Presentation information

A deep dive into Water Roc, one of the most relentless ransomware groups

Feike Hacquebord (Trend Micro), Fernando Merčes (Trend Micro) & Ian Kenefick (Trend Micro)
live only
UTC on Day 3
FRIDAY 02 OCTOBER
For businesses, the threat of ransomware is escalating rapidly. This is largely due to two distinct cybercriminal operations: 1) Ransomware as a Service (RaaS) groups who specialize in developing ransomware - and their symbiotic relationship with 2) Access as a Service (AaaS) groups who specialize in providing access to victim organizations.
In this talk we outline the modus operandi of one particular RaaS group we call Water Roc, that has been active since at least March 2020. Water Roc is notable in how it targets multi-billion-dollar organizations using ransomware, while trying to maximize payouts through the use of double-extortion. Not only does this group make computer networks unusable and files inaccessible, it also relentlessly releases stolen sensitive information on victims and continues to leak more data for many months after the initial compromise.

In this talk we outline the details of the techniques, tactics and procedures of Water Roc, which we have learned from research spanning more than a year and data obtained from several incident response cases. We will talk about ways the ransomware group gains initial access to a network, the lateral movement phase, data exfiltration of sensitive data, the launching of ransomware, and finally double extortion through the publishing of stolen sensitive data.

We will also compare the particular RaaS of Water Roc with a dozen other Ransomware-as-a-Service groups. Not all of the RaaS groups are organized to the same level as Water Roc. We will point out that several of these RaaS groups have weak points in their operational security that may lead to clues for researchers and law enforcement to take action against them. We also talk about how to utilize aspects of their known mode of operation for better protection and defence against their ransomware attacks.
Feike Hacquebord
Trend Micro Feike Hacquebord has more than 15 years experience in threat research as a senior threat researcher. Since 2004, he has been a regular advisor of international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of more than a dozen blog postings and papers on advanced cyber attacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam.
Fernando Merčes
Trend Micro Fernando is a senior threat researcher at Trend Micro, where he acts as a cybercrime investigator making use of reverse engineering and threat intelligence skills to research cyber attacks. He is also the creator of some open-source security tools and runs Mente Binária, a non-profit organisation to teach security and programming in Brazil. Fernando has spoken at conferences including BlackHat, DCC, H2HC and others.
Ian Kenefick
Trend Micro Ian is a senior cybersecurity engineer and member of the 'Blue Team' at Trend Micro EMEA - where he is responsible for internal security operations in Europe. Ian enjoys threat hunting, analysing malware campaigns and implementing solutions to mitigate the latest attack techniques. Prior to this, Ian provided managed detection & response services to Trend Micro clients in Europe.
arrow left Back

A deep dive into Water Roc, one of the most relentless ransomware groups

Feike Hacquebord (Trend Micro), Fernando Merčes (Trend Micro) & Ian Kenefick (Trend Micro)
For businesses, the threat of ransomware is escalating rapidly. This is largely due to two distinct cybercriminal operations: 1) Ransomware as a Service (RaaS) groups who specialize in developing ransomware - and their symbiotic relationship with 2) Access as a Service (AaaS) groups who specialize in providing access to victim organizations.
In this talk we outline the modus operandi of one particular RaaS group we call Water Roc, that has been active since at least March 2020. Water Roc is notable in how it targets multi-billion-dollar organizations using ransomware, while trying to maximize payouts through the use of double-extortion. Not only does this group make computer networks unusable and files inaccessible, it also relentlessly releases stolen sensitive information on victims and continues to leak more data for many months after the initial compromise.

In this talk we outline the details of the techniques, tactics and procedures of Water Roc, which we have learned from research spanning more than a year and data obtained from several incident response cases. We will talk about ways the ransomware group gains initial access to a network, the lateral movement phase, data exfiltration of sensitive data, the launching of ransomware, and finally double extortion through the publishing of stolen sensitive data.

We will also compare the particular RaaS of Water Roc with a dozen other Ransomware-as-a-Service groups. Not all of the RaaS groups are organized to the same level as Water Roc. We will point out that several of these RaaS groups have weak points in their operational security that may lead to clues for researchers and law enforcement to take action against them. We also talk about how to utilize aspects of their known mode of operation for better protection and defence against their ransomware attacks.
Feike Hacquebord
Trend Micro Feike Hacquebord has more than 15 years experience in threat research as a senior threat researcher. Since 2004, he has been a regular advisor of international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of more than a dozen blog postings and papers on advanced cyber attacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam.
Fernando Merčes
Trend Micro Fernando is a senior threat researcher at Trend Micro, where he acts as a cybercrime investigator making use of reverse engineering and threat intelligence skills to research cyber attacks. He is also the creator of some open-source security tools and runs Mente Binária, a non-profit organisation to teach security and programming in Brazil. Fernando has spoken at conferences including BlackHat, DCC, H2HC and others.
Ian Kenefick
Trend Micro Ian is a senior cybersecurity engineer and member of the 'Blue Team' at Trend Micro EMEA - where he is responsible for internal security operations in Europe. Ian enjoys threat hunting, analysing malware campaigns and implementing solutions to mitigate the latest attack techniques. Prior to this, Ian provided managed detection & response services to Trend Micro clients in Europe.