Your State Association Presents
FFIEC Statement on Cyber Extortion
Program Materials
Use this document to follow along with the live webinar presentation. Please test your system before the broadcast. Be sure to print enough copies for all listeners.
Thursday, April 7, 2016 Presenter: Dr. Kevin Streff
Technical Support (for faster service please submit inquiries via email or online): (Registration & Tech Support): Email- [email protected], Phone- (877)988-7526. FOR ADDITIONAL ASSISTANCE PLEASE REFER TO OUR FAQs
FFIEC Statement on Cyber Extortion
Dr. Kevin Streff, Founder, Secure Banking Solutions
www.protectmybank.com
April 7, 2016
©Secure Banking Solutions 2016
Overview
Cybercriminals are using ransomware, DDoS, theft of customer information and more to extort funds or require certain actions from financial institutions.
FFIEC guidance outlines some very specific steps you can take to understand and mitigate these risks.
Very similar to kidnapping insurance that some executives hold in volatile foreign countries, insurance companies are now writing policies to cover the extortion fees and expert technical costs incurred when a company is held as a cyber-hostage.
Ransomware
Ransomware, as the name suggests, is a type of malware specifically designed to block or encrypt data, followed by a ransom demand. A warning message usually pops up explaining that any attempt to uninstall or inhibit the ransomware's functionality would lead to an immediate deal-breaker. As mentioned before, an extortionist literally takes your data and system hostage.
Ransomware
Like most malware, ransomware spreads through social engineering techniques and traps sent from mostly unsolicited sources, such as spam, phishing emails with malicious attachments, links to bogus websites, and malvertising.
Ransomware
Once a victim's system is accessed, an encrypting type of ransomware installs itself and launches a complete hard disk scan in order to locate documents of interest. The next step is encryption, which converts the targeted files into an unreadable form. Non-encrypting ransomware programs typically 'lock' the entire PC, terminating all processes that are non-essential to paying the ransom, and can eventually receive an 'unlock' code.
Ransomware
A ransom message is then displayed on the victim's screen that demands a particular sum (usually between $100 and $1,500 for ordinary users) in exchange for a decryption key (usually claimed to be unique), thus completing a vicious cycle of cyber extortion crime done with the help of malware.
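The sequence above (scan the disk, rewrite documents as unreadable data, display a demand) leaves a footprint a defender can watch for: one process touching many files in a short burst, each write consisting of random-looking bytes and each file renamed to a new extension. The following Python script is an added illustration of that detection idea, not code from this presentation or from Secure Banking Solutions. The event format, the process names (including "unknown.exe"), the file paths and the thresholds are all constructed for the example; a real deployment would feed it events from an endpoint agent or file-server audit log and tune the thresholds to its own environment.

```python
import math
import random
from collections import Counter, defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension_changed(old_path: str, new_path: str) -> bool:
    """True when a rename changes the file extension (e.g. ledger.xlsx -> ledger.xlsx.locked)."""
    def ext(path: str) -> str:
        name = path.rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext(old_path) != ext(new_path)


def detect_mass_encryption(events, window_seconds=30, min_files=5, entropy_threshold=7.0):
    """Flag a process that, within window_seconds, touches at least min_files distinct files
    with either a high-entropy write or an extension-changing rename.

    Each event is a dict (constructed format, not from any real sensor) with keys
    ts (seconds), process, op ('write' or 'rename'), path, and content (bytes, writes only)
    or new_path (renames only). Returns one alert dict per offending process.
    """
    alerts = []
    recent = defaultdict(deque)   # process -> deque of (ts, path) for suspicious events
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "write":
            suspicious = shannon_entropy(ev["content"]) >= entropy_threshold
        elif ev["op"] == "rename":
            suspicious = extension_changed(ev["path"], ev["new_path"])
        else:
            suspicious = False
        if not suspicious:
            continue
        window = recent[ev["process"]]
        window.append((ev["ts"], ev["path"]))
        while ev["ts"] - window[0][0] > window_seconds:   # drop events outside the window
            window.popleft()
        touched = {path for _, path in window}
        if len(touched) >= min_files and ev["process"] not in alerted:
            alerted.add(ev["process"])
            alerts.append({"process": ev["process"], "files": len(touched),
                           "window_start": window[0][0], "window_end": ev["ts"]})
    return alerts


def build_sample_events():
    """Constructed sample activity (not real telemetry): two benign writers and one suspicious burst."""
    rng = random.Random(7)  # seeded so the sample is reproducible

    def random_looking_bytes(size=2048):
        return bytes(rng.randrange(256) for _ in range(size))

    events = [
        # Benign: a user saving a document; plain text has low entropy.
        {"ts": 0, "process": "WINWORD.EXE", "op": "write",
         "path": "/srv/share/finance/q1-notes.docx",
         "content": b"Quarterly notes: revenue up, costs flat. " * 50},
        # Benign: a single compressed archive. High entropy on one file is not enough to alert.
        {"ts": 100, "process": "backup-agent", "op": "write",
         "path": "/srv/backups/nightly.tar.gz", "content": random_looking_bytes()},
    ]
    # Suspicious: an unfamiliar process (constructed name) rewrites many files with
    # random-looking content and renames each to a new extension within seconds.
    names = ["ledger.xlsx", "payroll.xlsx", "loans.db", "q1.pdf", "q2.pdf", "board.pptx"]
    for i, name in enumerate(names):
        path = f"/srv/share/finance/{name}"
        events.append({"ts": 200 + 2 * i, "process": "unknown.exe", "op": "write",
                       "path": path, "content": random_looking_bytes()})
        events.append({"ts": 201 + 2 * i, "process": "unknown.exe", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(f"ALERT: {alert['process']} touched {alert['files']} files between "
              f"t={alert['window_start']}s and t={alert['window_end']}s")
```

Two design points matter here. A single high-entropy write is normal (compressed archives, images, encrypted databases), so the detector only alerts on a burst of distinct files from one process; and it fires as soon as the threshold is reached rather than after the burst ends, which is what lets a response (isolating the host, killing the process) limit how many files on the share are lost.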
DDoS
DDoS attacks have become an industry whose sheer power is on call for anyone willing to pay the price. And DDoS service prices are constantly going down, which also contributes to the epidemic proportions of this problem. According to Corero's survey, 38% of the respondents admitted that they had suffered one or more DDoS attacks in the past 12 months. Depending on how large the target is, rates for downing websites vary from as little as $5 to $100 per hour. DDoS dealers circulate everywhere online, in underground forums, and even on the public internet.
DDoS
DDoS attacks may be time-limited in order to achieve maximum psychological effect. Cyber extortionists justify the ransom size with crude calculations of the approximate negative financial impact on the victim's online business in the event of a successful DDoS attack.
Webcam
Malware can even take control of a webcam and record its owner. Hundreds of Australian visitors to adult websites were literally caught with their pants down and later blackmailed.
Pornography
Malware has planted child pornography on victims' machines, which cannot be deleted easily, and demanded a fee; otherwise a notification would be forwarded to the authorities.
Unreported Cases
In spite of the growing number of cyber extortion cases, many injured parties, wary of the ensuing negative publicity, are hesitant to get in touch with the authorities to apprehend the criminals. The FBI reported that more than two-thirds of companies struck by a grievous cyber attack never report it. Nevertheless, based upon the great number of businesses now looking for protection and guidance, an impartial bystander can judge for themselves that this issue has a real presence and is gaining momentum.
Unreported Cases
The SANS Institute assesses that thousands of organizations are paying off cyber extortionists. Seemingly, they prefer to choose the lesser evil, at least from their point of view.
Catching and Punishing
Rates of identification and arrest of cyber extortionists are low because they usually operate from countries other than those of their victims and use anonymous accounts and fake e-mail addresses.
First Digital Case
The first case of cyber extortion, as reported by Thomas Whiteside in his book Computer Capers, occurred in 1971 when two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return, but the ransom was not paid because tape backup was available.
Case 1 – Code Spaces
What happened: The code hosting company Code Spaces was hit by a DDoS attack and then extorted by a hacker who had gained control of the firm's Amazon EC2 control panel and hoped to get paid by the firm in exchange for returning control to its operations.
Case 1 – Code Spaces
Outcome: Code Spaces did not pay off the extortionists. Instead, it hurried to take back its account by changing passwords, an attempt that was thwarted by the criminal, who had created backup logins to the panel and started randomly deleting files once he saw what the company was doing. In the end, the company stated that "most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."
The situation led the company to shut its doors.
Case 2 – Feedly
What happened: The RSS feed service provider experienced widespread outages due to DDoS attacks that were followed up by blackmail attempts from attackers who promised to ease up if the firm paid a ransom.
Feedly publicly spurned the extortion attempt and reported that it was working with other firms suffering attacks from the same group, along with the authorities, to bring the perpetrators to justice.
Case 2 – Feedly
Outcome: The company worked with its content network provider to restore service as quickly as possible. The company was up and running in a couple of hours. "We refused to give in and are working with our network providers to mitigate the attack as best as we can," Feedly CEO Edwin Khodabakchian told customers during the attack.
Case 3 – Medical Center
In February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoins to unlock data encrypted by cyber attackers. Allen Stefanek, the hospital's president and CEO, noted that his organization decided to pay the ransom because obtaining the decryption key from the attackers was "the quickest and most efficient way to restore our systems and administrative functions."
Another Example – How it Works
Asprox malware - now typically distributed via phishing attacks - "phones home" to the Asprox command-and-control server after it infects a device, and receives back the Zemot dropper malware.
The dropper then downloads the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.
Background
In November 2015, the FFIEC released a joint statement to notify financial institutions of the increasing frequency and severity of cyber attacks involving extortion.
Cybercriminals are using various strategies such as ransomware, distributed denial of service (DDoS) and theft of sensitive customer information to extort funds or require certain actions from targeted financial institutions.
Some institutions have experienced severe disruption to customer-facing systems, internal business interruptions and loss of customer data.
There is additional reputational risk from the unavailability of banking services and from data breach notification processes.
Risks
Financial institutions face a variety of risks from cyber attacks involving extortion, including liquidity, capital, operational, compliance, and reputation risks, resulting from fraud, data loss, and disruption of customer service.
Layered Security Approach
Actions
Conduct ongoing information security risk assessments
Securely configure systems and services
Protect against unauthorized access
Perform security monitoring, prevention, and risk mitigation
Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion
Implement and regularly test controls around critical systems
Review, update, and test incident response and business continuity plans periodically
Participate in industry information-sharing forums
Other Actions
Institutions that are victims of cyber attacks involving extortion are encouraged to inform law enforcement authorities and notify their primary regulator(s).
In the event that an attack results in unauthorized access to sensitive customer information, the institution has a responsibility to notify its federal and state regulators.
Institutions should determine whether filing a Suspicious Activity Report (SAR) is required or appropriate.
Other Resources
US-CERT Security Alert "Crypto Ransomware" (TA14-295A): https://www.us-cert.gov/ncas/alerts/TA14-295A
FBI "Ransomware on the Rise": https://www.fbi.gov/news/stories/2015/january/ransomwareon-the-rise/ransomware-on-the-rise
FBI "E-mail Extortion Campaigns Threatening Distributed Denial of Service Attacks" (I-073115-PSA): http://www.ic3.gov/media/2015/150731.aspx
Summary
Costs
In 2014, U.S. businesses and consumers experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.
In 2015, the U.S. Department of Justice stated its belief that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months after it began using CryptoLocker.
Costs
The FBI's Internet Crime Complaint Center received 7,694 ransomware complaints in 2015, with losses from these attacks costing victims an estimated $57.6 million.
Real Costs
But the ransom is only part of the bill: additional costs can include network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers.
Bitcoins
Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.
Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity.
Evolution of Ransomware
"Ransomware is now one of the fastest growing classes of malicious software." Source: security firm Kaspersky Lab.
All early versions of ransomware (CryptoLocker, CryptoWall, Locky) encrypted files, both local and on network shares, and left computers operational, while the newer versions, like Petya, encrypt the file system structures and render an entire machine unusable.
Awareness of Ransomware
Gartner analyst Avivah Litan laments that too many businesses "are not spending large amounts of resources on security and are not equipped to even understand these [ransomware] threats. These entities are not focused on fighting ransomware, so criminals' attack methods can easily stay ahead of their victims' ability to defend themselves."
The Future of Ransomware
More ransom fuels more ransomware - both by funding the operations of existing purveyors of ransomware and by attracting more bad guys into the space.
Additional Defenses
Don't Rely on Takedowns
Employ Anti-Malware Tools
Safeguard Android Devices
Watch Servers
Back Up Everything
Maintain Offsite Backups
Don't Expect Boy Scouts
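"Back Up Everything" and "Maintain Offsite Backups" only help if the backup is still intact when it is needed; the Code Spaces case above is the reminder that backups reachable by the same compromised credentials were deleted along with production data. The Python script below is an added example, not code from this presentation or from Secure Banking Solutions, of the check that belongs in a periodic restore test: hash every file at backup time into a manifest, keep that manifest somewhere the backup system itself cannot modify, and later compare the offsite copy against it so that missing, deleted or overwritten files are found before an incident rather than during one. The directory layout, file names and contents are constructed in a temporary folder so the script runs offline.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Store the result separately from the backup, with write access the backup
    job and its credentials do not have."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(manifest: dict, backup_root: str) -> dict:
    """Compare a backup copy against a trusted manifest; report ok, missing and modified files."""
    report = {"ok": [], "missing": [], "modified": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(backup_root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif sha256_file(full) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def run_demo(damage: bool = True) -> dict:
    """Constructed scenario in a temp directory: a small 'source' tree, a manifest taken
    from it, and a 'backup' copy. With damage=True one backup file is deleted and one
    overwritten with unreadable bytes, the state an intruder or encrypting malware
    with write access to the backup location would leave behind."""
    work = tempfile.mkdtemp(prefix="backup-check-")
    try:
        source = os.path.join(work, "source")
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(source, "finance"))
        sample_files = {  # constructed contents, not real data
            "README.txt": b"Branch file share\n",
            "finance/ledger.csv": b"account,balance\n1001,250.00\n1002,75.50\n",
            "finance/loans.db": b"SQLite format 3\x00" + b"\x00" * 512,
        }
        for rel, data in sample_files.items():
            with open(os.path.join(source, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = build_manifest(source)   # taken while the source is known-good
        shutil.copytree(source, backup)
        if damage:
            os.remove(os.path.join(backup, "finance", "loans.db"))
            with open(os.path.join(backup, "finance", "ledger.csv"), "wb") as f:
                f.write(b"\x8a\x1f\x03\xe7garbage-not-a-ledger")
        return verify_backup(manifest, backup)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for status in ("ok", "missing", "modified"):
        print(f"{status:>8}: {result[status]}")
```

The value of the manifest comes entirely from where it is kept: if it sits next to the backup under the same account, whoever can delete the backup can rewrite the manifest too. Running the comparison on a schedule, from a host that can read the offsite copy but not write to it, turns "we have backups" into a verified statement.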
Fresh off the Press… FBI Guidance
Contact Info
Dr. Kevin Streff
Dakota State University
Secure Banking Solutions, LLC
www.protectmybank.com
605.270.0790