2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
CYBER EXTORTION:
DEFENDING AGAINST
DIGITAL SHAKEDOWNS
1 Introductions
2 Cyber Extortion: Methods and Commonalities
3 Key Trends in “Datanapping”
4 “Shakedown City”: Real-world Extortion Examples
5 Strategies to Prevent Datanapping
6 Q&A
INTRODUCTIONS
ROBIN JACKSON
PRINCIPAL CONSULTANT
CROWDSTRIKE SERVICES
PROFESSIONAL HIGHLIGHTS
• Former U.S. Army Intelligence
• Expert in SCADA/Controls industry
• Founder of one of the first ISPs in Montana
• Author and DEFCON Workshop instructor
• CompTIA Security+, WetStone Certified Hacking Investigator, WetStone Certified Steganography Investigator
• More than 20 years’ experience in malware and incident response
BRENDON MACARAEG
SR. PRODUCT MARKETING MANAGER
CROWDSTRIKE
PROFESSIONAL HIGHLIGHTS
• Former PC Magazine editorial staff member
• Extensive background in product management and e-commerce application development
• Prior to CrowdStrike, led GTM and product marketing efforts at Symantec for both Enterprise and Consumer security solutions
• Currently leads product marketing for CrowdStrike Services and Falcon Intelligence
CYBER EXTORTION:
METHODS AND THEIR COMMONALITIES
A NOTE BEFORE WE BEGIN…
Both internet extortion and ransomware attacks are crimes.
If your company is a victim of either activity, we recommend you report the crime to the nearest FBI field office.
TWO DISTINCT APPROACHES
Both have the same goal: extract money from the victim

Approach     Attack affects            Real-world paradigm
Extortion    Confidentiality           Extortion / Blackmail
Ransomware   Integrity, Availability   Kidnapping
COMMONALITIES IN APPROACHES
§ Pay up or something dire will happen:
- Your data will be published (extortion)
- You won’t be able to recover your data (ransomware)
§ Payment required in digital currency
§ Payment does not guarantee desired result
§ Communications obfuscated
- TOR
- Proton mail
DIFFERENCES IN APPROACHES
§ CYBER EXTORTION
- Data in the wild (extortion)
- Overt threat
- Media component
§ RANSOMWARE
- Small transaction commodity
- Damage inflicted
- Results noticeable
KEY TRENDS IN “DATANAPPING”
ex·tor·tion
/ikˈstôrSH(ə)n/
noun: extortion; plural noun: extortions
the practice of obtaining something, especially money, through force or threats.
synonyms: blackmail, shakedown; formal exaction
INTERNET EXTORTION
Internet extortion involves hacking into and controlling various industry databases, promising to release control back to the company if funds are received, or the subjects are given web administrator jobs. Similarly, the subject will threaten to compromise information about consumers in the industry database unless funds are received.
https://www.ic3.gov/crimeschemes.aspx#item-10
[Chart: threat sophistication (low to high) against “harder to prevent & detect” (low to high). Actor groups plotted: cyber-criminals, hacktivists/vigilantes, terrorists, organized criminal gangs, nation-states. Attack split: malware 40%, non-malware attacks 60%. Caption: you need complete breach prevention.]
EXTORTION
§ Underreported (less than 1/3 of victims contact FBI)
§ 29% of reported incidents targeted an individual in the organization
§ Sensitive data
§ Shareholder/Customer/Supplier sensitivities
§ May attempt to “shop” data w/ threat of exposure
- Darknet
- Security blog writers
- Competitors
§ No “tools” required
EXTORTION ENCOMPASSES MANY THREATS
1 Data Theft
2 Intellectual Property Theft
3 Denial of Service / Distributed Denial of Service / Quality of Service
4 Website Defacement
5 Illicit materials placement
“SHAKEDOWN CITY”:
REAL-WORLD EXTORTION EXAMPLES
NOKIA INTERNET EXTORTION
§ 2007: Hackers stole source code for Symbian OS
§ Nokia reportedly paid “multi-million” ransom
§ Cash delivered in a parking lot
§ Finnish National Bureau of Investigation / Police lost the criminals
RANSOMWARE
§ A category of malware that uses encryption to block access to select files on a compromised endpoint.
§ In most cases, the only way to retrieve the encrypted files is to restore from a pre-existing backup, or pay a ransom.
RANSOMWARE FAMILIES IN THE WILD (190)
§ 777*
§ Al-Namrood*
§ Alma
§ Alpha
§ AlphaLocker
§ AndroidLocker/Dogspectus
§ Android/Lockerpin
§ Android/Lockdroid.E
§ Android.Lockscreen
§ Angler Exploit Kit
§ AnonPop
§ Apocalypse*
§ ApocalypseVM*
§ Autolocky*
§ Badblock*
§ Bart*
§ Bitcrypter/Bitcryptor*
§ BitLocker
§ Blank Slate Campaign attacks
§ Browlock
§ Cerber (version 1*)
§ Charger
§ Chimera*
§ CoinVault*
§ Coverton
§ Crowti
§ CrypBoss*
§ CryptoBlock
§ CryptoDefense*
§ CryptInfinite*
§ CrypMIC
§ Crypt38
§ Crypt888 (see also Mircop)
§ CryptFile2
§ Cryptobit
§ CryptoHitman
§ CryptoHost (a.k.a. Manamecrypt)
§ Cryptojoker
§ Cryptolocker
§ CryptoMix
§ CryptoRoger
§ Cryptowall
§ CryptXXX
§ CryptXXX v.1 & 2*
§ CryptXXX v1, 2, 3, 4, 5*
§ CryPy
§ Crysis
§ CTB-Locker
§ Cyber.Police
§ DDoS Extortion and Ransomware
§ Delilah
§ DeriaLock
§ DetoxCrypto
§ Dharma – see Crysis
§ DMA Locker*
§ Doxing as a Service
§ Dridex-related
§ DXXD
§ ElGato
§ ElasticSearch
§ Encryptor RAAS
§ Enigma
§ Enrume
§ Erebus
§ Evil Santa Ded
§ Fabiansomware*
§ FairWare
§ Faketoken
§ Fantom
§ FBI virus
§ FenixLocker*
§ FireCrypt
§ Flocker
§ FLUX: see Ransomware as a Service
§ Globe*
§ Goliath
§ Gomasom*
§ Hades Locker
§ Harasom*
§ HDD Cryptor
§ Hitler
§ HolyCrypt
§ HOSTMAN: see Ransomware as a Service
§ HydraCrypt*
§ JapanLocker
§ JBoss Backdoors
§ Jigsaw*/CryptoHit
§ Karmen
§ Kelihos
§ KeRanger
§ KeyBTC*
§ KillDisk
§ KimcilWare
§ Kirk
§ Koolova
§ Kovter
§ LeChiffre
§ Lechiffree*
§ Legion
§ Lockdroid
§ Locker
§ Locky
§ LogicLocker
§ Magic
§ Maktub
§ Mamba (See HDD Cryptor)
§ Manamecrypt (a.k.a. CryptoHost)
§ Marlboro
§ MarsJoke*
§ Mircop*
§ Mischa
§ MongoDB hacking
§ Nanolocker
§ Nemucod*
§ ‘Notification’ ransomware
§ Odin
§ Operation Global III*
§ OSX.FileCoder.E {see Patcher}
§ OSX.Filezip {see Patcher}
§ PadCrypt
§ Patcher
§ PClock*
§ PetrWrap
§ Petya*
§ Philadelphia*
§ PHP Ransomware
§ Polyglot – see MarsJoke*
§ Pompous
§ Popcorn Time
§ PornDroid
§ PoshCoder
§ PowerWare*
§ Power Worm
§ Princess Locker
§ PWSSynch-B
§ RAA
§ Rakhni & similar*
§ Rannoh*
§ RanRan
§ Ranscam
§ Ransoc
§ Ransom32
§ Ransomlock.AT
§ Ransomware Affiliate Network: see Ransomware as a Service
§ Ransomware as a Service
§ RensenWare
§ Rokku
§ Sage
§ Samas
§ SamSam
§ Sarento
§ Satan: see also Ransomware as a Service
§ Satana
§ Serpent
§ 7ev3n
§ Shade
§ Shade v1 & 2*
§ Shark
§ shc – see JapanLocker
§ Shujin
§ Simplocker
§ Slocker
§ SNSLocker*
§ Spora
§ Stampado*
§ Surprise
§ SZFlocker
§ TeamXRat
§ Tech Support Scams and Ransomware
§ Teerac
§ Telecrypt
§ TeslaCrypt
§ TeslaCrypt v1, 2, 3, 4*
§ Tescrypt
§ Tordow (Android.spy.Tordow)
§ Towelroot
§ Troldesh
§ TrueCrypter
§ UmbreCrypt*
§ Vandev*
§ VinCE [See Tech Support Scams and Ransomware]
§ Virlock
§ Wildfire*
§ WannaCry
§ Xorist*
§ Xpan
§ Zcryptor
§ Zepto
RANSOMWARE TYPES OF THREATS
§ Small ransoms are associated with commodity versions which are delivered via automatic means (Locky, Cryptolocker, etc.)
§ Large ransoms are demanded by hackers who manually penetrate systems, discover key systems and then encrypt those systems (Samas, Dharma)
HOLLYWOOD PRESBYTERIAN HOSPITAL
§ 16,175 Patients
§ Public reports still attribute Locky, but security researchers watching Samas portals saw the ransom demand for the exact amount paid in BTC.
§ Large ransom size ($17,000 US) also aligns with a targeted Samas attack
§ Services restored ten days after the attack
STRATEGIES TO PREVENT “DATANAPPING”
PRIOR TO AN EVENT
§ User Training: raise awareness of threat environment, including “after hours” personal internet activity
§ Tabletop exercises
§ Penetration testing
§ Rigorous backups
§ Media/Communications plan
§ Sensitive data encrypted, both at rest and in motion
§ Proper instrumentation: Falcon Platform
DURING AN EVENT
§ Early detection
§ Immediate interruption
§ Standard IR procedures
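“Early detection” and “immediate interruption” depend on spotting encryption while it is still running. As an added example that is not from the CrowdStrike deck, the Python below flags any process that rewrites many files as high-entropy data with a new extension inside a short window, run over a constructed batch of file events; the event schema, thresholds, process names and sample events are assumptions.

```python
"""Added example (not from the CrowdStrike deck): flag a process that rewrites many
files as high-entropy data with a new extension inside a short window, the pattern
commodity ransomware leaves on an endpoint. Event schema, thresholds, process names
and sample events are constructed assumptions."""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One file write/rename as an endpoint sensor might report it (assumed schema)."""
    ts: float               # seconds since start of capture
    process: str            # image name of the writing process
    path: str               # path after the operation
    data: bytes             # bytes written (empty for a pure rename)
    renamed_from: str = ""  # previous path when the operation renamed the file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; ciphertext and compressed data approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def extension_changed(ev: FileEvent) -> bool:
    """True when the file ended up with a different extension than it started with."""
    return bool(ev.renamed_from) and _ext(ev.renamed_from) != _ext(ev.path)


def detect_mass_encryption(events, window_s=60.0, min_files=20, min_entropy=7.5):
    """Return {process: summary} for each process that, within some window_s span,
    rewrote at least min_files distinct files with entropy >= min_entropy AND a new
    extension. Requiring both keeps archivers (high entropy, no rename) and a
    single-file encryption tool (rename, too few files) out of the alert."""
    by_process = defaultdict(list)
    for ev in events:
        if ev.data and extension_changed(ev) and shannon_entropy(ev.data) >= min_entropy:
            by_process[ev.process].append(ev)
    alerts = {}
    for proc, hits in by_process.items():
        hits.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end in range(len(hits)):
            while hits[end].ts - hits[start].ts > window_s:  # slide the window forward
                start += 1
            window = hits[start:end + 1]
            files = {e.renamed_from for e in window}
            if len(files) >= min_files and (best is None or len(files) > best["files"]):
                best = {"files": len(files),
                        "seconds": round(hits[end].ts - hits[start].ts, 1),
                        "new_extension": Counter(_ext(e.path) for e in window).most_common(1)[0][0]}
        if best:
            alerts[proc] = best
    return alerts


def pseudo_random_bytes(label: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    chunks = [hashlib.sha256(f"{label}:{i}".encode()).digest() for i in range(size // 32 + 1)]
    return b"".join(chunks)[:size]


def sample_events():
    """Constructed batch: a ransomware-like process, a word processor and an archiver."""
    events = []
    for i in range(25):  # 25 documents rewritten as ciphertext and renamed .locked in 12 s
        src = f"C:\\Users\\alice\\Documents\\report_{i}.docx"
        events.append(FileEvent(100.0 + i * 0.5, "unknown.exe", src + ".locked",
                                pseudo_random_bytes(src), renamed_from=src))
    # Normal document save: low-entropy text, same path, no rename.
    events.append(FileEvent(105.0, "winword.exe", r"C:\Users\alice\Documents\notes.docx",
                            b"Quarterly report: revenue up 4% on last year.\n" * 50))
    # Archiver writes a high-entropy zip but renames nothing, so it is not flagged.
    events.append(FileEvent(110.0, "7z.exe", r"C:\Users\alice\backup.zip",
                            pseudo_random_bytes("backup.zip")))
    return events


if __name__ == "__main__":
    for proc, info in detect_mass_encryption(sample_events()).items():
        print(f"ALERT {proc}: {info['files']} files -> .{info['new_extension']} in {info['seconds']}s")
```

The thresholds are starting points to tune against your own file-activity baseline; a real deployment would also allowlist known encryption and backup tools by signed image path.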
SUCCESSFUL EXFILTRATION
§ Contact Law Enforcement
§ Control media as best as possible
§ Interruption of attempts to disperse information
§ Monitor dark net activity
§ Don’t feed the “trolls”
CROWDSTRIKE SERVICES
DEFENDS AGAINST & RESPONDS TO SECURITY INCIDENTS
HELPING YOU DEFEAT THE ADVERSARY
SERVICE PORTFOLIO:
INCIDENT RESPONSE: Thorough investigation and accelerated recovery time enable remediation on day one
PROACTIVE SERVICES: Anticipate threats, prepare your network, improve your team’s ability to prevent damage from attacks
INCIDENT RESPONSE SERVICES
With an immediate and comprehensive understanding
of attacker activity, we stop breaches fast.
Identify attacker activity, scope and impact on your organization
Engage the attackers’ tactics and actions with appropriate methods
Determine how best to detect and manage future attacker activity
END GOAL Get our clients back to normal business operations quickly
Questions?
Please submit all questions in the Q&A chat right below the presentation slides
Contact Us / Additional Information
Join Weekly Demos: crowdstrike.com/productdemos
Featured Asset: Falcon Test Drive
Website: crowdstrike.com
Email: crowdcasts@crowdstrike.com
Number: 1.888.512.8902 (US)
