Wait the whole video isn't just an ad?! John are you okay? We're here if you need to talk. 😢
Ran into DarkSide a few years back, got contracted to clean up a ransomware attack on a utilities client in NH. I won't name who, but all the desktops were changed to ransom notes, very interesting stuff
How do you go about cleaning up ransomware, do you look for decryption keys in memory or on the file system. What’s the process?
First time I got something important from John in 5 minutes
I liked this video! Do more of these investigations of malware that use various persistence mechanisms, and specifically where you analyze them in AnyRun or other tools and dive into how malware works. These types of videos enlarge my local brain database of what to look out for in suspicious programs and open up new interesting knowledge about cybersecurity 😉
Rrrrr
Rrr
Rrrŕrr
Ŕrŕrrrrrŕ
ok can you stop?
Most respectful blackmailer.
These ones are the craziest. Thank you sir ❤
"your company network has been penetrated" *curb your enthusiasm outro plays*
The proboscis has come from the inside
r u saying ARP poisoning is kinda limp?
Giggity
SQL is database stuff, more specifically Microsoft SQL Server. Such as a website database for user information and such. Or game servers for some companies. Could be used to store credit card information if used at a company like Intuit, for example. For those that don't know.
Would have to be stopped to be encrypted for ransomware. At least as far as I'm aware.
Do malware code analysis more. It is interesting to see how they stage stuff and try to evade AV.
Is there any evidence that it can check if you are trying to decrypt a file and destroy the file if you attempt that - or was that just a complete lie?
Probably lies to scare the user.
will there be a Part 2 of this investigation ?
AnyRun may be useful, but the price is prohibitive. For the free service you get a tiny upload file size by today's standards: 16MB. None of the malware I've trapped would be eligible to try on the free service, and some others wouldn't pass the condition for the 100MB file size on the $299/mo plan.
Better to teach people how to safely set up and use a dedicated box that runs a virtual machine for analysis purposes.
Wym dedicated box? Sorry i
@@BossModeGod box = computer set-up (commonly called machine). I didn't want to write machine twice as I thought it may be confusing. Turns out box is confusing too. Oh well.
@@threeMetreJim oh well. Appreciate it, anyways.
Really fun video John!
I could imagine shift used if you have an unknown amount of, for example, paths to do stuff, so you do operations and then call %SHIFT \1 so %1 is always the path or variable you are working with.
John, have you seen the article about malware getting into the BIOS level?
I JUST GOT YOUR AD FOR DEVSECCON BEFORE THE VIDEO '??? What ??????
That plug 🤌
super cool ty for the content
Great work!!!
But if they use cipher there's no way that the attackers can restore your data. So they're really bluffing when they say they can give you a couple of files back.
Amazing Video. Please give us more of these
I always get spam email, but some of the spam emails get through. What can I do about it, and what is the solution? Even though I cannot share my email or information, for my privacy where I live, I want some guidance. The emails that I get are fake payments and sometimes calls about anti-virus, but I want to know what I can do. I hope that you reach out to my question.
What are your PC or laptop specs? 😅😅😅😅 I am your new subscriber
It'd be interesting to see if it does any communication upon reconnection if the end user modifies files while booted without internet (safe mode with no networking, rebooting with the ethernet unplugged). Interesting video.
Still no answer to what that SHIFT /@ command's purpose was
My guess is that there was an ultra-specific use case the developer ran into where he needed to run that specific command, or just any command that did nothing. We will probably never know what that use case was. However, it does make it a bit easier for malware classification for both signature- and behavior-based detection.
Kinda wished this was done in live stream but that's just me eh?
I can't use AnyRun because I don't have a business email, if I recall, and that is annoying because I am broke and learning. I get annoyed by that.
Let’s see how long this advert for flare is …
Would be interesting to know how the network has been penetrated ⁉
What a way to open a video 😆
Back up each day, disconnect the backup drive. Then restore from backup.
*24:55*
So can malware "escape" my VM and infect my host? How is it possible?
There are quite a few ways this can be done, but one of the biggest (and easiest for me to explain) examples I can think of is CVE-2024-22254 from earlier this year.
To give a very watered-down explanation, if someone can get admin access to one of your VMs, they can use this exploit to trigger an out-of-bounds write and escape the VM to the host machine.
Unfortunately, VMware does not provide many details on the method of exploitation, but there may be a proof of concept I missed.
Hope that helps!
@@elementpotato7771 nice, sounds interesting
@@elementpotato7771 So just to clear this up, is malware able to cause serious damage to my host from the VM, or only minor damage?
@@privatechannel1272 I would say it ultimately depends on the malware, but I believe VM escapes are most commonly used for initial access. They are pretty rare, so it's hard to say for certain. But honestly, in my business environment, I treat all of them as if they have the potential to do serious harm to our systems.
The reason for this is that even if the VM escape exploit does not cause harm to the machine at all, and is only used to get initial access to the host machine, attackers can then chain other exploits to do malicious activity to the host anyway.
(Sorry for any weird formatting, editing comments on mobile is hard)
@@elementpotato7771 Ok thanks for providing a little more info 👍
I guess I could also look up some videos on this topic too.
I click on a john hammond video about ransomware and I get a john hammond ad talking about DevSecCon...youtube knows
can you please share the IOCs?
I always ask myself, how did the malware get admin rights in the first place? User issue?
Also, I always wanted to use LoL drivers to find one I can use to load drivers without disabling PatchGuard in Windows.
It got admin rights through that driver included within the malware. That driver is signed, meaning that it is a legit thing, but it has vulnerabilities for the actual malware to exploit and escalate the privilege to system level.
Let's go, 2 mill, so close John. I wish I could subscribe 200 thousand more times.
So basically remove cipher from your organization and monitor net.exe as always.
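The thread makes three detection-relevant points: SQL Server has to be stopped before its files can be encrypted, cipher.exe leaves nothing for the attackers (or anyone else) to restore, and net.exe is worth monitoring. The following is an added example, not code from the video or from any commenter, that turns those points into process-creation checks over a handful of constructed Sysmon-style events. It assumes the dangerous cipher.exe usage is the `/w:` free-space wipe (the switch that overwrites deleted originals; an assumption, since the thread names only the tool), and the list of "sensitive" service-name prefixes is illustrative, not a complete list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in a simplified "Image | CommandLine | ParentImage"
# layout (not real logs, not the video's sample).  The git.exe line is benign
# filler so the scan has something to ignore.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cipher.exe | cipher /w:C:\ | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cipher.exe | cipher /e C:\Users\bob\Documents | C:\Windows\explorer.exe",
    r"C:\Windows\System32\net.exe | net stop MSSQLSERVER /y | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\net.exe | net stop SQLWriter | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\net.exe | net user | C:\Windows\System32\cmd.exe",
    r"C:\Program Files\Git\bin\git.exe | git status | C:\Windows\explorer.exe",
]

# Illustrative prefixes of services ransomware stops so that locked files
# (databases, shadow-copy and backup engines) become encryptable.  Assumed
# list; extend it for your own estate.
SENSITIVE_SERVICE_RE = re.compile(r"^(MSSQL|SQL|VSS|wbengine)", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent: str


@dataclass
class Alert:
    severity: str   # "high" or "low"
    rule: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Split one constructed 'Image | CommandLine | ParentImage' line."""
    image, cmdline, parent = (part.strip() for part in line.split("|", 2))
    return ProcEvent(image, cmdline, parent)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted service names intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def exe_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> Optional[Alert]:
    """Apply the three rules from the thread to a single process-creation event."""
    name = exe_name(ev.image)
    args = tokenize(ev.cmdline)

    if name == "cipher.exe":
        # cipher /w:<dir> overwrites free space on that volume, so the plaintext
        # originals deleted after encryption cannot be carved back out.
        if any(a.lower().startswith("/w:") for a in args[1:]):
            return Alert("high", "cipher_free_space_wipe", ev.cmdline)
        return Alert("low", "cipher_exe_usage", ev.cmdline)

    # "net stop X" is handed off to net1.exe on Windows, so watch both images.
    if name in ("net.exe", "net1.exe"):
        if len(args) >= 3 and args[1].lower() == "stop" and SENSITIVE_SERVICE_RE.match(args[2]):
            return Alert("high", "net_stop_sensitive_service", ev.cmdline)
        return Alert("low", "net_exe_usage", ev.cmdline)

    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run evaluate() over every event and keep only the ones that fired."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity:4}] {a.rule:28} {a.cmdline}")
```

The split between "high" and "low" matters in practice: cipher.exe /e (EFS) and plain `net user` are everyday admin activity, so they are logged for context rather than paged on, while a free-space wipe or a stop of a SQL/VSS/backup service from a cmd.exe parent is the kind of event that should interrupt someone's evening.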
totally awesome
Let's put our very important files inside sys32 so they cannot encrypt files inside that, because it'll corrupt Windows and we'll not be able to see the message lol
Video idea: Using Cheat Engine to tinker with Windows applications to see if you get any interesting results. Example: Using the Windows drive letter changing functionality to change it to a unique hex value. (Maybe even just lowercase of the letter.)
I would, but I can't install a VM or I risk being banned from Warzone again.
thanks nerd
WHY??!
It was a Russia IP, not Estonia!!!
Easy to restore, ransomware is NOT a problem if you know what you're doing.
lol, like the private key is literally in the registry 😂
Or better ransomware protection; Windows Firewall sucks my ass
Sir, can you hack someone's phone through their number and erase all of his data, files, everything? I'm a 16-year-old boy and I'm going through online sextortion. I'm getting blackmailed that he will upload my video on social media and is also asking money from me. Can you please help me? 🙏🙏😭😭😭 Sir PLEASEEEEE HELP ME. He gave me 2 days to pay money and if I don't he's gonna upload it, so please.........
Bro you’re fucked😅
Stop using AI
Windows is destroyed 😊😊😊 super
Ok
What I would do is shut off the computer, then take the hard drive out and get the encrypted files out and the malware executable, then hire a specialist to make a decryptor.
Unfortunately it doesn't work that way. There's first the recon stage; bad actors know the best moment to fire off the payload. Plus, the moment you notice files getting encrypted, it's the final stage of a process that started long ago. Disconnecting that one PC doesn't help when the attack is running simultaneously across the network. Best bet is having security best practices in place to contain such threats.
@@ekowlloyd I didn't mean a network, but I always wondered how ransomware could spread through a network, since you would be running it on a non-admin account and each account's drive should have BitLocker.
@@tomato.mp4 On a network, the bad actors go through several extended recon stages to exploit vulnerabilities or find that one colleague who has a file somewhere with passwords stored, thinking it's safely hidden. There are tactics to escalate privileges over an extended period; once they gain admin access, they begin the payload. If you are referring to a stand-alone device not connected to the network, then indeed pulling the plug might interrupt the payload.
ps: no idea why auto-correct messed up my grammar in my first response :p
2nd view
2nd!