The Not-So-Improbable Future of Ransomware

www.leocybersecurity.com 1 FUTURE OF RANSOMWARE THE NOT-SO-IMPROBABLE Andrew Hay, Co-Founder
and CTO, LEO Cyber Security +1.650.532.3555 [email protected] www.leocybersecurity.com @andrewsmhay

www.leocybersecurity.com 2 Andrew Hay @andrewsmhay You may know me from
the Internet… • Chief Technology Officer (CTO) @ LEO Cyber Security • Former: • CISO @ DataGravity • Director of Research @ OpenDNS • Chief Evangelist & Director of Research @ CloudPassage • Senior Security Analyst @ 451 Research • Sr. Security Analyst in higher education and a bank in Bermuda • Blogger, author, history buff, and rugby coach About Me

www.leocybersecurity.com 3 LEO is a seasoned team of cyber trailblazers
and creative practitioners who have the deep experience and operational knowledge to combat the cyber skills gap Through creative solutions we help our customers build and manage security programs OUR HISTORY About LEO Threats adapt and so do we

www.leocybersecurity.com 4 • The reluctant acceptance payment, combined with the
low risk and high reward, is driving organized criminal elements to embrace ransomware • The major concern, however, is the evolution of tactics paralleling traditional extortion rackets • What can we learn from real world hostage, terrorist negotiation, and kidnap & ransom schemes that we can apply to our digital world?

www.leocybersecurity.com 5 Agenda Introduction Summary Ransomware TTPs and K&R Doctrine
The History of Kidnap and Ransom (K&R) Preparing For The Next Wave

www.leocybersecurity.com 6 The History of Kidnap & Ransom Prior to
1000 A.D. KIDNAPPING IN ANTIQUITY • Not only practiced but was much more common than one might expect • Removal of Hebrews to Babylon (kidnapping of an entire race of people) • Victim’s perceived wealth, position in a hierarchy, or social status determined whether he or she ended up being ransomed or enslaved

www.leocybersecurity.com 7 The History of Kidnap & Ransom 1000 –
1800 A.D. THE MIDDLE AGES & THE RENAISSANCE • Numerous European leaders and nobles used ransom kidnapping to finance their wars and conquests • In Europe and in the New World ransom had religious issues as major contributing factors • Far East and Africa, less so

www.leocybersecurity.com 8 The History of Kidnap & Ransom 1800 –
1970 A.D. THE INDUSTRIAL AGE • Practice of exchanging hostages as a guarantor of treaties and agreements had ceased, except in Africa • African slave trade continued apace • “Press-ganging” of sailors • Ransoming entire cities continued • Legislation defining the crime of kidnapping and prescribing harsh punishments for wrongdoers was formally adopted for the first time

www.leocybersecurity.com 9 The History of Kidnap & Ransom 1968 to
the Present A MODERN SCOURGE • Terrorist and criminal actions propelled kidnapping to the forefront • Terrorists and revolutionaries use the tactic to make political statements or to raise funds • Criminals commit kidnappings for profit

the Present A MODERN SCOURGE • Italy was a worldwide leader in kidnappings throughout the late 1970s and most of the 1980s • Government instituted the freezing of kidnap victim assets and made kidnap-ransom insurance policies illegal • Also empowered magistrates to freeze the assets of anyone who might be considered a potential contributor to ransom payments Italy

the Present A MODERN SCOURGE • In the 1990s, countries such as Colombia, Mexico, and Brazil raced past Italy into the top spots on the worldwide list • By the end of the 1980s, as many as four thousand kidnappings for ransom were reportedly occurring yearly in Colombia • Government froze assets of kidnap victims, made outside intercession illegal, and increased penalties for kidnappers • The measures had little or no effect Colombia

the Present A MODERN SCOURGE • In the late 80s, the kidnapping problem began with a series of high- profile kidnappings of industrialists and well-known figures. • No one was immune and kidnappers established a pattern of kidnapping • There was an overwhelming lack of trust in the authorities • Became the “kidnap capital of the world” in 2004 Mexico

the Present A MODERN SCOURGE • Since 2004, the families of soccer stars have become fair game for kidnappers • Robinho’s mother was kidnapped and a number of family members of football players have been kidnapped and significant ransoms paid for their return • Overall, Brazil continues to suffer one of the highest kidnapping rates in the world Brazil

the Present A MODERN SCOURGE • After the fall of the Berlin Wall entrepreneurial criminals began a wave of kidnappings that still continues • Criminal organizations have practiced kidnapping with virtual impunity, taking ransoms for businessman, family members, and persons of all socioeconomic levels • Kidnapping flourishes with rampant corruption and less than effective law enforcement Eastern Europe

the Present A MODERN SCOURGE • Nigeria has become one of the world’s most active locations for kidnapping • Hundreds of locals and expats are kidnapped every year and massive ransoms are paid • White western oil company executives are referred to by gang members as “white gold” • Nigeria is the leading kidnapping state in Africa Nigeria

www.leocybersecurity.com 16 ”The criminal element now calculates that crime really
does pay.” - President Ronald Wilson Reagan, 40th President of the United States The History of Kidnap & Ransom

2000 ENTER TECHNOLOGICAL KIDNAP AND RANSOM • AIDS Trojan hid the files on the hard drive and encrypted their names • Asked to pay $189 to PC Cyborg Corporation for a tool to decrypt • Had a design failure so severe it was not necessary to pay the extortionist at all

www.leocybersecurity.com 18 The History of Kidnap & Ransom ENTER TECHNOLOGICAL
KIDNAP AND RANSOM • By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes • June 2008, Gpcode.AK was detected using a 1024-bit RSA key. Believed large enough to be computationally infeasible to break without a concerted distributed effort 2000 to 2010

www.leocybersecurity.com 19 The History of Kidnap & Ransom ENTER TECHNOLOGICAL
KIDNAP AND RANSOM • CryptoLocker using digital currency to collect ransom (2013) • CryptoLocker had procured about US$27 million from infected users • Technique was widely copied in the months following • Some ransomware strains have used proxies tied to Tor connect to their C2 servers • Dark web vendors have increasingly started to offer the technology as a service 2010 to the Present

www.leocybersecurity.com 20 Ransomware Timelines

www.leocybersecurity.com 25 Ransomware Timelines http://privacy-pc.com/articles/ransomware-chronicle.html

www.leocybersecurity.com 27 TECHNIQUES Detailed descriptions of behavior in the context
of a tactic PROCEDURES Even lower-level, highly detailed descriptions in the context of a technique TACTICS High-level descriptions of behavior • Tactics, Techniques, and Procedures (TTPs) • Describe the behavior of an actor • TTPs could describe an actor’s tendency to use a • specific malware variant, • order of operations, • attack tool, • delivery mechanism (e.g., phishing or watering hole attack), or • exploit. TTPs

www.leocybersecurity.com 28 Common Kidnap & Ransom Tactics RANSOM • Individuals
held against their will pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90%

www.leocybersecurity.com 29 Common Kidnap & Ransom Tactics EXPRESS RANSOM •
Occurs quickly and finishes quickly (<24hrs) • Grab individual on the street and immediately call family for ransom • Victim often driven to various ATMs to empty bank accounts • Individuals held against their will pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90%

www.leocybersecurity.com 30 Common Kidnap & Ransom Tactics EXPRESS VIRTUAL RANSOM
• Victim isolated and out of contact for hours (like at a movie) • Kidnappers convince family that they have the victim (using pictures, other information) • Extremely short in duration • Occurs quickly and finishes quickly (<24hrs) • Grab individual on the street and immediately call family for ransom • Victim often driven to various ATMs to empty bank accounts • Individuals held against their will pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90%

www.leocybersecurity.com 31 Common Kidnap & Ransom Tactics EXPRESS VIRTUAL RANSOM
• Victim isolated and out of contact for hours (like at a movie) • Kidnappers convince family that they have the victim (using pictures, other information) • Extremely short in duration • Occurs quickly and finishes quickly (<24hrs) • Grab individual on the street and immediately call family for ransom • Victim often driven to various ATMs to empty bank accounts • Individuals held against their will pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90% PSYCHOLOGICAL • Also known as extortion • Victims will be kidnapped or murdered unless payment is made • Can force a family to pay almost as a form of insurance • Low risk, high-reward crime

www.leocybersecurity.com 32 Less Common K&R Tactics TIGER • Individuals forced
to commit or assist in a theft • Hostage or hostages are held until the victim has met the demands of the criminal • Victims often work in banks, post office, currency exchange, etc.

www.leocybersecurity.com 33 Less Common K&R Tactics BRIDE TIGER • Form
of forced marriage • Often the couple has never met until the day of the kidnapping • Practiced in the Caucasus region, Central Asia, and some African nations • Kidnapper may contact bride’s family to also demand compensation • Individuals forced to commit or assist in a theft • Hostage or hostages are held until the victim has met the demands of the criminal • Victims often work in banks, post office, currency exchange, etc.

www.leocybersecurity.com 34 Ransomware Tactics • Individuals held against their will
pending payment of a ransom • Long-term negotiation (3 days to years) • Victim survival rate (estimate) of ~90% RANSOMWARE • Employed by virtually all ransomware variants • Access denied to victim data or entire systems pending payment of a ransom • Short-term negotiation (hours or days) • Victim survival rate, of those that pay, similar to that of actual kidnapping schemes • But most (95%)* refuse to pay the ransom * https://blog.barkly.com/ransomware-prevention-tips-to-avoid-paying-ransom RANSOM

www.leocybersecurity.com 35 EXPRESS • Occurs quickly and finishes quickly (<24hrs)
• Grab individual on the street and immediately call family for ransom • Victim often driven to various ATMs to empty bank accounts Ransomware Tactics RANSOMWARE • Employed by virtually all ransomware variants • Less targeted than traditional Express tactics and more opportunistic • Infect as many as possible for maximum payoff (spray and pray)

www.leocybersecurity.com 36 VIRTUAL • Victim isolated and out of contact
for hours (like at a movie) • Kidnappers convince family that they have the victim (using pictures, other information) • Extremely short in duration Ransomware Tactics RANSOMWARE • Not YET employed by ransomware operators with great frequency • Some occurrences according* to Citrix study in January 2017 • Would work well for road-warrior victims that travel great distances from their data • Making it difficult to validate the claims • Expect this one to eventually emerge * https://www.citrix.com/blogs/2017/01/24/bluff-ransomware-attacks-bamboozle-british-businesses/

www.leocybersecurity.com 37 PSYCHOLOGICAL • Also known as extortion • Victims
will be kidnapped or murdered unless payment is made • Can force a family to pay almost as a form of insurance • Low risk, high-reward crime Ransomware Tactics RANSOMWARE • Employed by virtually all ransomware variants • Data will be deleted or publicly released unless the ransom is paid • Former is traditional threat but latter could be considered insurance • Low risk, high-reward crime

www.leocybersecurity.com 38 Ransomware Tactics • Individuals forced to commit or
assist in a theft • Hostage or hostages are held until the victim has met the demands of the criminal • Victims often work in banks, post office, currency exchange, etc. RANSOMWARE • Starting to see this be more common • First seen with Popcorn Time Ransomware* in December 2016 • Attackers telling victims to share the ransomware with friends or specific targets • Upon payment by those second-stage individuals, the original target (mule) will get their files back TIGER * https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/

www.leocybersecurity.com 39 EXPRESS VIRTUAL RANSOM PSYCHOLOGICAL RANSOMWARE RANSOMWARE RANSOMWARE RANSOMWARE
Common Kidnap & Ransom Tactics TIGER RANSOMWARE

www.leocybersecurity.com 40 “How does a man or woman leave home
in the morning, make the sign of the cross and ask for blessings on the day’s labors, then proceed to violently deprive another individual of his or her liberty for ransom?” - Richard P. Wright, Author, Kidnap for Ransom Kidnap & Ransom Techniques

www.leocybersecurity.com 41 Kidnap & Ransom Techniques Alternatively titled ”How they
get you” • Less common, higher risk • Find a random victim and grab them • Hope that the victim is valuable enough to someone to facilitate a ransom Methods • Opportunistic grab • Force into vehicle/building under threat of harm OPPORTUNISTIC 02 • Most common, higher reward • Track victim movements, habits, patterns • Research victim’s wealth and value Methods • Capture at time of kidnappers choosing • Transport victim to controlled site pre- arranged for long- term negotiations TARGETED 01

www.leocybersecurity.com 42 Ransomware Techniques Alternatively titled ”How they get you”
• Very common • Spray and pray approach Methods • Email attachments • Email links • Exploit kits • Cloud storage • Social media • Malvertising OPPORTUNISTIC 02 • Less common • Crafted to evade victim’s defenses • Extort large sums of money from businesses and wealthy individuals/families Methods • Emails • Removable media • Business applications TARGETED 01

www.leocybersecurity.com 43 "I don't know who you are. I don't
know what you want. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my daughter go now, that will be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you. I will find you. And I will kill you." - Liam Neeson, Taken Kidnap & Ransom Procedures

www.leocybersecurity.com 44 Kidnap & Ransom Procedures NEGOTIATE PAYMENT Highest likelihood
that the victim will be returned unharmed. Highest likelihood that the data or system will be returned. KIDNAP & RANSOM RANSOMWARE KIDNAP & RANSOM RANSOMWARE

www.leocybersecurity.com 45 Kidnap & Ransom Procedures NEGOTIATE PAYMENT REFUSE PAYMENT
Highest likelihood that the victim will not be returned alive or in one piece. Highest likelihood that the data or system will not be recovered at all. KIDNAP & RANSOM RANSOMWARE KIDNAP & RANSOM RANSOMWARE

www.leocybersecurity.com 46 Kidnap & Ransom Procedures ATTEMPT RESCUE NEGOTIATE PAYMENT
REFUSE PAYMENT High risk of injury or death to the victim. K&R insiders say ultimately paying up is the most reliable way of getting someone back alive. Depends entirely on the technical ability of the recovery team, the complexity of the ransomware, and (ultimately) time available. KIDNAP & RANSOM RANSOMWARE KIDNAP & RANSOM RANSOMWARE

www.leocybersecurity.com 48 CRYPTOCURRENCY STOCKPILE PREVENTATIVE TOOLS DETECTIVE TOOLS RESTORATIVE TOOLS
Preparing For The Next Wave TECHNICAL

www.leocybersecurity.com 49 TABE TOP EXERCISES BUSINESS RISK ASSESSMENTS CYBER INSURANCE
EDUCATION CRYPTOCURRENCY STOCKPILE PREVENTATIVE TOOLS DETECTIVE TOOLS RESTORATIVE TOOLS Preparing For The Next Wave TECHNICAL NON-TECHNICAL

www.leocybersecurity.com 50 Contact DOs and DON’Ts K&R DOs • Attempt
to verify that the kidnapping has actually occurred. • Start a case record or establish a journal of all events. Ransomware DOs • Attempt to verify that the data theft or encryption has actually occurred. • Start a paper case record or establish a journal of all events. Assume your electronic mediums are being monitored.

www.leocybersecurity.com 51 Contact DOs and DON’Ts DOs • Tape all
conversations. • Demonstrate a willingness to cooperate in reaching a solution. • Let the kidnapper know that you are taking the conversation seriously and making notes. Ransomware DOs • Tape/record/document all conversations. • Demonstrate a willingness (if you can establish a communications channel) to cooperate in reaching a solution. • Let the kidnapper know that you are taking the conversation seriously and making notes.

www.leocybersecurity.com 52 Contact DOs and DON’Ts DOs • Make sure
they understand that you are not the final arbiter and that you will facilitate communication with those who can actually make decisions. • Obtain and write down specific detailed instructions, demands, comments, and requirements. Ransomware DOs • Make sure they understand that you are not the final arbiter and that you will facilitate communication with those who can actually make decisions. • Obtain and write down (on paper) specific detailed instructions, demands, comments, and requirements.

www.leocybersecurity.com 53 Contact DOs and DON’Ts DOs • Try to
obtain a code by which to identify the kidnapper in future communications. • Establish a time frame for subsequent communications if possible. Ransomware DOs • Try to obtain a code by which to identify the attacker in future communications. • Establish a time frame for subsequent communications if possible.

www.leocybersecurity.com 54 Contact DOs and DON’Ts K&R DON’Ts • Make
any promises that later cannot be kept; specifically avoid offering a specific sum or agreeing to ransom demands. • Provide any additional information to the kidnapper. • Threaten the kidnapper or engage in verbal abuse or confrontational rhetoric. Ransomware DON’Ts • Make any promises that later cannot be kept; specifically avoid offering a specific sum or agreeing to ransom demands. • Provide any additional information to the ransomware attacker. • Threaten the ransomware attacker or engage in verbal abuse or confrontational rhetoric.

www.leocybersecurity.com 55 Contact DOs and DON’Ts K&R DON’Ts • Beg
or show nervousness, fear or suspicion. • Become sidetracked by outside disruptions or allow yourself to become distracted. • Accept conditions; later calls will establish parameters and conditions. Ransomware DON’Ts • Beg or show nervousness, fear or suspicion. • Become sidetracked by outside disruptions or allow yourself to become distracted. • Accept conditions; later communications may establish additional parameters and conditions.

www.leocybersecurity.com 57 Summary Be aware of the traditional K&R tactics,
techniques, and procedures as they ARE quickly emulating traditional K&R doctrine. Negotiate when you can, pay if you are forced to, fight if you think you can win. OMG WTF, K&R TTPs What has historically worked will ultimately be reused – especially when the ROI and risk/reward equation make ransomware a more attractive extortion technique. MUCH CAN BE LEARNED FROM HISTORY A combination of of technical and non-technical controls are needed to mitigate current and future ransomware campaigns. Don’t discount the value of cyber insurance. PREPARATION IS KEY 02 03 01

www.leocybersecurity.com 58 Thank You Questions? www.leocybersecurity.com LEO Cyber Security 2000
McKinney Avenue, Suite 2125, Dallas, TX 75201 +1.469.844.3608 www.leocybersecurity.com Andrew Hay, Co-Founder and CTO, LEO Cyber Security +1.650.532.3555 [email protected] @andrewsmhay

The Not-So-Improbable Future of Ransomware

The Not-So-Improbable Future of Ransomware

More Decks by Andrew Hay

Other Decks in Technology

Featured

Transcript