Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Not-So-Improbable Future of Ransomware

The Not-So-Improbable Future of Ransomware

Ransomware may have been perceived as a nuisance as recently as last year, but now we’re seeing it strike – and cripple – hospitals, police stations, schools, and other critical organizations that serve the common good. This session explores the evolution of traditional real world extortion tactics and how they will likely be incorporated by ransomware.

7eaca7b954a0966ed47bda102a669af9?s=128

Andrew Hay

April 26, 2017
Tweet

Transcript

  1. www.leocybersecurity.com 1 FUTURE OF RANSOMWARE THE NOT-SO-IMPROBABLE Andrew Hay, Co-Founder

    and CTO, LEO Cyber Security +1.650.532.3555 andrew.hay@leocybersecurity.com www.leocybersecurity.com @andrewsmhay
  2. www.leocybersecurity.com 2 Andrew Hay @andrewsmhay You may know me from

    the Internet… • Chief Technology Officer (CTO) @ LEO Cyber Security • Former: • CISO @ DataGravity • Director of Research @ OpenDNS • Chief Evangelist & Director of Research @ CloudPassage • Senior Security Analyst @ 451 Research • Sr. Security Analyst in higher education and a bank in Bermuda • Blogger, author, history buff, and rugby coach About Me
  3. www.leocybersecurity.com 3 LEO is a seasoned team of cyber trailblazers

    and creative practitioners who have the deep experience and operational knowledge to combat the cyber skills gap Through creative solutions we help our customers build and manage security programs OUR HISTORY About LEO Threats adapt and so do we
  4. www.leocybersecurity.com 4 • The reluctant acceptance payment, combined with the

    low risk and high reward, is driving organized criminal elements to embrace ransomware • The major concern, however, is the evolution of tactics paralleling traditional extortion rackets • What can we learn from real world hostage, terrorist negotiation, and kidnap & ransom schemes that we can apply to our digital world?
  5. www.leocybersecurity.com 5 Agenda Introduction Summary Ransomware TTPs and K&R Doctrine

    The History of Kidnap and Ransom (K&R) Preparing For The Next Wave
  6. www.leocybersecurity.com 6 The History of Kidnap & Ransom Prior to

    1000 A.D. KIDNAPPING IN ANTIQUITY • Not only practiced but was much more common than one might expect • Removal of Hebrews to Babylon (kidnapping of an entire race of people) • Victim’s perceived wealth, position in a hierarchy, or social status determined whether he or she ended up being ransomed or enslaved
  7. www.leocybersecurity.com 7 The History of Kidnap & Ransom 1000 –

    1800 A.D. THE MIDDLE AGES & THE RENAISSANCE • Numerous European leaders and nobles used ransom kidnapping to finance their wars and conquests • In Europe and in the New World ransom had religious issues as major contributing factors • Far East and Africa, less so
  8. www.leocybersecurity.com 8 The History of Kidnap & Ransom 1800 –

    1970 A.D. THE INDUSTRIAL AGE • Practice of exchanging hostages as a guarantor of treaties and agreements had ceased, except in Africa • African slave trade continued apace • “Press-ganging” of sailors • Ransoming entire cities continued • Legislation defining the crime of kidnapping and prescribing harsh punishments for wrongdoers was formally adopted for the first time
  9. www.leocybersecurity.com 9 The History of Kidnap & Ransom 1968 to

    the Present A MODERN SCOURGE • Terrorist and criminal actions propelled kidnapping to the forefront • Terrorists and revolutionaries use the tactic to make political statements or to raise funds • Criminals commit kidnappings for profit
  10. www.leocybersecurity.com 10 The History of Kidnap & Ransom 1968 to

    the Present A MODERN SCOURGE • Italy was a worldwide leader in kidnappings throughout the late 1970s and most of the 1980s • Government instituted the freezing of kidnap victim assets and made kidnap-ransom insurance policies illegal • Also empowered magistrates to freeze the assets of anyone who might be considered a potential contributor to ransom payments Italy
  11. www.leocybersecurity.com 11 The History of Kidnap & Ransom 1968 to

    the Present A MODERN SCOURGE • In the 1990s, countries such as Colombia, Mexico, and Brazil raced past Italy into the top spots on the worldwide list • By the end of the 1980s, as many as four thousand kidnappings for ransom were reportedly occurring yearly in Colombia • Government froze assets of kidnap victims, made outside intercession illegal, and increased penalties for kidnappers • The measures had little or no effect Colombia
  12. www.leocybersecurity.com 12 The History of Kidnap & Ransom 1968 to

    the Present A MODERN SCOURGE • In the late 80s, the kidnapping problem began with a series of high- profile kidnappings of industrialists and well-known figures. • No one was immune and kidnappers established a pattern of kidnapping • There was an overwhelming lack of trust in the authorities • Became the “kidnap capital of the world” in 2004 Mexico
  13. www.leocybersecurity.com 13 The History of Kidnap & Ransom 1968 to

    the Present A MODERN SCOURGE • Since 2004, the families of soccer stars have become fair game for kidnappers • Robinho’s mother was kidnapped and a number of family members of football players have been kidnapped and significant ransoms paid for their return • Overall, Brazil continues to suffer one of the highest kidnapping rates in the world Brazil
  14. www.leocybersecurity.com 14 The History of Kidnap & Ransom 1968 to

    the Present A MODERN SCOURGE • After the fall of the Berlin Wall entrepreneurial criminals began a wave of kidnappings that still continues • Criminal organizations have practiced kidnapping with virtual impunity, taking ransoms for businessman, family members, and persons of all socioeconomic levels • Kidnapping flourishes with rampant corruption and less than effective law enforcement Eastern Europe
  15. www.leocybersecurity.com 15 The History of Kidnap & Ransom 1968 to

    the Present A MODERN SCOURGE • Nigeria has become one of the world’s most active locations for kidnapping • Hundreds of locals and expats are kidnapped every year and massive ransoms are paid • White western oil company executives are referred to by gang members as “white gold” • Nigeria is the leading kidnapping state in Africa Nigeria
  16. www.leocybersecurity.com 16 ”The criminal element now calculates that crime really

    does pay.” - President Ronald Wilson Reagan, 40th President of the United States The History of Kidnap & Ransom
  17. www.leocybersecurity.com 17 The History of Kidnap & Ransom 1989 to

    2000 ENTER TECHNOLOGICAL KIDNAP AND RANSOM • AIDS Trojan hid the files on the hard drive and encrypted their names • Asked to pay $189 to PC Cyborg Corporation for a tool to decrypt • Had a design failure so severe it was not necessary to pay the extortionist at all
  18. www.leocybersecurity.com 18 The History of Kidnap & Ransom ENTER TECHNOLOGICAL

    KIDNAP AND RANSOM • By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes • June 2008, Gpcode.AK was detected using a 1024-bit RSA key. Believed large enough to be computationally infeasible to break without a concerted distributed effort 2000 to 2010
  19. www.leocybersecurity.com 19 The History of Kidnap & Ransom ENTER TECHNOLOGICAL

    KIDNAP AND RANSOM • CryptoLocker using digital currency to collect ransom (2013) • CryptoLocker had procured about US$27 million from infected users • Technique was widely copied in the months following • Some ransomware strains have used proxies tied to Tor connect to their C2 servers • Dark web vendors have increasingly started to offer the technology as a service 2010 to the Present
  20. www.leocybersecurity.com 20 Ransomware Timelines

  21. www.leocybersecurity.com 21 Ransomware Timelines

  22. www.leocybersecurity.com 22 Ransomware Timelines

  23. www.leocybersecurity.com 23 Ransomware Timelines

  24. www.leocybersecurity.com 24 Ransomware Timelines

  25. www.leocybersecurity.com 25 Ransomware Timelines http://privacy-pc.com/articles/ransomware-chronicle.html

  26. www.leocybersecurity.com 26 Agenda Introduction Summary Ransomware TTPs and K&R Doctrine

    The History of Kidnap and Ransom (K&R) Preparing For The Next Wave
  27. www.leocybersecurity.com 27 TECHNIQUES Detailed descriptions of behavior in the context

    of a tactic PROCEDURES Even lower-level, highly detailed descriptions in the context of a technique TACTICS High-level descriptions of behavior • Tactics, Techniques, and Procedures (TTPs) • Describe the behavior of an actor • TTPs could describe an actor’s tendency to use a • specific malware variant, • order of operations, • attack tool, • delivery mechanism (e.g., phishing or watering hole attack), or • exploit. TTPs
  28. www.leocybersecurity.com 28 Common Kidnap & Ransom Tactics RANSOM • Individuals

    held against their will pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90%
  29. www.leocybersecurity.com 29 Common Kidnap & Ransom Tactics EXPRESS RANSOM •

    Occurs quickly and finishes quickly (<24hrs) • Grab individual on the street and immediately call family for ransom • Victim often driven to various ATMs to empty bank accounts • Individuals held against their will pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90%
  30. www.leocybersecurity.com 30 Common Kidnap & Ransom Tactics EXPRESS VIRTUAL RANSOM

    • Victim isolated and out of contact for hours (like at a movie) • Kidnappers convince family that they have the victim (using pictures, other information) • Extremely short in duration • Occurs quickly and finishes quickly (<24hrs) • Grab individual on the street and immediately call family for ransom • Victim often driven to various ATMs to empty bank accounts • Individuals held against their will pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90%
  31. www.leocybersecurity.com 31 Common Kidnap & Ransom Tactics EXPRESS VIRTUAL RANSOM

    • Victim isolated and out of contact for hours (like at a movie) • Kidnappers convince family that they have the victim (using pictures, other information) • Extremely short in duration • Occurs quickly and finishes quickly (<24hrs) • Grab individual on the street and immediately call family for ransom • Victim often driven to various ATMs to empty bank accounts • Individuals held against their will pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90% PSYCHOLOGICAL • Also known as extortion • Victims will be kidnapped or murdered unless payment is made • Can force a family to pay almost as a form of insurance • Low risk, high-reward crime
  32. www.leocybersecurity.com 32 Less Common K&R Tactics TIGER • Individuals forced

    to commit or assist in a theft • Hostage or hostages are held until the victim has met the demands of the criminal • Victims often work in banks, post office, currency exchange, etc.
  33. www.leocybersecurity.com 33 Less Common K&R Tactics BRIDE TIGER • Form

    of forced marriage • Often the couple has never met until the day of the kidnapping • Practiced in the Caucasus region, Central Asia, and some African nations • Kidnapper may contact bride’s family to also demand compensation • Individuals forced to commit or assist in a theft • Hostage or hostages are held until the victim has met the demands of the criminal • Victims often work in banks, post office, currency exchange, etc.
  34. www.leocybersecurity.com 34 Ransomware Tactics • Individuals held against their will

    pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90% RANSOMWARE • Employed by virtually all ransomware variants • Access denied to victim data or entire systems pending payment of a ransom • Short-term negotiation (hours or days) • Victim survival rate, of those that pay, similar to that of actual kidnapping schemes • But most (95%)* refuse to pay the ransom * https://blog.barkly.com/ransomware-prevention-tips-to-avoid-paying-ransom RANSOM
  35. www.leocybersecurity.com 35 EXPRESS • Occurs quickly and finishes quickly (<24hrs)

    • Grab individual on the street and immediately call family for ransom • Victim often driven to various ATMs to empty bank accounts Ransomware Tactics RANSOMWARE • Employed by virtually all ransomware variants • Less targeted than traditional Express tactics and more opportunistic • Infect as many as possible for maximum payoff (spray and pray)
  36. www.leocybersecurity.com 36 VIRTUAL • Victim isolated and out of contact

    for hours (like at a movie) • Kidnappers convince family that they have the victim (using pictures, other information) • Extremely short in duration Ransomware Tactics RANSOMWARE • Not YET employed by ransomware operators with great frequency • Some occurrences according* to Citrix study in January 2017 • Would work well for road-warrior victims that travel great distances from their data • Making it difficult to validate the claims • Expect this one to eventually emerge * https://www.citrix.com/blogs/2017/01/24/bluff-ransomware-attacks-bamboozle-british-businesses/
  37. www.leocybersecurity.com 37 PSYCHOLOGICAL • Also known as extortion • Victims

    will be kidnapped or murdered unless payment is made • Can force a family to pay almost as a form of insurance • Low risk, high-reward crime Ransomware Tactics RANSOMWARE • Employed by virtually all ransomware variants • Data will be deleted or publicly released unless the ransom is paid • Former is traditional threat but latter could be considered insurance • Low risk, high-reward crime
  38. www.leocybersecurity.com 38 Ransomware Tactics • Individuals forced to commit or

    assist in a theft • Hostage or hostages are held until the victim has met the demands of the criminal • Victims often work in banks, post office, currency exchange, etc. RANSOMWARE • Starting to see this be more common • First seen with Popcorn Time Ransomware* in December 2016 • Attackers telling victims to share the ransomware with friends or specific targets • Upon payment by those second-stage individuals, the original target (mule) will get their files back TIGER * https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/
  39. www.leocybersecurity.com 39 EXPRESS VIRTUAL RANSOM PSYCHOLOGICAL RANSOMWARE RANSOMWARE RANSOMWARE RANSOMWARE

    Common Kidnap & Ransom Tactics TIGER RANSOMWARE
  40. www.leocybersecurity.com 40 “How does a man or woman leave home

    in the morning, make the sign of the cross and ask for blessings on the day’s labors, then proceed to violently deprive another individual of his or her liberty for ransom?” - Richard P. Wright, Author, Kidnap for Ransom Kidnap & Ransom Techniques
  41. www.leocybersecurity.com 41 Kidnap & Ransom Techniques Alternatively titled ”How they

    get you” • Less common, higher risk • Find a random victim and grab them • Hope that the victim is valuable enough to someone to facilitate a ransom Methods • Opportunistic grab • Force into vehicle/building under threat of harm OPPORTUNISTIC 02 • Most common, higher reward • Track victim movements, habits, patterns • Research victim’s wealth and value Methods • Capture at time of kidnappers choosing • Transport victim to controlled site pre- arranged for long- term negotiations TARGETED 01
  42. www.leocybersecurity.com 42 Ransomware Techniques Alternatively titled ”How they get you”

    • Very common • Spray and pray approach Methods • Email attachments • Email links • Exploit kits • Cloud storage • Social media • Malvertising OPPORTUNISTIC 02 • Less common • Crafted to evade victim’s defenses • Extort large sums of money from businesses and wealthy individuals/families Methods • Emails • Removable media • Business applications TARGETED 01
  43. www.leocybersecurity.com 43 "I don't know who you are. I don't

    know what you want. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my daughter go now, that will be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you. I will find you. And I will kill you." - Liam Neeson, Taken Kidnap & Ransom Procedures
  44. www.leocybersecurity.com 44 Kidnap & Ransom Procedures NEGOTIATE PAYMENT Highest likelihood

    that the victim will be returned unharmed. Highest likelihood that the data or system will be returned. KIDNAP & RANSOM RANSOMWARE KIDNAP & RANSOM RANSOMWARE
  45. www.leocybersecurity.com 45 Kidnap & Ransom Procedures NEGOTIATE PAYMENT REFUSE PAYMENT

    Highest likelihood that the victim will not be returned alive or in one piece. Highest likelihood that the data or system will not be recovered at all. KIDNAP & RANSOM RANSOMWARE KIDNAP & RANSOM RANSOMWARE
  46. www.leocybersecurity.com 46 Kidnap & Ransom Procedures ATTEMPT RESCUE NEGOTIATE PAYMENT

    REFUSE PAYMENT High risk of injury or death to the victim. K&R insiders say ultimately paying up is the most reliable way of getting someone back alive. Depends entirely on the technical ability of the recovery team, the complexity of the ransomware, and (ultimately) time available. KIDNAP & RANSOM RANSOMWARE KIDNAP & RANSOM RANSOMWARE
  47. www.leocybersecurity.com 47 Agenda Introduction Summary Ransomware TTPs and K&R Doctrine

    The History of Kidnap and Ransom (K&R) Preparing For The Next Wave
  48. www.leocybersecurity.com 48 CRYPTOCURRENCY STOCKPILE PREVENTATIVE TOOLS DETECTIVE TOOLS RESTORATIVE TOOLS

    Preparing For The Next Wave TECHNICAL
  49. www.leocybersecurity.com 49 TABE TOP EXERCISES BUSINESS RISK ASSESSMENTS CYBER INSURANCE

    EDUCATION CRYPTOCURRENCY STOCKPILE PREVENTATIVE TOOLS DETECTIVE TOOLS RESTORATIVE TOOLS Preparing For The Next Wave TECHNICAL NON-TECHNICAL
  50. www.leocybersecurity.com 50 Contact DOs and DON’Ts K&R DOs • Attempt

    to verify that the kidnapping has actually occurred. • Start a case record or establish a journal of all events. Ransomware DOs • Attempt to verify that the data theft or encryption has actually occurred. • Start a paper case record or establish a journal of all events. Assume your electronic mediums are being monitored.
  51. www.leocybersecurity.com 51 Contact DOs and DON’Ts DOs • Tape all

    conversations. • Demonstrate a willingness to cooperate in reaching a solution. • Let the kidnapper know that you are taking the conversation seriously and making notes. Ransomware DOs • Tape/record/document all conversations. • Demonstrate a willingness (if you can establish a communications channel) to cooperate in reaching a solution. • Let the kidnapper know that you are taking the conversation seriously and making notes.
  52. www.leocybersecurity.com 52 Contact DOs and DON’Ts DOs • Make sure

    they understand that you are not the final arbiter and that you will facilitate communication with those who can actually make decisions. • Obtain and write down specific detailed instructions, demands, comments, and requirements. Ransomware DOs • Make sure they understand that you are not the final arbiter and that you will facilitate communication with those who can actually make decisions. • Obtain and write down (on paper) specific detailed instructions, demands, comments, and requirements.
  53. www.leocybersecurity.com 53 Contact DOs and DON’Ts DOs • Try to

    obtain a code by which to identify the kidnapper in future communications. • Establish a time frame for subsequent communications if possible. Ransomware DOs • Try to obtain a code by which to identify the attacker in future communications. • Establish a time frame for subsequent communications if possible.
  54. www.leocybersecurity.com 54 Contact DOs and DON’Ts K&R DON’Ts • Make

    any promises that later cannot be kept; specifically avoid offering a specific sum or agreeing to ransom demands. • Provide any additional information to the kidnapper. • Threaten the kidnapper or engage in verbal abuse or confrontational rhetoric. Ransomware DON’Ts • Make any promises that later cannot be kept; specifically avoid offering a specific sum or agreeing to ransom demands. • Provide any additional information to the ransomware attacker. • Threaten the ransomware attacker or engage in verbal abuse or confrontational rhetoric.
  55. www.leocybersecurity.com 55 Contact DOs and DON’Ts K&R DON’Ts • Beg

    or show nervousness, fear or suspicion. • Become sidetracked by outside disruptions or allow yourself to become distracted. • Accept conditions; later calls will establish parameters and conditions. Ransomware DON’Ts • Beg or show nervousness, fear or suspicion. • Become sidetracked by outside disruptions or allow yourself to become distracted. • Accept conditions; later communications may establish additional parameters and conditions.
  56. www.leocybersecurity.com 56 Agenda Introduction Summary Ransomware TTPs and K&R Doctrine

    The History of Kidnap and Ransom (K&R) Preparing For The Next Wave
  57. www.leocybersecurity.com 57 Summary Be aware of the traditional K&R tactics,

    techniques, and procedures as they ARE quickly emulating traditional K&R doctrine. Negotiate when you can, pay if you are forced to, fight if you think you can win. OMG WTF, K&R TTPs What has historically worked will ultimately be reused – especially when the ROI and risk/reward equation make ransomware a more attractive extortion technique. MUCH CAN BE LEARNED FROM HISTORY A combination of of technical and non-technical controls are needed to mitigate current and future ransomware campaigns. Don’t discount the value of cyber insurance. PREPARATION IS KEY 02 03 01
  58. www.leocybersecurity.com 58 Thank You Questions? www.leocybersecurity.com LEO Cyber Security 2000

    McKinney Avenue, Suite 2125, Dallas, TX 75201 +1.469.844.3608 www.leocybersecurity.com Andrew Hay, Co-Founder and CTO, LEO Cyber Security +1.650.532.3555 andrew.hay@leocybersecurity.com @andrewsmhay