From Red to Black and Beyond – Evolution of a ransomware strain
A new ransomware family called EpsilonRed made its debut just before last summer. It relied on a set of different PowerShell scripts for distribution, which, at the time, was becoming a more common way for ransomware affiliates to deploy ransomware into corporate environments. Apart from being written in the Go programming language, EpsilonRed showcased some unique attributes and seemed to disappear just as quickly as it came; no one reportedly saw it after the first confirmed attack.
In this talk we will present how different ransomware families – such as EpsilonRed, BlackCocaine, and more – share the very same roots on the binary level, we’ll discuss which current obfuscation technics they utilize, and show how they’ve started to develop a method of combining C and Golang together to make analysis even more challenging. New ransomware strains appearing on the scene, doing their fair share of infection rounds, then quickly fading away was nothing new last year. The renewed interest shown by law enforcement agencies and some fruitful efforts resulting in raids, often made affiliates and creators of ransomware reconsider their actions. Officially, they seized operations, except often they really did not.
In this presentation, we will demonstrate how certain ransomware families are almost a one-to-one copy or a ‘rebrand’ of another existing family, their recent evolution involving obfuscation and anti-analysis technics, and some recent development approach that involves the combination of Golang and C.
Robert Neumann
Robert Neumann is the head of the Cyber Protection Operations Center at Acronis. Besides managing teams to counterbalance the fight against cybercriminals, he is focusing on various short and long-term research projects, ranging from small scale malicious campaigns through niche malware and file formats to in-depth investigations and threat actor attribution.
Robert is a long-time security researcher, working in IT – and especially in IT security – for most of his career. His previous experiences at companies such as Virusbuster, Sophos and Forcepoint enabled him to understand and respond to cybersecurity challenges on different levels.
Albert Zsigovits
Albert joins Acronis from a traditional, security blue-team background, kickstarting his cyber-career analyzing security events as a SOC IDS/SIEM Analyst, and later investigating cybercrime activity and data breaches as a Senior Incident Responder in a Fortune 50 company’s internal CERT.
Following this, he joined a respected anti-virus company to set his foot in malware analysis and reverse engineering.
His specialties include cyber threat hunting, memory forensics, and signature development.
He enjoys the challenge of connecting the dots between cybercrime and criminal rings leveraging threat intelligence and open-source intelligence techniques.
He is very keen on publishing malware analysis reports and takes pleasure in publishing educative content on malware.
Albert is also a former conference speaker at BSidesVienna, DisobeyFi, Hacktivity, SEC-T, and VirusBulletin.