
Cyber Safeguard Workshop:

Building Resilience Together

Exclusive Lunch Event


23rd of Aug, 2023
Welcome Opening
Brigitta Prisca

Event Host

protergo.id
Welcome Speech
Marco Cioffi

Co-Founder
Protergo Cyber Security
The Largest Cyber Security Company in Indonesia
About Our Company
Protergo is a cyber security company focused on delivering world-class cyber
security solutions and services to various market segments; one of our key focus
areas is the financial service industry.

We are here to protect Indonesia from cyber threats.

Wide Media Coverage

©2023 PT. PROTERGO SIBER SEKURITI, ALL RIGHT RESERVED protergo.id


Why is Protergo Unique?

• Service Level Agreement-driven Indonesian cyber security company
• Trusted by more than 80 clients all around Indonesia, with the same professional founding team as Data Center Indonesia
• Trusted for the largest penetration testing project in Indonesia, for a telecom provider
• Most advanced experience in penetration testing and security operation center
• Our competitors focus on the Security Operation Center; we also offer Professional Response Playbooks and Digital Forensics
• Our competitors offer standard penetration testing; we are ready for Red Teaming (simulating phishing, physical and real attacks)

Trusted by industry standards

• Protergo's penetration testing and SOC have been used by many banks for BI/OJK compliance, and received 0 complaints
• Protergo holds ISO 27001 certification; its penetration testers hold OSCP and CEH, and its security operation center staff hold CySA+ and CHFI



Agenda for Today

1. Recent Cyber-Security Incidents
2. Hacking Simulation
3. Protergo’s Solutions
Recent Cyber-Security Incidents

Reza Ahmad N.

Head of Pre-Sales
Protergo Cyber Security



Indonesia Cyber Security Landscape In 2022

Top 10 sources of anomalies             Top 10 destinations of anomalies
 1. USA             213.451.490          1. Indonesia       539.933.976
 2. Indonesia       193.250.972          2. USA             117.504.939
 3. Netherlands      27.857.574          3. Germany          13.906.055
 4. China            22.894.253          4. Singapore        12.226.894
 5. Russia           13.111.832          5. Canada            8.463.939
 6. Singapore        11.193.352          6. Netherlands       6.669.047
 7. United Kingdom   10.894.478          7. Russia            6.449.615
 8. Germany           8.809.948          8. China             4.657.653
 9. South Korea       8.712.496          9. United Kingdom    3.793.598
10. France            7.705.614         10. France            3.785.477

Source: https://bssn.go.id/lanskap2022/ (BSSN, Annual Report of the Honeynet Project, Year 2022)

[Chart: malware attack recaps per month, in millions (BSSN)]
Ransomware Activity

Top five ransomware groups by the number of published victims

H1 2022                 H2 2022                 Q1 2022
LockBit        364      LockBit        368      LockBit        272
REvil          253      BlackBasta     176      Vice Society   164
Conti          173      BlackCat       113      BlackCat        85
BlackCat       100      Royal           74      Cl0p            84
Vice Society    54      BianLian        72      Royal           65
Other          384      Other          539      Other          212

Source: https://securelist.com/new-ransomware-trends-in-2023/109660/
Ransomware Activity

[Chart: frequency of announced ransomware victim counts so far in 2023 (source: SOCRadar)]
LockBit Impact

• 1500 victim announcements
• $34.8 million revenue loss
• $7.3 million mitigation expenses

Source: Atento report on the impact of the LockBit attack in 2021


LockBit Impact: it can exceed billions of dollars
LockBit History

Sep 2019: LockBit (ABCD) launched
Jan 2020: Begins RaaS affiliate program, advertising on XSS
May 2020: Begins working with the Maze gang
Sep 2020: Creates own leak site
Jun 2021: LockBit v2.0 debuts
Aug 2021: Accenture attack
LockBit v1.1

• IP-based geolocation
• Persistence via COM interface task scheduling and Windows registry hive
• Appending encrypted files with .abcd
• First ransom note version
• Debug file
• High CPU usage during encryption
• Use of exact copy of PhobosImpostor mutex
LockBit v1.2

• Extension changed from .abcd to .lockbit
• Debug function removed
• Packed ransomware
• Mutexes changed from static to dynamic
• Digitally signed
LockBit v1.3

• Ransom note updated


Standard LockBit v2.0 Infection Chain

LockBit v2.0

• Released June 2021
• Now uses double extortion via StealBit malware
• Uses group policy update to encrypt networks
• Faster encryption
• Print bombing
• Wake-on-LAN feature
• New desktop wallpaper
• UAC bypass
LockBit 2.0: Accenture, Aug 2021

Ransomware operators have stolen databases containing over 6 TB of data and
are demanding a $50 million ransom from the company.
https://cybernews.com/security/the-lockbit-2-0-ransomware-attack-against-accenture-time-is-running-out/
Restarted Affiliate Program

Features of the Affiliate Program:

• Affiliates set their own ransom
• Choose the method of payment
• Collect 80% of the ransom
• Don’t work in Commonwealth of Independent States (CIS) countries
• Only experienced pentesters (penetration testers) need apply
• Affiliate receives payment directly from the victim, then pays the LockBit gang
LockBit 3.0 Changes and New Features

LockBit 3.0 ransomware leak site

LockBit has also added an instant search tool to their leak site:
Typical LockBit Operation
LockBit 3.0 Payloads and Encryption

PEStudio view of LockBit 3.0 Payload


LockBit 3.1 Payloads and Encryption

PEStudio view of LockBit 3.1 Payload


LockBit 3.0 Payloads and Encryption

LockBit 3.0 Desktop Wallpaper


LockBit 3.1 Payloads and Encryption

LockBit 3.1 Desktop Wallpaper


LockBit 3.0 - 3.1 Payloads and Encryption

The extension appended to newly encrypted files also differs per campaign or sample; for example, we
have seen “HLJkNskOq” and “ddbPFTiN9”. Both the encrypted files and the ransom notes are prepended
with the campaign-specific string.
LockBit 3.0 Payloads and Encryption

LockBit 3.0 Ransom Note Excerpt


LockBit Real Case
LockBit Ransomware Real Case #1

● Initial Access Point

According to the data obtained from the victim, LockBit affiliate members used the BlueKeep (CVE-2019-0708)
vulnerability and the valid credentials of a local admin user to gain access to the victim network by abusing the
publicly facing Remote Desktop Protocol (RDP) on a device running Windows 7.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-168a
LockBit Ransomware Real Case #1

● First execution
LockBit Ransomware Real Case #1

● Ransom note wallpaper and .ico file written into C:\ProgramData\:

Dropped wallpaper

.ico file for changing the icon of encrypted files
LockBit Ransomware Real Case #1

● WriteFile Operation for the creation of README.txt and icon file


LockBit Ransomware Real Case #1

● Killing Windows Defender and tampering with the Windows Event Log


LockBit Ransomware Real Case #1

● After the registry key change, the Enabled value is set to 0 and a new security descriptor
(O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)) is applied to tamper with the Event Logs.
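An added example (not from the slides or from Protergo): Python that parses the security descriptor quoted above and audits exported event-log channel settings for the two changes described, Enabled set to 0 and read access narrowed to SY/BA/LA. The registry location and access bits are standard Windows; the two sample channel entries are constructed for the demo, not real defaults.

```python
import re
# ChannelAccess of a Windows event-log channel lives under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<name>;
# its access bits are 0x1 = read, 0x2 = write, 0x4 = clear.
READ = 0x1
# Descriptor quoted on the slide: read for SYSTEM (SY), read+clear for
# Administrators (BA), read for the built-in Administrator (LA), nobody else.
LOCKBIT_SDDL = "O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)"
PRIVILEGED = {"SY", "BA", "LA"}

def parse_sddl(sddl):
    """Split SDDL into owner, group and DACL ACEs ({"type", "mask", "trustee"});
    mask is an int when the rights field is hex, as it is for event-log channels."""
    owner = re.search(r"O:(.*?)(?=G:|D:|S:|$)", sddl)
    group = re.search(r"G:(.*?)(?=O:|D:|S:|$)", sddl)
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) != 6:  # malformed ACE: skip rather than guess
            continue
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        mask = int(rights, 16) if rights.lower().startswith("0x") else None
        aces.append({"type": ace_type, "mask": mask, "trustee": trustee})
    return {"owner": owner.group(1) if owner else None,
            "group": group.group(1) if group else None, "aces": aces}

def audit_channel(enabled, channel_access):
    """Findings for one channel's Enabled value and ChannelAccess SDDL."""
    findings = []
    if enabled == 0:
        findings.append("Enabled=0: channel switched off")
    if channel_access == LOCKBIT_SDDL:
        findings.append("ChannelAccess equals the descriptor from the LockBit case")
    readers = {a["trustee"] for a in parse_sddl(channel_access)["aces"]
               if a["type"] == "A" and a["mask"] is not None and a["mask"] & READ}
    if readers and readers <= PRIVILEGED:
        findings.append("read access cut back to SY/BA/LA only")
    return findings

# Constructed sample (not real Windows defaults): one untouched channel and
# one altered the way the slide describes.
SAMPLE_CHANNELS = {
    "Application": (1, "O:BAG:SYD:(A;;0x3;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)"),
    "Security": (0, LOCKBIT_SDDL),
}

def audit_all(channels=SAMPLE_CHANNELS):
    # Keep only channels that produced at least one finding.
    return {name: hits for name, (en, sd) in channels.items()
            if (hits := audit_channel(en, sd))}
```

On a live host the same checks can be fed from an export of the WINEVT\Channels key; any channel with Enabled=0 or a DACL readable only by SY/BA/LA deserves a look.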
LockBit Ransomware Real Case #1

● Encrypted File Structure

Decryption ID Marker
LockBit Impact
Impact of LockBit 3.0

• Data Destruction
• Data Encrypted
• Service Stop
• Inhibit System Recovery
• Internal Defacement
Recent Data Privacy Incidents

2021: Mobile App Privacy Controversy
• Unauthorized data sharing
• Improper use of customer information

2022: XYZ Bank Data Breach
• Potential identity theft
• Financial fraud

Examples of Cybersecurity Breaches and Consequences

Common Cyber Risk & Threat

• Phishing
• Malware
• Ransom
• Data Breaches
• DDoS
• Hacker Intrusion
• Social Engineering
• Viruses
• Lost Backup Tape

Live Demonstration
Hacking Simulation
About Protergo
Faiz Wirananda

Head of Sales
Protergo Cyber Security



ABOUT PROTERGO

PROTERGO CYBER
SECURITY

DATA LEAKAGE: WHAT WE CAN LEARN FROM THE UBER CASE AND HOW TO PLAN THE BUDGET FOR NEXT YEAR
Our Certifications

Our World Class Partners

Our Innovative Solutions

• Security Operations Center service: the Protergo team monitors and analyzes the traffic within an organization’s infrastructure 24/7 to block any cyber-attacks.
• Threat intelligence service: gather, process, and analyze data in the dark web and underground forums to identify or detect data leakages.
• Next-generation antivirus and endpoint protection: protect end-devices from cyber attacks.
• Penetration testing service: identify vulnerability points within a web application, mobile application, APIs, and infrastructure.
• OUR NEW PRODUCT: Consulting Services, specializing in three key areas: IT Assessment, Cyber Security Maturity Review and Pre-Audit Assessment.

Sleep well,
We got you covered.

www.protergo.id
Contact Us
info@protergo.id
