“If you’re gonna commit a crime,” as “Slick Willie” Sutton said when asked why he robbed banks, “That’s where the money is.” Also known as “Willie the Actor” for his ability to disguise himself, Sutton stole an estimated $2 million during his 40-year robbery career. Modern-day cyber criminals have adopted this approach to digital extortion and blackmail. They’ve become good at going where the money is and disguising themselves on their victim’s networks until it’s time to levy the threat to pay up.
Easy money
Ed Cabrera, chief cyber security officer at Trend Micro said, “The motivation for extortionists is simple. It works.” In many cases, cyber criminals are able to monetize their criminal activity within minutes of their initial attack. Any type of extortion-related activity, be it through ransomware or by other means, has changed the threat landscape coming out of the cyber-criminal undergrounds. With traditional data breaches, monetization can take months. They not only have to penetrate and exploit a particular network to find data that they can sell in the criminal underground, they have to exfiltrate that data, then parse it before they can sell it.
David Perry, noted computer security consultant, pointed out the main enticement for criminals to go digital is because “we’ve put everything onto computers, and put all the computers online.” He added, “Extortion isn’t the only thing that’s happening. It’s only one of a vast panoply of things that involve everything from me hacking into your computer just to prove how tough I am, to nation-states attacking one another.”
The players
Perry described six silos of actors that have to be dealt with. “The first are trolls. I would call them bullies, under a different context. Although we think of them as being very low point, in terms of extortion and blackmail, they actually have driven children to suicide. So I would say that’s a very important category.”
Second there are hackers.“There’s a great range of these, from wannabe script kiddies with orange hair you meet at DEFCON for their first year, to people who are so dangerous the CIA is afraid of them.” He said they mostly want companies to know how tough they are.
Then come hacktivists, groups of hackers banded together for political action. These groups are more dangerous than any individual.
Perry said, “Beyond hacktivists, are criminals which comprise maybe 100,000 different groups ranging from one person, for example your dirtbag nephew who’s hacking into you to make money, all the way to the Russian mafia. It is a whole world of criminals. There’s no one adversary that we can point the magic bullet at.” This is where much of the extortion activities are coming from.
Next are corporations. According to Perry, corporations are more dangerous than criminals because corporations believe that they can do everything that they do, because that as long as they are pursuing profit and adding value for their shareholders, then what they do is right. He adds, “Criminals at least know what they’re doing is against the law.”
The last silo is government. “You could argue that it’s very difficult to tell the corporations from the governments. I’m unwilling to admit that just yet,” Perry said.
Enter Crime as a Service
Cabrera said that what’s aided and abetted attacks is the growth of “crime as a service” in the criminal underground. Cabrera describes the burgeoning market of groups offering these services as “cyber tech startups.” They’re able to create ransomware as a service to budding cyber criminals that are not as capable or don’t have the infrastructure needed to successfully run the attack. On top of these services, they’re able to deliver those attacks to a demographic of the criminal’s choosing, and handle the entire payment processing using mostly Bitcoin or other cryptocurrencies. “What’s really enabled digital extortion is not so much the data mining aspect to it, it is all the other services and capabilities that have grown on the service web that have equally grown in the criminal underground,” he said. There are groups that develop a capability and a capacity that lends to one type of attack or another. Cabrera warned, “Criminals are able to communicate and collaborate and obtain services that they might be missing quite easily.” For example, if they specialize in digital extortion and want to move into other practices, such as going into traditional DDoS attacks to further their digital extortion activities, they can definitely find those individuals or groups offering those services.
Technology alone is not the fix
What can a company do to make it more difficult for extortionists? A holistic program will better protect against infiltration. Companies with networks have to learn how to segment their networks and access to those segments, so that the sysop who runs email doesn’t have the keys to get into the deep storage, and that they aren’t co-linked for the same access. Perry advised, “Don’t leave credit card info on the Point of Sale (POS) devices. Back them up immediately and take them out to an air gap network where they aren’t connected to the internet.” With accurate backups in place, you have the ability to re-flash and go back to it in an instant, if you have to. Plans have to be in place to do that. Have extra computers that are waiting in advance. Think about running a virtual operating system that you’re dumping the contents of the heap onto every time you turn off the computer, and loading fresh in the morning.
Cabrera recommended three different backups in two different file types, and one air-gapped. “The idea that you’re going to be resilient enough based on the infrastructure and the security posture that you have, is not a good approach,” he said. “You must have a layered approach from many different angles.” He points out companies either have to mitigate it, accept it, or transfer it. “So, when all else fails, purchasing cyber-insurance is also an option. There’s no one silver bullet that will help you survive these types of attacks.”
Richard Santalesa, founding member of the SmartEdgeLaw Group and of counsel to the Bortstein Legal Group, recommended a strategy of planning for the attack and performing dry-run fire drills. He used as an example the shipping company Maersk. “As part of their recovery from ransomware, they recreated something like 40,000 workstations, 1,000 servers, over the course of two weeks. That was a mammoth undertaking on the part of their IT group to do that, but that told me right away these guys had practiced this in advance and weren’t just looking at page 12A of the manual and saying, ‘What do we do now?”
Be a better cybercitizen
Individual protection begins with being better educated. The ordinary end user has to understand what’s at stake with computer security. Not just to themselves, but to their family, to their employer, and to the nation that they live in. Users need to know what they’re charged with protecting. They’re protecting their data, access, and reputation. “You’re protecting the security of your system, your relationships to other people, be those familial, work, or nation-state,” Perry said. More educated employees leads to better company security. He suggests that there needs to be a reward for an end user who discovers that the network has been breached.
One option available to victimized individuals that needs to be weighed carefully against the potential damage, is the individual publishing the information themselves, thereby negating the extortionist’s leverage on them. It’s a tough call.
Perry is working on an education program with Peter Cassidy from the APWG. It was unveiled at the United Nation’s Education Center in Vienna last fall. Ten years ago, Perry, Cassidy and the federal government founded a user awareness program called Stop.Think.Connect. as a resource to better educate end users.
What’s next?
Nothing is not hackable. “At the nationstate end of things, look for somebody to hack one of our drones and turn it back around on us,” warned Perry.
Extortion will evolve to include critical infrastructure. Travel, automotive, air traffic, power, sewage, and water will fall victim. “We’ve already seen extortion perpetrated on hospitals. We haven’t seen it on the power grid yet, but we will,” he says. To quote the great Al Jolson, “You ain’t seen nothing yet.”
GDPR: Changing the rules on both sides
The EU’s General Data Protection Regulation or GDPR, is set to take effect in May. It applies to companies processing the personal data of EU residents and business’s residing in the Union, regardless of the company’s location. In other words, it also applies to any business if it does business with any person living anywhere in the EU without regard to where that business’s headquarters are. Essentially, this means everyone.
Richard Santalesa, founding member of the SmartEdgeLaw Group and Of Counsel to the Bortstein Legal Group, says, “It’s going to have a huge effect. The GDPR has never been a fan of U.S. tech companies, and this gives them another lever and baseball bat to go after them if they so choose. For instance, Amazon, Google and Facebook have all set up specific different privacy settings and encryption in direct response to the GDPR. It’s gonna have a dramatic effect on the big players for starters, but then everybody else as well.”
Other significant changes include the strengthening of consent conditions and the requirement that terms need to be in understandable, plain language. Breach notification must be given within 72 hours of the breach discovery. Data subjects have the right to demand and receive data control confirmation as to whether or not personal data concerning them is being processed, where and for what reason. Data erasure, data portability, and Privacy by Design are also addressed in further protection of the data subject.
If companies haven’t already assessed their level of compliance, it’s time to do so.
Penalties for non-compliance are stiff. According to the official GDPR site, GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine and the rules apply to both controllers and processors. In plain English, clouds will not be exempt from GDPR enforcement.
What this means to a company in the throws of a breach is that it must assess whether it’s worth paying the ransom, which could be considerably less than the fine, and securing their data, or not paying the ransom and reporting the breach within required time frames. The downside here is that these hacks can have a devastating impact on company reputation if the data is released. By levying their fine structure, GDPR has now given digital extortionists a calculator by which to determine the amount of ransom to demand so that it can fall within the victim’s brand protection loss tolerance, in other words, less than the potential fine.