Ransomware - Total Training Solutions

ttsmedia.ttstrain.com/CURansomware070716.pdf


Ransomware

Dr. Kevin Streff

Founder, Secure Banking Solutions

www.protectmybank.com

July 7, 2016

Overview

Cybercriminals are using ransomware, DDOS, theft of member information and more to extort funds or require certain actions from financial institutions.

FFIEC guidance outlines some very specific steps you can take to understand and mitigate these risks.


Analogy

Very similar to kidnapping insurance that some executives hold in volatile foreign countries, insurance companies are now writing policies to cover the extortion fees and expert technical costs incurred when a company is held as a cyber-hostage.


Ransomware

Ransomware is a type of malware specifically designed to block or encrypt data, followed by a ransom demand.

A warning message usually pops up explaining that any attempt to uninstall or inhibit the ransomware’s functionality would lead to an immediate deal-breaker.


Ransomware

Like most malware, ransomware spreads through social engineering techniques and traps sent from mostly unsolicited sources, such as spam, phishing emails with malicious attachments, links to bogus websites, and malvertising.


Ransomware

Once a victim’s system is accessed, an encryption type of ransomware installs itself and launches a complete hard disc scan, in order to locate documents of interest.

The next step is encryption, which converts the targeted files into an unreadable form.
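As an added illustration (not part of the slides), the Python heuristic below flags the behaviour just described from a defender's side: one process rewriting many files in quick succession with unreadable, high-entropy content. It runs over constructed file-write events rather than live telemetry; the event fields and the thresholds are assumptions.

```python
import math
import random
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of written content: ciphertext approaches 8.0, documents sit well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Thresholds are assumptions chosen for illustration, not measured values.
ENTROPY_THRESHOLD = 7.0   # bits/byte; above this a write looks encrypted
BURST_FILES = 5           # distinct files rewritten this way ...
BURST_WINDOW = 10         # ... within this many seconds by one process

def find_suspicious_processes(events):
    """events: iterable of (timestamp_seconds, pid, path, written_bytes). Returns
    {pid: sorted paths} for processes that rewrote BURST_FILES+ files as ciphertext in BURST_WINDOW."""
    high = defaultdict(list)                    # pid -> [(ts, path)] of high-entropy writes
    for ts, pid, path, data in events:
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            high[pid].append((ts, path))
    flagged = {}
    for pid, writes in high.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):    # slide a time window over the writes
            paths = {p for t, p in writes[i:] if t - t0 <= BURST_WINDOW}
            if len(paths) >= BURST_FILES:
                flagged[pid] = sorted(paths)
                break
    return flagged

def constructed_events():
    """Constructed sample telemetry (not real data), seeded so the result is repeatable."""
    rng = random.Random(7)
    cipher = lambda: bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"Dear member, your quarterly statement is attached.\n" * 40
    ev = []
    # pid 1001: a word processor saving many readable documents - benign
    ev += [(t, 1001, f"/home/teller/Documents/memo{t}.txt", text) for t in range(8)]
    # pid 2002: one legitimate encrypted archive - high entropy, but no burst
    ev.append((3, 2002, "/home/teller/archive.7z", cipher()))
    # pid 4242: six documents rewritten as ciphertext within six seconds - ransomware-like
    ev += [(100 + i, 4242, f"/home/teller/Documents/loan{i}.docx.locked", cipher()) for i in range(6)]
    return ev
```

Only pid 4242 is reported; the benign writer and the single encrypted archive fall under one of the two thresholds.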


Ransomware

Non-encrypting ransomware programs typically ‘lock’ the entire PC, terminating all processes that are non-essential to paying the ransom, and can eventually receive an ‘unlock’ code.


Ransomware

A ransom message is displayed on the victim’s screen that demands a particular sum (usually between $100-1,500 for ordinary users) in exchange for a decryption key.


DDoS

DDoS attacks have become an industry whose sheer power is on call for anyone willing to pay the price.

DDoS service prices are constantly going down, which also contributes to the epidemic proportions of this problem.


DDoS

According to Corero’s survey, 38% of the respondents admitted that they had suffered one or more DDoS attacks in the past 12 months.

Depending on how large the target is, rates for downing websites vary from as little as $5 to $100 per hour.


DDoS

DDoS dealers circulate everywhere online, in underground forums, and even on the public internet.

DDoS attacks may be time limited in order to achieve a maximum psychological effect.


DDoS

Cyber extortionists justify the ransom size with crude calculations of the approximate financial impact on the victim’s online business in the event of a successful DDoS attack.


Webcam

Malware can even take control of a webcam and record its owner. Hundreds of Australian visitors of adult websites were literally caught with their pants down and later blackmailed.


Pornography

Malware has planted child pornography that cannot easily be deleted and demanded a fee, threatening that otherwise a notification would be forwarded to the authorities.


Unreported Cases

In spite of the growing number of cyber extortion cases, many injured parties, wary of the ensuing negativity, are hesitant to contact the authorities so that the criminals can be apprehended.

The FBI reported that more than two-thirds of companies struck by a grievous cyber attack never report it.


Unreported Cases

Nevertheless, based upon the great number of businesses now looking for protection and guidance, an impartial bystander can judge for themselves that this issue has a real presence and is gaining momentum.

The SANS Institute assesses that thousands of organizations are paying off cyber extortionists. Seemingly, they prefer to choose the lesser evil, at least from their point of view.


Catching and Punishing

Rates of identification and arrest of cyber extortionists are low because they usually operate from countries other than those of their victims and use anonymous accounts and fake e-mail addresses.


First Digital Case

The first case of cyber extortion, as reported by Thomas Whiteside in his book Computer Capers, occurred in 1971 when two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return, but the ransom was not paid because tape backup was available.


Case 1 – Code Spaces

What happened: The code hosting company Code Spaces was hit by a DDoS attack and then extorted by a hacker who had gained control of the firm's Amazon EC2 control panel and hoped to get paid by the firm in exchange for returning control to its operations.


Case 1 – Code Spaces

Outcome: Code Spaces did not pay off the extortionists. Instead, it hurried to take back its account by changing passwords, an attempt that was thwarted by the criminal, who had created backup logins to the panel and started randomly deleting files once he saw what the company was doing.


Case 1 – Code Spaces

In the end, the company stated that "most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."

The situation led the company to shut its doors.


Case 2 - Feedly

What Happened: The RSS feed service provider experienced widespread outages due to DDoS attacks, which were followed by blackmail attempts from attackers who promised to ease up if the firm paid a ransom.


Case 2 - Feedly

Outcome: The company worked with its content network provider to restore service as quickly as possible. The company was up and running in a couple of hours. "We refused to give in and are working with our network providers to mitigate the attack as best as we can," Feedly CEO Edwin Khodabakchian told customers during the attack.

Case 2 - Feedly

Outcome: Feedly publicly spurned the bribe attempt and reported that it was working with other firms suffering from attacks from the same group, along with the authorities, to bring the perpetrators to justice.


Case 3 – Medical Center

In February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoins to unlock data encrypted by cyber attackers. Allen Stefanek, the hospital's president and CEO, noted that his organization decided to pay the ransom because obtaining the decryption key from the attackers was "the quickest and most efficient way to restore our systems and administrative functions."


Background

In November 2015, the FFIEC released a joint statement to notify financial institutions of the increasing frequency and severity of cyber attacks involving extortion.

Cybercriminals are using various strategies such as ransomware, distributed denial of service (DDOS) and theft of sensitive member information to extort funds or require certain actions from targeted financial institutions.

Some institutions have experienced severe disruption to member facing systems, internal business interruptions and loss of member data.

There is additional reputational risk from the unavailability of banking services and from data breach notification processes.


Risks

Financial institutions face a variety of risks from cyber attacks involving extortion, including liquidity, capital, operational, compliance, and reputation risks, resulting from fraud, data loss, and disruption of member service.


Layered Security Approach


Actions

Conduct ongoing information security risk assessments

Securely configure systems and services

Protect against unauthorized access

Perform security monitoring, prevention, and risk mitigation

Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion

Implement and regularly test controls around critical systems

Review, update, and test incident response and business continuity plans periodically

Participate in industry information-sharing forums


Other Actions

Institutions that are victims of cyber attacks involving extortion are encouraged to inform law enforcement authorities and notify their primary regulator(s).

In the event that an attack results in unauthorized access to sensitive member information, the institution has the responsibility to notify its federal and state regulators.

Institutions should determine if filing a Suspicious Activity Report (SAR) is required or appropriate.


Other Resources

US-CERT Security Alert “Crypto Ransomware” (TA14-295A): https://www.us-cert.gov/ncas/alerts/TA14-295A

FBI “Ransomware on the Rise”: https://www.fbi.gov/news/stories/2015/january/ransomwareon-the-rise/ransomware-on-the-rise

FBI “E-mail Extortion Campaigns Threatening Distributed Denial of Service Attacks” (I-073115-PSA): http://www.ic3.gov/media/2015/150731.aspx


Costs

In 2014, U.S. businesses and consumers experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.


Costs

In 2015, the U.S. Department of Justice believed that the Gameover Zeus gang was responsible for more than $100 million in losses via the banking Trojan, and that it had netted $27 million in ransom payments in just the first two months after it began using Cryptolocker.


Costs

The FBI's Internet Crime Complaint Center received 7,694 ransomware complaints in 2015, with losses from these attacks costing victims an estimated $57.6 million.


Real Costs

Beyond the reported losses, there are additional costs that can include network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or members.


Bitcoins

Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity.


The Future of Ransomware

More ransom fuels more ransomware, both by funding the operations of existing purveyors of ransomware and by attracting more bad guys into the space.


Additional Defenses

Don't Rely on Takedowns

Employ Anti-Malware Tools

Safeguard Android Devices

Watch Servers

Back Up Everything

Maintain Offsite Backups

Don't Expect Boy Scouts
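An added example, not from the slides or from Secure Banking Solutions, for the "Back Up Everything" and "Maintain Offsite Backups" points: a tamper-evident manifest for an offsite backup set, so that backups that have been deleted or silently overwritten (the failure that finished Code Spaces) are noticed before a restore is needed. The directory layout, the placeholder key, and the assumption that the key is held where the backup host cannot read it are illustrative.

```python
import hashlib, hmac, json, os, tempfile

def build_manifest(backup_dir, key):
    """Hash every file under backup_dir and seal the listing with an HMAC.
    Assumption: the key is kept where the backup host cannot read it (e.g. in
    the restore runbook), so an intruder on that host cannot re-seal edits."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                files[os.path.relpath(path, backup_dir)] = hashlib.sha256(f.read()).hexdigest()
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_backup(backup_dir, manifest, key):
    """Return {'sealed': bool, 'missing': [...], 'modified': [...]} so a deleted
    or re-encrypted backup set is caught by a routine check, not by a failed restore."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    report = {"sealed": hmac.compare_digest(expected, manifest["mac"]),
              "missing": [], "modified": []}
    for rel, digest in sorted(manifest["files"].items()):
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                report["modified"].append(rel)
    return report

def demo():
    """Constructed scenario: seal a backup, then simulate an intruder deleting
    one copy, overwriting another with ciphertext-like bytes, and editing the manifest."""
    key = b"offline-runbook-key-placeholder"   # placeholder, not a real secret
    backup = tempfile.mkdtemp()
    for name, data in [("ledger.db", b"ok" * 100), ("loans.csv", b"id,amount\n1,500\n"),
                       ("members.csv", b"id,name\n7,Pat\n")]:
        with open(os.path.join(backup, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(backup, key)
    os.remove(os.path.join(backup, "loans.csv"))                # backup copy deleted
    with open(os.path.join(backup, "ledger.db"), "wb") as f:      # backup copy re-encrypted
        f.write(bytes(range(256)) * 4)
    forged = {"files": dict(manifest["files"], **{"ledger.db": "0" * 64}), "mac": manifest["mac"]}
    return verify_backup(backup, manifest, key), verify_backup(backup, forged, key)["sealed"]
```

The genuine manifest stays sealed and reports the deleted and rewritten copies; the edited manifest fails the seal check because its MAC was computed with a key the backup host never held.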


Off the Press… FBI Guidance


Summary


Contact Info

Dr. Kevin Streff

Dakota State University

[email protected]

Secure Banking Solutions, LLC

www.protectmybank.com

[email protected]

605.270.0790


Thank You!

Upcoming CU Webinars

July 14th - Critical Issues on Share Accounts: Identifying Your Member

July 20th - Regulation CC: Update and Review

July 28th - Electronic Transactions - SWIFT Breaches Highlight Growing Wire Fraud

August 5th - ALERT! New Customer Due Diligence Rules: Part Two Consumers

August 10th - Best-Ever Compliance Checklist for Consumer Loans

August 23rd - Flood Insurance Review and Update

Don’t forget about our listing of OnDemand programs at CUWebinars.com!

Wesley Kavelaris, TTS, 800‐831‐[email protected]