The Great Sandbox Escape

Explore the evolution of ransomware attacks in this 36-minute webinar presented by Vikas Singh at NULLCON. Delve into the sophisticated techniques employed by cybercriminals, including the novel approach of deploying virtual machines for full-scale ransomware attacks. Learn about the MegaCortex and Snatch ransomware families, their infection methods, and lateral movement strategies. Discover how attackers bypass endpoint protection using various techniques, and understand the Ragnar Locker ransomware's unique approach of leveraging virtual machines. Gain insights into five warning signs that indicate an impending attack, equipping yourself with valuable knowledge to enhance your organization's cybersecurity posture.

Intro
MegaCortex
Snatch From Breach to Encryption . Brute-forced credentials on a Windows Server in Microsoft Azure • Initial access via RDP • Lateral movement to Active Directory domain controller • Surveillance via WMI (for several weeks)
Snatch The Ransomware * Ransomware binary is registered as a service in the Windows Registry (the service is not immediately started)
Robbin Hood Destroying endpoint protection with RE Kill file in 7 ways and kill process - from ring 0; tamper protection is ineffective
Ragnar Locker Preparing the Physical Machine
Ragnar Locker Virtual Machine
Five signs you're about to be attacked 1. You find a network scanner like AngryIP or Advanced Port Scanner