Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. If you look closely, the ransomware economic dynamics closely follow the real-world kidnapping and ransom industry. We’ll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.

1. SESSION ID:SESSION ID:
#RSAC
Jeremiah Grossman
What the Kidnapping & Ransom
Economy Teaches Us About
Ransomware
SEM-M03
Chief of Security Strategy
SentinelOne
@jeremiahg

2. #RSAC
SentinelOne
THE BIRTH OF A $BILLION CYBER-CRIME INDUSTRY
“THE FBI RECENTLY PUBLISHED
THAT RANSOMWARE VICTIMS
PAID OUT $209 MILLION IN Q1
2016 COMPARED TO $24
MILLION FOR ALL OF 2015.”

3. #RSAC
SentinelOne 3

4. #RSAC
SentinelOne 4

5. #RSAC
SentinelOne 5
Dec 11, 1989: 20,000
envelopes containing 5
1/4" floppy disks loaded
w/ the first known
ransomware (‘AIDS')
were mailed.

7. MEDICAL CARE TRANSPORTATION GOVERNMENT
EDUCATION POLICE IOT
SECURITY PEOPLE HOTELS

8. #RSAC
SentinelOne
Internet of Things
8
“FAMILY MEMBER'S TV IS
BRICKED BY ANDROID
MALWARE. #LG WONT
DISCLOSE FACTORY RESET.
AVOID THESE "SMART TVS" LIKE
THE PLAGUE.”

9. #RSAC
SentinelOne
People
“A 'RANSOMWARE' PROGRAM HAD
INFECTED HIS COMPUTER
ALLOWING THE HACKERS TO FILM
HIM THROUGH THE WEBCAM. HE
HAD BEEN FILMED IN A
COMPROMISING SITUATION. NOW
THEY WANTED MONEY.”
9

10. #RSAC
SentinelOne
Hotels
“ONE OF EUROPE'S TOP HOTELS HAS
ADMITTED THEY HAD TO PAY THOUSANDS
IN BITCOIN RANSOM TO CYBERCRIMINALS
WHO MANAGED TO HACK THEIR
ELECTRONIC KEY SYSTEM, LOCKING
HUNDREDS OF GUESTS OUT OF THEIR
ROOMS UNTIL THE MONEY WAS PAID.”
10

11. #RSAC
SentinelOne
Transportation
“A RANSOMWARE ATTACK TOOK TICKET
MACHINES FOR SAN FRANCISCO'S LIGHT
RAIL TRANSIT SYSTEM OFFLINE ALL DAY
SATURDAY DURING ONE OF THE BUSIEST
SHOPPING WEEKENDS OF THE YEAR, BUT
RATHER THAN SHUTTING DOWN, THE
AGENCY DECIDED INSTEAD TO LET USERS
RIDE FOR FREE.”
11

12. #RSAC
SentinelOne
Event Security
“CRIMINALS INFECTED 70% OF
STORAGE DEVICES TIED TO
CLOSED-CIRCUIT TVS IN
WASHINGTON DC EIGHT DAYS
BEFORE THE INAUGURATION OF
PRESIDENT DONALD TRUMP.”
12

13. #RSAC
SentinelOne
Emergency Services
“THE ATTACK FORCED DEPARTMENTS
SUCH AS THE LICKING COUNTY 911
CENTER, COUNTY AUDITOR'S OFFICE
AND CLERK OF COURTS TO PERFORM
THEIR JOBS WITHOUT THE USE OF
COMPUTERS OR OFFICE
TELEPHONES.”
13

14. #RSAC
SentinelOne
Law Enforcement
“LOST DATA GOES BACK TO 2009. DATA
FROM THAT PERIOD BACKED UP ON DVDS
AND CDS REMAINED INTACT. WHILE
ARCHIVED DATA HAS ITS IMPORTANCE,
MORE WORRYING IS THAT THE
DEPARTMENT LOST DATA FROM ONGOING
INVESTIGATIONS.”
14

15. #RSAC
SentinelOne
Medical Care
“THE TRUST DID NOT PAY ANY
RANSOM AS A RESULT OF THE
ATTACK BUT IT DID HAVE TO CANCEL
2,800 PATIENT APPOINTMENTS
DURING 48 HOURS WHEN IT SHUT
DOWN SYSTEMS.”
15

16. #RSAC
Industry Reports and Anecdotes

17. #RSAC
SentinelOne
IBM Security’s X-Force (Dec, 2016)
17
70% of Enterprise Ransomware Victims Paid Up.
20% of compromised organizations paid more than $40,000 (USD).
25% have paid between $20,000 (USD) and $40,000 (USD).

18. #RSAC
SentinelOne
SentinelOne (Nov, 2016)
18
Over the past 12 months, 50% of organizations have responded to a
ransomware campaign.
Those organizations that suffered a ransomware attack in the past 12
months, 85% stated that they were hit with three or more attacks.

19. #RSAC
SentinelOne
Kaspersky Lab (Dec, 2016)
19
The number of ransomware infections suffered by companies 3-fold up
from January to September.
1-in-5 businesses worldwide has been victims of a ransomware and the
rate of ransomware attacks increased from one every 2-min to one
every 40-sec.

20. #RSAC
SentinelOne 20

21. #RSAC
SentinelOne
The Ransomware Landscape
21
Not all critical systems are backed-up
Your Anti-Virus software SUCKS
Infection rates rising fast (still)
Rising ransom demands
CFOs - or their law firms - must learn how to transact in Bitcoin
Innovation in business models, victim targeting, and malware
Cyber-Insurance reimbursement

22. #RSAC
Kidnapping & Ransom
“K&R”
REPORTEDLY A $500 MILLION (USD) MARKET

23. #RSAC
SentinelOne
Hollywood
23 LA Times

24. #RSAC
SentinelOne 24
”IN 75 BCE, 25-year-old Julius Caesar was
sailing the Aegean Sea when he was kidnapped
by Cilician pirates. when the pirates asked for a
ransom of 20 talents of silver, Caesar laughed
at their faces. They didn't know who they had
captured, he said, and demanded that they ask
for 50 (1550 kg of silver), because 20 talents
was simply not enough.”

25. #RSAC
SentinelOne 25
“On OCT 22, the family of billionaire
Pearl Oriental Oil chairman Wong
Yuk-Kwan paid Taiwanese
kidnappers $1.68 million (USD) in
bitcoin after they threatened to “dig
out the eyeballs or chop off the
legs” of Yuk-Kwan.”

26. #RSAC
SentinelOne 26
"Most of Somalia's modern-day pirates are fishermen who traded nets for
guns. They've learned that ransom is more profitable than robbery, and
rather than squandering their loot, they reinvest in equipment and
training."

27. #RSAC
SentinelOne 27
“An ordinary Somali earns about $600 (USD)
a year, but even the lowliest freebooter can
make nearly 17 times that — $10,000 (USD)
— in a single hijacking. Never mind the risk;
it's less dangerous than living in war-torn
Mogadishu.”

28. #RSAC
SentinelOne 28
“Fewer than 1-in-3 hijack attempts is successful. A savvy captain can ward
off marauders by maneuvering the ship to create a turbulent wake while
calling for help. If the attackers don't board within 15-min, a nearby naval
ship might send a helicopter gunship. Once the pirates control the vessel,
though, it's game over: Like convenience-store clerks, crews are trained
not to resist.”

29. #RSAC
SentinelOne
High Seas Piracy Mission Set-up & Costs
29
$50K-$250K (USD) in seed capital
Crew of 12-24 men (varied skills)
Speed boats, larger ship to launch boats, caterer, ladders, ropes,
intelligence, weapons, communications, etc.
Select targets by the cargo, owner, and port of origin
“Trustworthy” financial system for money-laundering

30. #RSAC
SentinelOne
Back Office Logistics
30
Tribe Elders: Liaisons with the outside world
Financiers: Capital comes from local businessmen as well as the Islamist
militant group
Commander: Marshal resources, recruits crew, and organizes operations
Security Squad: Protects the commander, ferries supplies and backs up
attackers
Mother Ship Crew Attack Squad: Extends the marauders' reach
hundreds of miles out to sea; Carries attack squad made up of fishermen
Negotiators: English speaking; Point of contact for the hostage takers

31. #RSAC
SentinelOne
Negotiation Process
31
May take days, weeks, months — sometimes years
Negotiations by professional K&R consultants (ex-military, law
enforcement, or intelligence)
No “supernormal profits.”
"Pirates routinely demand far more than they expect to receive. For catches
with valuable cargo, bargaining can open at 10 times the previously highest
settlement. The limiting factor is time: With each passing day, chances
increase that a hostage will die or the ship will become damaged, and the
likelihood of a peaceful resolution — and a fat bag of cash — dwindles."

32. #RSAC
SentinelOne 32
“One new technique is to airdrop the money. A
million dollars in $100 notes weighs about 29
pounds. It is placed into a container like an
inflatable ball and dropped out of an airplane using
a parachute guided by a Global Positioning System.”

33. #RSAC
SentinelOne
Divvying Up the Booty
33
Reimbursement of supplier(s)
Financiers: 30-70% of the ransom
Elders: 5-10 %of the ransom (anchoring rights)
Crew: Remaining sum divided up by shares
“Gullestrup's ship and crew were returned safely, although the pirates didn't
actually want to get off the ship right away. That's because they were afraid
of getting robbed by other pirates on their way back to shore, Gullestrup
says, so he gave them a ride north, dropping them closer to home.”

34. #RSAC
SentinelOne
High Seas Piracy Prevention
34
Armed private security guards on board ships
Shippers harden vessels or take evasive action
A change in Somalia at national and local level
Pre-emptive action by combined navies in the region
“It lasted just a few minutes, with a helicopter crew launching from a ship
just offshore and raking beached and unmanned pirate speedboats - known
as "skiffs" - with machine-gun fire. Fuel stores and other equipment were
also fired on, but EU Navfor says there were no casualties on either side and
there were no European "boots on the ground.”

35. #RSAC
Kidnapping & Ransom Insurance
Originated following the kidnapping of Charles Lindbergh’s baby in
1932. The boost in policies began in the late 70’s.

36. #RSAC
SentinelOne
Kidnapping & Ransom Insurance
36
“K&R INSURANCE IS DESIGNED TO PROTECT
INDIVIDUALS AND CORPORATIONS OPERATING IN
HIGH-RISK AREAS AROUND THE WORLD.
LOCATIONS MOST OFTEN NAMED IN POLICIES
INCLUDE MEXICO, VENEZUELA, HAITI, AND
NIGERIA, CERTAIN OTHER COUNTRIES IN LATIN
AMERICA, AS WELL AS SOME PARTS OF THE
RUSSIAN FEDERATION AND EASTERN EUROPE.”

37. #RSAC
SentinelOne 37
“The insurance business is a gamble.
Insurers know that some ships will be
hijacked, forcing the companies to dispense
multimillion-dollar settlements. However,
they know the chance of this happening is
minuscule, which by the calculations of their
industry makes it worth issuing policies.”

38. #RSAC
SentinelOne 38
AIG TRAVELERS HISCOX
CHUBB XL CATLIN CHARTIS
“K&R” Insurance Carriers

39. #RSAC
SentinelOne
K&R Insurance Coverage
39
Ransom Amount
Transportation Costs
Accidental Death or Dismemberment
Legal Liability
Medical Expenses
Crisis Response Team
Lost Wages
Replacement Personnel Costs
Extortionist Bounty

40. #RSAC
SentinelOne 40
“All kidnapping insurance is either written or reinsured at Lloyd’s of
London. Within the Lloyd’s market, there are about 20 firms (or
“syndicates”) competing for business. They all conduct resolutions
according to clear rules. The Lloyd’s Corp. can exclude any syndicate
that deviates from the established protocol and imposes costs on
others. Outsiders do not have the necessary information to price
kidnapping insurance correctly.”

41. #RSAC
SentinelOne
Costs and Fine-Print
41
Price varies: $500 a year for $1M (USD) of liability coverage; $50,000 for
$25M (USD) in coverage
Policy Confidentiality
Ransom is reimbursed, not paid directly
Customer Training
LA Times

42. #RSAC
What Does the Kidnapping & Ransom
Economy Teaches Us About Ransomware?

43. #RSAC
SentinelOne
Similarities
43
Sentient adversary
When you are a victim, you know it (unlike traditional malware)
Time is on the adversaries side
Adversary’s leverage fear and anxiety
Bilateral monopoly (1 buyer, 1 seller)
Market value of the ‘asset’ is subjective and very little info
Victims are targeted (not always in ransomware)
If adversaries break an agreement, they'll ruin the business for everyone
LA Times

44. #RSAC
SentinelOne
Differences
44
Ransomware requires far less upfront costs and logistics
Ransomware is less risky for adversaries (attribution)
Ransomware hostage (the data) is not a witness
Ransomware scales
Ransomware negotiation process is way faster
Ransomware is easier to pay logistically (Bitcoin vs cash)
LA Times

45. #RSAC
SentinelOne
Trends
45
Ransomware campaigns increasingly professionalized and funded
Emergence of professional ransomware negotiators
Cyber-insurers require clients to keep ransomware policies secret
Adversaries will increasingly target backup systems
LA Times

46. #RSAC
SentinelOne
Prevention and Response Actions
46
Backups! Test your backups! (DO NOT destroy encrypted data)
Fast system recovery via virtualization
Patch, disable MS Office macros, etc
Law enforcement investigates and arrests
Formation of insurance “syndicates” for ransomware pricing (ie Lloyd’s
of London)
Listen to your cyber-insurer (security guidance)
LA Times

47. #RSAC
SentinelOne 47
“IN 2010, $148 MILLION OF RANSOMS
WERE PAID TO PIRATES. ON THE OTHER
HAND, $ 1.85 BILLION DOLLARS WERE
SPENT ON INSURANCE TO COVER PIRACY,
THAT’S 10 TIMES MORE THAN THE ACTUAL
RANSOMS THAT ARE GIVEN TO PIRATES.”

48. #RSAC
SentinelOne 48
“RANSOMWARE PROTECTION
MARKET TO REACH $17 BILLION BY
2021 - ANALYSIS BY SOLUTION,
SERVICE, APPLICATION,
DEPLOYMENT, ORGANIZATION SIZE,
VERTICAL & REGION - RESEARCH
AND MARKETS”

49. #RSAC
Thank You!
@jeremiahg
https://www.facebook.com/jeremiahgrossman
https://www.linkedin.com/in/grossmanjeremiah
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/