Ransomware Characteristics, Attack Chains and Mitigations

I have done a lot of research on ransomware. What you need to know, BLUF, is that targeted attacks have greatly increased this year, and the bad guys are not just locking up your systems, they are taking your data before they go. Then they share their ill-gotten goodies on “name and shame” sites to make sure you pay. Because these days it is extortion that gets the ransom paid.

There are at least a dozen operators making money this way, with Maze and their newly formed cartel at the top of the list. Sodinokibi and RagnarLocker have been recently active too.

You want to understand how the attack chain works because ransomware is getting delivered in multi-stage attacks, with initial infections coming via phishing or via exploitation of exposed Remote Desktop Protocol (RDP). You want to be monitoring for TrickBot and Emotet especially. As for mitigations, have multiple backups and ideally one off the network. Test them. Keep them clean. The attackers are looking for and deleting any online backups or shadow volumes they find.

Here’s the thing: once the ransomware is launched, it’s pretty much game over. You need to be hunting for these guys in your network while they are doing recon and mapping your systems, looking for what is valuable and what to shut down. Catch them when they are going low and slow, hijacking legitimate Windows processes and tools to do their work and evade detection.
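As an added illustration of hunting for the backup and shadow-volume deletion described above, here is a small Python detector run over constructed process-creation records (example code written for this post, not from the original or from Tripwire). The `ts|host|user|parent|cmdline` record format, the host and user names and the sample events are assumptions; in practice the fields would come from Sysmon Event ID 1 or Windows Security event 4688.

```python
import re
from collections import namedtuple

# Command lines used to destroy recovery data ahead of encryption
# (MITRE ATT&CK T1490, Inhibit System Recovery). Matching is case-insensitive.
RECOVERY_TAMPER_PATTERNS = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

Finding = namedtuple("Finding", "host user parent rule cmdline")

def parse_event(line):
    """Parse one 'ts|host|user|parent_image|command_line' record (constructed format)."""
    parts = [p.strip() for p in line.split("|", 4)]   # maxsplit keeps pipes inside cmdline
    if len(parts) != 5:
        return None                                    # malformed record: skip, don't crash
    ts, host, user, parent, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}

def detect_recovery_tampering(lines):
    """Return one Finding per record whose command line matches a tamper rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pat in RECOVERY_TAMPER_PATTERNS.items():
            if pat.search(ev["cmdline"]):
                findings.append(Finding(ev["host"], ev["user"], ev["parent"], rule, ev["cmdline"]))
                break                                  # one finding per event is enough for triage
    return findings

# Constructed sample records: two benign, four that should be flagged, one malformed.
SAMPLE_EVENTS = [
    "2020-07-08T02:14:05Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\services.exe|vssadmin.exe list shadows",
    "2020-07-08T02:14:09Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2020-07-08T02:14:11Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wmic shadowcopy delete",
    "2020-07-08T02:14:12Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2020-07-08T02:14:15Z|DC01|CORP\\admin|C:\\Windows\\explorer.exe|powershell.exe Get-Date",
    "2020-07-08T02:14:20Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wbadmin delete catalog -quiet",
    "garbage line without delimiters",
]

if __name__ == "__main__":
    for f in detect_recovery_tampering(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user} parent={f.parent} :: {f.cmdline}")
```

A burst of these from one host and one interactive parent such as cmd.exe or PowerShell, shortly before mass file writes, is the window the post is talking about: the recovery data is being removed, but the encryption has not yet started.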

That said, I’ll share this piece by my friends at Tripwire so you can get a more detailed sense of the current ransomware landscape:

Ransomware is a type of malware that prevents users from accessing their system or personal files and demands a “ransom payment” in order to regain access.
— Read on www.tripwire.com/state-of-security/featured/ransomware-characteristics-attack-chains-recent-campaigns/

Got Citrix? Get it patched now

If you work for a major corporation chances are you use Citrix, especially for remote access.

So when these kinds of systems get major vulnerabilities, the attackers are waiting in the wings to pounce on and exploit them.

Yesterday multiple vulns were disclosed affecting the Citrix Application Delivery Controller (ADC), often known as NetScaler ADC, and Citrix Gateway. These could allow code injection by an unauthorized remote attacker, denial of service and unauthorized information access. Nope, not a good day at the office when that happens.

Here’s a link for more details, but the twitters are all abuzz. And I’d be a little concerned, since Citrix had similar ugly bugs earlier this year. Do not be waiting for patch cycles – fix this sh*t now.

Check Threatpost for more details.

Covid Bytes Diary

A bevy of lawn signs blooms in tribute to the class of 2020
Finding ways to wish them good-bye and good luck, to send them on their way

I am proud of my graduate. Grateful to the teachers who guided their students through unprecedented times. The celebrations may be small but the accomplishment is mighty. Covid does not get to take that too.

Covid Bytes Diary

Wear a mask damnit!

It’s some day, in a week, in some month after RSA. Without snow. 2020 has been brutal and relentless and it cannot end soon enough. Grateful as I am to live in a land with healthcare, government support and a closed border, the people I love and miss are on the other side of that border which massively sucks.

This year DEF CON actually has been cancelled. It’s not funny when it’s for real. For many of us the annual pilgrimage to Vegas is like a massive family reunion. These have been long, hard and lonely months, even for a community of introverts.

Please follow the recommendations: stay 6 feet apart, wash your hands often, avoid big gatherings and wear a mask. We have all lost too much to go through this again.

#SharetheMicinCyber Day

I am going to share my space here with a host of wonderful and inspiring voices. This has needed to happen for a long time and I am so excited to see it in action and be able to support however I can.

Hell yes! For any talk I get to give I would hand that mic over with warmth and encouragement to a Person of Colour so that we all would get the benefit of truly diversifying this community, and broadening our thinking. This is how we grow together.

Systemic Racism Is a Cybersecurity Threat | Council on Foreign Relations

Understanding how systemic racism influences cybersecurity is integral to protecting the American people, deterring U.S. adversaries, and defending American businesses as the United States seeks to return to its position of international leadership.
— Read on www.cfr.org/blog/systemic-racism-cybersecurity-threat

Because there is more we can do. And we need to do more.

George Floyd was murdered. There were 4 cops involved. Arrest them all.

Systemic racism and police brutality must be called out and stopped. It is everyone’s problem because it is everywhere.

I am anti-fascist.

Peaceful protests are freedom of speech. They are not the problem. Bigoted officials who defend and empower tyranny and abuse are the problem.

America is literally burning as Trump puts cities under military control, turning soldiers on civilians while citing “law and order”.

8 minutes and 46 seconds. Press pause.

I mourn the lives lost, the families broken. I fear for the safety and well-being of my friends. I weep for a nation neglected and betrayed by those who were entrusted to govern with wisdom and compassion.

Stay safe. Wishing you peace.

Tactical Edge Virtual Event 02/15/2020

I had a great time as a presenter on the Tactical Edge virtual event, sharing scary stories about IoT risks and attacks. This was a terrific and relaxed format, with Ed Rojas using his expert podcasting and interpersonal skills to engage each of the speakers in conversations on a range of topics. The virtual format made this affordable and accessible for the attendees, as it was free and there was no travel involved. Perfect for students and those with no travel budget, and the learning opportunity – wow!

Presentations included:

Wolfgang Goerlich on Zero Trust

Cheryl Biswas (me) on attacking enterprise networks via IoT

Timothy de Block on Agile security teams

John Svazic on gamifying tabletop exercises

Adrian Sanabria on dwell time by attackers in networks

Andrea Little Limbago on the global factors driving data protection

Join me next for the Diana Initiative Leap Day event on Saturday, Feb 29 at 11:00 EST.

ShmooCon 2020

I just got back from another great year at ShmooCon. While technically it is an information security conference, it’s a hacker con in the best sense of the term, a gathering of our friends and hacker family. We live, laugh, learn and love. We spend a lot of time working remote or facing screens, so it’s these special moments when we get actual face time that we can connect, talk long and late into the night, and come away feeling recharged.

Hackers are the most generous and caring people I know. There was a terrific event to support Mental Health Hackers early Saturday night with a big turnout and outpouring of generosity by those attending. It was great to meet some new people there and hug some dear friends. Thank you to Ray Redacted for organizing it, to Amanda Berlin for making this organization to create awareness and support, and to some very generous donors.

Hackers bond well over food and libations, and there were some great meet and eats. Things wrapped up with a grand Sunday brunch and a tableful of great conversations with Chris Kubecka, Helen Negre, Jim Troutman, “SniperBarbie” among others.

Shmoo is a rare time when I am an attendee only, so I indulge my love of learning and take in all the talks I want to see because some of the most cutting-edge and challenging talks are presented here. It’s a feast for my mind and I never leave hungry.

Some talks on my list:

A Firetalk by Jim Troutman on DNS and all we don’t really know. This talk won first prize this year out of all six excellent firetalks. There was so much useful info about where we are exposed and many helpful mitigations for more secure setups.

“Hack the Stars”. All about satellites, their vulnerabilities, juicy targets, so much data in the clear. Space debris and stuff that keeps me up at night. Scary good!

SBOM. A talk on why we need a software bill of materials legislated and enforced in healthcare, by Josh Corman and Audie. Because time is a matter of life and death in healthcare. Supply chain, upstream dependencies, lack of visibility. The impact of an exploit doesn’t stop at one hop.