The days before R-Day: ransomware toolsets

Gabor Szappanos (Sophos) & Vikas Singh (Sophos)
Live only
17:45 - 18:15 UTC, Wednesday 30 September 2020 (Day 1)
Ransomware attacks are well documented from the point of the execution of the payload, including details of how organizations are damaged by the hit and the various options for recovery.

We know much less about what happens in the days before an organization is alerted by the appearance of ransom notes.

Contemporary ransomware attacks are not simple hit-and-run campaigns triggered by phishing emails. The attackers gain a foothold within the organization, they spend days, if not weeks, disabling protection software, then gathering information and performing lateral movement in order to establish access to as many systems as possible. When they are ready to deploy the ransomware with a quick and devastating blow, the preparations have already been made to disable large parts of the organization, making a stronger case for the organization to pay the ransom.

Our research is based on information collected from actual attacks. We have uncovered the toolset and techniques prolific ransomware groups use in the preparation phase of their attacks. This presentation will provide very detailed coverage of the toolsets used by different ransomware groups, and the typical infection procedures we have observed in the field. We hope this knowledge helps organizations recognize and stop the attacks before the damage is done.

Key points:

Case study 1: Netwalker
  • Initial access to the organization (Tomcat, WebLogic exploitation)
  • Privilege escalation
  • Disabling security software (legacy tools)
  • Tools and methods of information gathering (Mimikatz, NLBrute, WinPwn)
  • Mapping the network (Network Scanner)
  • Lateral movement
  • Ransomware deployment

Case study 2: Dharma (Threat actor A and B)
  • Initial access to the organization (RDP)
  • Privilege escalation
  • Disabling security software (Gmer, Process Hacker)
  • Tools and methods of information gathering (Mimikatz, NLBrute)
  • Mapping the network (Advanced IP Scanner)
  • Lateral movement
  • Ransomware deployment
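As an added example (not from the talk, and not Sophos code), a small Python correlation over constructed Windows event records that flags the first two phases of the Dharma outline above as a defender would see them: a burst of failed RDP logons (4625, logon type 10) from one address followed by a successful RDP logon, then a protection service entering the stopped state (7036) on the same host shortly afterwards. The event field names, timestamps, addresses and the service name are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not telemetry from the talk): Security-log logon
# events (4624 success / 4625 failure, logon type 10 = RDP) and a System-log
# service-control event (7036), reduced to the fields the checks need.
EVENTS = [
    {"ts": "2020-09-30T01:00:00", "id": 4625, "host": "FS01", "src": "198.51.100.7", "logon_type": 10, "user": "admin"},
    {"ts": "2020-09-30T01:00:03", "id": 4625, "host": "FS01", "src": "198.51.100.7", "logon_type": 10, "user": "administrator"},
    {"ts": "2020-09-30T01:00:05", "id": 4625, "host": "FS01", "src": "198.51.100.7", "logon_type": 10, "user": "backup"},
    {"ts": "2020-09-30T01:00:08", "id": 4625, "host": "FS01", "src": "198.51.100.7", "logon_type": 10, "user": "itadmin"},
    {"ts": "2020-09-30T01:00:11", "id": 4624, "host": "FS01", "src": "198.51.100.7", "logon_type": 10, "user": "itadmin"},
    {"ts": "2020-09-30T01:22:40", "id": 7036, "host": "FS01", "service": "EndpointProtection", "state": "stopped"},
    {"ts": "2020-09-30T02:10:00", "id": 4625, "host": "WS22", "src": "10.0.0.44", "logon_type": 10, "user": "jsmith"},
    {"ts": "2020-09-30T02:10:30", "id": 4624, "host": "WS22", "src": "10.0.0.44", "logon_type": 10, "user": "jsmith"},
]
SECURITY_SERVICES = {"EndpointProtection"}  # assumed service name, not a real product's


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def rdp_bruteforce_then_success(events, threshold=4, window=timedelta(minutes=10)):
    """(host, src, user, ts) for each successful RDP logon preceded within `window`
    by >= `threshold` failed RDP logons from the same source: a brute-forced account.
    A single mistyped password before a good logon (host WS22) does not trip it."""
    hits = []
    for ev in events:
        if ev["id"] != 4624 or ev.get("logon_type") != 10:
            continue
        fails = [f for f in events
                 if f["id"] == 4625 and f.get("logon_type") == 10
                 and f["host"] == ev["host"] and f["src"] == ev["src"]
                 and _t(ev) - window <= _t(f) <= _t(ev)]
        if len(fails) >= threshold:
            hits.append((ev["host"], ev["src"], ev["user"], ev["ts"]))
    return hits


def protection_stopped_after_logon(events, hits, window=timedelta(hours=2)):
    """Escalate a brute-force hit when a security service on the same host enters
    the stopped state (7036) within `window` after the suspicious logon."""
    alerts = []
    for host, src, user, ts in hits:
        t0 = datetime.fromisoformat(ts)
        for ev in events:
            if (ev["id"] == 7036 and ev["host"] == host and ev.get("state") == "stopped"
                    and ev.get("service") in SECURITY_SERVICES and t0 <= _t(ev) <= t0 + window):
                alerts.append((host, user, ev["service"]))
    return alerts
```

The second check is the one worth paging on: a successful logon after a failure burst is noisy on its own, but the same host losing its protection service minutes later is the preparation phase the talk describes.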
Gabor Szappanos (Sophos)
Gabor graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was in the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants. He started anti-virus work in 1995, and began developing freeware anti-virus solutions in his spare time. Gabor joined VirusBuster in 2001, where he was responsible for macro virus and script malware, and became Head of the virus lab in 2002. In 2008 he became a member of the Board of Directors of AMTSO (Anti-Malware Testing Standards Organization) and, in 2012, joined Sophos as a principal malware researcher.

Vikas Singh (Sophos)
Vikas Singh is currently working as a senior malware escalations specialist at Sophos. He has more than eight years of experience in multiple areas of information security. His prime focus has been investigating critical malware incidents and identifying novel and advanced adversarial tools, tactics and procedures in close co-operation with experts at SophosLabs.