Research Saturday 9.5.20
Ep 150 | 9.5.20

Going after the most valuable data.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dan Schiappa: Part of the reason we're seeing really kind of aggressive attacks and very sophisticated attacks is a variety of things. One is the attackers themselves are just getting more sophisticated. They're using state-actor-like techniques to get into an environment, to kind of be stealthy, do some recon, find out where the important assets are, and then go after specifically those assets.

Dave Bittner: We're joined by two guests this week. Dan Schiappa is Executive VP and Chief Product Officer at Sophos. Chet Wisniewski is Principal Research Scientist at Sophos. We're discussing a series of articles they've published covering ransomware.

Dave Bittner: And now a word from our sponsor, ExtraHop – securing modern business with cloud native network detection and response. The massive shift to remote work has turned the reality of work on its head with cloud and multi-cloud adoption. Comprehensive visibility is more important than ever. But in order to protect your business, you need more than unified visibility. You need intelligence response workflows so teams can collaborate easily and act quickly.

Dave Bittner: Thanks to our sponsor Reservoir Labs. Reservoir Labs knows that cybersecurity teams need full network visibility to discover new threats, tactics, and behaviors. This is true today more than ever. Reservoir provides solutions based on rock-solid, enterprise-class, high-speed network sensing and spectral hypergraph analytics, using advanced algorithms and mathematics to give experts an advantage. Built for critical commercial and government networks. Learn more at That's And we thank Reservoir Labs for sponsoring Research Saturday.

Dan Schiappa: Kind of run-of-the-mill ransomware is really out for breadth of destruction, where the more modern attackers are really just going after the most valuable data.

Dave Bittner: That's Dan Schiappa.

Dan Schiappa: And one of the things that's helping them, frankly, is the fact that with the COVID pandemic, you know, people jettisoned to work from home, and IT organizations have frantically tried to build environments where they can still get work done. And it wasn't planned. It wasn't, you know, something that they had time to do properly, and there's chinks in the armor. There's gaps in the IT ecosystem, and bad guys find ways to take advantage of chaos. And so, in addition to their kind of newfound skills and state-sponsor-like capabilities, they're taking advantage of a different IT ecosystem than we probably had, you know, six, seven months ago.

Dave Bittner: Yeah, and one of the things you point out, Chester, here in one of your articles, is that we're coming up on an anniversary, what you describe as probably the birth of modern ransomware, which happened back in September of 2013.

Chet Wisniewski: Oh, that's exactly it. And it's rare to see a run this long, right? We're coming up on seven years where this has sort of been the dominant news story in cybersecurity.

Dave Bittner: That's Chet Wisniewski.

Chet Wisniewski: And I don't know that we've seen one thing kind of dominate everything for so long. And I guess it kind of dovetails with the original question and Dan's answer as well, which is, you know, they've kind of refined this process and eliminated any simple way of us getting rid of it, right? When everything was about Web exploitation, if we could just find a way of getting rid of Flash and Java, we could plug this hole. And we did, right? Like, we took a long time and we had to work together really hard, but we got rid of Flash and Java. And, you know, this case, they're not just using nation-state-level tactics to get in, which is very hard to defend against – there's no silver bullet in this case. In addition to that, they've stopped just being technical. And while some of our papers focused on WastedLocker, which is one of the more sophisticated technical groups, there's a major social component to this as well. And I think most defenders think about these as technical problems and maybe don't spend enough time understanding the social side of how initial entry is being gained and that kind of stuff, and, you know, having a comprehensive plan, both technical and social, on how they're going to combat this.

Dave Bittner: Now, is it correct, in my perception, that the ransomware folks have really upped their game when it comes to who they're targeting, the amount of money they try to make, or I suppose Bitcoin that they're trying to make off of individual organizations that they go after?

Chet Wisniewski: Yeah, I think it's pretty clear that there's been a bit of a stratification that's gone on in the last twenty-four to thirty-six months, right? It's no longer a thousand random ransomware crews. The ones we're hearing about day in, day out – the Mazes and Ryuks and WastedLockers and NetWalkers – these brand names that we now hear about so regularly with these multimillion-dollar ransoms is a very small number of people that have an incredible amount of success against very high-value targets. There's still a ton of other stuff – I mean, if you go on the BleepingComputer forums, you'll see all kinds of people's desktops being hit with the STOP ransomware, which most people have never heard of. It's mostly because we stop talking about the three-hundred-dollar ransomware, right? We're all kind of attracted to the shiny object of these ten-million-dollar victims. But the most skilled ones, without question, have approached nation-state-level skills, whereas the other guys are still out there, they're just not making as much of a splash. 

Dave Bittner: Hmm.

Dan Schiappa: Yeah, I think, as well, what's interesting is even with the more advanced techniques – the state-sponsor-like techniques – they're still pretty proficient in how many attacks they could leverage. So, it's not like they do one every six months. It's still at a pretty decent pace, and the return is much higher. But, yeah, as Chet says, there's still the – kind of the everyday kind of run-of-the-mill ransomware out there that's being propagated by ransomware-as-a-service and other aspects. But we're certainly seeing bigger targets being – falling prey to these advanced techniques.

Dave Bittner: Now, you all did some specific research into WastedLocker looking at some of the things that it is up to. Can we go through that together? First of all, can you give us a little bit of the background, the history of what you know about where WastedLocker came from?

Chet Wisniewski: Well, WastedLocker's a reasonably new group. I think we mostly started hearing about them mid-pandemic, if you will – you know, April-May kind of time frame. So it's not one that we necessarily have been following back, although there's a relationship that appears in the code. So there's some speculation that this may be sort of version 2.0 or version 3.0 of Dridex and some other scams we have been tracking in previous years. But the name "WastedLocker" is quite recent – it's only been a few months. And what stood out to us is the incredibly advanced evasion techniques that this group has specifically adopted. We've seen an evolution since around the end of 2019, where different groups have been experimenting with new ways of bypassing anti-ransomware technologies, because I think anti-ransomware tools have gotten pretty good at blocking basic ransomware. So, you know, we saw some groups playing with safe mode, rebooting into safe mode to bypass some security tools. We've seen abuse of legitimately signed Windows drivers by another group to try to sneak past some protections in Windows. And WastedLocker seems to be kind of going down that technical path of finding new innovative ways of turning systems against themselves, or using the built-in Windows functions to get around anti-ransomware technologies. Whereas some of the other groups like Maze have gone the social direction and are going into the "we're going to publish your data and extort you into paying." So there seems to be, you know, different groups kind of testing the waters of different approaches to increase their success rate.

Dave Bittner: Well, let's go through some of the specifics here that you've discovered with WastedLocker. I mean, what are some of the techniques that it uses?

Chet Wisniewski: Well, the most sophisticated one that we surfaced in our research was related to abusing the way Windows handles caching of files. A lot of anti-ransomware technology, one of the ways you check whether something might be ransomware is you monitor files being opened on the file system, and if the file gets opened and then it gets closed and the entropy increases dramatically, then it was probably encrypted, because that's exactly what encryption is designed to do – make something entirely random. And of course, legitimate files, before they're encrypted, have structure. They don't have randomness. So if you're using that sort of a test, you would block most ransomware. And so what these guys are doing is tricking Windows into caching the files into memory, and then they're encrypting those files while they're in-memory, and getting Windows to write them back to the disk encrypted. And of course, nobody's monitoring Windows for that encryption activity – they're monitoring other processes. So it's a way of getting around that type of anti-ransomware monitoring. And it's incredibly clever and shows this level of deep understanding of Windows internals that very few people in the world have.

Dave Bittner: And what sort of insight does that give you? I mean, is that a point to the sophistication of the folks who are creating these things?

Chet Wisniewski: Absolutely. I mean, in my eyes, I've not seen that level of understanding of Windows and sort of abusing those kind of internal uses outside of nation-states. We've certainly seen that type of activity in previous attacks like Stuxnet and Duqu and all kinds of different ones in the past that have been attributed to the United States or Israel or Russia or China. And then those techniques go on to be used by malware authors, you know, regular typical criminal malware authors, after they can kind of steal them or take that idea from somebody who invested millions in developing it. This is kind of the first time we've seen this type of innovation occur in the criminal atmosphere all on its own, right? It wasn't cribbed from another government operation – like, these guys came up with it. And that's certainly atypical.

Dan Schiappa: Yeah, the knowledge of the Windows inner workings is really something beyond just about any kind of run-of-the-mill, even advanced developer. This is real kernel-level stuff, the types of things that legendary people like Mark Russinovich would be educating Microsoft employees on their own product – and of course, he is now one. But it's really that level of understanding that allows them to have these successful attacks.

Dave Bittner: Now, one of the things you point out in your research is the possible connection to BitPaymer, that there are some things in the code that led you in that direction. Can you share some of your findings there?

Chet Wisniewski: Yeah. I mean, these things are always guesses, right? I mean, malware code is not digitally signed by its authors, you know, so it's not always that easy to attribute. And it's one of the reasons we don't try to, say, attribute, you know, which nation-state may be behind it, et cetera. There's a million different ways you can have false flags. But there's certain characteristics to how the ransomware code itself works, its internals, sort of the methodology with how files are opened and closed, and the methods of invoking the encryption, and that kind of thing that bear a remarkable similarity to BitPaymer and it seems beyond coincidence. So it's either, you know, one of the BitPaymer authors perhaps was involved in going off into a side project. Or maybe it's, as I said earlier, like kind of a version 2.0. That code-level analysis is always a guess, but it looks a little too close to be a coincidence.

Dave Bittner: Hmm. Now, does the sophistication that you see in WastedLocker, does that run in parallel – does that track along with these folks targeting larger organizations? In other words, is that sophistication being spent, if you will, on the potential of bigger paybacks?

Chet Wisniewski: Yeah, the victims seem to be the very high-dollar victims that we've been hearing about in the press. You know, it's alleged that they were the ones behind the attack on Garmin, which allegedly had a ten-million-dollar ransom. So, you know, these guys are going in super stealth mode, which is what's required to penetrate an enterprise with a sophisticated security team, right? And some of the other, you know, ransomware-as-a-service Dan mentioned earlier, for example, like Dharma, you know, they may get ten- or fifteen-thousand-dollar ransoms, which is, you know, it's a bad day for anybody to get ransomed for any amount of money, especially ten or fifteen thousand dollars. But those crews don't have the stealth technology to be able to breach these big companies where the really high-dollar ransoms are. And that's what we assume that's going on here with WastedLocker, is going into that super stealth mode so that they can go after sort of the crème de la crème of victims that can pay those kind of ransoms.

Dan Schiappa: Yeah, and when they go after the high-value data, like in the Garmin case, for example, it takes an operation down. You know, the whole business was basically sidelined for a period of time. And so the urgency and the sense that the company really has to resort to paying an exorbitant ransom becomes very real. And that's kind of the whole modus operandi of their strategy – let's go after and cause the most damage, not by breadth, but by kind of laser-like precision that's going to impact the business.

Dave Bittner: Well, in the time that we have left together, I want to switch to one of the practical articles that you published here, and this is titled The Five Signs You're About to be Attacked. This I categorize as news you can use. Can we go through this together? I mean, what are some of the things that can be indicators that you may have a ransomware problem?

Chet Wisniewski: Well, if I had to summarize it, Dave, I mean, I look at this, and that we hear these negative outcomes in the news all the time, but we rarely hear the causes, because companies don't want to admit necessarily how they were breached. So, it's really difficult for us to learn from them. So what we did is we went to our rapid response team folks who help victims when they're mid-ransom, if you will, that are doing the analysis, like, where did this begin? And that way we have sort of an anonymous set to hopefully share some advice with people without, you know, making any victims feel bad.

Chet Wisniewski: And there's consistent things, these five points that Peter McKenzie, one of our researchers, put together, seemed to be something that they always start here, if you will. And more and more often, you know, we hear a lot of talk about living-off-the-land. And if I had to kind of summarize it, it's understanding how and when legitimate tools are being misused in your environment is always an early indicator. It's almost impossible to prevent the initial, initial thing, like, you know, the credentials being stolen in a phishing attack that allow them to start trying to log into systems. You can't prevent phishing entirely. So, what do you watch for to know that your initial prevention failed? And that's what these tips are really. These are those first tips you would have that something is wrong. 

Chet Wisniewski: And a lot of the time that's legitimate tools being used either somewhere you wouldn't expect them to be used or being used in a pattern or at a time when they shouldn't be used. And many organizations have, say, a change-control window. I know we do this at Sophos, where we expect certain maintenance to be done on the network and on our computers at certain times, on certain days, and the IT team manages that very carefully. That means we can monitor for all those legitimate tools that our technicians use. If they're being used at any time outside of those windows when it's expected, it's either a rogue staff member or we have a problem. Right? And similarly, you might see something like Nmap that you might – we might use in mapping our own network to see all of our assets and see if there's some undiscovered things laying around. That probably shouldn't be being run from a server in your DMZ. 

Dave Bittner: (Laughs)

Chet Wisniewski: And if you see it on a server in your DMZ, then, well, you, again, either have a very poorly trained IT staff member, or you've got a problem, right? So these are the kinds of things I think companies need to get in the habit of, because I don't think we're really good at that anomaly detection. But if you are, you can stop these guys.

Dave Bittner: Hmm.

Dan Schiappa: And that just shows a couple of key things. And the best defense against this is really a combination of both leveraging high-value technology like AI, but also coupling it with human intelligence. So the combination of those two allow us to have these indicators that something may be going bad by a human looking at it. Nothing has gone bad yet, so technology designed to protect you may not have triggered anything yet, but the human intelligence factor allows us to see these kind of steps building up into something that's highly suspicious, and then the ability to investigate that allows you to intercept these types of activities before they really set foot.

Chet Wisniewski: It's also important to remember you're not doomed from moment one when these guys break in. It takes them time to snoop around your network, identify those assets that are going to cripple your business, and then encrypt them. So if you can get these early indicators, you might have days, or even a week or more, to detect these indicators and still stop them before they can succeed with ransoming you. And that's the advantage of them being human-operated, is you have time. It's not an automated thing anymore. So, by watching carefully, it's not that instant doom that you would get if it was just a bot or a script.

Dave Bittner: You know, I think you both point to a really important aspect here, which is that human element. And it makes me wonder, you know, from your point of view, the experience that both of you have, how much of the defense against these sorts of things is people with experience, people with the wisdom of years under their belts, being able to just have that feeling like, hey, something's not right here?

Dan Schiappa: Like I said, I think it's a combination of both. You know, years of experience help us build technology that can do some of this stuff. So, for example, we can detect weird use of PowerShell or unauthorized use of PowerShell or abnormal use of PowerShell. You know, so there's definitely technologies that we can use. We can train models using AI to check behaviors, not necessarily check if something's malicious, but just check a set of behaviors collectively that does seem to be suspicious. But when you do couple that with the human intelligence, those analysts who do know what's going on, when they see a shadow somewhere, they know exactly where to go look. That's really hard to replace with technology. That is that human expertise. And so we do believe that the future of combating these things is a combination of kind of artificial intelligence and human intelligence.

Chet Wisniewski: It's defense-in-depth, but it's done differently, right? Like, the machines are great at automating the volume, right? You've got a volume of Windows event IDs coming in, a volume of firewall alerts – that's something humans are not at scale to be able to cope with, and the machines have to help us there. But once – the machines don't have the accuracy that the humans have, right? So the machines winnow it down. And then even on the human side, you talk about experience, Dave, obviously, there's a shortage of security people with insert number here – five, ten, fifteen years experience, say, analyzing these things. And it's not always necessary to have a ton of those people with ten years experience or even the five years experience. I think you end up with a tiered thing of the machines filter the first layer, you know, in the smaller organizations that may not have a lot of full-time security staff, they can depend, you know, lean on their partners, whether that be managed service providers, whether that be companies like Sophos, to be the backstop for when they're not sure. So they can deal with the vast majority of the alerts after the machines have dealt with them. But then for those couple that they're not quite sure about, they can then sort of escalate those to the smaller number of really experienced people that may just be a contractual relationship because you can't afford to have them or you may not be able to find them and hire them.

Dave Bittner: Yeah, that's a really interesting point. I mean, I wonder how much – or how important it is that organizations provide those security teams with the bandwidth, with the time, the resources to be able to dig into these sorts of things. You know, we always hear that the teams are overburdened and nobody has all the time, money, or resources that they would like to have. But providing your team with those things, it seems, could really pay off when it comes to these sorts of things.

Chet Wisniewski: Yeah, I think part of the bandwidth problem in the past was also it was too much information and lack of information. And that may sound weird, but if you get a bunch of alerts without the context for how they happened, then you spend a whole bunch of time trying to figure out if they're real or not. And now, most more advanced organizations, at least now have EDR tools, things like that, deployed on most of their infrastructure, which gives you the context to make good decisions much more quickly. If you send me an alert with the information about how that alert bubbled up, a human can decide that's good or bad in a few seconds. But without that context, that human might spend minutes trying to figure out whether that alert is legitimate or not. So I think we are – we're getting better at figuring out how to get the humans to hold hands with the machines. In the past, they were kind of almost adversarial. And I think we're really moving forward, and I think that's where the successful organizations are finding the wins, is providing the right information to the humans and automating the process of that, and making sure that the machines aren't in any way assuming they're going to replace the human, because they can't. It's making sure the machine is serving the human better.

Dave Bittner: Thanks to ExtraHop for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: Our thanks to Reservoir Labs for sponsoring this week's Research Saturday. Don't forget, you can learn all about them at

Dave Bittner: Our thanks to Dan Schiappa and Chet Wisniewski from Sophos for joining us. We'll have a link to the series of articles covering ransomware in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.