Presentation information

Welcome to the VB2021 conference!

Welcome to the VB2021 conference!

A deep dive into Water Roc, one of the most relentless ransomware groups

A deep dive into Water Roc, one of the most relentless ransomware groups

Feike Hacquebord (Trend Micro), Fernando Merčes (Trend Micro) & Ian Kenefick (Trend Micro)
partner message

Calling all Hackers!

https://www.ise.io/careers/#op-470256-hacker-midseniorprincipal

We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

We don’t just talk about sharing. We do it every day.

https://www.cyberthreatalliance.org/about-cta

Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity

https://ti.qianxin.com/marketing/vb2021/

QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions

https://www.farsightsecurity.com/get-started-guide/

DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

Amazon Information Security - come build the future with us!

https://www.amazon.jobs/en-gb/team/infosec

Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

Stay ahead of threats with VirusTotal

https://www.virustotal.com/

Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Ransomware prevention starts with zero

https://www.zscaler.com/solutions/security-transformation/ransomware-protection

Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

VirusTotal: Actionable crowdsourced threat intelligence

https://www.virustotal.com/

Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?

https://talosintelligence.com/careers

At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

Threat Intelligence and Cyber Resilience

https://vblocalhost.com/programme/#TIPS

Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

F5 helps find malware hiding in plain sight

https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encrypted

Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

IoT security begins with your Smart TV

https://chomar.link/smarttv

CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

Looking for performance validation for your product?

https://www.virusbulletin.com/testing/

Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

Downloads

For businesses, the threat of ransomware is escalating rapidly. This is largely due to two distinct cybercriminal operations: 1) Ransomware as a Service (RaaS) groups who specialize in developing ransomware - and their symbiotic relationship with 2) Access as a Service (AaaS) groups who specialize in providing access to victim organizations.
In this talk we outline the modus operandi of one particular RaaS group we call Water Roc, that has been active since at least March 2020. Water Roc is notable in how it targets multi-billion-dollar organizations using ransomware, while trying to maximize payouts through the use of double-extortion. Not only does this group make computer networks unusable and files inaccessible, it also relentlessly releases stolen sensitive information on victims and continues to leak more data for many months after the initial compromise.

In this talk we outline the details of the techniques, tactics and procedures of Water Roc, which we have learned from research spanning more than a year and data obtained from several incident response cases. We will talk about ways the ransomware group gains initial access to a network, the lateral movement phase, data exfiltration of sensitive data, the launching of ransomware, and finally double extortion through the publishing of stolen sensitive data.

We will also compare the particular RaaS of Water Roc with a dozen other Ransomware-as-a-Service groups. Not all of the RaaS groups are organized to the same level as Water Roc. We will point out that several of these RaaS groups have weak points in their operational security that may lead to clues for researchers and law enforcement to take action against them. We also talk about how to utilize aspects of their known mode of operation for better protection and defence against their ransomware attacks.

Got a question about this presentation? To get in touch with the speakers, find Fernando on Discord under the nickname merces#8301 or contact the speakers on Twitter at @FeikeHacquebord, @mer0x36 and @ian_kenefick.
Feike Hacquebord
Trend Micro

Feike Hacquebord has more than 15 years experience in threat research as a senior threat researcher. Since 2004, he has been a regular advisor of international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of more than a dozen blog postings and papers on advanced cyber attacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam.

Fernando Merčes
Trend Micro

Fernando is a senior threat researcher at Trend Micro, where he acts as a cybercrime investigator making use of reverse engineering and threat intelligence skills to research cyber attacks. He is also the creator of some open-source security tools and runs Mente Binária, a non-profit organisation to teach security and programming in Brazil. Fernando has spoken at conferences including BlackHat, DCC, H2HC and others.

Ian Kenefick
Trend Micro

Ian is a senior cybersecurity engineer and member of the 'Blue Team' at Trend Micro EMEA - where he is responsible for internal security operations in Europe. Ian enjoys threat hunting, analysing malware campaigns and implementing solutions to mitigate the latest attack techniques. Prior to this, Ian provided managed detection & response services to Trend Micro clients in Europe.