Detecting & Hunting Ransomware Operator Tools: It Is Easier Than You Think!

Ryan Chapman, SANS Instructor and author of SANS FOR528: Ransomware for Incident Responders, provides an overview of tools leveraged often by ransomware operators. Though a multitude of ransomware operations and affiliate groups exist, we see a great deal of overlap between the tools leveraged by these groups (and that's an understatement!).
- Are you following and utilizing projects such as Living Off Trusted Sites (LOTS) and Bring Your Own Vulnerable Driver (BYOVD)?
- Are you looking for Bloodhound/SharpHound?
- Do you know how PsExec-like tools work at a forensic level (e.g., smbexec)? Are you hunting for rogue installations of Remote Monitoring & Maintenance (RMM) tools?
- Did you know that data exfiltration tools like Winzip, 7Zip, WinSCP, FileZilla, Rclone, and MEGAsync often leave forensic artifacts that are absolute snitches that are just phenomenal for us cyber defenders?
In this session he will discuss these tools, and show you how they work, and share tips & tricks related to preventing, detecting, and hunting them!

About FOR528: Ransomware for Incident Responders course

About Ryan Chapman

Ryan is a Principal Incident Response Consultant with Palo Alto Networks. He has worked in the Digital Forensics & Incident Response (DFIR) realm for over 10 years. He is the author of the new SANS course on ransomware FOR528: Ransomware for Incident Responders and he has also taught the SANS FOR610: Reverse Engineering Malware. During his career, Ryan has worked in Security Operations Center and Cyber Incident Response Team roles that handled incidents from inception through remediation. With Ryan, it's all about the blue team, including sifting through Packet Captures, researching domains and IPs, hunting through log aggregation utilities, analyzing malware, and performing host and network forensics.