Example: C:\ProgramData Why Environment Variables Matter in Forensics Environment variables are crucial in forensic investigations for several reasons: Tracing User Activity : By examining the paths pointed to by environment variables, forensic analysts can trace the activities of users on the system. For example, the %APPDATA% directory can contain configuration files and logs of applications that provide insights into user actions. Identifying Malicious Behavior : Attackers often exploit environment variables to obfuscate their activities. They might create custom variables to hide malicious files or chain multiple variables to execute commands without leaving obvious traces. Streamlining Analysis : Knowing how to reference environment variables can streamline the forensic analysis process. Analysts can quickly navigate to relevant directories and files by using these shortcuts. How Attackers Exploit Environment Variables Attackers frequently use environment variables to their advantage in several ways: Persistence Mechanisms : Malware often stores configuration files and executables in directories referenced by environment variables like %APPDATA% or %TEMP%, ensuring they persist across reboots. Command Obfuscation : By creating and chaining environment variables, attackers can obfuscate their commands. For example, an attacker might create a variable %MALWARE% pointing to their payload and then execute it by referencing %MALWARE%. Evasion Techniques : Using environment variables can help malware evade detection by traditional file path-based security mechanisms. Listing Environment Variables To view all environment variables accessible by your current account, you can use the following commands: Command Prompt : set PowerShell : ls env: Practical Example Let's say an attacker has placed a malicious script in the %APPDATA% directory and is using an environment variable to run it. You can quickly check what the %APPDATA% variable points to by running: echo %APPDATA% This command will display the full path, helping you navigate to the directory and investigate further. Conclusion These variables provide valuable insights into user activities and are often manipulated by attackers to obfuscate their actions. By familiarizing yourself with common environment variables and how they are used, you can enhance your ability to detect, analyze, and respond to security incidents effectively. Akash Patel

When it comes to forensic analysis, Windows is an incredibly revealing operating system. It leaves behind numerous traces that can provide critical insights into ransomware incidents. Windows Event Logs (WEL) Windows Event Logs are a treasure trove of information for forensic analysis. They record a wide range of events, from logins and logoffs to application crashes and security incidents. By analyzing these logs, you can reconstruct a timeline of activities and identify potential indicators of compromise. Endpoint Detection & Response (EDR) Many organizations rely heavily on EDR during incident response because of the depth of insights it provides. While EDR is crucial, remember to collect artifacts beyond what EDR offers. File and Folder Access Windows keeps detailed records of file and folder access. Every time a user accesses a file, several forensic artifacts are created, documenting what was accessed, when, and where it was located. These artifacts are invaluable for understanding the scope and impact of an incident. NTFS Metadata Analyzing NTFS metadata, such as $MFT, $UsnJrnl:$J, and $Logfile , can reveal a lot about the activities that occurred within the Windows file system. These metadata files track changes to files and directories , helping you piece together what happened during the ransomware attack. Registry Hives The Windows registry is a central repository for configuration data. Collecting and analyzing registry hive files is essential for identifying persistence techniques. Evidence of Execution Prefetch files, UserAssist entries, ShimCache, and Amcache. These artifacts can show what programs were run, when they were run, and even how often they were executed. Web Browser Databases Web browsers store a wealth of information, including search history, bookmarks, downloads, and more. Analyzing browser databases can provide insights into an attacker’s online activities, such as searching for specific tools or visiting malicious websites. Most common artifact that must be collected and Tool CyLR collect below artifact automatically. Tools: Me personally prefer Kape. But this was another very useful tool or collecting forensic artifacts is CyLR . This tool can be configured to gather a wide range of files and logs from a Windows system. The default collection paths used by CyLR are a good starting point for your analysis. Check it out : https://github.com/orlikoski/CyLR#windows Info About tool: CyLR, short for Cyber Live Response, is an open-source collection tool developed to assist forensic analysts and incident responders. It automates the collection of critical system artifacts, reducing the time. CyLR supports both Windows and Linux environments, making it versatile for various incident response scenarios. How to Use CyLR Using CyLR is straightforward. Here’s a step-by-step guide: Download and Prepare: Download CyLR Extract the tool and copy it to a USB drive/Remotely or a secure location on your forensic workstation. Deploy on Target System: Insert the USB drive into the compromised system. Open a command prompt with administrative privileges. Run CyLR: Navigate to the directory containing CyLR. CyLR.exe -o  (for Windows) ./CyLR -o  (for Linux) CyLR will start collecting artifacts and save them to the specified output directory. Outputs: Kindly Note: Few artifact will be in raw format. For example $MFT, $LogFile. You have to parse them manually or using other tools. Kape will do that for you. Stay prepared, stay vigilant, and let tools be your ally in the fight against ransomware. Akash Patel

Ransomware attacks continue to evolve, and so do the tactics used by ransomware actors. One of the key components in their operations is the infrastructure they use, often hosted on what are known as bulletproof hosting (BPH) sites. In addition to BPH, these actors also utilize virtual private servers (VPSs) and have sophisticated affiliate programs to expand their reach. What is Bulletproof Hosting (BPH)? Bulletproof hosting (BPH) providers offer hosting services without any concern for the type of content being hosted. This makes them ideal for cybercriminals, including ransomware operators, who need to host malicious infrastructure. These providers often operate in countries that have lenient privacy policies and no extradition agreements with countries like the United States. Why BPH?  Unlike regular hosting providers that respond to abuse reports, BPH providers ignore these reports, allowing illegal activities to continue. Finding BPH : These services are often advertised and purchased on darknet forums. https://intel471.com/blog/top-bulletproof-hosting-providers-yalishanda-ccweb-brazzzers-2021 Virtual Private Servers (VPS) In addition to BPH, ransomware actors frequently use virtual private servers (VPS) from companies like DigitalOcean and Vultr. These servers offer more flexibility and anonymity. How it works : Attackers spin up a VPS, use it for a few attacks, and then shut it down to avoid detection. This process is repeated multiple times. Identifying VPS : Sometimes, a whois lookup on an IP address used by attackers can reveal its VPS origin. For instance, Vultr uses Choopa autonomous system numbers (ASNs), which can be identified by the prefix "CHOOPA-ASN." Ransomware Affiliate Programs Ransomware groups have professionalized their operations by creating affiliate programs. These programs are similar to business partnerships where the ransomware developers and affiliates share profits from successful attacks. Evolution : Initially, these programs were informal partnerships. Today, they are structured programs managed by project managers. Rules and Marketing : Ransomware groups often provide specific rules for their affiliates and market their programs to attract skilled partners. Example: Notable Ransomware Affiliate Programs One of the well-known ransomware groups with an affiliate program is the BlackCat/ALPHV group. Their affiliate program is frequently cited as a sophisticated example of how ransomware operations are run like businesses. BlackCat/ALPHV : This group offers a well-structured affiliate program. For more detailed information, you can read Group-IB’s analysis titled “Fat Cats: An analysis of the BlackCat ransomware affiliate program” https://www.group-ib.com/blog/blackcat/ Conclusion By staying informed about these tactics and adopting strong security practices, organizations can better protect themselves against these evolving threats. Akash Patel

In my previous blog, A Deep Dive into Plaso Log2Timeline Forensic Tools, I covered how to use Plaso Log2Timeline on Ubuntu and parse the timeline . However, I understand that Ubuntu might not be feasible for everyone, so in this post, we'll discuss how to run Plaso on Windows. Note that all command parsers will be the same as in the previous blog. Blog Link :- https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools Getting Started with Docker Desktop To run Plaso/Log2Timeline on Windows, you'll need Docker Desktop. Follow these steps to get started: Download Docker Desktop : Docker Desktop Install Docker : No need to sign in. Just follow the installation prompts and configure it as you would with any other application. Installing Plaso with Docker There are two ways to install Plaso with Docker: Manual Installation : Follow the documentation. https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html Docker Pull : Simply search for plaso2timeline in Docker and pull the image. Choose the method that suits you best. Testing Your Plaso Docker Image To test your Plaso Docker image, run the following command in PowerShell (ensure Docker is running with administrator privileges): (PowerShell Only) docker run log2timeline/plaso log2timeline.py --version If you get an output, it means Plaso is running successfully. Lets start-------With Main Stuff :) Collecting Artifacts The first step in analysis is to collect artifacts. I recommend using KAPE, which simplifies the process. If possible, collect data in .vhdx format. Mount the Drive : After collecting the artifacts, mount the drive. Analysis Methods Once collection done y ou can Parse/analyze the artifacts in two ways as per me : Parse all artifacts separately using Eric Zimmerman's tools , then collect all outputs into one .plaso file for analysis. This method is time-consuming but effective. Parse most artifacts with Plaso and the $MFT with Eric Zimmerman's MFTECmd tool , then merge them together. Although Plaso can parse the $MFT, I prefer using MFTECmd. Will Proceed with Second Step: 1. Parsing Artifacts with Plaso To parse all artifacts except the $MFT, use the following command in PowerShell: docker run -v E:/C:/data -v D:/Plaso:/output log2timeline/plaso log2timeline.py --parsers '!mft,!usnjrnl,!filestat' --hashers md5 --status_view window --storage_file /output/akash.plaso /data Explanation : -v E:/C:/data: Maps the E:\C directory to /data  in the Docker container. (E: is drive \C folder inside drive) -v D:/Plaso:/output: Maps the D:\Plaso directory to /output in the Docker container. log2timeline/plaso: Specifies the Docker image. log2timeline.py: The command to run inside the container. --parsers '!mft,!usnjrnl,!filestat': Excludes the MFT, USN Journal, and file statistics parsers. --hashers md5: Uses MD5 hashing. --status_view window: Sets the status view to a windowed interface. --storage_file /output/akash.plaso: Specifies the output file path inside the Docker container. /data: The source directory inside the Docker container. This command will run Plaso on the contents of E:\C and save the output to D:\Plaso\akash.plaso. 2. Parsing the $MFT with MFTECmd To parse the $MFT using MFTECmd, run the following command in CMD: MFTECmd.exe --body D:\Plaso --bodyf D:\Plaso\HOSTNAME.mft.bodyfile --bdl C -f "E:\C\$MFT" Explanation : D:\Plaso: Output directory. --bodyf: Specifies the file name in .mft.body. --bdl C: Specifies the drive letter to use with the bodyfile. -f "E:\C\$MFT": Path to the MFT file. 3. Adding MFT Data to the Plaso File Parse the MFT bodyfile and add the data to your Plaso file (in my case akash.plaso) with the following command: (PowerShell) docker run -v D:/Plaso:/output log2timeline/plaso log2timeline.py --parsers 'mactime' --hashers md5 --status_view window --storage_file /output/akash.plaso /output/HOSTNAME.mft.bodyfile Explanation : docker run: Starts a Docker container. -v D:/Plaso:/output: Mounts the D:/Plaso directory to /output inside the container. log2timeline/plaso: Specifies the Docker image. log2timeline.py: Command to run inside the container. --parsers 'mactime': Specifies the parsers to include. --hashers md5: Uses MD5 hashing. --status_view window: Sets the status view type. --storage_file /output/akash.plaso: Specifies the storage file for the timeline. /output/HOSTNAME.mft.bodyfile: Input bodyfile. You now have a final akash.plaso file that includes the MFT data as parsed by MFTECmd and all other artifacts parsed by log2timeline parser. After this you can do with this output, transfer this output into Elasticsearch or Any tool you want or you can parse it into csv format for further analysis using timeline explorer. 4. Importing the Plaso File into Elasticsearch for Timesketch To import the Plaso file into Elasticsearch for use with Timesketch, use the following command: PowerShell docker run -v D:/Plaso:/output log2timeline/plaso psort.py -o elastic --index_name example_host --server 127.0.0.1 --port 9200 /output/akash.plaso Alternatively, you can use the Timesketch importer: timesketch_importer -u [username] -p [password] --host http://127.0.0.1 --index_name HOSTNAME --sketch_name EXAMPLE --timeline_name HOSTNAME /output/akash.plaso 4.1 Exporting to CSV for Timeline Explorer You can also parse the akash.plaso file and create a CSV output for analysis with Timeline Explorer: PowerShell docker run -v D:/Plaso:/output log2timeline/plaso psort.py --output-time-zone utc -o l2tcsv -w /output/timeline.csv /output/akash.plaso Explanation : docker run: Starts a Docker container. -v D:/Plaso:/output: Mounts the D:/Plaso directory to /output inside the container. log2timeline/plaso: Specifies the Docker image. log2timeline.py: Command to run inside the container. --output-time-zone for TimeZone to include. -l2tcsv format for analysis -w /output/timeline.csv: storing the output in writeable format /output/akash.plaso: output which will be converted into csv. Additional Notes For detailed information on commands such as using a time range for analysis, parsers, and filters, refer to my previous blog. You can adjust the commands for running Plaso on Docker as needed. https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools By following these steps, you can efficiently run Plaso on Windows and perform comprehensive forensic analysis. Happy analyzing! Akash Patel

The darknet is a hidden part of the internet where anonymity is paramount. It's a favorite spot for ransomware operators and other cybercriminals to communicate and share data. Downloading Large Data Leaks Over Tor Downloading large data leaks over Tor can be challenging due to its slow speeds and the size of the files. However, there's a detailed guide that can assist you in this process. https://0ut3r.space//2022/09/30/big-files-from-tor/ Communication Channels Used by Ransomware Groups Tox : Tox is an encrypted instant messaging system that uses Tor circuits to anonymize communications. Ransomware groups like LockBit 3.0 prefer Tox for its real-time, anonymous chat capabilities. https://tox.chat/ Telegram and RocketChat : These messaging platforms are popular among ransomware operators for their encryption and ease of use. They provide a way for threat actors to communicate and coordinate their activities without revealing their identities. Darknet Forums : Darknet forums are critical hubs for ransomware communications. Some of the most popular forums include: XSS.is Exploit.in RAMP Hack Forums BreachForums CryptBB These forums are where cybercriminals share information, tools, and services. While anyone can create an anonymous account on most of these forums, it’s crucial to exercise strict operational security (OpSec) practices to avoid detection and tracking. Operational Security (OpSec) Tips When accessing darknet forums or communicating with threat actors, always adhere to OpSec principles: Use a VPN and Tor : Ensure all your online activities are anonymized through a combination of VPN and Tor. This adds layers of encryption and anonymity. Avoid Personal Information : Never use your real name, email, or any identifiable information. Be Cautious in Conversations : Be mindful of what you discuss. Criminals on these forums are often adept at analyzing behavior and communication patterns. Anonymize Your Typing Style : Even the way you type and the words you use can be traced back to you. Be consistent and avoid using distinctive language or emojis. Latest Developments in Ransomware Communications In 2024, the ransomware landscape continues to evolve. Here are some of the latest trends: Increased Use of AI : Some ransomware groups are leveraging AI to automate parts of their operations, from initial infiltration to data exfiltration. Sophisticated Phishing Campaigns : Ransomware groups are using more advanced phishing techniques to gain access to networks. These include deepfake voice phishing (vishing) and highly personalized spear-phishing emails. Ransomware-as-a-Service (RaaS) : The RaaS model is growing, with more groups offering ransomware kits to affiliates. This model allows less technically skilled criminals to launch sophisticated attacks. Double and Triple Extortion : Beyond just encrypting data, attackers now also steal and threaten to release it (double extortion). Some go further by adding DDoS attacks to the mix (triple extortion), creating multiple layers of pressure on victims. Collaboration Between Groups : There’s an increasing trend of collaboration between different ransomware groups. They share resources, intelligence, and even jointly execute attacks to maximize impact. Conclusion Navigating the darknet and understanding the communication methods of ransomware operators is crucial for cybersecurity professionals. By staying informed about the latest trends and practicing strong OpSec, you can better protect yourself and your organization from these evolving threats. Akash Patel

Ransomware attacks are a major threat today, constantly evolving to keep victims under pressure. Types of Ransomware Extortion Data Encryption : The most common form of ransomware attack involves encrypting the victim's data . This means the data and services are inaccessible until a ransom is paid. Data Extortion : Made popular by the MAZE Team, this method involves stealing (exfiltrating) data from the victim . The attackers then threaten to release this data publicly if the ransom isn't paid. This led to the creation of Data Leak Sites (DLSs) where stolen data is published. Multi-Extortion : This advanced method combines several forms of pressure. Attackers may contact the victim's suppliers, partners, regulatory bodies, or VIPs. They might also launch Distributed Denial of Service (DDoS) attacks, making it even harder for the victim to recover. Double Extortion : This is a combination of data encryption and data extortion . Attackers not only lock the victim's data but also steal it, threatening to release it if the ransom isn't paid. The MAZE Team popularized this method in 2019. Data Leak Sites (DLSs) DLSs, also known as "shaming sites," are used by ransomware groups to advertise their breaches. These sites list the stolen data and threaten to release it publicly. Organizations fear these sites because they can lead to significant business and reputational damage. The Ransom Watch site provides a group index, recent DLS posts, group profiles, and statistic/graph pages: https://ransomwatch.telemetry.ltd/#/README 2. The Ransom Look site provides a group index, forum and market links, a listing of data leaks, telegram messages, and statistic/graph pages. The team also maintains a GitHub repo that you can review: https://www.ransomlook.io/ https://github.com/RansomLook/RansomLook 3. The Ransom.Wiki site focuses more on allowing users to search for recent victims and/or ransomware groups by name: https://ransom.wiki/ 4. Dark Feed provide s several resources for identifying ransomware DLS and blog information: https://darkfeed.io/ransomwiki/ https://darkfeed.io/ransomgroups/ 5. Fastfire’s deepdarkCTI GitHub repo provides and maintains a list of ransomware group sites called “ransomware_gang.md”: https://github.com/fastfire/deepdarkCTI/blob/main/ransomware_gang.md 6. The “Ransomware Group Sites” Wiki is a .onion site and must be accessed via Tor. This site provides links to various data leak and victim portal sites: http://ransomwr3tsydeii4q43vazm7wofla5ujdajquitomtd47cxjtfgwyyd[.]onion/ Conclusion Always stay updated with the latest developments in ransomware tactics to safeguard your data and services. Akash Patel

Ransomware is a constantly changing threat. It's like a game of whack-a-mole for researchers: as soon as you think you've understood one group, they rebrand or change tactics. Ransomware Groups: Names and Tactics Ransomware groups often change their names and tactics. It's like how fashion trends change, but much more dangerous. For example, a group might start as "Group A," then change to "Group B" after a few months. This makes it hard for researchers to keep track. Each group has its own tactics, techniques, and procedures (TTPs). These are like the group's signature moves. Over time, these TTPs can change, making it even harder to track them. Tracking Ransomware Groups Researchers use various methods to track these groups. One helpful resource is the "Ransomware Playbook," a Google Sheet maintained by Seongsu Park. This sheet lists the TTPs of different groups. You can check it out here . However, it’s not always straightforward. Affiliates (the people who help spread the ransomware) don't stick to one group. They might use the same TTPs for different groups, adding to the confusion. Group Evolution Over Time (2024 Update) Original Group Evolution 1 Evolution 2 Evolution 3 Evolution 4 Cerber GandCrab REvil (Sodinokibi) - - BitPaymer Doppel Paymer Grief - - Wasted Locker Hades Phoenix Macaw - MAZE Sekhmet Egregor - - DarkSide BlackMatter BlackCat/ALPHV - - Defray777 RansomEXX - - - Mount Locker Astro Locker Xing Locker - - Vasa Locker Babuk Payload.bin Groove - SynACK El_Cometa - - - Prometheus Spook - - - Nemty Nefilim Karma - - Hermes Ryuk Conti BlackBasta, Karakurt, & others - Quantum DAGON Locker - - - Chaos Yashma ONYX SolidBit - MedusaLocker Medevil - - - SunCrypt MoonCrypt - - - FiveHands EvilCorp - - - Key Changes in 2024: Phoenix  evolved into Macaw . BlackCat/ALPHV  emerged from BlackMatter . ONYX  evolved into SolidBit . Groove  emerged from Payload.bin . BlackBasta, Karakurt  continued evolving from Conti . New Ransomware Groups in 2024: Raspberry Robin : New ransomware variant targeting industrial control systems. HydraCrypt : Known for its sophisticated encryption methods and targeting financial institutions. NightSky : Focuses on healthcare and has caused significant disruptions in hospitals. PolarBear : Targeting cloud infrastructure with advanced evasion techniques. SilverStorm : Primarily targets government entities and critical infrastructure. Top Five Industries Hit in 2024: Healthcare Financial Services Manufacturing Education Government Top Five Active Ransomware Groups in 2024: BlackCat/ALPHV : Continues to evolve with new tactics and significant impact. BlackBasta : Increased activity targeting a variety of sectors. Conti : Despite setbacks, remains active with new offshoots like Karakurt. Raspberry Robin : New but highly disruptive, especially in industrial sectors. SilverStorm : Notable for targeting critical infrastructure with advanced methods. Few more known ransomware groups as per 2024: Akash Patel

Introduction Welcome back to our series on Ransomware-as-a-Service (RaaS)! In this post, we will explore RaaS dashboards and the role of darknet marketplaces in facilitating ransomware attacks. Understanding these components will give you a deeper insight into how ransomware operations are managed and executed. Let’s dive in! RaaS Dashboards: A Command Center for Cybercriminals RaaS dashboards provide affiliates with an overview of their ransomware activities. These dashboards are packed with features that help affiliates monitor and manage their attacks effectively. Here’s what you can typically find on a RaaS dashboard: Key Features of RaaS Dashboards Deployment Effectiveness:  Affiliates can track how well their ransomware is spreading. Statistical Analysis:  Dashboards display statistics by country, operating system, and more. Communication Tools:  Some dashboards allow direct communication with victims for negotiation purposes and many more.. Darknet Marketplaces: Buying and Selling Access Initial Access Brokers (IABs) and other cybercriminals use darknet marketplaces to trade access to victim networks and stolen data. Let’s take a closer look at how these transactions work. Key Marketplaces Odin:  Focuses on selling remote access to victim networks. Marketo:  Specializes in selling and auctioning stolen data. These marketplaces have evolved to be more anonymous. Initially, they provided detailed information about the victim organizations, but researchers began scraping this data and notifying potential victims. Now, the details are more generic, often including only the top-level domain, hosting provider, operating country, and access type. Buying and Selling Access Marketplaces are filled with forum posts where actors buy and sell access. For example: Sellers:  Offer access to various organizations, including corporations, institutions, and even governments. Access types include RDP, VNC, cPanel, SSH, and more. Buyers:  Seek access to organizations, primarily in the US, EU, and UK. Some buyers avoid targeting hospitals, governments, and educational institutions. To avoid scams, many forums offer escrow services, ensuring that payments are held until both parties fulfill their part of the deal. Some forums even have dispute resolution systems similar to courts to handle disagreements between users. Zero-Day Exploits and Social Engineering The threats posed by RaaS operations extend beyond selling access and ransomware. Let’s look at some concerning trends. Zero-Day Exploits IABs sometimes offer zero-day exploits, which are vulnerabilities that have not been disclosed or patched. These exploits can provide remote code execution capabilities, making them highly valuable to ransomware groups. Social Engineering Cybercriminals also use social engineering tactics to trick employees into installing ransomware within their company's network. For example, an email might offer a share of the ransom payment in exchange for helping to deploy the ransomware. LockBit, a notorious ransomware group, has been known to use this method. Proofpoint's 2022 Social Engineering report highlights such tactics, demonstrating the ongoing threat of social engineering in ransomware attacks. Conclusion Understanding the intricacies of RaaS dashboards and darknet marketplaces is crucial in grasping the full scope of ransomware operations. In our next post, we’ll continue to explore the complex world of RaaS, focusing on how these operations impact organizations and what steps can be taken to mitigate these threats. Stay informed, stay vigilant, and stay safe. Akash Patel