Skip to main content


Incident response case study featuring Ryuk and Trickbot (part 2)

This is part 2 of our recent incident response study encountering a Trickbot infection.

Initial compromise Right after tricking a user into running the malicious Office macro on their machine, thus gaining code execution, the first stage Trickbot executable is downloaded and executed. The first stage payload is responsible for three things: First, Trickbot tries to disable Windows Defender by running these commands:    cmd.exe /c sc stop WinDefend
    cmd.exe /c sc delete WinDefend
    cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
The next step is to unpack itself to all users' AppData/Roaming directory under a less-than-suspicious folder name (such as WinDefrag, WinSocket, GPUDriver, msnet, etc.).Last, but not least, it creates persistence. As we have already mentioned in the first part of this series, Trickbot does not need advanced persistence mechanisms; creating Scheduled task, installing a Service or even a simple Run registry persistence is sufficien…

Startup Safari - Incident Communication

Startup Safari - Incident Communication

In recent years more and more data breaches seem to have reached world-wide publicity. Rightly so: after all, most companies collect and store vast amounts of PII for their services (see all the GDPR scare and hissy fit for proof), thus a compromise usually means the loss, or worse, the possible theft and abuse of highly sensitive personal data. In other words: many people are put in the awkward position, where they know they should be worried and are angry with the company - even though the victim of the actual crime is the company itself.
I find this modern sociological phenomenon fascinating; and when the CEO-s, representatives and communication people of said companies clash with their customers during a case like this is usually even more interesting. Sometimes I honestly get the feeling that most companies still haven't realised that being "hacked" (more precisely, being a victim of any kind of cyber-crime, be it a financially motivated ransomware or a sophisticated case of corporate espionage) is not a question of "if", it is a question of "when".
Therefore, my friend and colleague, Janos and I decided to take a look at the way large corporations handle this unique PR situation - only to find that they usually do not handle it well at all. So, we took the worst of the worst and tried to analyse and compare them, in order to determine the DOs, and especially the DON’Ts of cyber incident communication. And though our findings seem completely obvious, even recent examples seem to prove that this needs to be thought through – because when the storm hits, there will be no time for that.
(All right, we did put in some good examples as well - they do exist, you know! Just take the Maersk case in 2017, or Norsk Hydro this March. And some say you do not even have to have "rsk" in your company name to get it right!)
This was the presentation we delivered on the Start-up Safari event in April, to a room full of (by the end at least) interested and interactive youngsters, and it was excellent fun. Many thanks to the organisers, and our great audience - we really hope to see you again next year!