What the Kidnapping & Ransom Economy Teaches Us About Ransomware

SESSION ID: SEM-M03 #RSAC
Jeremiah Grossman, Chief of Security Strategy, SentinelOne, @jeremiahg
What the Kidnapping & Ransom Economy Teaches Us About Ransomware

Transcript of What the Kidnapping & Ransom Economy Teaches Us About Ransomware

THE BIRTH OF A $BILLION CYBER-CRIME INDUSTRY


“THE FBI RECENTLY PUBLISHED THAT RANSOMWARE VICTIMS PAID OUT $209 MILLION IN Q1 2016 COMPARED TO $24 MILLION FOR ALL OF 2015.”


Dec 11, 1989: 20,000 envelopes containing 5 1/4" floppy disks loaded w/ the first known ransomware (‘AIDS') were mailed.

MEDICAL CARE, TRANSPORTATION, GOVERNMENT, EDUCATION, POLICE, IOT, SECURITY, PEOPLE, HOTELS

Internet of Things

“FAMILY MEMBER'S TV IS BRICKED BY ANDROID MALWARE. #LG WON'T DISCLOSE FACTORY RESET. AVOID THESE "SMART TVS" LIKE THE PLAGUE.”

People

“A 'RANSOMWARE' PROGRAM HAD INFECTED HIS COMPUTER ALLOWING THE HACKERS TO FILM HIM THROUGH THE WEBCAM. HE HAD BEEN FILMED IN A COMPROMISING SITUATION. NOW THEY WANTED MONEY.”

Hotels

“ONE OF EUROPE'S TOP HOTELS HAS ADMITTED THEY HAD TO PAY THOUSANDS IN BITCOIN RANSOM TO CYBERCRIMINALS WHO MANAGED TO HACK THEIR ELECTRONIC KEY SYSTEM, LOCKING HUNDREDS OF GUESTS OUT OF THEIR ROOMS UNTIL THE MONEY WAS PAID.”

Transportation

“A RANSOMWARE ATTACK TOOK TICKET MACHINES FOR SAN FRANCISCO'S LIGHT RAIL TRANSIT SYSTEM OFFLINE ALL DAY SATURDAY DURING ONE OF THE BUSIEST SHOPPING WEEKENDS OF THE YEAR, BUT RATHER THAN SHUTTING DOWN, THE AGENCY DECIDED INSTEAD TO LET USERS RIDE FOR FREE.”

Event Security

“CRIMINALS INFECTED 70% OF STORAGE DEVICES TIED TO CLOSED-CIRCUIT TVS IN WASHINGTON DC EIGHT DAYS BEFORE THE INAUGURATION OF PRESIDENT DONALD TRUMP.”

Emergency Services

“THE ATTACK FORCED DEPARTMENTS SUCH AS THE LICKING COUNTY 911 CENTER, COUNTY AUDITOR'S OFFICE AND CLERK OF COURTS TO PERFORM THEIR JOBS WITHOUT THE USE OF COMPUTERS OR OFFICE TELEPHONES.”

Law Enforcement

“LOST DATA GOES BACK TO 2009. DATA FROM THAT PERIOD BACKED UP ON DVDS AND CDS REMAINED INTACT. WHILE ARCHIVED DATA HAS ITS IMPORTANCE, MORE WORRYING IS THAT THE DEPARTMENT LOST DATA FROM ONGOING INVESTIGATIONS.”

Medical Care

“THE TRUST DID NOT PAY ANY RANSOM AS A RESULT OF THE ATTACK BUT IT DID HAVE TO CANCEL 2,800 PATIENT APPOINTMENTS DURING 48 HOURS WHEN IT SHUT DOWN SYSTEMS.”

Industry Reports and Anecdotes

IBM Security’s X-Force (Dec, 2016)

70% of Enterprise Ransomware Victims Paid Up.

20% of compromised organizations paid more than $40,000 (USD).

25% have paid between $20,000 (USD) and $40,000 (USD).

SentinelOne (Nov, 2016)

Over the past 12 months, 50% of organizations have responded to a ransomware campaign.

Of those organizations that suffered a ransomware attack in the past 12 months, 85% stated that they were hit with three or more attacks.

Kaspersky Lab (Dec, 2016)

The number of ransomware infections suffered by companies rose 3-fold from January to September.

1-in-5 businesses worldwide has been a victim of ransomware, and the rate of ransomware attacks increased from one every 2 minutes to one every 40 seconds.

The Ransomware Landscape

Not all critical systems are backed-up

Your Anti-Virus software SUCKS

Infection rates rising fast (still)

Rising ransom demands

CFOs - or their law firms - must learn how to transact in Bitcoin

Innovation in business models, victim targeting, and malware

Cyber-Insurance reimbursement

Kidnapping & Ransom (“K&R”)

REPORTEDLY A $500 MILLION (USD) MARKET

Hollywood (LA Times)

“In 75 BCE, 25-year-old Julius Caesar was sailing the Aegean Sea when he was kidnapped by Cilician pirates. When the pirates asked for a ransom of 20 talents of silver, Caesar laughed in their faces. They didn't know who they had captured, he said, and demanded that they ask for 50 (1550 kg of silver), because 20 talents was simply not enough.”


“On OCT 22, the family of billionaire Pearl Oriental Oil chairman Wong Yuk-Kwan paid Taiwanese kidnappers $1.68 million (USD) in bitcoin after they threatened to “dig out the eyeballs or chop off the legs” of Yuk-Kwan.”


"Most of Somalia's modern-day pirates are fishermen who traded nets for guns. They've learned that ransom is more profitable than robbery, and rather than squandering their loot, they reinvest in equipment and training."


“An ordinary Somali earns about $600 (USD) a year, but even the lowliest freebooter can make nearly 17 times that — $10,000 (USD) — in a single hijacking. Never mind the risk; it's less dangerous than living in war-torn Mogadishu.”


“Fewer than 1-in-3 hijack attempts is successful. A savvy captain can ward off marauders by maneuvering the ship to create a turbulent wake while calling for help. If the attackers don't board within 15-min, a nearby naval ship might send a helicopter gunship. Once the pirates control the vessel, though, it's game over: Like convenience-store clerks, crews are trained not to resist.”

High Seas Piracy Mission Set-up & Costs

$50K-$250K (USD) in seed capital

Crew of 12-24 men (varied skills)

Speed boats, larger ship to launch boats, caterer, ladders, ropes, intelligence, weapons, communications, etc.

Select targets by the cargo, owner, and port of origin

“Trustworthy” financial system for money-laundering

Back Office Logistics

Tribe Elders: Liaisons with the outside world

Financiers: Capital comes from local businessmen as well as the Islamist militant group

Commander: Marshals resources, recruits crew, and organizes operations

Security Squad: Protects the commander, ferries supplies and backs up attackers

Mother Ship Crew: Extends the marauders' reach hundreds of miles out to sea; carries the attack squad

Attack Squad: Made up of fishermen

Negotiators: English speaking; Point of contact for the hostage takers

Negotiation Process

May take days, weeks, months — sometimes years

Negotiations by professional K&R consultants (ex-military, law enforcement, or intelligence)

No “supernormal profits.”

"Pirates routinely demand far more than they expect to receive. For catches with valuable cargo, bargaining can open at 10 times the previously highest settlement. The limiting factor is time: With each passing day, chances increase that a hostage will die or the ship will become damaged, and the likelihood of a peaceful resolution — and a fat bag of cash — dwindles."


“One new technique is to airdrop the money. A million dollars in $100 notes weighs about 29 pounds. It is placed into a container like an inflatable ball and dropped out of an airplane using a parachute guided by a Global Positioning System.”

Divvying Up the Booty

Reimbursement of supplier(s)

Financiers: 30-70% of the ransom

Elders: 5-10% of the ransom (anchoring rights)

Crew: Remaining sum divided up by shares

“Gullestrup's ship and crew were returned safely, although the pirates didn't actually want to get off the ship right away. That's because they were afraid of getting robbed by other pirates on their way back to shore, Gullestrup says, so he gave them a ride north, dropping them closer to home.”

High Seas Piracy Prevention

Armed private security guards on board ships

Shippers harden vessels or take evasive action

A change in Somalia at national and local level

Pre-emptive action by combined navies in the region

“It lasted just a few minutes, with a helicopter crew launching from a ship just offshore and raking beached and unmanned pirate speedboats - known as "skiffs" - with machine-gun fire. Fuel stores and other equipment were also fired on, but EU Navfor says there were no casualties on either side and there were no European "boots on the ground.”

Kidnapping & Ransom Insurance originated following the kidnapping of Charles Lindbergh’s baby in 1932. The boost in policies began in the late 70’s.

Kidnapping & Ransom Insurance

“K&R INSURANCE IS DESIGNED TO PROTECT INDIVIDUALS AND CORPORATIONS OPERATING IN HIGH-RISK AREAS AROUND THE WORLD. LOCATIONS MOST OFTEN NAMED IN POLICIES INCLUDE MEXICO, VENEZUELA, HAITI, AND NIGERIA, CERTAIN OTHER COUNTRIES IN LATIN AMERICA, AS WELL AS SOME PARTS OF THE RUSSIAN FEDERATION AND EASTERN EUROPE.”


“The insurance business is a gamble. Insurers know that some ships will be hijacked, forcing the companies to dispense multimillion-dollar settlements. However, they know the chance of this happening is minuscule, which by the calculations of their industry makes it worth issuing policies.”

“K&R” Insurance Carriers: AIG, Travelers, Hiscox, Chubb, XL Catlin, Chartis

K&R Insurance Coverage

Ransom Amount

Transportation Costs

Accidental Death or Dismemberment

Legal Liability

Medical Expenses

Crisis Response Team

Lost Wages

Replacement Personnel Costs

Extortionist Bounty


“All kidnapping insurance is either written or reinsured at Lloyd’s of London. Within the Lloyd’s market, there are about 20 firms (or “syndicates”) competing for business. They all conduct resolutions according to clear rules. The Lloyd’s Corp. can exclude any syndicate that deviates from the established protocol and imposes costs on others. Outsiders do not have the necessary information to price kidnapping insurance correctly.”

Costs and Fine-Print

Price varies: $500 a year for $1M (USD) of liability coverage; $50,000 for $25M (USD) in coverage

Policy Confidentiality

Ransom is reimbursed, not paid directly

Customer Training

LA Times

What Does the Kidnapping & Ransom Economy Teach Us About Ransomware?

Similarities

Sentient adversary

When you are a victim, you know it (unlike traditional malware)

Time is on the adversaries' side

Adversaries leverage fear and anxiety

Bilateral monopoly (1 buyer, 1 seller)

Market value of the ‘asset’ is subjective, and very little information is available

Victims are targeted (not always in ransomware)

If adversaries break an agreement, they'll ruin the business for everyone

LA Times

Differences

Ransomware requires far less in upfront costs and logistics

Ransomware is less risky for adversaries (attribution)

Ransomware hostage (the data) is not a witness

Ransomware scales

Ransomware negotiation process is way faster

Ransomware is easier to pay logistically (Bitcoin vs cash)

LA Times

Trends

Ransomware campaigns increasingly professionalized and funded

Emergence of professional ransomware negotiators

Cyber-insurers require clients to keep ransomware policies secret

Adversaries will increasingly target backup systems

LA Times

Prevention and Response Actions

Backups! Test your backups! (DO NOT destroy encrypted data)

Fast system recovery via virtualization

Patch, disable MS Office macros, etc.

Law enforcement investigates and arrests

Formation of insurance “syndicates” for ransomware pricing (i.e., Lloyd’s of London)

Listen to your cyber-insurer (security guidance)

LA Times


“IN 2010, $148 MILLION OF RANSOMS WERE PAID TO PIRATES. ON THE OTHER HAND, $1.85 BILLION DOLLARS WERE SPENT ON INSURANCE TO COVER PIRACY, THAT’S 10 TIMES MORE THAN THE ACTUAL RANSOMS THAT ARE GIVEN TO PIRATES.”


“RANSOMWARE PROTECTION MARKET TO REACH $17 BILLION BY 2021 - ANALYSIS BY SOLUTION, SERVICE, APPLICATION, DEPLOYMENT, ORGANIZATION SIZE, VERTICAL & REGION - RESEARCH AND MARKETS”

Thank You!

@jeremiahg

https://www.facebook.com/jeremiahgrossman

https://www.linkedin.com/in/grossmanjeremiah

https://www.jeremiahgrossman.com/

http://blog.jeremiahgrossman.com/