Video: Inside the Threat: Secureworks CTU Analysis | Episode 1 | Duration: 3604s | Summary: Inside the Threat: Secureworks CTU Analysis | Episode 1 | Chapters: LockBit Ransomware Introduction (15s), LockBit's Dominant Reign (180s), LockBit's Affiliate Program (371s), LockBit Takedown Operation (627s), LockBit's Resilient Return (972s), LockBit Affiliate Techniques (1236s), Ransomware Defense Recommendations (1738s)
Transcript for "Inside the Threat: Secureworks CTU Analysis | Episode 1": Good morning and afternoon, everyone. My name is Tim Mitchell, and I'm a senior security researcher in the Counter Threat Unit at Secureworks. The Counter Threat Unit, or CTU, is a team of researchers whose day job is to understand the threat to Secureworks customers from both hostile state and cybercrime actors. This means we collect, process and analyse all available threat information to generate contextual intelligence, reputation databases and countermeasures that are relevant to Secureworks customers and allow them to take action. So we maintain prioritized intelligence requirements to ensure we are collecting the right information, and we also track clusters of activity as threat groups. In addition to creating and curating the threat indicator databases and countermeasures used to protect our customers, we also provide subject matter expertise to incident response and security operations teams, which helps them understand what they are seeing in customer environments. We also maintain beneficial public sector relationships, for example with government organizations and law enforcement agencies, and we engage in private sector information sharing initiatives. My own particular focus is on cybercrime, and I spend a lot of my time looking at the threat from ransomware specifically. That's why it's me talking to you today about all things LockBit: how the ransomware group evolved to become the most prolific operator, the recent law enforcement takedown, its impact, and how you can best defend against it and activity like it. So first, I'm going to set the scene by talking about the origins of the LockBit ransomware group and its operating model, which led it to list by far the most victims. And these are facts which might explain why it was so important for law enforcement to take action against the group.
I'll describe the actions that they took, and describe some of the unique elements of that which we've not actually seen before. And then I'll cover the immediate reaction to the takedown that we in the CTU observed on underground forums. So, basically, what are cybercriminals saying about it? That will then lead me on to the impact of the takedown. What was the immediate impact? What have we observed a couple of weeks out from it? And what do we think the future will hold? I'll then talk about our own observations on the activities of LockBit affiliates from 22 incident response engagements, so that's how they gain access to networks and conduct post-compromise activity. And then finally, I'm going to share with you our recommendations for protecting against threats like LockBit, based on the understanding we've gained from those engagements, and then cover how we're using it to protect our customers. So first, let's set the scene. We track the activities of the LockBit ransomware operators under the threat group name Gold Mystic, and this chart shows the number of named victims since LockBit started naming them on a leak site in September 2020. The group was not the first to use name-and-shame tactics, that is, threatening to name victims on a leak site and publish stolen data in addition to encrypting networks to add pressure on victims to pay, but it did take it up with enthusiasm, albeit after a relatively slow start. In fact, it was not until June 2021, with the release of LockBit 2.0, a more advanced form of the ransomware with improved capabilities, that it really picked up the pace of targeting and naming victims. And we can see that prior to the takedown, LockBit had named over two and a half thousand victims on its leak site across 14 different countries. So what does that translate to in terms of total victim numbers?
So we know that leak sites contain the names of victims who didn't pay, so these numbers will not include those who did. It's impossible to determine definitively, but we know that in the case of Hive ransomware, the number of victims claimed by the FBI was actually eight times larger than the number of names listed on their leak site. So does that mean that LockBit potentially targeted 20,000 victims? It's certainly possible. So how does LockBit compare with other ransomware groups? Well, the figures here are from 2023, and we can see nearly a thousand named victims per year. LockBit posted almost three times as many victim names as the next most prolific group and more than the total of the rest of the top five groups combined. And this chart comparing the totals of the top five groups since LockBit started in September 2020 shows that it's not just about volume but also longevity: while groups like Conti and other prolific operators disappeared, LockBit continued to regularly post high numbers of victim names. Other groups emerged along the way but could rarely match it. Incidentally, those large yellow spikes that exceed LockBit's activity in March, June, and July 2023 are actually the exception that proves the rule, because they relate to large numbers of victims named by the Clop ransomware group following its use of zero-days to exploit managed file transfer services, first GoAnywhere and then MOVEit, to steal data and hold it to ransom. But importantly, those were purely data theft operations; there was no ransomware deployed in those cases. And to give another sense of scale, in February 2023, Canada's cybersecurity agency claimed that LockBit was responsible for 44% of all global ransomware attacks throughout 2022. So how was LockBit able to achieve such dominance? The key lies in its affiliate program.
So in groups that operate ransomware as a service, such as LockBit, the core members do not actually gain access to networks or deploy the ransomware. They simply supply the ransomware, and sometimes other tools, to the affiliates or partners who then perform that activity on their behalf, and the operators will then get a cut, normally around 10 or 20%, of the ransom payments that they receive as a result of the compromise. In the case of LockBit, this payment was 20%, and access to the program was available to anyone prepared to drop a 1 Bitcoin deposit into the LockBit wallet. But there were some key differences in their approach from other groups that allowed them to scale. The LockBit operating model is devolved. So what does that really mean? It means that, unlike other groups, it has ceded much of its control to affiliates, making them responsible for both negotiations with victims and handling the subsequent payments. Taking on the extra work might not sound like an attractive proposition, but it really appeals to affiliates for one key reason, and that's that it protects them from being scammed out of money by the operator. If they are responsible for conversing with victims, they know what payment has been agreed. And if they handle the payment, they can be assured that they're getting the money they deserve. This is obviously not true in models where the operator is in control, which is actually the way most ransomware-as-a-service operations are run. So attracting affiliates enabled the group to scale operations significantly. There are some rules of engagement that most groups prescribe in their affiliate programs, and this was true for LockBit. However, these rules are obviously more difficult to enforce when you relinquish control, so some chaos did appear in the operation.
For example, in December 2022, an affiliate targeted the Children's Hospital in Toronto before the LockBit operator was forced to apologize and issue a decryption key for free, and then banned the affiliate. And then in 2023, a LockBit affiliate targeted Royal Mail. However, the LockBit admin, who goes by the LockBit and LockBitSupp personas on underground forums and in private communications channels, didn't seem to be aware that an affiliate was responsible for the attack, and originally denied that it was involved or that the company was one of its victims. But then, obviously after making some inquiries with their affiliates, they claimed it was a legitimate LockBit attack. So it wasn't just the devolved model that facilitated its expansion. Branding became a very important element of the LockBit operation. It seems clear the LockBit administrator became less concerned about the use of its own tools and really just looked to get any affiliates to use the LockBit infrastructure and post victims. For example, they were keen to use any ransomware in their operations, offering to buy lockers from other developers. They also tried to attract affiliates, and their existing victims, following the ALPHV, or BlackCat, takedown in December and the NoEscape ransomware exit scam that occurred in the same month. And we're also aware of affiliates operating independently and then subsequently using LockBit to publicize the breach and leak data, so effectively using the LockBit brand to increase pressure on victims to pay. Again, the brand arguably became the most important element of the operation. This was probably most obviously expressed when the LockBit admin offered to pay people $1,000 in Bitcoin to get LockBit tattoos, and sadly some people were only too willing to oblige. The full list of the personas who got a tattoo is available on GitHub, if anyone is interested.
And in their report on LockBit's finances, Chainalysis were actually able to identify specific Bitcoin wallets in receipt of the tattoo payments. So it's against this backdrop that law enforcement took action against the group. The first stage of the takedown happened at approximately 6PM Eastern Standard Time on Monday, February 19, when the LockBit leak site landing page was replaced with a seizure notice. This announced that control of the site had been taken over by an international law enforcement operation called Operation Cronos, led by the UK's National Crime Agency. The image included a statement that more information would become available at this location on Tuesday, February, at 06:30 EST. And revisiting the site at this time did indeed reveal the next stage of the takedown announcement, and this is what it looked like at the time. It really was cleverly done, and presented a series of actions that were taken in the exact style of the LockBit leak site, and it was clear even at this stage that this takedown was different from those previously undertaken by law enforcement. This is what part of that leak site looked like a few days later, after more tiles were added to explain the takedown. And investigating each individual tile revealed more. It involved real coordination of a number of different elements across multiple agencies across the world. So I'll go through some of these in more detail. First, the takedown was announced in coordinated press releases by the key agencies. The NCA announced the operation as the lead agency. The US Department of Justice also detailed the activity that US agencies had undertaken in the takedown, and Europol represented the role that a number of European agencies performed. And a series of tiles detailed the alleged extent of the seizure, actually claiming total compromise.
So this included a compromise of the back-end infrastructure, and it used screenshots of the LockBit admin panel and source code of the blog, or the leak site, and other core elements. It included capture of infrastructure associated with StealBit and its source code. StealBit is a custom data exfiltration tool that LockBit encouraged its affiliates to use, and unlike other exfiltration tools it actually automatically uploaded stolen data to LockBit infrastructure. It also included takedown of affiliate infrastructure that was identified through compromise of LockBit. But the takedown itself did not just target LockBit infrastructure; some individuals were also identified and targeted in associated activity. A suspect was arrested in Poland in relation to money laundering activities. Another suspect was arrested in Ukraine, but this time for unspecified reasons. And the French issued three arrest warrants. The US Department of Justice unsealed indictments against two suspected LockBit affiliates, while the Treasury Department named those same individuals in sanctions. Alongside this, I guess, real-world activity, the NCA provided a list of nearly 200 affiliate nicknames and presented affiliates with a warning when they logged into the LockBit panel, naming them where their names were known and suggesting they might be targeted by law enforcement in the future. Law enforcement also provided victim assistance as part of Operation Cronos. This included offering decryption keys to victims where they had them, and also providing an address to contact depending on where in the world the victim was. And they provided a free file recovery tool, designed by the Japanese police with Europol support. They also took the opportunity to re-emphasize the importance of reporting cyberattacks.
I think because the knowledge gained from ransomware incidents provides valuable insight about operating models and infrastructure that facilitates takedowns like this. But it was clear that psyops, or psychological operations, also played an important part in the law enforcement operation. Undermining faith in LockBit and sowing distrust in the community was seen as crucial, and this really represents a real departure from previous operations. It probably represents a response to Western law enforcement's inability to arrest individuals in uncooperative jurisdictions like Russia or other countries in the Commonwealth of Independent States. So in addition to mocking LockBit by mirroring the presentation of the leak site, they also seemed to revel in using the language of forums to announce the ban of the LockBit administrator, LockBitSupp, from their own leak site. And they referenced the bans of the persona on both the Exploit and XSS underground forums, which were caused by an affiliate arbitration issue. Law enforcement also added a tile that hinted that the real-world identity of LockBitSupp would be revealed. It turned out this wasn't the case. When eventually exposed after a four-day countdown, there was no real revelation there. Law enforcement hinted that they knew the identity of LockBitSupp, but provided no smoking-gun proof. They also suggested that this persona had, and I quote, "engaged with law enforcement". So what was the reaction to the takedown in the cybercriminal community on underground forums? Were there any early indications that the psyops, the psychological operations, had been successful?
Discussion on underground forums was mostly limited to XSS; there was little chatter elsewhere, including on the two other main forums, Exploit and RAMP. But first, one affiliate clearly responded exactly as law enforcement would have wanted and took to Twitter, now X, to express their frustration at LockBit, and they appear to have been spooked by being personally addressed when they logged into the affiliate panel. Another user, this time on the XSS underground forum, suggested that anyone working with LockBit should now run away from the program. Then speculation started about what might have led to LockBit's downfall, with a few users suggesting that an alleged collaboration with BlackCat, a group subject to law enforcement disruption itself in December, may have played a role. However, the bulk of the discussions we observed really involved speculation about how the infrastructure was compromised in the first place. Early on, LockBitSupp, the LockBit administrator, suggested that a PHP vulnerability was exploited for access, and this idea quickly took hold on forums. And following the revelation of the "Who is LockBitSupp?" tile, users jumped to the conclusion, likely intended by law enforcement, that LockBitSupp themselves might be an informant; the language in that announcement was probably deliberately ambiguous. So that's some of the early commentary we observed on underground forums, but what was the short-term impact of the takedown, and what might we see next? After the takedown of the leak site, the LockBitSupp persona posted a series of updates to their Tox account status that suggested they were working on standing up new infrastructure to support their operations. Their initial status showed that they were obviously keen to ensure the PHP vulnerability was eliminated from the new server.
They then posted daily updates about progress over the course of the following three days. And then finally, in February, they went live with a new leak site. This site was identical in appearance and structure to the leak site used before the takedown. It initially listed 12 victims, some of which had countdowns to data release, while others already claimed that data had been published. The number of victims has increased since then, and now stands at around 60, I think. Again, it's a strange mix of old and new victims. Some of these date back as far as October 2023, and it's not quite clear why the admin is taking this approach. But it appears to be an attempt, albeit a slow one, to restore the site to its former content. And you'll see that one of these tiles was actually for the FBI. This doesn't mean, of course, that the FBI was a victim of a LockBit ransomware attack. The admin just used this tile to point to the old LockBit victim data archive, which was actually not taken down under Operation Cronos. It also included a statement in English and Russian giving LockBit's view of what enabled the takedown and what they had done about it. It's fairly long, and much of it reads like a disconnected rant, and it even includes an unfounded conspiracy theory about law enforcement's motives for the takedown. So now the infrastructure is back up, we are likely to see affiliates continue to deploy LockBit. There are already some samples on VirusTotal that contain ransom notes with the URLs to the new infrastructure, including the leak site and negotiation portal. This suggests the ransomware has been observed in victim environments since the takedown. And the point really here is that even if the LockBit operation is diminished by the takedown, many of its affiliates are likely to continue deploying ransomware for other ransomware-as-a-service schemes. This really means the threat is not going away anytime soon.
So because of that, I now want to talk through some of the affiliate tradecraft we've seen. Observing and understanding it is essential to protecting our customers. But first I'll recap. The Gold Mystic threat group has operated its LockBit name-and-shame ransomware-as-a-service scheme since mid-2019, although it only posted its first victim around September 2020 and then became really active in mid-2021. Over the course of that period it obviously gained unauthorised access to thousands of organisations to deploy ransomware and extort victims with stolen data, and over that same period Secureworks incident responders investigated 22 compromises that featured LockBit ransomware, so that's from July 2020 through January 2024. You may have noticed that Secureworks had a tile on the seized LockBit site, and behind that was a link to our blog that we published at the same time, covering our insights from those 22 engagements. I'll go over a few of these incidents here by way of example. In mid-2023, we saw a threat actor aggregate sensitive files into a single folder on the network for exfiltration using the FileZilla tool, before they then uninstalled the Cisco Secure Endpoint solution. This is obviously designed to try to evade detection of any further activity. And then four and a half hours after the first observed malicious behavior, the threat actor deployed ransomware, and they did this from two domain controllers, probably using batch scripts that went out to multiple hosts in the environment. The affiliate toolkit here included Advanced Port Scanner, which is an off-the-shelf tool used to identify open ports and also determine software versions that are running on a system. They used Impacket, a collection of Python modules that enable remote code execution, credential dumping, Kerberos manipulation, and also relay attacks.
They collected passwords from the network using LaZagne, and then used FileZilla, as I've said, which is a free open-source file transfer protocol solution for transferring files. And, of course, they then deployed the LockBit ransomware. In a second instance, this time in early 2022, we saw a network administrator at an organization in the Middle East download cracked software that contained the RedLine infostealer. RedLine, like any other infostealer, collects system information alongside credentials, cookies, and session tokens that are stored in the web browser. And then one week later, we saw those stolen credentials used to access a Citrix app server and then move laterally using RDP, Remote Desktop Protocol, and enumerate domain controllers with nltest. The threat actor then spent a day exploring multiple files on the network in search of sensitive information to exfiltrate. The toolset they used this time, obviously in addition to the RedLine infostealer that stole the credentials, was SoftPerfect Network Scanner, which is an open-source tool that enables identification of open ports on a network. They used Mimikatz to harvest credentials. They used AdFind to query Active Directory and then deployed PsExec, which is a legitimate Sysinternals utility used for remote code execution. They used CleanWipe, again to disable antivirus, in this case Symantec. And they also used StealBit, which, as I mentioned, is a tool developed by Gold Mystic to facilitate data exfiltration in LockBit ransomware intrusions. And then they deployed, on this occasion, LockBit version 2, which was used to encrypt devices on the victim's network. We've also seen LockBit affiliates target VMware ESXi using ESXi-compatible versions of the ransomware. LockBit launched its version in late 2020.
A number of other groups have done the same. This can sidestep defenses seen on Windows systems like antivirus and endpoint detection and response solutions, and it can have a fairly devastating impact by encrypting all virtual hosts simultaneously. Obviously, this depends on how an organization has its virtualized environments configured. In one incident, we saw LockBit access a network via a Fortinet VPN before conducting discovery on the network and then encrypting a single VMware ESXi host with 25 virtual machines on it. And in another incident, we actually saw a training device with no endpoint detection and response rolled out on it. From there, they were able to authenticate to a domain controller, conduct some network discovery and lateral movement, again using Remote Desktop Protocol, before they installed MobaXterm on the domain controller and then managed to encrypt three VMware ESXi hosts. But not all affiliates seek to encrypt systems. In late 2023, we saw the Citrix Bleed buffer overflow vulnerability in NetScaler ADC and NetScaler Gateway exploited for access before SoftPerfect Network Scanner was used for network discovery. We then saw Zoho Assist used for persistent remote access, and then the threat actor conducted reconnaissance, which included establishing a list of current users and domain controllers. They then distributed the ransom note via a very, very simple batch script. And importantly, this ransom note made no mention of encryption. That wasn't the aim of this operation. It was simply to steal data and hold it to ransom. We're also aware of copycats. Given the power of the LockBit brand, it's actually not surprising that we've seen individuals looking to use the LockBit name to extort and/or commit fraud against victims. We've observed two forms of copycatting.
In one case, the threat actor deployed ransomware and then invoked the LockBit brand for credibility, even though LockBit ransomware had not necessarily been used. And in the second case, they threatened an attack, on this occasion by email, again citing the LockBit brand, but they hadn't actually performed an attack. This threat lacks obvious credibility, and it's likely that the template is used to attempt to extort a number of different organizations. We also saw, in one incident at the end of 2022, an affiliate deploy the LockBit 3.0 ransomware. But, importantly, the ransom note that was deployed in this case didn't reference the usual negotiation channels. We assessed at the time that this was likely a rogue actor using the leaked LockBit 3.0 builder, and I think that was leaked in September 2023, a couple of months before this intrusion took place. We've also observed some other activity: other threat actors have actually constructed fake leak sites that are designed to mimic the LockBit brand. We have many more examples of tradecraft outlined in the document I've already referenced, and it also includes the recommendations our incident responders make in their investigations and analyses. So I think it's clear that LockBit has not gone away. And while the impact might be reduced, some affiliates will continue to operate or even go to other ransomware-as-a-service operations, ensuring that the ransomware threat is clearly still there. So what recommendations do Secureworks incident responders make to customers in the wake of ransomware attacks? For the most part, LockBit's affiliates use generally the same tactics, techniques, and procedures and tools as other groups engaged in ransomware. So detecting precursor activity is crucial to defending against the threat.
During LockBit engagements, Secureworks incident responders have provided detailed recommendations for victims of ransomware or data theft. The guidance focuses on three key areas: preventing initial access, preventing or detecting post-compromise activity, and implementing changes that will enable the proper assessment of root cause, which can then facilitate successful remediation. In terms of preventing initial access, you should implement a patch management program. Ensuring that services and applications are running the most up-to-date versions is critical in defending against hostile vulnerability scanning and exploitation, and identifying end-of-life services and replacing or removing them is also crucial. Regular vulnerability scanning against the perimeter is important for identifying such services. You should also limit access to services or devices from external resources, so only make services accessible from the Internet if absolutely necessary. You should also block downloads from untrusted sources: allow-listing sources or using a software management tool prevents the download and installation of unauthorized applications. You should implement a robust access policy, enforcing strong multi-factor authentication across all Internet-facing services, and ensure that any old or legacy accounts are removed, because they might not have been involved in the MFA rollout. You should use a password manager, preferably one that saves locally rather than in the cloud, to store passwords. Saving passwords in a browser is a real no-no, as it significantly increases the risk of exposing corporate credentials, because browsers are specifically targeted by malware like infostealers. You should also educate users on the current trends in phishing, social engineering and other malware delivery techniques.
For example, IT staff in particular should be aware of social engineering involving bogus user password resets that can be facilitated by SIM swapping. And you should regularly test security frameworks through penetration testing or tabletop exercises. You should also harden VMware ESXi hosts as part of preventing post-compromise activity. VMware ESXi represents a high-value asset targeted by multiple ransomware groups including LockBit affiliates, and the use of endpoint detection and response agents on those services, if compatible, and native logging exported to a SIEM can provide warnings of threat actor activity. VMware publishes hardening guidelines for many of its product suites, which you should closely follow if you have these services on your network. You should restrict application or tool usage to specific users and/or hosts. So regular users should not be able to execute certain code, for example PowerShell, on their systems if there is no business requirement for them to do so. You should also create application allow lists for users dictated by business needs and restrict the software that can be accessed by users to limit the use of legitimate but potentially dangerous software. In terms of remediation, creating reliable backups is very sensible. Having data properly backed up is pretty much essential to quickly recovering from ransomware attacks and often removes the perceived need to negotiate payment in return for a decryption key. And ransomware groups are known to target backups; for example, LockBit ransomware attempts to delete shadow copies on execution, so ensure that backups are air-gapped or isolated from production environments. You should also centralize event logging, and ensure that the correct information is collected. Logs are critical to identifying the root cause and full extent of an intrusion.
Without them, it's not always possible to identify and remediate all access vectors, which could allow a threat actor to re-enter the environment. And you should also engage incident response as early as possible after suspecting a compromise; thoroughly investigating activity before reimaging devices, so that forensic analysis is possible, allows the identification of root cause and a more full remediation of an intrusion, and is essential. And you might have noticed one thing I haven't mentioned as an essential recommendation in all three of these elements, and that's to deploy an extended detection and response solution like Taegis. Having sight of activity on endpoints and receiving timely alerts are crucial elements for identifying activity in the run-up to ransomware attacks. And even a very small window of opportunity can be enough to take action and prevent devastating impact. So you need to ensure that any XDR or EDR solution is rolled out robustly and does not overlook devices that might be used to stage activity. For example, Secureworks incident responders have observed LockBit affiliates exploiting network training devices and a proof-of-concept server that were not enrolled in an endpoint detection and response solution. And importantly here, we in the CTU build our understanding of these threats so that our customers benefit, and our learning is baked into the Taegis platform through various countermeasures. And, obviously, we're now sharing this information with the wider community in this presentation. So there are a couple of questions in the chat, and I'll answer some of those here, but we'll follow up on any we don't get to in email or with direct contact with the questioner. So, the first question, let me read this. You mentioned that the takedown operation has had an impact, but from a law enforcement perspective, what do you think success looks like?
And do you think that is likely to be achieved? I I think success is pretty difficult to measure. There will almost certainly be some organizations that won't become victims as a result of this action, which is obviously a good thing. But for longer term impact, I think this is probably where the psychological operation side of side of things come in. Obviously, individuals haven't been arrested, but the but the the core operators haven't been arrested. So will it end up being effective in undermining the lock operation and or putting affiliates off involvement in RentSmurant altogether. I think it's certainly possible LockBit will not return to its former status. I I'd be surprised if all all of all affiliates return or if it's able to attract as many as it had previously. But, obviously, that in itself does not necessarily translate into a reduction of the ransomware threat per se. I think it's likely that some, maybe most of those affiliates will go elsewhere. I mean, the real test will be the impact in overall victim numbers over time across all ransomware groups. And whether or not it there's a permanent drop as a result of the action, remains to be seen. I think there might be some long term impact, but I don't think it will ultimately be all that significant necessarily. So another question. You talked about multiple affiliates compromising environments in the IR engagements you observed, but were you able to identify any that involve the same affiliate? Is it possible to do that? So we did have engagements with some common indicators. So we had a couple where the threat actor used the same desktop. So the the the the there was a common name in the in the desktop name that the threat actor used probably on their their virtual machine. But that alone probably wasn't enough to confirm attribution. 
Obviously, with the Diamond Model, you want to see other indicators, for example tradecraft, kind of, I guess, a model of targeting, although in ransomware that's quite difficult because the targeting is fairly opportunistic and indiscriminate. We do see a lot of common tools across engagements, but attribution, again, is fairly challenging where we see common tools, because ransomware operations very often share common playbooks. So the same tools will be used, sometimes even identical hashes or versions of software. And we saw that in, I think it was around August 2022, with the Conti ransomware group. There was a leak of their playbook, and it provided quite prescribed activity their affiliates could take: the tools they should use to gain access, the tools they should then use in their post-compromise activity, and also some of those tools are legitimate. They're kind of living-off-the-land binaries, things that might already exist in a victim environment. And in those cases, obviously, it's very difficult to draw conclusions about the use of those tools when we see them used across a number of different affiliates on a number of different ransomware-as-a-service schemes. We might also see some shared infrastructure, although that's likely, and that would probably give us the best indicator of whether or not it's the same group. So, for example, with Citrix Bleed, the exploitation we saw, we did see some of that activity, although it didn't actually result in LockBit in some cases because our platforms alerted customers quickly enough to that activity, so they were able to take remediation action. But, obviously, with the infrastructure, it can be quite challenging because they might also share, say, the same IPS servers or virtual servers in support of their operations. So I think I'll leave the questions there. There are a couple of others that we'll get to offline.
So with that, I'll end the podcast. Sorry, I'll end the webinar. Before I go, quickly, I'll just drop a reminder in for attendees looking to get their CPE credits through (ISC)². All you have to do is click on the request CPE credit module. So with that, I will sign off and wish you a great day. Thanks very much.
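Two of the defensive recommendations from the webinar, watching for shadow copy deletion and restricting tools such as PowerShell to users with a business need, are illustrated below as detection logic run over sample process-creation events. This is an added example and is not code from the webinar, from Secureworks or from the Taegis platform. The flattened key=value event format, the hostnames, the user names and the allow list are constructed assumptions; in practice the same checks would run in the SIEM over Sysmon Event ID 1 or Windows Security Event ID 4688 process-creation records.

```python
"""Detection helpers for two ransomware defence recommendations:
shadow copy deletion (MITRE ATT&CK T1490) and tool use by users
without a business need (e.g. PowerShell, vssadmin, wmic).

Everything below (event format, hosts, users, allow list) is a
constructed assumption for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample events, flattened to key=value by an assumed SIEM.
# Quoted values may contain spaces; bare values may not.
SAMPLE_EVENTS = [
    'ts=2024-02-20T03:12:05Z host=FS01 user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\vssadmin.exe '
    'cmd="vssadmin.exe delete shadows /all /quiet"',
    'ts=2024-02-20T03:12:06Z host=FS01 user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'cmd="wmic shadowcopy delete"',
    'ts=2024-02-20T03:15:00Z host=WS22 user=CORP\\jdoe '
    'image=C:\\Windows\\System32\\vssadmin.exe '
    'cmd="vssadmin list shadows"',
    'ts=2024-02-20T03:20:00Z host=WS22 user=CORP\\jdoe '
    'image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'cmd="WINWORD.EXE /n"',
    'ts=2024-02-20T03:21:00Z host=WS22 user=CORP\\jdoe '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell.exe -NoProfile -Command Get-Process"',
]

# key=value pairs; the value is either "quoted" or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command lines that remove Volume Shadow Copies (T1490). Whitespace is
# collapsed before matching so padding does not evade the patterns.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

# Constructed allow list (assumption): executable name -> users with a
# documented business need to run it. Anyone else triggers an alert.
TOOL_ALLOWLIST = {
    "powershell.exe": {"CORP\\it_admin"},
    "vssadmin.exe": {"CORP\\svc_backup"},
    "wmic.exe": {"CORP\\it_admin"},
}


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    cmd: str


def parse_event(line: str) -> dict:
    """Turn one flattened key=value line into a dict of field -> value."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def normalized_cmd(event: dict) -> str:
    """Collapse runs of whitespace so pattern matching is stable."""
    return " ".join(event.get("cmd", "").split())


def detect_shadow_copy_deletion(lines) -> list:
    """Alert on any process whose command line deletes shadow copies,
    regardless of who ran it: backup accounts are exactly what gets abused."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = normalized_cmd(event)
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            alerts.append(Alert("shadow_copy_deletion",
                                event.get("host", ""), event.get("user", ""), cmd))
    return alerts


def detect_unauthorized_tool_use(lines, allowlist=TOOL_ALLOWLIST) -> list:
    """Alert when a restricted tool is run by a user outside its allow list."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        exe = event.get("image", "").rsplit("\\", 1)[-1].lower()
        user = event.get("user", "")
        if exe in allowlist and user not in allowlist[exe]:
            alerts.append(Alert("unauthorized_tool_use",
                                event.get("host", ""), user, normalized_cmd(event)))
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS) + \
            detect_unauthorized_tool_use(SAMPLE_EVENTS):
        print(f"{alert.rule:24} {alert.host:6} {alert.user:18} {alert.cmd}")
```

On the constructed sample the shadow copy rule fires twice on FS01, including for the backup service account that is permitted to run vssadmin, which is the point: an allow list on its own does not catch a compromised account doing the one thing it is allowed to do, so the behavioural rule has to run alongside it. The allow-list rule separately flags wmic from the backup account and vssadmin and PowerShell from a regular user, while the benign `vssadmin list shadows` does not trigger the deletion rule.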