Talk F-1: From Infection to Encryption: A Deep Dive into Threat Actors Malicious Code

Wednesday 28.02.2024 | 13:30 - 14:15
Presentation
Auditorio: Sala Multiusos
Av. la Constitución 1, 38003 Santa Cruz de Tenerife, Canarias, Spain

Accessible: Yes

In most attacks there is some custom code; we need to understand exactly what it does, what persistence it creates, how it encrypts files, how it calls home, and all the things the threat actor doesn't want to reveal.
In this talk Alexander and Nicklas will walk you through some of the most recent malware used in ransomware attacks we have investigated, starting the presentation with a live demo of tooling used to disable protection and then running ransomware from a real case. The presentation will follow the Kill Chain from how the threat actors get in, with some unique insights into the DarkGate loader, to the methods threat actors use to stay undetected and disable your EDR and AV by utilizing Bring Your Own Vulnerable Driver (BYOVD), and will finish off with a deep insight into the Crytox ransomware and how files can be restored even after they have been encrypted.

Speakers
Nicklas Keijser
Threat Research Analyst at Truesec
Sweden
Alexander Andersson
Principal Forensic Consultant at Truesec
Sweden