It's not FINished: The Evolving Maturity in Ransomware Operations

Conference:  BlackHat EU 2020



The presentation discusses the tactics and techniques used by cybercriminals in 2020, focusing on the Catbot and Double Payment malware campaigns.
  • Catbot and Double Payment are highly effective malware campaigns used by cybercriminals in 2020
  • Catbot is modular and allows attackers to selectively choose which modules to load based on their objectives
  • Double Payment removes the ability for users to access their systems, making it a high-impact ransomware campaign
  • Cobalt Strike is a popular secondary persistence mechanism used by cybercriminals
  • Web inject modules are still being used for financially motivated attacks and to capture user credentials
The presentation describes how the Double Payment malware campaign works: it enumerates all local users on a system and resets their passwords to a pre-configured string. It then identifies a core Windows service running from system32 and makes a copy of its binary, appending '-1' to the copy's name. The Double Payment binary is then copied across and overwrites the legitimate binary of the original service. This allows Double Payment to run as a core service, even in safe mode, and to encrypt all files upon reboot. The only way to recover is to restore from backup or to deal with the operators.
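Two detection checks for the behaviour described above, written as an added example for this page rather than taken from the talk: a burst of password resets against many local accounts, and a core service binary sitting next to a copy of itself with '-1' appended. The event tuple layout, the System32 listing and the account names are constructed; the page does not say whether the suffix goes before or after the file extension, so both placements are checked.

```python
"""Defender-side checks for the Double Payment tradecraft described above.
Added example with constructed sample data; formats are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log records as (timestamp, EventID, subject,
# target account). EventID 4724 = an attempt was made to reset an account's
# password. A machine account resetting four local users in one second is
# the pattern the talk describes; the helpdesk entry is a routine reset.
SAMPLE_EVENTS = [
    ("2020-11-10T02:14:01", 4724, "WORKSTATION01$", "alice"),
    ("2020-11-10T02:14:01", 4724, "WORKSTATION01$", "bob"),
    ("2020-11-10T02:14:02", 4724, "WORKSTATION01$", "svc_backup"),
    ("2020-11-10T02:14:02", 4724, "WORKSTATION01$", "Administrator"),
    ("2020-11-10T09:30:00", 4724, "helpdesk", "carol"),
]

def password_reset_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {subject: [accounts]} for subjects that reset at least
    `threshold` distinct accounts inside a sliding `window`."""
    by_subject = defaultdict(list)
    for ts, event_id, subject, target in events:
        if event_id == 4724:
            by_subject[subject].append((datetime.fromisoformat(ts), target))
    flagged = {}
    for subject, resets in by_subject.items():
        resets.sort()
        for i, (start, _) in enumerate(resets):
            targets = {t for ts, t in resets[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[subject] = sorted(targets)
                break
    return flagged

# Constructed System32 directory listing: two legitimate binaries have a
# '-1' sibling, one with the suffix before the extension and one after.
SAMPLE_LISTING = ["svchost.exe", "spoolsv.exe", "spoolsv-1.exe",
                  "lsass.exe", "lsass.exe-1", "notepad.exe"]

def suspicious_service_copies(listing):
    """Return (original, copy) pairs where a '-1' copy sits beside a binary."""
    names = set(listing)
    hits = []
    for name in listing:
        stem, dot, ext = name.rpartition(".")
        if dot and f"{stem}-1.{ext}" in names:
            hits.append((name, f"{stem}-1.{ext}"))
        if f"{name}-1" in names:
            hits.append((name, f"{name}-1"))
    return sorted(hits)
```

A real deployment would read the 4724 events from the Security log and walk the actual System32 directory; a pair flagged by the second check is worth a hash comparison against a known-good copy of the service binary.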


Ransom demands are becoming larger, attackers smarter, and intrusions longer. Ransomware threat actors are hitting European companies hard with more effective ransomware deployment, resulting in devastating impacts to victim organisations. When they strike, their ransomware deployments are more complete and more effective, and they are crippling many organisations to the point where there is often no clear path back to business.

We will be sharing tradecraft we've seen ransomware threat actors employ across Europe in 2020. We cover how we're seeing ransomware crews leverage high-profile critical vulnerabilities to gain footholds in as many victims' networks as possible, only to come back weeks or even months later to leverage those footholds into full-scale ransomware deployments.

Not only are intrusion tactics improving, but attackers are also transitioning to and developing sleek ransomware-as-a-service platforms. Threat actors are professionalising and streamlining their platforms. These platforms are being used by threat actors to generate malware, to communicate and negotiate with victims, and in some cases, for payment processing and decryption utility delivery.


