What the Kidnapping & Ransom Economy Teaches Us About Ransomware
-
Upload
jeremiah-grossman -
Category
Technology
-
view
607 -
download
1
Transcript of What the Kidnapping & Ransom Economy Teaches Us About Ransomware
SESSIONID:SESSIONID:
#RSAC
JeremiahGrossman
WhattheKidnapping&RansomEconomyTeachesUsAboutRansomware
SEM-M03
Chief of Security Strategy SentinelOne @jeremiahg
#RSAC
SentinelOne
THEBIRTHOFA$BILLIONCYBER-CRIMEINDUSTRY
2
“THE FBI RECENTLY PUBLISHED THAT RANSOMWARE VICTIMS PAID OUT $209 MILLION IN Q1 2016 COMPARED TO $24 MILLION FOR ALL OF 2015.”
#RSAC
SentinelOne 5
Dec 11, 1989: 20,000 envelopes containing 5 1/4" floppy disks loaded w/ the first known ransomware (‘AIDS') were mailed.
#RSAC
SentinelOne
InternetofThings
8
“FAMILY MEMBER'S TV IS BRICKED BY ANDROID MALWARE. #LG WONT DISCLOSE FACTORY RESET. AVOID THESE "SMART TVS" LIKE THE PLAGUE.”
#RSAC
SentinelOne
People
“A 'RANSOMWARE' PROGRAM HAD INFECTED HIS COMPUTER ALLOWING THE HACKERS TO FILM HIM THROUGH THE WEBCAM. HE HAD BEEN FILMED IN A COMPROMISING SITUATION. NOW THEY WANTED MONEY.”
9
#RSAC
SentinelOne
Hotels
“ONE OF EUROPE'S TOP HOTELS HAS ADMITTED THEY HAD TO PAY THOUSANDS IN BITCOIN RANSOM TO CYBERCRIMINALS WHO MANAGED TO HACK THEIR ELECTRONIC KEY SYSTEM, LOCKING HUNDREDS OF GUESTS OUT OF THEIR ROOMS UNTIL THE MONEY WAS PAID.”
10
#RSAC
SentinelOne
Transportation
“A RANSOMWARE ATTACK TOOK TICKET MACHINES FOR SAN FRANCISCO'S LIGHT RAIL TRANSIT SYSTEM OFFLINE ALL DAY SATURDAY DURING ONE OF THE BUSIEST SHOPPING WEEKENDS OF THE YEAR, BUT RATHER THAN SHUTTING DOWN, THE AGENCY DECIDED INSTEAD TO LET USERS RIDE FOR FREE.”
11
#RSAC
SentinelOne
EventSecurity
“CRIMINALS INFECTED 70% OF STORAGE DEVICES TIED TO CLOSED-CIRCUIT TVS IN WASHINGTON DC EIGHT DAYS BEFORE THE INAUGURATION OF PRESIDENT DONALD TRUMP.”
12
#RSAC
SentinelOne
EmergencyServices
“THE ATTACK FORCED DEPARTMENTS SUCH AS THE LICKING COUNTY 911 CENTER, COUNTY AUDITOR'S OFFICE AND CLERK OF COURTS TO PERFORM THEIR JOBS WITHOUT THE USE OF COMPUTERS OR OFFICE TELEPHONES.”
13
#RSAC
SentinelOne
LawEnforcement
“LOST DATA GOES BACK TO 2009. DATA FROM THAT PERIOD BACKED UP ON DVDS AND CDS REMAINED INTACT. WHILE ARCHIVED DATA HAS ITS IMPORTANCE, MORE WORRYING IS THAT THE DEPARTMENT LOST DATA FROM ONGOING INVESTIGATIONS.”
14
#RSAC
SentinelOne
MedicalCare
“THE TRUST DID NOT PAY ANY RANSOM AS A RESULT OF THE ATTACK BUT IT DID HAVE TO CANCEL 2,800 PATIENT APPOINTMENTS DURING 48 HOURS WHEN IT SHUT DOWN SYSTEMS.”
15
#RSAC
SentinelOne
IBMSecurity’sX-Force(Dec,2016)
17
70% of Enterprise Ransomware Victims Paid Up.
20% of compromised organizations paid more than $40,000 (USD).
25% have paid between $20,000 (USD) and $40,000 (USD).
#RSAC
SentinelOne
SentinelOne(Nov,2016)
18
Over the past 12 months, 50% of organizations have responded to a ransomware campaign.
Those organizations that suffered a ransomware attack in the past 12 months, 85% stated that they were hit with three or more attacks.
#RSAC
SentinelOne
KasperskyLab(Dec,2016)
19
The number of ransomware infections suffered by companies 3-fold up from January to September.
1-in-5 businesses worldwide has been victims of a ransomware and the rate of ransomware attacks increased from one every 2-min to one every 40-sec.
#RSAC
SentinelOne
TheRansomwareLandscape
21
Not all critical systems are backed-up
Your Anti-Virus software SUCKS
Infection rates rising fast (still)
Rising ransom demands
CFOs - or their law firms - must learn how to transact in Bitcoin
Innovation in business models, victim targeting, and malware
Cyber-Insurance reimbursement
#RSAC
SentinelOne 24
”IN 75 BCE, 25-year-old Julius Caesar was sailing the Aegean Sea when he was kidnapped by Cilician pirates. when the pirates asked for a ransom of 20 talents of silver, Caesar laughed at their faces. They didn't know who they had captured, he said, and demanded that they ask for 50 (1550 kg of silver), because 20 talents was simply not enough.”
#RSAC
SentinelOne 25
“On OCT 22, the family of billionaire Pearl Oriental Oil chairman Wong Yuk-Kwan paid Taiwanese kidnappers $1.68 million (USD) in bitcoin after they threatened to “dig out the eyeballs or chop off the legs” of Yuk-Kwan.”
#RSAC
SentinelOne 26
"Most of Somalia's modern-day pirates are fishermen who traded nets for guns. They've learned that ransom is more profitable than robbery, and rather than squandering their loot, they reinvest in equipment and training."
#RSAC
SentinelOne 27
“An ordinary Somali earns about $600 (USD) a year, but even the lowliest freebooter can make nearly 17 times that — $10,000 (USD) — in a single hijacking. Never mind the risk; it's less dangerous than living in war-torn Mogadishu.”
#RSAC
SentinelOne 28
“Fewer than 1-in-3 hijack attempts is successful. A savvy captain can ward off marauders by maneuvering the ship to create a turbulent wake while calling for help. If the attackers don't board within 15-min, a nearby naval ship might send a helicopter gunship. Once the pirates control the vessel, though, it's game over: Like convenience-store clerks, crews are trained not to resist.”
#RSAC
SentinelOne
HighSeasPiracyMissionSet-up&Costs
29
$50K-$250K (USD) in seed capital
Crew of 12-24 men (varied skills)
Speed boats, larger ship to launch boats, caterer, ladders, ropes, intelligence, weapons, communications, etc.
Select targets by the cargo, owner, and port of origin
“Trustworthy” financial system for money-laundering
#RSAC
SentinelOne
BackOfficeLogistics
30
Tribe Elders: Liaisons with the outside world
Financiers: Capital comes from local businessmen as well as the Islamist militant group
Commander: Marshal resources, recruits crew, and organizes operations
Security Squad: Protects the commander, ferries supplies and backs up attackers
Mother Ship Crew Attack Squad: Extends the marauders' reach hundreds of miles out to sea; Carries attack squad made up of fishermen
Negotiators: English speaking; Point of contact for the hostage takers
#RSAC
SentinelOne
NegotiationProcess
31
May take days, weeks, months — sometimes years
Negotiations by professional K&R consultants (ex-military, law enforcement, or intelligence)
No “supernormal profits.”
"Pirates routinely demand far more than they expect to receive. For catches with valuable cargo, bargaining can open at 10 times the previously highest settlement. The limiting factor is time: With each passing day, chances increase that a hostage will die or the ship will become damaged, and the likelihood of a peaceful resolution — and a fat bag of cash — dwindles."
#RSAC
SentinelOne 32
“One new technique is to airdrop the money. A million dollars in $100 notes weighs about 29 pounds. It is placed into a container like an inflatable ball and dropped out of an airplane using a parachute guided by a Global Positioning System.”
#RSAC
SentinelOne
DivvyingUptheBooty
33
Reimbursement of supplier(s)
Financiers: 30-70% of the ransom
Elders: 5-10 %of the ransom (anchoring rights)
Crew: Remaining sum divided up by shares
“Gullestrup's ship and crew were returned safely, although the pirates didn't actually want to get off the ship right away. That's because they were afraid of getting robbed by other pirates on their way back to shore, Gullestrup says, so he gave them a ride north, dropping them closer to home.”
#RSAC
SentinelOne
HighSeasPiracyPrevention
34
Armed private security guards on board ships
Shippers harden vessels or take evasive action
A change in Somalia at national and local level
Pre-emptive action by combined navies in the region
“It lasted just a few minutes, with a helicopter crew launching from a ship just offshore and raking beached and unmanned pirate speedboats - known as "skiffs" - with machine-gun fire. Fuel stores and other equipment were also fired on, but EU Navfor says there were no casualties on either side and there were no European "boots on the ground.”
#RSAC
Kidnapping&RansomInsuranceOriginatedfollowingthekidnappingofCharlesLindbergh’sbabyin1932.Theboostinpoliciesbeganinthelate70’s.
#RSAC
SentinelOne
Kidnapping&RansomInsurance
36
“K&R INSURANCE IS DESIGNED TO PROTECT INDIVIDUALS AND CORPORATIONS OPERATING IN HIGH-RISK AREAS AROUND THE WORLD. LOCATIONS MOST OFTEN NAMED IN POLICIES INCLUDE MEXICO, VENEZUELA, HAITI, AND NIGERIA, CERTAIN OTHER COUNTRIES IN LATIN AMERICA, AS WELL AS SOME PARTS OF THE RUSSIAN FEDERATION AND EASTERN EUROPE.”
#RSAC
SentinelOne 37
“The insurance business is a gamble. Insurers know that some ships will be hijacked, forcing the companies to dispense multimillion-dollar settlements. However, they know the chance of this happening is minuscule, which by the calculations of their industry makes it worth issuing policies.”
#RSAC
SentinelOne
K&RInsuranceCoverage
39
Ransom Amount
Transportation Costs
Accidental Death or Dismemberment
Legal Liability
Medical Expenses
Crisis Response Team
Lost Wages
Replacement Personnel Costs
Extortionist Bounty
#RSAC
SentinelOne 40
“All kidnapping insurance is either written or reinsured at Lloyd’s of London. Within the Lloyd’s market, there are about 20 firms (or “syndicates”) competing for business. They all conduct resolutions according to clear rules. The Lloyd’s Corp. can exclude any syndicate that deviates from the established protocol and imposes costs on others. Outsiders do not have the necessary information to price kidnapping insurance correctly.”
#RSAC
SentinelOne
CostsandFine-Print
41
Price varies: $500 a year for $1M (USD) of liability coverage; $50,000 for $25M (USD) in coverage
Policy Confidentiality
Ransom is reimbursed, not paid directly
Customer Training
LA Times
#RSAC
SentinelOne
Similarities
43
Sentient adversary
When you are a victim, you know it (unlike traditional malware)
Time is on the adversaries side
Adversary’s leverage fear and anxiety
Bilateral monopoly (1 buyer, 1 seller)
Market value of the ‘asset’ is subjective and very little info
Victims are targeted (not always in ransomware)
If adversaries break an agreement, they'll ruin the business for everyone
LA Times
#RSAC
SentinelOne
Differences
44
Ransomware requires far less upfront costs and logistics
Ransomware is less risky for adversaries (attribution)
Ransomware hostage (the data) is not a witness
Ransomware scales
Ransomware negotiation process is way faster
Ransomware is easier to pay logistically (Bitcoin vs cash)
LA Times
#RSAC
SentinelOne
Trends
45
Ransomware campaigns increasingly professionalized and funded
Emergence of professional ransomware negotiators
Cyber-insurers require clients to keep ransomware policies secret
Adversaries will increasingly target backup systems
LA Times
#RSAC
SentinelOne
PreventionandResponseActions
46
Backups! Test your backups! (DO NOT destroy encrypted data)
Fast system recovery via virtualization
Patch, disable MS Office macros, etc
Law enforcement investigates and arrests
Formation of insurance “syndicates” for ransomware pricing (ie Lloyd’s of London)
Listen to your cyber-insurer (security guidance)
LA Times
#RSAC
SentinelOne 47
“IN 2010, $148 MILLION OF RANSOMS WERE PAID TO PIRATES. ON THE OTHER HAND, $ 1.85 BILLION DOLLARS WERE SPENT ON INSURANCE TO COVER PIRACY, THAT’S 10 TIMES MORE THAN THE ACTUAL RANSOMS THAT ARE GIVEN TO PIRATES.”
#RSAC
SentinelOne 48
“RANSOMWARE PROTECTION MARKET TO REACH $17 BILLION BY 2021 - ANALYSIS BY SOLUTION, SERVICE, APPLICATION, DEPLOYMENT, ORGANIZATION SIZE, VERTICAL & REGION - RESEARCH AND MARKETS”