FFIEC Statement on Cyber Extortions3.amazonaws.com/ce-assets/tba/txbankers/_warehouse/file... · 7/04/2016 · Technical Support (for faster service please submit inquiries via email

Your State Association Presents

FFIEC Statement on Cyber Extortion

Program Materials

Use this document to follow along with the live webinar presentation. Please test your system before the broadcast. Be sure to print enough copies for all listeners.

Thursday, April 7, 2016 Presenter: Dr. Kevin Streff

Technical Support (for faster service please submit inquiries via email or online): (Registration & Tech Support): Email- [email protected], Phone- (877)988-7526FOR ADDITIONAL ASSISTANCE PLEASE REFER TO OUR FAQs

mailto:[email protected]

https://bankers.confedge.com/ap/eSite/?i=faq

4/7/2016

1



Dr. Kevin Streff Founder, Secure Banking Solutions

www.protectmybank.com

Dr. Kevin Streff Founder, Secure Banking Solutions


April 7, 2016

©Secure Banking Solutions 2016

OverviewOverview

Cybercriminals are using ransomware, DDOS, theft of customer information and more to extort funds or require certain actions from financial institutions.

FFIEC guidance outlines some veryspecific steps you can take to understand and mitigate these risks.

Cybercriminals are using ransomware, DDOS, theft of customer information and more to extort funds or require certain actions from financial institutions.

FFIEC guidance outlines some veryspecific steps you can take to understand and mitigate these risks.

2

4/7/2016

2


Very similar to kidnapping insurance that some executives hold in volatile foreign countries, insurance companies are now writing policies to cover the extortion fees and expert technical costs incurred when a company is held as a cyber-hostage.

Very similar to kidnapping insurance that some executives hold in volatile foreign countries, insurance companies are now writing policies to cover the extortion fees and expert technical costs incurred when a company is held as a cyber-hostage.

3


RansomwareRansomware

Ransomware, as the name suggests, is a type of malware specifically designed to block or encrypt data, followed by a ransom demand. A warning massage usually pops up explaining that an attempt to uninstall or inhibit the ransomware’s functionality in any way would lead to an immediate deal-breaker. As mentioned before, an extortionist literally takes your data and system hostage.

Ransomware, as the name suggests, is a type of malware specifically designed to block or encrypt data, followed by a ransom demand. A warning massage usually pops up explaining that an attempt to uninstall or inhibit the ransomware’s functionality in any way would lead to an immediate deal-breaker. As mentioned before, an extortionist literally takes your data and system hostage.

4

4/7/2016

3



Like most malware, ransomware spreads through social engineering techniques and traps sent from mostly unsolicited sources, such as spam, phishing emails with malicious attachments, links to bogus websites, and malvertising.

Like most malware, ransomware spreads through social engineering techniques and traps sent from mostly unsolicited sources, such as spam, phishing emails with malicious attachments, links to bogus websites, and malvertising.

5



Once a victim’s system is accessed, an encryption type of ransomware installs itself and launches a complete hard disc scan, in order to locate documents of interest. The next step is encryption, which converts the targeted files into an unreadable form. Non-encrypting ransomware programs typically ‘lock’ the entire PC, terminating all processes that are non-essential to paying the ransom, and can eventually receive an ‘unlock’ code.

Once a victim’s system is accessed, an encryption type of ransomware installs itself and launches a complete hard disc scan, in order to locate documents of interest. The next step is encryption, which converts the targeted files into an unreadable form. Non-encrypting ransomware programs typically ‘lock’ the entire PC, terminating all processes that are non-essential to paying the ransom, and can eventually receive an ‘unlock’ code.

6

4/7/2016

4



a ransom message is displayed on the victim’s screen that demands a particular sum (usually between $100-1,500 for ordinary users) in exchange for a decryption key (usually claimed to be unique), thus completing a vicious cycle of cyber extortion crime done with the help of malware.

a ransom message is displayed on the victim’s screen that demands a particular sum (usually between $100-1,500 for ordinary users) in exchange for a decryption key (usually claimed to be unique), thus completing a vicious cycle of cyber extortion crime done with the help of malware.

7


DDoSDDoS

DDoS attacks have become an industry whose sheer power is at call for anyone willing to pay the price. And DDoS service prices are constantly going down, which also contributes to the epidemic proportions of this problem. According to Corero’s survey, 38% of the respondents admitted that they had suffered one or more DDoS attacks in the past 12 months. Depending on how huge the target is, rates for downing websites vary from as little as $5 to $100 per hour. DDoS dealers circulate everywhere online, in underground forums, and even on the public internet.

DDoS attacks have become an industry whose sheer power is at call for anyone willing to pay the price. And DDoS service prices are constantly going down, which also contributes to the epidemic proportions of this problem. According to Corero’s survey, 38% of the respondents admitted that they had suffered one or more DDoS attacks in the past 12 months. Depending on how huge the target is, rates for downing websites vary from as little as $5 to $100 per hour. DDoS dealers circulate everywhere online, in underground forums, and even on the public internet.

8

4/7/2016

5


DDoS DDoS

DDoS attacks may be time limited in order to achieve a maximum psychological effect. Cyber extortionists justify the ransom size with crude calculations of the approximate financial negative impact on the victim’s online business in the event of successful DDoS attack.

DDoS attacks may be time limited in order to achieve a maximum psychological effect. Cyber extortionists justify the ransom size with crude calculations of the approximate financial negative impact on the victim’s online business in the event of successful DDoS attack.

9


WebcamWebcam

Malware can even take control of a webcam and record its owner. Hundreds of Australian visitors of adult websites were literally caught with their pants down and later blackmailed.

Malware can even take control of a webcam and record its owner. Hundreds of Australian visitors of adult websites were literally caught with their pants down and later blackmailed.

10

4/7/2016

6


PornographyPornography

Malware planted child pornography, which cannot be deleted easily, and asked for a fee, otherwise a notification would be forwarded to the authorities.

Malware planted child pornography, which cannot be deleted easily, and asked for a fee, otherwise a notification would be forwarded to the authorities.

11


Unreported CasesUnreported Cases

In spite of the growing number of cyber extortion cases, many injured parties, concerning all the ensuing negativity, are hesitant to get in touch with the authorities to apprehend criminals. The FBI reported that more than two-thirds of companies struck by a grievous cyber attack never report it. Nevertheless, based upon the great number of business now looking for protection and guidance, an impartial bystander can judge for themselves that this issue has a real presence and is gaining momentum

In spite of the growing number of cyber extortion cases, many injured parties, concerning all the ensuing negativity, are hesitant to get in touch with the authorities to apprehend criminals. The FBI reported that more than two-thirds of companies struck by a grievous cyber attack never report it. Nevertheless, based upon the great number of business now looking for protection and guidance, an impartial bystander can judge for themselves that this issue has a real presence and is gaining momentum

12

4/7/2016

7


Unreported CasesUnreported Cases

The SANS Institute assesses that thousands of organizations are paying off cyber extortionists. Seemingly, they prefer to choose the lesser evil, at least from their point of view.

The SANS Institute assesses that thousands of organizations are paying off cyber extortionists. Seemingly, they prefer to choose the lesser evil, at least from their point of view.

13


Catching and PunishingCatching and Punishing

identification and arrest of cyber extortionists are low because they usually operate from countries other than those of their victims and use anonymous accounts and fake e-mail addresses.

identification and arrest of cyber extortionists are low because they usually operate from countries other than those of their victims and use anonymous accounts and fake e-mail addresses.

14

4/7/2016

8


First Digital CaseFirst Digital Case

The first case of cyber extortion, as reported by Thomas Whiteside in his book Computer Capers, occurred in 1971 when two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return, but the ransom was not paid because tape backup was available.

The first case of cyber extortion, as reported by Thomas Whiteside in his book Computer Capers, occurred in 1971 when two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return, but the ransom was not paid because tape backup was available.

15


Case 1 – Code SpacesCase 1 – Code Spaces

What happened: The code hosting company Code Spaces was hit by a DDoS attack and then extorted by a hacker who had gained control of the firm's Amazon EC2 control panel and hoped to get paid by the firm in exchange for returning control to its operations.

What happened: The code hosting company Code Spaces was hit by a DDoS attack and then extorted by a hacker who had gained control of the firm's Amazon EC2 control panel and hoped to get paid by the firm in exchange for returning control to its operations.

16

4/7/2016

9


Case 1 – Code SpacesCase 1 – Code Spaces

Outcome: Code Spaces did not pay off the extortionists. Instead, it hurried to take back its account by changing passwords, attempt which was thwarted by the criminal, who had created backup logins to the panel and started randomly deleting files once he saw what the company was doing. In the end, the company stated that "most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."

The situation led the company to shut its doors.

Outcome: Code Spaces did not pay off the extortionists. Instead, it hurried to take back its account by changing passwords, attempt which was thwarted by the criminal, who had created backup logins to the panel and started randomly deleting files once he saw what the company was doing. In the end, the company stated that "most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."

The situation led the company to shut its doors.17


Case 2 - FeedlyCase 2 - Feedly

What Happened: The RSS feed service provider experienced widespread outages due to DDoS attacks that were followed up by blackmail attempts, who promised to ease up if the firm paid a ransom.

Feedly publicly spurned the bribe attempt and reported that it was working with other firms suffering from attacks from the same group, along with the authorities, to bring the perpetrators to justice.

What Happened: The RSS feed service provider experienced widespread outages due to DDoS attacks that were followed up by blackmail attempts, who promised to ease up if the firm paid a ransom.

Feedly publicly spurned the bribe attempt and reported that it was working with other firms suffering from attacks from the same group, along with the authorities, to bring the perpetrators to justice.

18

4/7/2016

10


Case 2 - FeedlyCase 2 - Feedly

Outcome: The company worked with its content network provider to restore service as quickly as possible. The company was up and running in a couple of hours. "We refused to give in and are working with our network providers to mitigate the attack as best as we can," Feedly CEO Edwin Khodabakchian told customers during the attack.

Outcome: The company worked with its content network provider to restore service as quickly as possible. The company was up and running in a couple of hours. "We refused to give in and are working with our network providers to mitigate the attack as best as we can," Feedly CEO Edwin Khodabakchian told customers during the attack.

19


Case 3 – Medical CenterCase 3 – Medical Center

in February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoins to unlock data encrypted by cyber attackers. Allen Stefanek, the hospital's president and CEO, noted that his organization decided to pay the ransom because obtaining the decryption key from the attackers was "the quickest and most efficient way to restore our systems and administrative functions."

in February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoins to unlock data encrypted by cyber attackers. Allen Stefanek, the hospital's president and CEO, noted that his organization decided to pay the ransom because obtaining the decryption key from the attackers was "the quickest and most efficient way to restore our systems and administrative functions."

20

4/7/2016

11


Another Example – How it WorksAnother Example – How it Works

Asprox malware - now typically distributed via phishing attacks - "phones home" to the Asprox command-and-control server after it infects a device, and receives back the Zemot dropper malware.

The dropper then downloads the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.

Asprox malware - now typically distributed via phishing attacks - "phones home" to the Asprox command-and-control server after it infects a device, and receives back the Zemot dropper malware.

The dropper then downloads the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.

21


22

4/7/2016

12


BackgroundBackground

November 2015, FFIEC released a joint statement to notify financial institutions of the increasing frequency and severity of cyber attacks involving extortion.

Cybercriminals are using various strategies such as ransomware, distributed denial of service (DDOS) and theft of sensitive customer information to extort funds or require certain actions from targeted financial institutions.

Some institutions have experienced severe disruption to customer facing systems, internal business interruptions and loss of customer data.

There is additional reputational risk with unavailability of banking services and data breach notification processes

November 2015, FFIEC released a joint statement to notify financial institutions of the increasing frequency and severity of cyber attacks involving extortion.

Cybercriminals are using various strategies such as ransomware, distributed denial of service (DDOS) and theft of sensitive customer information to extort funds or require certain actions from targeted financial institutions.

Some institutions have experienced severe disruption to customer facing systems, internal business interruptions and loss of customer data.

There is additional reputational risk with unavailability of banking services and data breach notification processes 23


RisksRisks

Financial institutions face a variety of risks from cyber attacks involving extortion, including liquidity,

capital,

operational,

compliance, and

reputation risks.

Resulting from fraud, data loss, and disruption of customer service.

Financial institutions face a variety of risks from cyber attacks involving extortion, including liquidity,

capital,

operational,

compliance, and

reputation risks.

Resulting from fraud, data loss, and disruption of customer service. 24

4/7/2016

13


Layered Security ApproachLayered Security Approach

25

ActionsActions

Conduct ongoing information security risk assessments Securely configure systems and services Protect against unauthorized access Perform security monitoring, prevention, and risk mitigation Update information security awareness and training

programs, as necessary, to include cyber attacks involving extortion

Implement and regularly test controls around critical systems

Review, update, and test incident response and business continuity plans periodically

Participate in industry information-sharing forums

Conduct ongoing information security risk assessments Securely configure systems and services Protect against unauthorized access Perform security monitoring, prevention, and risk mitigation Update information security awareness and training

programs, as necessary, to include cyber attacks involving extortion

Implement and regularly test controls around critical systems

Review, update, and test incident response and business continuity plans periodically

Participate in industry information-sharing forums 26

4/7/2016

14


Other ActionsOther Actions

Institutions that are victims of cyber attacks involving extortion are encouraged to inform law enforcement authorities and notify their primary regulator(s).

In the event that an attack results in unauthorized access to sensitive customer information, the institution has responsibility to notify its federal and state regulators

Institutions should determine if filing a Suspicious Activity Report (SAR) is required or appropriate

Institutions that are victims of cyber attacks involving extortion are encouraged to inform law enforcement authorities and notify their primary regulator(s).

In the event that an attack results in unauthorized access to sensitive customer information, the institution has responsibility to notify its federal and state regulators

Institutions should determine if filing a Suspicious Activity Report (SAR) is required or appropriate 27


Other ResourcesOther Resources

US-CERT Security Alert “Crypto Ransomware” (TA14-295A)https://www.us-cert.gov/ncas/alerts/TA14-295A

FBI “Ransomware on the Rise”https://www.fbi.gov/news/stories/2015/january/ransomwareon-the-rise/ransomware-on-the-rise

FBI “E-mail Extortion Campaigns Threatening Distributed Denial of Service Attacks” (I-073115-PSA) http://www.ic3.gov/media/2015/150731.aspx




28

4/7/2016

15


Other ResourcesOther Resources







29

30

4/7/2016

16

SummarySummary

31


CostsCosts

In 2014, U.S. businesses and consumers have experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.

In 2015, the U.S. Department of Justice believes that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months they began using Cryptolocker.

In 2014, U.S. businesses and consumers have experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.

In 2015, the U.S. Department of Justice believes that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months they began using Cryptolocker.

32

4/7/2016

17


CostsCosts

FBI's Internet Crime Complaint Center received 7,694 ransomware complaints in 2015, with losses from these attacks costing victims an estimated $57.6 million.

FBI's Internet Crime Complaint Center received 7,694 ransomware complaints in 2015, with losses from these attacks costing victims an estimated $57.6 million.

33


Real CostsReal Costs

But additional costs that can include network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers.

But additional costs that can include network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers.

34

4/7/2016

18


BitcoinsBitcoins

Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity

Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity

35


Evolution of RansomwareEvolution of Ransomware

"Ransomware is now one of the fastest growing classes of malicious software," Source: Security Firm Kaspersky Lab.

All early versions of ransomware (CryptoLocker, CryptoWall, Locky) encrypted files, both local and on network share, and left computers operational, while the newer versions, like Petya, encrypt the file system structures and render an entire machine unusable.

"Ransomware is now one of the fastest growing classes of malicious software," Source: Security Firm Kaspersky Lab.

All early versions of ransomware (CryptoLocker, CryptoWall, Locky) encrypted files, both local and on network share, and left computers operational, while the newer versions, like Petya, encrypt the file system structures and render an entire machine unusable.

36

4/7/2016

19


Awareness of RansomwareAwareness of Ransomware

Gartner analyst Avivah Litan laments that too many businesses "are not spending large amounts of resources on security and are not equipped to even understand these [ransomware] threats. These entities are not focused on fighting ransomware, so criminals' attack methods can easily stay ahead of their victims' ability to defend themselves."

Gartner analyst Avivah Litan laments that too many businesses "are not spending large amounts of resources on security and are not equipped to even understand these [ransomware] threats. These entities are not focused on fighting ransomware, so criminals' attack methods can easily stay ahead of their victims' ability to defend themselves."

37


The Future of RansomwareThe Future of Ransomware

More ransom fuels more ransomware - both in funding the operations of existing purveyors of ransomware, as well as attracting more bad guys into the space

More ransom fuels more ransomware - both in funding the operations of existing purveyors of ransomware, as well as attracting more bad guys into the space

38

4/7/2016

20


Additional DefensesAdditional Defenses

Don't Rely on Takedowns Employ Anti-Malware Tools Safeguard Android DevicesWatch Servers Back Up EverythingMaintain Offsite Backups Don't Expect Boy Scouts

Don't Rely on Takedowns Employ Anti-Malware Tools Safeguard Android DevicesWatch Servers Back Up EverythingMaintain Offsite Backups Don't Expect Boy Scouts

39


Fresh off the Press…FBI GuidanceFresh off the Press…FBI Guidance

40

4/7/2016

21

Contact InfoContact Info

Dr. Kevin Streff

Dakota State University

[email protected]

Secure Banking Solutions, LLC


[email protected]

605.270.0790

Dr. Kevin Streff

Dakota State University

[email protected]

Secure Banking Solutions, LLC


[email protected]

605.270.079041

Documents

FFIEC Statement on Cyber Extortions3.amazonaws.com/ce-assets/tba/txbankers/_warehouse/file... · 7/04/2016 · Technical Support (for faster service please submit inquiries via email