.       -
 


»   ,     ,       ,         . ,    ,     ,   .

    -    , , - ,        .  Group-IB,  2021   -      200%.

-.  ,          2021     (!) .

,    ,    .   ,   ,    .         , - –  .

   -    -       .

(          ),     ,      - –       ,   ,          ,    ,     .

               ,      ,   -.





  -;

  :  ,  ;

   -.





,   ,   ,     .





 

:    -



  

   

  

  . 

 . 

 . 

  . , . , . 



  .         () .  ,  ,  ,  ,  ,       .  ,   ,    ,  ,        ,     ,  ,     .

,     ,  ,  ,      () ,      ,   .



Copyright 2022 Packt Publishing

, .   », 2022


* * *








    Group-IB,     ,  ,      .     Packt    .           .










    ,        ,  ,  ,      ,        Netflix,  ,    2022.,    Conti    -.

-      .   1.          Toshiba  Colonial Pipeline,    . -          (     !)  ,       ,    .     -    , , - ,        .  Group-IB,  2021.   -      200%.    2022        I  2021.   () ,    ()  ,  .       .     Group-IB   ,        .        ,    .        ,        .  –   ,          : Conti, OldGremline, LockBit, Hive, REvil.     -,  ,   ,  ,   .      ,  ,   , ,    .



Group-IB







-              –           .

       -.     ,       ,   ,  .


   ?

– ,  ,            ,      -,  .


?

1     -      -  .



2      -     ,       -.



3       ,    -.



 4  -        -.



5 ,   ,   -   , ,  ,     ,   -.



6   ,  -        ,    -.



 7            ,         .



 8         ,  .



 9      ,  .



 10        .



 11   -     -.



 12      -     ,   ,  -.


  

PDF-     ,   ,    https://static.packt-cdn.com/downloads/9781803240442_ColorImages.pdf (https://static.packt-cdn.com/downloads/9781803240442_ColorImages.pdf).


 

      .

,    ,  ,  ,  , , URL-,    Twitter, :    GUID {E97EFF8F-1C38433C-97154F53424B4887}.  ,   586A97.exe   C:\Windows\SYSVOL\domain\scripts.

  .








       ,      .








       .








    ,   ,   , ,    , : ,      21 (  ) 25 (  ).


 

    .



 .       ,    customercare@packtpub.com (mailto:customercare@packtpub.com),     .



.    ,     ,  .     ,   ,     . ,    https://www.packtpub.com/support/errata (https://www.packtpub.com/support/errata).



.         ,        -  copyright@packt.com (mailto:copyright@packt.com).



 .          , ,   authors.packtpub.com (http://authors.packtpub.com/).


 

,   ,  ,    .    ,       .     ,       .       ,  . ,   ,   ,        .             .


  

      .   https://www.amazon.com/Incident-Response-Techniques-Ransomware-Attacks/dp/180324044X (https://www.amazon.com/Incident-Response-Techniques-Ransomware-Attacks/dp/180324044X)   .

      ,      .




01.    -














1

    -


  -    COVID-19  2020. , ,  .     ,       .

    ,       -,  WannaCry NotPetya.    -,      .    -    -      .

     -,  .           ,  ,    -, - .


   :

?2016.: - SamSam.

?2017.: - BitPaymer.

?2018.: - Ryuk.

?2019.  : - .


2016. - SamSam

SamSam   2016.     ,  -.        –   ,    ,       ,   ,     .

    ,        .      ( ),    2018.  ,   ,    $2,7.

,     ,   JBOSS,    RDP-,      .     ,       ,    Mimikatz,      .    SamSam   ,     ,     -          PsExec.

    .        ,  - (.1.1).

Sophos, 2016–2018.    $6 (: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf (https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf)).






.1.1.   SamSam  [1 - #   ?      RSA-2048 . RSA-  Google.#  ?RSA    .        . ,       .    .#   ?   ,    . 1:   1,7     28    . 2:      1,7 ,       .*    3:      .       ,     . :  -: (    28    ,      .)(     14 ,  14  ( ),   ,    .)  ?   ,     TOR     .  TOR   .  Google  onion-.#        ,    .#        Western Union  ,        .#        ,         .]



  - SamSam?

28 2018.   ,    - SamSam       .






.1.2.    



  .              SamSam.

    ,   -     ,     .    - BitPaymer.


2017. - BitPaymer

- BitPaymer  Evil Corp  , , ,   .   -     ,  ,   .

   2017.,   BitPaymer      NHS Lanarkshire      $230000, 53 .

     ,       Dridex.     PowerShell Empire   ,       ,    Mimikatz,   SamSam.

  -  ,    ,          -.

     ,   -.






.1.3.   BitPaymer  [2 -   .        .    ,     .        .       .    readme.    readme.  readme.   ,      .      ,   :  BTC:     :       .  ,    ,        .    . LOCK.     .]



  2019.   - DoppelPaymer,  BitPaymer. ,      Evil Corp (: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/).



 - BitPaymer

13 2019.   ,      Dridex        .






.1.4.    



           .  ,     $5.

, Dridex   ,   -,  .    Trickbot,   - Ryuk.


2018. - Ryuk

- Ryuk      .   -,   Trickbot,   Wizard Spider,  .

 AdvIntel,         $150 (: https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders (https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders)).

  Ryuk   ,      Emotet,   Trickbot, ,  ,       -.  Trickbot    PowerShell Empire Cobalt Strike Beacon       .

Bazar. ,      ( ).      ,       ,   ,   .    ,       Microsoft Office,    ,     Bazar.   Trickbot,       –   Cobalt Strike.

     Ryuk,     PsExec   .      ,     ,    onion-Tor.






.1.5. ,   [3 - 1. TOR.2.    TOR 3. ,  :     .    .]



 - Ryuk -  ,  AdvIntel HYAS,    $150 (: https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders (https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders)).



  - Ryuk?

4 2021.   ,   ,   ,   ,     Trickbot.

  ,  Ryuk,    Emotet.    2021.      , , , , , ,  .        .

     Emotet.






.1.6.    Emotet



  ,       .       - .


2019.  : -  (RaaS)

2019.     - ,   -   .   -          .

REvil, LockBit, Ragnar Locker, Nefilim    -,   - .         -,  ,      .

         :      -.     2019.  - Maze.      ,   ,       (Data Leak Site, DLS).

  DLS,   - DoppelPaymer.






.1.7. DLS DoppelPaymer[4 -       ,    DoppelPaymer.      .     .   URL-: : 25293 / : 2021-05-06 15:21:06 / : 2021-06-25 22:01:50 URL-: : 11879 / : 2021-02-11 06:50:41 / : 2021-06-24 18:40:38]



        ,    . ,      ,       .          ()     ,     -   .

,  ,     .     20%,  蠖  50%,   ࠖ 10%,    ,   .

-     .   Group-IB Ransomware Uncovered 2020/2021 (https://www.group-ib.com/resources/research-hub/ransomware-2021/ (https://www.group-ib.com/resources/research-hub/ransomware-2021/)), 64%   - 2020.   ,  RaaS.



  - ?

 ,  - NetWalker,  -,  ,     2021. ,        $27,6.

   ,  - Egregor,      ,     .

   ,  - Clop,          2021.

, -     «    –  ,    .       -,  , .




-   ,   ,  - –   ,    .

,  -,     –      -.




2

     -


  -    ,        . ,     ,    ,     .                .

1     -, -     ,    .   ? ,     ,        ,        –        -  .

         -,  ,            .


      :

?  .

?.

? .

? -.


  

     .        VPN,     ,      -      (     ).

–         (RDP),      .

        - II  2021. ,  Coveware (: https://www.coveware.com/blog/2021/7/23/q2-ransom-payment-amounts-decline-as-ransomware-becomes-a-national-security-priority (https://www.coveware.com/blog/2021/7/23/q2-ransom-payment-amounts-decline-as-ransomware-becomes-a-national-security-priority)).






.2.1.     -,  Coveware



     .



       (RDP)

RDP        . 1     -   ,       –  SamSam. , SamSam  .         –   ,  - Dharma,     REvil.

               ,      ,   -.

,      Shodan   3389 (  RDP),    .






.2.2.  ,     3389



–   ,          -.

       ,      .  -     -,          .      ,         ( 10%)   .

-     ,      . , , ,   Threat Intelligence and Attribution




  .


   .




notes








1


#   ?

      RSA-2048 . RSA-  Google.

#  ?

RSA    .        .

 ,       .

    .

#   ?

   ,    .

 1:   1,7     28    .

 2:      1,7 ,       .

*   

 3:      .       ,     .

 : 

 -: 

(    28    ,      .)

(     14 ,  14  ( ),   ,    .)

  ?

   ,     TOR     .

  TOR   

.  Google  onion-.

# 

       ,    .

#  

      Western Union  ,        .

# 

       ,         .




2


  .

        .

    ,     .

.

       .

    readme.

    readme.

  readme.

   ,      .

      ,   : 

 BTC: 

    :

       .

  ,    ,        .

    . LOCK.     .




3




1. TOR.

2.    TOR 

3. ,  : 

    .

    .




4


,    DoppelPaymer.      .     .

   

URL-:

 

: 25293 / : 2021-05-06 15:21:06 / : 2021-06-25 22:01:50

 

URL-:

 

: 11879 / : 2021-02-11 06:50:41 / : 2021-06-24 18:40:38


