REDTEAM RAW, EPISODE #4: Dhruv Bisani on his journey to becoming the Head of Red Teaming at a UK Cyber Security Consultancy

In the fourth episode of RedTeam Raw, Picnic’s Director of Global Intelligence, Manit Sahib, sits down with Dhruv Bisani, the Head of Red Teaming at a leading UK Consultancy, Eurofins Cyber Security (AKA Commissum).

Dhruv Bisani talks through a day in the life of a Covert Ethical Hacker (Red Teamer), maintaining good Operational Security (OPSEC) to fly under the radar and go undetected, some Red Team war stories, breaking into a Zero Trust environment, Phishing & leveraging Social Engineering. We also run through tips for those looking to get into Cyber Security, the difference between Red Teaming and Penetration Testing (commonly confused) and the evolution and growth of Purple Teaming and Threat Intelligence.

We explore Dhruv Bisani’s journey as an international employee (and its challenges and misconceptions), gaining a visa and sponsorship to work in the UK for the Big 4 consultancy PwC, the value of CREST Certifications (CCT APP, CCT INF, CCSAS, CCSAM), and becoming the Red Team Lead for Eurofins Cyber Security. We also explore challenges in the work environment and how to deal with them.

Like and subscribe for future episodes of RedTeam Raw here.

REDTEAM RAW, EPISODE #3: Dimitris Pallis on how he became an experienced penetration tester, ethical hacker, and current Security Consultant at Claranet

In the third episode of RedTeam Raw, Picnic’s Director of Global Intelligence, Manit Sahib, sits down with experienced penetration tester, ethical hacker, and current Security Consultant at Claranet (previously Sec-1), Dimitris Pallis!

We discuss the Ukrainian IT Army and cyberwarfare, Dimitris’ journey to becoming an ethical hacker, how to keep your OpSec when sending out your personal info in your CV, Dimitris’ tips for people wanting to level up in the industry and the best resources for preparing to get a job, how to manage time when getting your certifications, red team stories with an important lesson from Dimitris, the skills needed to be a good ethical hacker, the problem of social engineering, where things are going in the industry, the need for companies to reduce their attack surface and online presence, tools for OSINT reconnaissance, the need for basic awareness about giving out personal info (with two recent dangerous examples from LinkedIn), the lifecycle of a ransomware incident, and final tips from Dimitris.

Like and subscribe for future episodes of RedTeam Raw here: https://www.youtube.com/channel/UCVn3…

Ransomware: Stealing your data for fun and profit

Ransomware is a form of malicious cyberattack that uses malware to encrypt the files and data on your computer or mobile devices. As the name suggests, the cyber-criminals behind the malware then make demands for a ransom in order to release your data or access to your data.

Typically, you will be given instructions for payment and will in return be given a decryption key. The ransom amount may range from a couple of hundred to thousands of dollars, though you will most likely have to pay the cyber-fraudsters in cryptocurrency such as Bitcoin.

3 Types of Ransomware

Ransomware attacks range from mild to very serious. Here are the three types most often encountered:

Scareware

Contrary to its name, Scareware may be the least scary of the three. It involves a tech support cyber-scam via rogue security software. In this scenario, you may see a pop-up message on your screen claiming the security software has detected malware on your device and you can only get rid of it if you pay a fee.

If you do not pay, they will continue to bombard you with the same pop-up. But annoyance is the extent of the threat. Your files and device are absolutely safe and unaffected.

Note that legitimate cyber-security software will never solicit its users in this way. Real security products don’t charge you on a per-threat basis and would never ask you for a payment to remove a ransomware infection. After all, you already paid when you purchased the software. And logically speaking, if you never bought the software, how could it have detected an infection on your device?

Screen Lockers

More of a real threat than scareware, screen lockers can lock you out of your PC entirely. If you restart your computer, you may see a bogus, full-screen United States Department of Justice or FBI seal with a message.

The message states that “they” have detected some sort of illegal activity on your computer, and you must pay the penalty fine. It should go without saying that neither the FBI nor any other government entity will lock you out of your device and/or demand money to compensate for illegal activity. Real suspects of crimes, whether perpetrated online or not, will always be prosecuted through legal channels.

Encrypting Ransomware

Unlike the other two, this ransomware mimics real, offline ransoms. In this scenario, cybercriminals snatch your files, encrypt them, and demand you pay a ransom if you wish ever to see your data again.

What makes this variation of ransomware attack so dangerous is that once the cyber-fraudsters have encrypted your files, no security product or system can restore them on its own. In theory, abiding by the ransom demands will return your data, but there are no guarantees. Once they have your data and your money, you don’t have much leverage over them anymore. You can only hope these criminals are true to their word. It’s not a good bet.

How does Ransomware Work?

One of the most common methods of delivering ransomware is a phishing scam: an attack in which the ransomware arrives as an attachment to an email masquerading as coming from a trusted source. Once you open the attachment, the ransomware takes over your computer. Other strains need no user action at all; NotPetya, for example, exploits loopholes in the system’s security to infect it. Some ransomware attachments also come with social engineering tricks to get you to grant them administrative access.

There are several actions ransomware might perform, but the most common of them is to encrypt some or all of your files. You will get a message on your screen that your files have been encrypted and that you can only decrypt them once you send an untraceable payment in cryptocurrency, usually Bitcoin. The only thing that can decrypt the data is a mathematical key, which is in the possession of the cyber-criminal.

Another variation of ransomware attack is known as doxware or leakware. In this form of attack, the hacker threatens to publicly release sensitive data found on your hard drive unless you pay the ransom. This is less common purely because finding sensitive data is often difficult and labor-intensive for cybercriminals.

Who Can Be a Ransomware Target?

Ransomware attackers choose the victims they target (individuals or companies) in several ways. The combination of the right victim and the loosest security will often drive a criminal’s decision.

For example, attackers may target universities or colleges because these institutions tend to have weaker security controls. Additionally, they have many disparate users relying on a lot of file sharing, making it easier for attackers to penetrate the defenses.

In other instances, some large corporations or organizations are tempting targets because they are more likely to pay a ransom. For example, medical facilities and government agencies often require immediate access to their systems and files and can’t operate without access to their data.

Law firms and other agencies dealing with sensitive data will be more willing to pay to cover up the news of the ransomware attack on their network and database. These are also the organizations more prone to leakware attacks due to the sensitivity of information and data they carry.

However, even if you don’t fit any of the above categories, do not delude yourself. Some ransomware attacks are automatic and spread randomly without discrimination.

In Case You Are under Ransomware Attack

If you ever fall prey to a ransomware attack, the number one rule to remember is “Never Pay the Ransom.” This advice is also endorsed by the FBI. If you pay, all it is going to do is encourage these cyber-fraudsters to launch further attacks against you or others.

Does that mean you are stuck? Yes and no. You may still be able to decrypt or retrieve some of your infected files using free decryptors, such as those published by Kaspersky. However, many ransomware attacks use sophisticated encryption that no available decryptor can undo. Even worse, using the wrong decryption script may further damage your files. Pay close attention to the ransomware message and seek an IT/security expert’s advice on what your next step or course of action should be.

An alternative method is to download security software known for remediation. It will scan your computer and remove the ransomware threat. This is only a partial solution: it will clean the infection from your system, but you may not be able to recover your locked or lost files.

A screen-locking ransomware attack often leaves little choice other than full system restoration. If this happens, you can always try scanning your computer using a USB drive or a bootable CD.

To thwart a ransomware attack in progress, stay extremely vigilant. If your computer is slowing down for no apparent reason, disconnect it from the Internet and shut it down. Once you reboot your computer (still offline), the malware will not be able to receive commands from, or send data to, its control server. Without a channel to extract payment or fetch an encryption key, the ransomware infection may stay idle. At this point, download and/or install security software and run a full computer scan to quarantine the threat.

Specific Steps for Ransomware Removal

In case your computer comes under a ransomware attack, you must regain access and control of your device. Here are some simple steps you must follow, depending on whether you use Windows, MacOS, or a mobile device.

Windows 10 Users

  • Reboot your PC in safe mode
  • Install anti-malware software
  • Scan your system to detect the ransomware file
  • Restore your system to a previous state
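The four steps above as an added PowerShell walkthrough (this is not code from the original article), using Microsoft Defender, which is already installed on Windows 10, as the anti-malware engine and run from an elevated (Administrator) PowerShell session. It assumes Defender's built-in cmdlets, a machine that was briefly connected to the network for the signature update, and a restore point whose sequence number (the `12` below is a placeholder) you read off the list the script prints. Because Defender's service may not start inside Safe Mode, the Safe Mode and scan steps are combined into a Defender Offline scan, which boots the scanner outside Windows and so gives the same isolation; the plain Safe Mode commands are shown in comments for a third-party engine that has to be installed first.

```powershell
# Added example (not from the article): the four Windows 10 removal steps with
# Microsoft Defender as the anti-malware engine, from an elevated PowerShell
# session. The commands are typed in phases because two of them reboot the PC.

# --- Phase A: still in normal Windows, online only long enough for step 2 ---

# Step 2 (install / update anti-malware): Defender ships with Windows 10, so
# bring its engine and signature files up to date.
Update-MpSignature

# Steps 1 and 3 (Safe Mode + scan): Defender's service may not run inside Safe
# Mode, so the scan is done as a Defender Offline scan. It reboots into a
# minimal environment outside Windows, scans the disk before any start-up entry
# the ransomware added can run, quarantines what it finds, and boots back.
Start-MpWDOScan
# (the machine reboots here, scans, and returns to the normal desktop)

# If you are installing a third-party engine instead, force the next boot into
# Safe Mode with Networking first, and reverse it once the clean-up is done.
# The braces are quoted so PowerShell does not parse them as a script block.
#   bcdedit /set "{current}" safeboot network
#   Restart-Computer -Force
#   bcdedit /deletevalue "{current}" safeboot

# --- Phase B: back in Windows after the offline scan ---

# Review what Defender found: name, severity, whether it is still active, and
# the file paths involved.
Get-MpThreat | Format-Table ThreatName, SeverityID, IsActive, Resources -AutoSize

# Step 4 (restore a previous state): list the restore points and pick one whose
# CreationTime is earlier than the infection. System Restore rolls back system
# files, drivers and the registry; it does not bring back encrypted documents.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
$sequenceNumber = 12     # placeholder: the SequenceNumber you chose from the list
Restore-Computer -RestorePoint $sequenceNumber -Confirm:$false
# (the machine reboots here to apply the restore point)
```

System Restore repairs the operating system, not your data: files the ransomware encrypted come back only from a backup taken before the infection, which is why the backup measure under “How to Prevent Ransomware?” matters more than any removal step.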

MacOS

In the past, the rumor was that Macs were “unhackable” due to their architecture. Sadly, this is not the case. Cyber-criminals dropped the first ransomware bomb on MacOS in 2016, known as KeRanger. This ransomware was hidden inside an app known as Transmission; once the app was launched, it copied the malicious files, which kept running covertly in the background. After three days of this stealth operation, it encrypted the user’s files.

Apple did come up with a solution to this issue known as XProtect. The lesson learned was that Mac ransomware is not theoretical anymore. However, Mac users are reliant on Apple to come up with solutions if problems occur.

Mobile Ransomware

It was not until the popularity of CryptoLocker in 2014 that ransomware became a common threat for mobile devices. Apps are the common delivery method for malware on phones. Typical mobile ransomware attacks display a message that your smartphone has been locked due to illegal activity and you will have to pay to unlock your device. In case you fall prey to such malware, you must boot your smartphone in safe mode and delete the malicious app to retrieve control.

How to Prevent Ransomware?

You can take several defensive measures that not only help prevent ransomware attacks but other social engineering attacks as well.

  • Keep your operating system and security software up to date and patched. This simple practice closes many of the vulnerabilities that ransomware exploits.
  • Do not install any software or grant it administrative rights unless you are sure what it does with those privileges.
  • Install an antivirus program to detect malicious programs (and apps) in real time. A good antivirus may also offer an allowlisting (whitelist) feature, which lets only trusted software you have approved run automatically and blocks unauthorized software from auto-executing in the first place.
  • Last but not least, back up your files automatically and frequently (preferably in the cloud). It won’t prevent a ransomware attack, but it limits the damage and prevents permanent loss of your files.
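The four measures above as an added PowerShell example (not code from the original article), using the controls built into Windows 10 and Microsoft Defender and run from an elevated PowerShell session. The protected folder, the allowed application path, the backup drive letter, the script location and the task name are all placeholders to replace with your own; Defender's Controlled Folder Access is used as the allowlisting feature the third bullet describes, and a dated copy of the Documents folder made by a scheduled task stands in for the backup.

```powershell
# Added example (not from the article): the four prevention measures as Windows
# 10 / Microsoft Defender settings. All paths and names are placeholders.

# 1. Patching: show the most recently installed updates so a machine that is
#    falling behind is easy to spot (Windows Update itself lives in Settings).
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# 2. Least privilege: find out whether the everyday account is a local
#    administrator. If this prints a row, day-to-day work (and every attachment
#    opened) runs with the rights ransomware needs to dig in.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $me

# 3. Real-time protection plus Controlled Folder Access: Defender's allowlist.
#    Only applications on the allowed list may write to protected folders, which
#    is exactly the operation encrypting ransomware has to perform.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'                        # placeholder folder
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\TrustedApp\app.exe'  # placeholder app
(Get-MpPreference).EnableControlledFolderAccess    # 1 means Enabled

# 4. Backups: a daily, dated copy of Documents onto a separate drive. Each run
#    writes a new folder, so an encrypted copy does not overwrite yesterday's.
$backupScript = @'
$stamp = Get-Date -Format 'yyyy-MM-dd'
robocopy "$env:USERPROFILE\Documents" "E:\Backups\$stamp" /E /R:1 /W:1 /NP
'@
New-Item -ItemType Directory -Force -Path 'C:\Scripts' | Out-Null     # placeholder location
Set-Content -Path 'C:\Scripts\backup.ps1' -Value $backupScript
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 7pm
Register-ScheduledTask -TaskName 'DailyDocumentsBackup' -Action $action -Trigger $trigger `
    -Description 'Dated copy of Documents to the external backup drive'
```

If Controlled Folder Access blocks a program you trust, add that program with `Add-MpPreference -ControlledFolderAccessAllowedApplications` rather than switching the feature off; setting it to `AuditMode` first logs what would have been blocked without blocking anything, which is a safe way to find those programs. The backup drive should be disconnected, or be a cloud location with file versioning, when it is not in use, since ransomware encrypts every drive it can reach.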

In any event, in case you are not a tech-savvy individual or company, seek advice from IT and cyber-security experts in your locale. The best experts are up-to-date with current, commonly active ransomware as well as security software you should be using.