Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. If you look closely, the ransomware economic dynamics closely follow the real-world kidnapping and ransom industry. We’ll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.

1. WHAT THE KIDNAPPING & RANSOM ECONOMY
TEACHES US ABOUT RANSOMWARE
JEREMIAH GROSSMAN
CHIEF OF SECURITY STRATEGY
@jeremiahg
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/
http://sentinelone.com/

2. BIO
WHO I AM…
▸Professional Hacker
▸Black Belt in Brazilian Jiu-Jitsu
▸Founder of WhiteHat Security

4. MY FIRST ‘PERSONAL’ EXPERIENCE
WITH CYBER-EXTORTION
2005

5. “THE FBI RECENTLY PUBLISHED
THAT RANSOMWARE VICTIMS
PAID OUT $209 MILLION IN Q1
2016 COMPARED TO $24
MILLION FOR ALL OF 2015.”
LA Times
THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY
JUST OVER 10 YEARS LATER…

6. DEC 11, 1989: 20,000
ENVELOPES CONTAINING 5
1/4" FLOPPY DISKS LOADED
W/ THE FIRST KNOWN
RANSOMWARE (‘AIDS')
WERE MAILED.

9. MEDICAL CARE TRANSPORTATION GOVERNMENT
EDUCATION POLICE IOT
SECURITY PEOPLE HOTELS

10. “FAMILY MEMBER'S TV IS BRICKED BY
ANDROID MALWARE. #LG WONT
DISCLOSE FACTORY RESET. AVOID
THESE "SMART TVS" LIKE THE
PLAGUE.”
TWITTER
INTERNET OF THINGS

11. “A 'RANSOMWARE' PROGRAM HAD
INFECTED HIS COMPUTER ALLOWING
THE HACKERS TO FILM HIM THROUGH
THE WEBCAM. HE HAD BEEN FILMED
IN A COMPROMISING SITUATION. NOW
THEY WANTED MONEY.”
ABC AU
PEOPLE

12. “ONE OF EUROPE'S TOP HOTELS HAS
ADMITTED THEY HAD TO PAY THOUSANDS IN
BITCOIN RANSOM TO CYBERCRIMINALS
WHO MANAGED TO HACK THEIR ELECTRONIC
KEY SYSTEM, LOCKING HUNDREDS OF
GUESTS OUT OF THEIR ROOMS UNTIL THE
MONEY WAS PAID.”
The Local
HOTELS

13. “A RANSOMWARE ATTACK TOOK TICKET
MACHINES FOR SAN FRANCISCO'S LIGHT
RAIL TRANSIT SYSTEM OFFLINE ALL DAY
SATURDAY DURING ONE OF THE BUSIEST
SHOPPING WEEKENDS OF THE YEAR, BUT
RATHER THAN SHUTTING DOWN, THE
AGENCY DECIDED INSTEAD TO LET USERS
RIDE FOR FREE.”
USA TODAY
TRANSPORTATION

14. “CRIMINALS INFECTED 70 PERCENT OF
STORAGE DEVICES TIED TO CLOSED-
CIRCUIT TVS IN WASHINGTON DC
EIGHT DAYS BEFORE THE
INAUGURATION OF PRESIDENT
DONALD TRUMP.”
The Register
EVENT SECURITY

15. “THE ATTACK FORCED DEPARTMENTS
SUCH AS THE LICKING COUNTY 911
CENTER, COUNTY AUDITOR'S OFFICE
AND CLERK OF COURTS TO PERFORM
THEIR JOBS WITHOUT THE USE OF
COMPUTERS OR OFFICE
TELEPHONES.”
Newark Advocate
EMERGENCY SERVICES

16. “LOST DATA GOES BACK TO 2009. DATA
FROM THAT PERIOD BACKED UP ON DVDS
AND CDS REMAINED INTACT. WHILE
ARCHIVED DATA HAS ITS IMPORTANCE,
MORE WORRYING IS THAT THE DEPARTMENT
LOST DATA FROM ONGOING
INVESTIGATIONS.”
Bleeping Computer
LAW ENFORCEMENT

17. “THE TRUST DID NOT PAY ANY
RANSOM AS A RESULT OF THE ATTACK
BUT IT DID HAVE TO CANCEL 2,800
PATIENT APPOINTMENTS DURING 48
HOURS WHEN IT SHUT DOWN
SYSTEMS.”
The Telegraph
MEDICAL CARE

18. INDUSTRY REPORTS, DATA, AND ANECDOTES

19. IBM SECURITY’S X-FORCE
70% OF ENTERPRISE RANSOMWARE VICTIMS PAID UP.
20% OF COMPROMISED ORGANIZATIONS PAID RANSOMS OF
MORE THAN $40,000 (USD).
25% HAVE PAID BETWEEN $20,000 (USD) AND $40,000 (USD).
(DEC, 2016)

20. SENTINELONE
OVER THE PAST 12 MONTHS, 50% OF ORGANIZATIONS HAVE
RESPONDED TO A RANSOMWARE CAMPAIGN.
THOSE ORGANIZATIONS THAT SUFFERED A RANSOMWARE
ATTACK IN THE PAST 12 MONTHS, 85% STATED THAT THEY WERE
HIT WITH THREE OR MORE ATTACKS.
(NOV, 2016)

21. KASPERSKY LAB
THE NUMBER OF RANSOMWARE INFECTIONS SUFFERED BY
COMPANIES UP 3-FOLD FROM JANUARY TO SEPTEMBER.
1-IN-5 BUSINESSES WORLDWIDE HAS BEEN VICTIMS OF A
RANSOMWARE AND THE RATE OF RANSOMWARE ATTACKS
INCREASED FROM ONE EVERY 2-MIN TO ONE EVERY 40-SEC.
(DEC, 2016)

22. KASPERSKY LAB

24. THE RANSOMWARE LANDSCAPE
▸Not all critical systems are backed-up
▸Your Anti-Virus software SUCKS
▸Infection rates rising fast (still)
▸Rising ransom demands
▸CFOs - or their law firms - must learn how to transact in Bitcoin
▸Innovation in business models, victim targeting, and malware
▸Cyber-Insurance reimbursement

25. KIDNAPPING & RANSOM
“K&R”
REPORTEDLY A $500 MILLION (USD) MARKET

27. ”IN 75 BCE, 25-YEAR-OLD JULIUS CAESAR
WAS SAILING THE AEGEAN SEA WHEN HE WAS
KIDNAPPED BY CILICIAN PIRATES. WHEN THE
PIRATES ASKED FOR A RANSOM OF 20
TALENTS OF SILVER, CAESAR LAUGHED AT
THEIR FACES. THEY DIDN'T KNOW WHO THEY
HAD CAPTURED, HE SAID, AND DEMANDED
THAT THEY ASK FOR 50 (1550 KG OF SILVER),
BECAUSE 20 TALENTS WAS SIMPLY NOT
ENOUGH.”

28. “ON OCT 22, THE FAMILY OF
BILLIONAIRE PEARL ORIENTAL OIL
CHAIRMAN WONG YUK-KWAN
PAID TAIWANESE KIDNAPPERS
$1.68 MILLION (USD) IN BITCOIN
AFTER THEY THREATENED TO “DIG
OUT THE EYEBALLS OR CHOP OFF
THE LEGS” OF YUK-KWAN.”

29. "MOST OF SOMALIA'S MODERN-DAY PIRATES ARE FISHERMEN WHO
TRADED NETS FOR GUNS. THEY'VE LEARNED THAT RANSOM IS MORE
PROFITABLE THAN ROBBERY, AND RATHER THAN SQUANDERING THEIR
LOOT, THEY REINVEST IN EQUIPMENT AND TRAINING."

30. “AN ORDINARY SOMALI EARNS ABOUT
$600 (USD) A YEAR, BUT EVEN THE
LOWLIEST FREEBOOTER CAN MAKE
NEARLY 17 TIMES THAT — $10,000
(USD) — IN A SINGLE HIJACKING.
NEVER MIND THE RISK; IT'S LESS
DANGEROUS THAN LIVING IN WAR-
TORN MOGADISHU.”

31. “FEWER THAN 1-IN-3 HIJACK ATTEMPTS IS SUCCESSFUL. A
SAVVY CAPTAIN CAN WARD OFF MARAUDERS BY
MANEUVERING THE SHIP TO CREATE A TURBULENT WAKE
WHILE CALLING FOR HELP. IF THE ATTACKERS DON'T BOARD
WITHIN 15-MIN, A NEARBY NAVAL SHIP MIGHT SEND A
HELICOPTER GUNSHIP. ONCE THE PIRATES CONTROL THE
VESSEL, THOUGH, IT'S GAME OVER: LIKE CONVENIENCE-
STORE CLERKS, CREWS ARE TRAINED NOT TO RESIST.”

32. HIGH SEAS PIRACY
PIRACY MISSION SET-UP & COSTS
▸$50K-$250K (USD) in seed capital
▸Crew of 12-24 men (varied skills)
▸Speed boats, larger ship to launch boats, caterer, ladders,
ropes, intelligence, weapons, communications, etc
▸Select targets by the cargo, owner, and port of origin
▸“Trustworthy” financial system for money-laundering

33. DIVISION OF LABOR
BACK OFFICE LOGISTICS
▸Tribe Elders: Liaisons with the outside world.
▸Financiers: Capital comes from local businessmen as well as the Islamist militant
group.
▸Commander: Marshal resources, recruits crew, and organizes operations.
▸Security Squad: Protects the commander, ferries supplies and backs up attackers.
▸Mother Ship Crew Attack Squad: Extends the marauders' reach hundreds of
miles out to sea; Carries attack squad made up of fishermen.
▸Negotiators: English speaking; Point of contact for the hostage takers.

34. IT’S JUST BUSINESS
NEGOTIATION PROCESS
▸May take days, weeks, months — sometimes years
▸Negotiations by professional K&R consultants (ex-
military, law enforcement, or intelligence)
▸No “supernormal profits.”
"Pirates routinely demand far more than they expect to receive. For catches with valuable cargo,
bargaining can open at 10 times the previously highest settlement. The limiting factor is time:
With each passing day, chances increase that a hostage will die or the ship will become damaged,
and the likelihood of a peaceful resolution — and a fat bag of cash — dwindles."

35. “ONE NEW TECHNIQUE IS TO AIRDROP THE MONEY. A MILLION
DOLLARS IN $100 NOTES WEIGHS ABOUT 29 POUNDS. IT IS
PLACED INTO A CONTAINER LIKE AN INFLATABLE BALL AND
DROPPED OUT OF AN AIRPLANE USING A PARACHUTE GUIDED
BY A GLOBAL POSITIONING SYSTEM.”

36. GETTING PAID
DIVVYING UP THE BOOTY
▸Reimbursement of supplier(s)
▸Financiers: 30-70% of the ransom
▸Elders: 5-10 %of the ransom (anchoring rights)
▸Crew: Remaining sum divided up by shares
“ Gullestrup's ship and crew were returned safely, although the pirates didn't actually want to get
off the ship right away. That's because they were afraid of getting robbed by other pirates on their
way back to shore, Gullestrup says, so he gave them a ride north, dropping them closer to home.”

37. PREVENTION AND RESPONSE
HIGH-SEAS PIRACY PREVENTION
▸Armed private security guards on board ships
▸Shippers harden vessels or take evasive action
▸A change in Somalia at national and local level
▸Pre-emptive action by combined navies in the region
▸Britney Spears
“It lasted just a few minutes, with a helicopter crew launching from a ship just offshore and raking
beached and unmanned pirate speedboats - known as "skiffs" - with machine-gun fire. Fuel stores
and other equipment were also fired on, but EU Navfor says there were no casualties on either
side and there were no European "boots on the ground".

38. “HER SONGS WERE CHOSEN BY THE
SECURITY TEAM BECAUSE THEY THOUGHT
THE PIRATES WOULD HATE THEM MOST.
THESE GUYS CAN'T STAND WESTERN
CULTURE OR MUSIC, MAKING BRITNEY'S
HITS PERFECT. AS SOON AS THE PIRATES
GET A BLAST OF BRITNEY, THEY MOVE ON
AS QUICKLY AS THEY CAN."
NBC News
LAW ENFORCEMENT

39. KIDNAPPING & RANSOM
INSURANCE
ORIGINATED FOLLOWING THE KIDNAPPING OF CHARLES
LINDBERGH’S BABY IN 1932. THE BOOST IN POLICIES
BEGAN IN THE LATE 70’S.

40. “K&R INSURANCE IS DESIGNED TO PROTECT
INDIVIDUALS AND CORPORATIONS
OPERATING IN HIGH-RISK AREAS AROUND
THE WORLD. LOCATIONS MOST OFTEN
NAMED IN POLICIES INCLUDE MEXICO,
VENEZUELA, HAITI, AND NIGERIA, CERTAIN
OTHER COUNTRIES IN LATIN AMERICA, AS
WELL AS SOME PARTS OF THE RUSSIAN
FEDERATION AND EASTERN EUROPE.”
Wikipedia
KIDNAPPING & RANSOM INSURANCE

41. “THE INSURANCE BUSINESS IS A GAMBLE.
INSURERS KNOW THAT SOME SHIPS WILL
BE HIJACKED, FORCING THE COMPANIES TO
DISPENSE MULTIMILLION-DOLLAR
SETTLEMENTS. HOWEVER, THEY KNOW THE
CHANCE OF THIS HAPPENING IS
MINUSCULE, WHICH BY THE CALCULATIONS
OF THEIR INDUSTRY MAKES IT WORTH
ISSUING POLICIES.”

42. AIG TRAVELERS HISCOX
CHUBB XL CATLIN CHARTIS
“K&R” INSURANCE CARRIERS

43. K&R REIMBURSEMENT
K&R INSURANCE COVERAGE
▸ Ransom Amount
▸ Transportation Costs
▸ Accidental Death or Dismemberment
▸ Legal Liability
▸ Medical Expenses
▸ Crisis Response Team
▸ Lost Wages
▸ Replacement Personnel Costs
▸ Extortionist Bounty

44. “ALL KIDNAPPING INSURANCE IS EITHER WRITTEN OR
REINSURED AT LLOYD’S OF LONDON. WITHIN THE LLOYD’S
MARKET, THERE ARE ABOUT 20 FIRMS (OR “SYNDICATES”)
COMPETING FOR BUSINESS. THEY ALL CONDUCT
RESOLUTIONS ACCORDING TO CLEAR RULES. THE LLOYD’S
CORP. CAN EXCLUDE ANY SYNDICATE THAT DEVIATES FROM
THE ESTABLISHED PROTOCOL AND IMPOSES COSTS ON
OTHERS. OUTSIDERS DO NOT HAVE THE NECESSARY
INFORMATION TO PRICE KIDNAPPING INSURANCE CORRECTLY.”

45. FINE-PRINT
HISTORY AND PROVISIONS
▸Price vary: $500 a year for $1M (USD) of liability
coverage. $50,000 for $25M (USD) in coverage.
▸Policy Confidentiality
▸Ransom is reimbursed, not paid directly
▸Customer Training

46. WHAT THE KIDNAPPING & RANSOM
ECONOMY TEACHES US ABOUT
RANSOMWARE?

47. K&R VS RANSOMWARE
SIMILARITIES
▸Sentient adversary
▸When you are a victim, you know it (unlike traditional malware)
▸Time is on the adversaries side
▸Adversaries leverage fear and anxiety
▸Bilateral monopoly (1 buyer, 1 seller)
▸Market value of the ‘asset’ is subjective and very little info
▸Victims are targeted (Not always in ransomware)
▸If adversaries break an agreement, they'll ruin the business for everyone

48. K&R VS RANSOMWARE
DIFFERENCES
▸Ransomware requires far less upfront costs and logistics
▸Ransomware is less risky for adversaries (attribution)
▸Ransomware hostage (the data) is not a witness
▸Ransomware scales
▸Ransomware negotiation process is way faster
▸Ransomware is easier to pay logistically (Bitcoin vs cash)

49. WHERE RANSOMWARE IS HEADING
RANSOMWARE TRENDS
▸Ransomware campaigns increasingly professionalized
and funded
▸Emergence of professional ransomware negotiators
▸Cyber-insurers require clients to keep ransomware
policies secret
▸Adversaries will increasingly target backup systems

50. RANSOMWARE
PREVENTATIVE AND RESPONSE ACTIONS
▸Backups! Test your backups! (DO NOT destroy encrypted data)
▸Fast system recovery via virtualization
▸Patch, disable MS Office macros, etc
▸Law enforcement investigate and arrest ransomware groups
▸Formation of insurance “syndicates” for ransomware pricing (ie
Lloyd’s of London)
▸Listen to your cyber-insurer (security guidance)

51. “IN 2010, $148 MILLION OF RANSOMS
WERE PAID TO PIRATES. ON THE OTHER
HAND, $ 1.85 BILLION DOLLARS WERE
SPENT ON INSURANCES TO COVER PIRACY,
THAT’S 10 TIMES MORE THAN THE ACTUAL
RANSOMS THAT ARE GIVEN TO PIRATES.”
Yahoo News
RANSOMWARE HAS ARRIVED

52. THANK YOU
Jeremiah Grossman
@jeremiahg
https://www.facebook.com/jeremiahgrossman
https://www.linkedin.com/in/grossmanjeremiah
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/