Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

What the Kidnapping & Ransom Economy Teaches Us About Ransomware

1,603 views

Published on

Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. If you look closely, the ransomware economic dynamics closely follow the real-world kidnapping and ransom industry. We’ll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.

Published in: Technology
  • Be the first to comment

What the Kidnapping & Ransom Economy Teaches Us About Ransomware

  1. 1. WHAT THE KIDNAPPING & RANSOM ECONOMY TEACHES US ABOUT RANSOMWARE JEREMIAH GROSSMAN CHIEF OF SECURITY STRATEGY @jeremiahg https://www.jeremiahgrossman.com/ http://blog.jeremiahgrossman.com/ http://sentinelone.com/
  2. 2. BIO WHO I AM… ▸Professional Hacker ▸Black Belt in Brazilian Jiu-Jitsu ▸Founder of WhiteHat Security
  3. 3. MY FIRST ‘PERSONAL’ EXPERIENCE WITH CYBER-EXTORTION 2005
  4. 4. “THE FBI RECENTLY PUBLISHED THAT RANSOMWARE VICTIMS PAID OUT $209 MILLION IN Q1 2016 COMPARED TO $24 MILLION FOR ALL OF 2015.” LA Times THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY JUST OVER 10 YEARS LATER…
  5. 5. DEC 11, 1989: 20,000 ENVELOPES CONTAINING 5 1/4" FLOPPY DISKS LOADED W/ THE FIRST KNOWN RANSOMWARE (‘AIDS') WERE MAILED.
  6. 6. MEDICAL CARE TRANSPORTATION GOVERNMENT EDUCATION POLICE IOT SECURITY PEOPLE HOTELS
  7. 7. “FAMILY MEMBER'S TV IS BRICKED BY ANDROID MALWARE. #LG WONT DISCLOSE FACTORY RESET. AVOID THESE "SMART TVS" LIKE THE PLAGUE.” TWITTER INTERNET OF THINGS
  8. 8. “A 'RANSOMWARE' PROGRAM HAD INFECTED HIS COMPUTER ALLOWING THE HACKERS TO FILM HIM THROUGH THE WEBCAM. HE HAD BEEN FILMED IN A COMPROMISING SITUATION. NOW THEY WANTED MONEY.” ABC AU PEOPLE
  9. 9. “ONE OF EUROPE'S TOP HOTELS HAS ADMITTED THEY HAD TO PAY THOUSANDS IN BITCOIN RANSOM TO CYBERCRIMINALS WHO MANAGED TO HACK THEIR ELECTRONIC KEY SYSTEM, LOCKING HUNDREDS OF GUESTS OUT OF THEIR ROOMS UNTIL THE MONEY WAS PAID.” The Local HOTELS
  10. 10. “A RANSOMWARE ATTACK TOOK TICKET MACHINES FOR SAN FRANCISCO'S LIGHT RAIL TRANSIT SYSTEM OFFLINE ALL DAY SATURDAY DURING ONE OF THE BUSIEST SHOPPING WEEKENDS OF THE YEAR, BUT RATHER THAN SHUTTING DOWN, THE AGENCY DECIDED INSTEAD TO LET USERS RIDE FOR FREE.” USA TODAY TRANSPORTATION
  11. 11. “CRIMINALS INFECTED 70 PERCENT OF STORAGE DEVICES TIED TO CLOSED- CIRCUIT TVS IN WASHINGTON DC EIGHT DAYS BEFORE THE INAUGURATION OF PRESIDENT DONALD TRUMP.” The Register EVENT SECURITY
  12. 12. “THE ATTACK FORCED DEPARTMENTS SUCH AS THE LICKING COUNTY 911 CENTER, COUNTY AUDITOR'S OFFICE AND CLERK OF COURTS TO PERFORM THEIR JOBS WITHOUT THE USE OF COMPUTERS OR OFFICE TELEPHONES.” Newark Advocate EMERGENCY SERVICES
  13. 13. “LOST DATA GOES BACK TO 2009. DATA FROM THAT PERIOD BACKED UP ON DVDS AND CDS REMAINED INTACT. WHILE ARCHIVED DATA HAS ITS IMPORTANCE, MORE WORRYING IS THAT THE DEPARTMENT LOST DATA FROM ONGOING INVESTIGATIONS.” Bleeping Computer LAW ENFORCEMENT
  14. 14. “THE TRUST DID NOT PAY ANY RANSOM AS A RESULT OF THE ATTACK BUT IT DID HAVE TO CANCEL 2,800 PATIENT APPOINTMENTS DURING 48 HOURS WHEN IT SHUT DOWN SYSTEMS.” The Telegraph MEDICAL CARE
  15. 15. INDUSTRY REPORTS, DATA, AND ANECDOTES
  16. 16. IBM SECURITY’S X-FORCE 70% OF ENTERPRISE RANSOMWARE VICTIMS PAID UP. 20% OF COMPROMISED ORGANIZATIONS PAID RANSOMS OF MORE THAN $40,000 (USD). 25% HAVE PAID BETWEEN $20,000 (USD) AND $40,000 (USD). (DEC, 2016)
  17. 17. SENTINELONE OVER THE PAST 12 MONTHS, 50% OF ORGANIZATIONS HAVE RESPONDED TO A RANSOMWARE CAMPAIGN. THOSE ORGANIZATIONS THAT SUFFERED A RANSOMWARE ATTACK IN THE PAST 12 MONTHS, 85% STATED THAT THEY WERE HIT WITH THREE OR MORE ATTACKS. (NOV, 2016)
  18. 18. KASPERSKY LAB THE NUMBER OF RANSOMWARE INFECTIONS SUFFERED BY COMPANIES UP 3-FOLD FROM JANUARY TO SEPTEMBER. 1-IN-5 BUSINESSES WORLDWIDE HAS BEEN VICTIMS OF A RANSOMWARE AND THE RATE OF RANSOMWARE ATTACKS INCREASED FROM ONE EVERY 2-MIN TO ONE EVERY 40-SEC. (DEC, 2016)
  19. 19. KASPERSKY LAB
  20. 20. THE RANSOMWARE LANDSCAPE ▸Not all critical systems are backed-up ▸Your Anti-Virus software SUCKS ▸Infection rates rising fast (still) ▸Rising ransom demands ▸CFOs - or their law firms - must learn how to transact in Bitcoin ▸Innovation in business models, victim targeting, and malware ▸Cyber-Insurance reimbursement
  21. 21. KIDNAPPING & RANSOM “K&R” REPORTEDLY A $500 MILLION (USD) MARKET
  22. 22. ”IN 75 BCE, 25-YEAR-OLD JULIUS CAESAR WAS SAILING THE AEGEAN SEA WHEN HE WAS KIDNAPPED BY CILICIAN PIRATES. WHEN THE PIRATES ASKED FOR A RANSOM OF 20 TALENTS OF SILVER, CAESAR LAUGHED AT THEIR FACES. THEY DIDN'T KNOW WHO THEY HAD CAPTURED, HE SAID, AND DEMANDED THAT THEY ASK FOR 50 (1550 KG OF SILVER), BECAUSE 20 TALENTS WAS SIMPLY NOT ENOUGH.”
  23. 23. “ON OCT 22, THE FAMILY OF BILLIONAIRE PEARL ORIENTAL OIL CHAIRMAN WONG YUK-KWAN PAID TAIWANESE KIDNAPPERS $1.68 MILLION (USD) IN BITCOIN AFTER THEY THREATENED TO “DIG OUT THE EYEBALLS OR CHOP OFF THE LEGS” OF YUK-KWAN.”
  24. 24. "MOST OF SOMALIA'S MODERN-DAY PIRATES ARE FISHERMEN WHO TRADED NETS FOR GUNS. THEY'VE LEARNED THAT RANSOM IS MORE PROFITABLE THAN ROBBERY, AND RATHER THAN SQUANDERING THEIR LOOT, THEY REINVEST IN EQUIPMENT AND TRAINING."
  25. 25. “AN ORDINARY SOMALI EARNS ABOUT $600 (USD) A YEAR, BUT EVEN THE LOWLIEST FREEBOOTER CAN MAKE NEARLY 17 TIMES THAT — $10,000 (USD) — IN A SINGLE HIJACKING. NEVER MIND THE RISK; IT'S LESS DANGEROUS THAN LIVING IN WAR- TORN MOGADISHU.”
  26. 26. “FEWER THAN 1-IN-3 HIJACK ATTEMPTS IS SUCCESSFUL. A SAVVY CAPTAIN CAN WARD OFF MARAUDERS BY MANEUVERING THE SHIP TO CREATE A TURBULENT WAKE WHILE CALLING FOR HELP. IF THE ATTACKERS DON'T BOARD WITHIN 15-MIN, A NEARBY NAVAL SHIP MIGHT SEND A HELICOPTER GUNSHIP. ONCE THE PIRATES CONTROL THE VESSEL, THOUGH, IT'S GAME OVER: LIKE CONVENIENCE- STORE CLERKS, CREWS ARE TRAINED NOT TO RESIST.”
  27. 27. HIGH SEAS PIRACY PIRACY MISSION SET-UP & COSTS ▸$50K-$250K (USD) in seed capital ▸Crew of 12-24 men (varied skills) ▸Speed boats, larger ship to launch boats, caterer, ladders, ropes, intelligence, weapons, communications, etc ▸Select targets by the cargo, owner, and port of origin ▸“Trustworthy” financial system for money-laundering
  28. 28. DIVISION OF LABOR BACK OFFICE LOGISTICS ▸Tribe Elders: Liaisons with the outside world. ▸Financiers: Capital comes from local businessmen as well as the Islamist militant group. ▸Commander: Marshal resources, recruits crew, and organizes operations. ▸Security Squad: Protects the commander, ferries supplies and backs up attackers. ▸Mother Ship Crew Attack Squad: Extends the marauders' reach hundreds of miles out to sea; Carries attack squad made up of fishermen. ▸Negotiators: English speaking; Point of contact for the hostage takers.
  29. 29. IT’S JUST BUSINESS NEGOTIATION PROCESS ▸May take days, weeks, months — sometimes years ▸Negotiations by professional K&R consultants (ex- military, law enforcement, or intelligence) ▸No “supernormal profits.” "Pirates routinely demand far more than they expect to receive. For catches with valuable cargo, bargaining can open at 10 times the previously highest settlement. The limiting factor is time: With each passing day, chances increase that a hostage will die or the ship will become damaged, and the likelihood of a peaceful resolution — and a fat bag of cash — dwindles."
  30. 30. “ONE NEW TECHNIQUE IS TO AIRDROP THE MONEY. A MILLION DOLLARS IN $100 NOTES WEIGHS ABOUT 29 POUNDS. IT IS PLACED INTO A CONTAINER LIKE AN INFLATABLE BALL AND DROPPED OUT OF AN AIRPLANE USING A PARACHUTE GUIDED BY A GLOBAL POSITIONING SYSTEM.”
  31. 31. GETTING PAID DIVVYING UP THE BOOTY ▸Reimbursement of supplier(s) ▸Financiers: 30-70% of the ransom ▸Elders: 5-10 %of the ransom (anchoring rights) ▸Crew: Remaining sum divided up by shares “ Gullestrup's ship and crew were returned safely, although the pirates didn't actually want to get off the ship right away. That's because they were afraid of getting robbed by other pirates on their way back to shore, Gullestrup says, so he gave them a ride north, dropping them closer to home.”
  32. 32. PREVENTION AND RESPONSE HIGH-SEAS PIRACY PREVENTION ▸Armed private security guards on board ships ▸Shippers harden vessels or take evasive action ▸A change in Somalia at national and local level ▸Pre-emptive action by combined navies in the region ▸Britney Spears “It lasted just a few minutes, with a helicopter crew launching from a ship just offshore and raking beached and unmanned pirate speedboats - known as "skiffs" - with machine-gun fire. Fuel stores and other equipment were also fired on, but EU Navfor says there were no casualties on either side and there were no European "boots on the ground".
  33. 33. “HER SONGS WERE CHOSEN BY THE SECURITY TEAM BECAUSE THEY THOUGHT THE PIRATES WOULD HATE THEM MOST. THESE GUYS CAN'T STAND WESTERN CULTURE OR MUSIC, MAKING BRITNEY'S HITS PERFECT. AS SOON AS THE PIRATES GET A BLAST OF BRITNEY, THEY MOVE ON AS QUICKLY AS THEY CAN." NBC News LAW ENFORCEMENT
  34. 34. KIDNAPPING & RANSOM INSURANCE ORIGINATED FOLLOWING THE KIDNAPPING OF CHARLES LINDBERGH’S BABY IN 1932. THE BOOST IN POLICIES BEGAN IN THE LATE 70’S.
  35. 35. “K&R INSURANCE IS DESIGNED TO PROTECT INDIVIDUALS AND CORPORATIONS OPERATING IN HIGH-RISK AREAS AROUND THE WORLD. LOCATIONS MOST OFTEN NAMED IN POLICIES INCLUDE MEXICO, VENEZUELA, HAITI, AND NIGERIA, CERTAIN OTHER COUNTRIES IN LATIN AMERICA, AS WELL AS SOME PARTS OF THE RUSSIAN FEDERATION AND EASTERN EUROPE.” Wikipedia KIDNAPPING & RANSOM INSURANCE
  36. 36. “THE INSURANCE BUSINESS IS A GAMBLE. INSURERS KNOW THAT SOME SHIPS WILL BE HIJACKED, FORCING THE COMPANIES TO DISPENSE MULTIMILLION-DOLLAR SETTLEMENTS. HOWEVER, THEY KNOW THE CHANCE OF THIS HAPPENING IS MINUSCULE, WHICH BY THE CALCULATIONS OF THEIR INDUSTRY MAKES IT WORTH ISSUING POLICIES.”
  37. 37. AIG TRAVELERS HISCOX CHUBB XL CATLIN CHARTIS “K&R” INSURANCE CARRIERS
  38. 38. K&R REIMBURSEMENT K&R INSURANCE COVERAGE ▸ Ransom Amount ▸ Transportation Costs ▸ Accidental Death or Dismemberment ▸ Legal Liability ▸ Medical Expenses ▸ Crisis Response Team ▸ Lost Wages ▸ Replacement Personnel Costs ▸ Extortionist Bounty
  39. 39. “ALL KIDNAPPING INSURANCE IS EITHER WRITTEN OR REINSURED AT LLOYD’S OF LONDON. WITHIN THE LLOYD’S MARKET, THERE ARE ABOUT 20 FIRMS (OR “SYNDICATES”) COMPETING FOR BUSINESS. THEY ALL CONDUCT RESOLUTIONS ACCORDING TO CLEAR RULES. THE LLOYD’S CORP. CAN EXCLUDE ANY SYNDICATE THAT DEVIATES FROM THE ESTABLISHED PROTOCOL AND IMPOSES COSTS ON OTHERS. OUTSIDERS DO NOT HAVE THE NECESSARY INFORMATION TO PRICE KIDNAPPING INSURANCE CORRECTLY.”
  40. 40. FINE-PRINT HISTORY AND PROVISIONS ▸Price vary: $500 a year for $1M (USD) of liability coverage. $50,000 for $25M (USD) in coverage. ▸Policy Confidentiality ▸Ransom is reimbursed, not paid directly ▸Customer Training
  41. 41. WHAT THE KIDNAPPING & RANSOM ECONOMY TEACHES US ABOUT RANSOMWARE?
  42. 42. K&R VS RANSOMWARE SIMILARITIES ▸Sentient adversary ▸When you are a victim, you know it (unlike traditional malware) ▸Time is on the adversaries side ▸Adversaries leverage fear and anxiety ▸Bilateral monopoly (1 buyer, 1 seller) ▸Market value of the ‘asset’ is subjective and very little info ▸Victims are targeted (Not always in ransomware) ▸If adversaries break an agreement, they'll ruin the business for everyone
  43. 43. K&R VS RANSOMWARE DIFFERENCES ▸Ransomware requires far less upfront costs and logistics ▸Ransomware is less risky for adversaries (attribution) ▸Ransomware hostage (the data) is not a witness ▸Ransomware scales ▸Ransomware negotiation process is way faster ▸Ransomware is easier to pay logistically (Bitcoin vs cash)
  44. 44. WHERE RANSOMWARE IS HEADING RANSOMWARE TRENDS ▸Ransomware campaigns increasingly professionalized and funded ▸Emergence of professional ransomware negotiators ▸Cyber-insurers require clients to keep ransomware policies secret ▸Adversaries will increasingly target backup systems
  45. 45. RANSOMWARE PREVENTATIVE AND RESPONSE ACTIONS ▸Backups! Test your backups! (DO NOT destroy encrypted data) ▸Fast system recovery via virtualization ▸Patch, disable MS Office macros, etc ▸Law enforcement investigate and arrest ransomware groups ▸Formation of insurance “syndicates” for ransomware pricing (ie Lloyd’s of London) ▸Listen to your cyber-insurer (security guidance)
  46. 46. “IN 2010, $148 MILLION OF RANSOMS WERE PAID TO PIRATES. ON THE OTHER HAND, $ 1.85 BILLION DOLLARS WERE SPENT ON INSURANCES TO COVER PIRACY, THAT’S 10 TIMES MORE THAN THE ACTUAL RANSOMS THAT ARE GIVEN TO PIRATES.” Yahoo News RANSOMWARE HAS ARRIVED
  47. 47. THANK YOU Jeremiah Grossman @jeremiahg https://www.facebook.com/jeremiahgrossman https://www.linkedin.com/in/grossmanjeremiah https://www.jeremiahgrossman.com/ http://blog.jeremiahgrossman.com/

×