What the Kidnapping & Ransom Economy Teaches Us About Ransomware

2,689 views. Published in: Technology

Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. Look closely and the economics of ransomware track the real-world kidnapping and ransom industry. We'll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.

Slide transcript:
  1. Session ID SEM-M03, #RSAC. Jeremiah Grossman, Chief of Security Strategy, SentinelOne, @jeremiahg. What the Kidnapping & Ransom Economy Teaches Us About Ransomware
  2. The Birth of a $Billion Cyber-Crime Industry. "The FBI recently published that ransomware victims paid out $209 million in Q1 2016 compared to $24 million for all of 2015."
  3. (no text)
  4. (no text)
  5. Dec 11, 1989: 20,000 envelopes containing 5 1/4" floppy disks loaded with the first known ransomware ('AIDS') were mailed.
  6. Sectors covered in the slides that follow: Medical Care, Transportation, Government, Education, Police, IoT, Security, People, Hotels
  7. Internet of Things. "Family member's TV is bricked by Android malware. #LG won't disclose factory reset. Avoid these 'smart TVs' like the plague."
  8. People. "A 'ransomware' program had infected his computer allowing the hackers to film him through the webcam. He had been filmed in a compromising situation. Now they wanted money."
  9. Hotels. "One of Europe's top hotels has admitted they had to pay thousands in Bitcoin ransom to cybercriminals who managed to hack their electronic key system, locking hundreds of guests out of their rooms until the money was paid."
  10. Transportation. "A ransomware attack took ticket machines for San Francisco's light rail transit system offline all day Saturday during one of the busiest shopping weekends of the year, but rather than shutting down, the agency decided instead to let users ride for free."
  11. Event Security. "Criminals infected 70% of storage devices tied to closed-circuit TVs in Washington DC eight days before the inauguration of President Donald Trump."
  12. Emergency Services. "The attack forced departments such as the Licking County 911 Center, County Auditor's Office and Clerk of Courts to perform their jobs without the use of computers or office telephones."
  13. Law Enforcement. "Lost data goes back to 2009. Data from that period backed up on DVDs and CDs remained intact. While archived data has its importance, more worrying is that the department lost data from ongoing investigations."
  14. Medical Care. "The trust did not pay any ransom as a result of the attack but it did have to cancel 2,800 patient appointments during 48 hours when it shut down systems."
  15. Industry Reports and Anecdotes
  16. IBM Security's X-Force (Dec 2016): 70% of enterprise ransomware victims paid up. 20% of compromised organizations paid more than $40,000 (USD); 25% paid between $20,000 and $40,000 (USD).
  17. SentinelOne (Nov 2016): Over the past 12 months, 50% of organizations have responded to a ransomware campaign. Of the organizations that suffered a ransomware attack in the past 12 months, 85% stated they were hit with three or more attacks.
  18. Kaspersky Lab (Dec 2016): The number of ransomware infections suffered by companies tripled from January to September. 1 in 5 businesses worldwide has been a victim of ransomware, and the rate of ransomware attacks increased from one every 2 minutes to one every 40 seconds.
  19. (no text)
  20. The Ransomware Landscape
     - Not all critical systems are backed up
     - Your anti-virus software SUCKS
     - Infection rates rising fast (still)
     - Rising ransom demands
     - CFOs, or their law firms, must learn how to transact in Bitcoin
     - Innovation in business models, victim targeting, and malware
     - Cyber-insurance reimbursement
  21. Kidnapping & Ransom ("K&R"): reportedly a $500 million (USD) market
  22. Hollywood (image credit: LA Times)
  23. "In 75 BCE, 25-year-old Julius Caesar was sailing the Aegean Sea when he was kidnapped by Cilician pirates. When the pirates asked for a ransom of 20 talents of silver, Caesar laughed in their faces. They didn't know who they had captured, he said, and demanded that they ask for 50 (1550 kg of silver), because 20 talents was simply not enough."
  24. "On Oct 22, the family of billionaire Pearl Oriental Oil chairman Wong Yuk-Kwan paid Taiwanese kidnappers $1.68 million (USD) in bitcoin after they threatened to 'dig out the eyeballs or chop off the legs' of Yuk-Kwan."
  25. "Most of Somalia's modern-day pirates are fishermen who traded nets for guns. They've learned that ransom is more profitable than robbery, and rather than squandering their loot, they reinvest in equipment and training."
  26. "An ordinary Somali earns about $600 (USD) a year, but even the lowliest freebooter can make nearly 17 times that — $10,000 (USD) — in a single hijacking. Never mind the risk; it's less dangerous than living in war-torn Mogadishu."
  27. "Fewer than 1 in 3 hijack attempts is successful. A savvy captain can ward off marauders by maneuvering the ship to create a turbulent wake while calling for help. If the attackers don't board within 15 minutes, a nearby naval ship might send a helicopter gunship. Once the pirates control the vessel, though, it's game over: like convenience-store clerks, crews are trained not to resist."
  28. High Seas Piracy Mission Set-up & Costs
     - $50K-$250K (USD) in seed capital
     - Crew of 12-24 men (varied skills)
     - Speed boats, a larger ship to launch the boats from, caterer, ladders, ropes, intelligence, weapons, communications, etc.
     - Targets selected by cargo, owner, and port of origin
     - A "trustworthy" financial system for money laundering
  29. Back Office Logistics
     - Tribe Elders: liaisons with the outside world
     - Financiers: capital comes from local businessmen as well as the Islamist militant group
     - Commander: marshals resources, recruits crew, and organizes operations
     - Security Squad: protects the commander, ferries supplies and backs up attackers
     - Mother Ship Crew: extends the marauders' reach hundreds of miles out to sea; carries the Attack Squad, made up of fishermen
     - Negotiators: English speaking; point of contact for the hostage takers
  30. Negotiation Process
     - May take days, weeks, months, sometimes years
     - Negotiations by professional K&R consultants (ex-military, law enforcement, or intelligence)
     - No "supernormal profits." "Pirates routinely demand far more than they expect to receive. For catches with valuable cargo, bargaining can open at 10 times the previously highest settlement. The limiting factor is time: with each passing day, chances increase that a hostage will die or the ship will become damaged, and the likelihood of a peaceful resolution — and a fat bag of cash — dwindles."
  31. "One new technique is to airdrop the money. A million dollars in $100 notes weighs about 29 pounds. It is placed into a container like an inflatable ball and dropped out of an airplane using a parachute guided by a Global Positioning System."
  32. Divvying Up the Booty
     - Reimbursement of supplier(s)
     - Financiers: 30-70% of the ransom
     - Elders: 5-10% of the ransom (anchoring rights)
     - Crew: remaining sum divided up by shares
     "Gullestrup's ship and crew were returned safely, although the pirates didn't actually want to get off the ship right away. That's because they were afraid of getting robbed by other pirates on their way back to shore, Gullestrup says, so he gave them a ride north, dropping them closer to home."
  33. High Seas Piracy Prevention
     - Armed private security guards on board ships
     - Shippers harden vessels or take evasive action
     - A change in Somalia at national and local level
     - Pre-emptive action by combined navies in the region
     "It lasted just a few minutes, with a helicopter crew launching from a ship just offshore and raking beached and unmanned pirate speedboats, known as 'skiffs', with machine-gun fire. Fuel stores and other equipment were also fired on, but EU Navfor says there were no casualties on either side and there were no European 'boots on the ground.'"
  34. Kidnapping & Ransom Insurance: originated following the kidnapping of Charles Lindbergh's baby in 1932. The boost in policies began in the late 1970s.
  35. Kidnapping & Ransom Insurance. "K&R insurance is designed to protect individuals and corporations operating in high-risk areas around the world. Locations most often named in policies include Mexico, Venezuela, Haiti, and Nigeria, certain other countries in Latin America, as well as some parts of the Russian Federation and Eastern Europe."
  36. "The insurance business is a gamble. Insurers know that some ships will be hijacked, forcing the companies to dispense multimillion-dollar settlements. However, they know the chance of this happening is minuscule, which by the calculations of their industry makes it worth issuing policies."
  37. "K&R" Insurance Carriers: AIG, Travelers, Hiscox, Chubb, XL Catlin, Chartis
  38. K&R Insurance Coverage
     - Ransom amount
     - Transportation costs
     - Accidental death or dismemberment
     - Legal liability
     - Medical expenses
     - Crisis response team
     - Lost wages
     - Replacement personnel costs
     - Extortionist bounty
  39. "All kidnapping insurance is either written or reinsured at Lloyd's of London. Within the Lloyd's market, there are about 20 firms (or 'syndicates') competing for business. They all conduct resolutions according to clear rules. The Lloyd's Corp. can exclude any syndicate that deviates from the established protocol and imposes costs on others. Outsiders do not have the necessary information to price kidnapping insurance correctly."
  40. Costs and Fine-Print (LA Times)
     - Price varies: $500 a year for $1M (USD) of liability coverage; $50,000 for $25M (USD) in coverage
     - Policy confidentiality
     - Ransom is reimbursed, not paid directly
     - Customer training
  41. What Does the Kidnapping & Ransom Economy Teach Us About Ransomware?
  42. Similarities (LA Times)
     - Sentient adversary
     - When you are a victim, you know it (unlike traditional malware)
     - Time is on the adversaries' side
     - Adversaries leverage fear and anxiety
     - Bilateral monopoly (1 buyer, 1 seller)
     - Market value of the 'asset' is subjective, and there is very little information to price it
     - Victims are targeted (not always, in ransomware)
     - If adversaries break an agreement, they ruin the business for everyone
  43. Differences (LA Times)
     - Ransomware requires far less upfront cost and logistics
     - Ransomware is less risky for adversaries (attribution)
     - The ransomware hostage (the data) is not a witness
     - Ransomware scales
     - The ransomware negotiation process is much faster
     - Ransomware is easier to pay logistically (Bitcoin vs. cash)
  44. Trends (LA Times)
     - Ransomware campaigns increasingly professionalized and funded
     - Emergence of professional ransomware negotiators
     - Cyber-insurers require clients to keep ransomware policies secret
     - Adversaries will increasingly target backup systems
  45. Prevention and Response Actions (LA Times)
     - Backups! Test your backups! (DO NOT destroy encrypted data)
     - Fast system recovery via virtualization
     - Patch, disable MS Office macros, etc.
     - Law enforcement investigates and arrests
     - Formation of insurance "syndicates" for ransomware pricing (as Lloyd's of London does for K&R)
     - Listen to your cyber-insurer (security guidance)
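The first item on the prevention slide, testing backups, is the one that can be checked mechanically, and it is where the "adversaries will increasingly target backup systems" trend bites. The Python script below is an added example for this page, not code from the talk or from SentinelOne. It restores a backup set into a scratch directory, never over the production data (the slide says to keep the encrypted originals), verifies every restored file against a hash manifest recorded at backup time, and reports two failure modes a restore test must catch: a backup set altered after its manifest was written, and a backup taken after the ransomware ran, so it holds only ciphertext. The sample ledger files, the backup layout (a set/ directory plus manifest.json), the suffix list, the entropy threshold and the "ransomware" that overwrites files with random bytes are all constructed for the demonstration.

```python
"""Backup restore test for 'Backups! Test your backups!' on this slide.

Added example for this page, not code from the talk or from SentinelOne.
Everything is constructed for the demonstration: the sample ledger files,
the backup layout (a set/ directory plus manifest.json), the suffix list,
the entropy threshold, and the 'ransomware', which just overwrites each
file with random bytes and appends '.locked'.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIXES = {".locked", ".encrypted", ".crypt"}  # constructed list
ENTROPY_LIMIT = 7.5  # bits/byte: ciphertext sits near 8.0, CSV text near 3-4


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_backup(source: Path, backup_root: Path) -> None:
    """Copy `source` to backup_root/set and record a SHA-256 manifest once.
    A file changed in the set afterwards (an attacker reaching the backup
    system) will no longer match the manifest at restore time."""
    dest = backup_root / "set"
    shutil.copytree(source, dest)
    manifest = {str(p.relative_to(dest)): sha256_file(p)
                for p in sorted(dest.rglob("*")) if p.is_file()}
    (backup_root / "manifest.json").write_text(json.dumps(manifest))


def restore_test(backup_root: Path, scratch: Path) -> dict:
    """Restore into `scratch`, never over production data, and report:
    hash_mismatch: restored file differs from the manifest (corrupt/tampered)
    already_encrypted: name or byte entropy says the backup holds ciphertext,
    i.e. it was taken after the incident and cannot recover anything."""
    manifest = json.loads((backup_root / "manifest.json").read_text())
    restored = scratch / "restored"
    shutil.copytree(backup_root / "set", restored)
    report = {"files": 0, "hash_mismatch": [], "already_encrypted": []}
    for rel, expected in manifest.items():
        p = restored / rel
        report["files"] += 1
        if not p.exists() or sha256_file(p) != expected:
            report["hash_mismatch"].append(rel)
            continue
        if p.suffix in LOCKED_SUFFIXES or shannon_entropy(p.read_bytes()) > ENTROPY_LIMIT:
            report["already_encrypted"].append(rel)
    report["ok"] = not report["hash_mismatch"] and not report["already_encrypted"]
    return report


def simulate_ransomware(target: Path) -> None:
    """Constructed stand-in for the incident: same-length random bytes in
    place of every file's contents, plus a ransomware-style suffix."""
    for p in [q for q in target.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(p.stat().st_size))
        p.rename(p.with_name(p.name + ".locked"))


def demo() -> dict:
    """Three backups of one constructed file share: clean, tampered after
    its manifest was written, and taken after the ransomware ran.
    Returns the restore-test report for each."""
    root = Path(tempfile.mkdtemp(prefix="restore-test-"))
    prod = root / "prod"
    prod.mkdir()
    for i in range(3):  # ~6 KB of plausible ledger text per file (constructed)
        (prod / f"ledger-{i}.csv").write_text(
            "".join(f"{i},{n},invoice,{n * 7}\n" for n in range(400)))
    make_backup(prod, root / "clean")
    make_backup(prod, root / "tampered")
    (root / "tampered" / "set" / "ledger-0.csv").write_text("rewritten by attacker\n")
    simulate_ransomware(prod)
    make_backup(prod, root / "after-incident")
    reports = {name: restore_test(root / name, root / f"scratch-{name}")
               for name in ("clean", "tampered", "after-incident")}
    shutil.rmtree(root)
    return reports


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: {'OK' if r['ok'] else 'FAILED'} {r}")
```

Run it directly to see the three reports: only the clean backup passes, the tampered one fails on ledger-0.csv, and the post-incident one restores perfectly yet contains nothing but ciphertext. In practice the scratch host should be isolated from production and the manifest kept somewhere the backup system cannot write to, otherwise an attacker who reaches the backups can rewrite both the data and its hashes. The entropy check is a heuristic: compressed or legitimately encrypted archives in a backup also exceed the threshold and need an allow-list.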
  46. "In 2010, $148 million of ransoms were paid to pirates. On the other hand, $1.85 billion dollars were spent on insurance to cover piracy, that's 10 times more than the actual ransoms that are given to pirates."
  47. "Ransomware Protection Market to Reach $17 Billion by 2021 - Analysis by Solution, Service, Application, Deployment, Organization Size, Vertical & Region - Research and Markets"
  48. Thank You! @jeremiahg, https://www.facebook.com/jeremiahgrossman, https://www.linkedin.com/in/grossmanjeremiah, https://www.jeremiahgrossman.com/, http://blog.jeremiahgrossman.com/
