Valuing Data in the Age of RansomwareBUSINESS AND CONSUMER PERCEPTIONS OF DIGITAL EXTORTION

Limor S Kessem

June 2016

Executive Security Advisor IBM Security

2 IBM Security

Agenda

• What is Ransomware?

• Consumer Perceptions and Experience

• Business Perceptions and Willingness to Pay

• How to Respond to a Ransomware Attack

3 IBM Security

How Did This Even Start?! The Major Milestones

1989The AIDS Trojan

2005Misleading Apps

2008Fake AV

2011Lockers

“Police Trojans”

2013Cryptolockers

Drive by Download

2013Android

Ransomware

4 IBM Security

Ransomware attachment to spam has skyrocketed

Source: IBM X-Force

5 IBM Security

Locked Up For Good? …It Depends

• Lockers: Win APIs, app loops• Crypto: Symmetric encryption

@Example: AES 56-bit@Advantage: speed, length@Disadvantage: forgetting keys behind

• Crypto: Asymmetric encryption@Example: RSA asymmetric@Advantage: two keys, unique pair for each endpoint@Disadvantage: long and slow

• Double encryption@Encrypt the AES with the RSA

• Android lockers: persistent activity window

The Consumer Take

7 IBM Security

Consumers are confident in their ability to protect computers and mobile devices but aren’t necessarily taking action to do so

BUT

Overall, consumers are confident that they can protect personal data on their devices

75% are confident they can protect data on a personal

computer

67% are confident they can protect data on a mobile device

6 in 10Have not taken action in the past three months to protect their devices from being hacked

8 IBM Security

Those taking preventative action are in the minority; avoiding risky attachments is most common preventative action

71% avoided opening suspicious attachments/links in

emails/texts

59% change their passwords regularly

48% avoided using or logging into

public Wi-Fi access points

4 in 10 Have taken action in the past three months to protect their devices from being hacked

9 IBM Security

Mobile devices and laptops most important devices to protect, also two most feared for data hacks

60% laptop

64% mobile47% desktop

32% modem

29% tablet

28% home security system

5% wearable device

8% car navigation

10% home devices

16% home wifi camera

IMPORTANCE OF PROTECTING DEVICES FROM DATA HACKSLESS MORE

2.Which of the following PERSONAL or HOME electronic devices (whether you use one or not), do you think are most important for people to protect from being hacked? Please select the THREE you think are the most important. 6. Generally, how afraid are you that your data will be held for ransom, or access will be blocked on a…

10 IBM Security

“Value” of data differs slightly with financial records worth the most

Regardless of data type, roughly 37% would pay over $100 to get data back

Willing to pay $500 or more

8% 20%

Financial InfoGaming data

PasswordsMusicPersonal emails

Browser history

14%

Social network data

Online purchase data

DVR Data

Mobile phone data

Other digital photos

Family digital photos

Personal computer accessHealth records

11 IBM Security

Consumers: Say they won’t pay, then pay nine fold that amount

Over half of consumers would

be unwilling to give a hacker money in order to get their

data back

Of those who would pay, they generally are not willing to

pay more than $100

Consumers are most willing to pay for

financial data, with a slim majority of 59% indicating they would

likely pay

$900Average ransomware demandPer current day ransomware variants in the wild

Reality Check:

41%Success rate boasted by CryptoLockerUniversity of Kent research

12 IBM Security

Average Ransomware Fee Can Be Rather High

Cerber:1 – 2 BTC

Petya:1.3 BTC

1 BTC = ~ $900 US

Locky:1 - 2 BTC

Popcorn Time:1 BTC

CTB-Locker:3 BTC

7ev3n-HONE$T:

$5,000

13 IBM Security

Consumer response in the event of a data attack varies

Friends/family members are consistently ranked among the top-2 sources a consumer would go to

in the event of a data attack

Police topped the list in the case of a home computer (25%) being

hacked but was less likely for the other cases

In general consumers are extremely likely (88%) to turn to someone for help if data is

stolen from one of their devices

If data is stolen from a smart TV consumers are more likely to go to

a local electronic store (24%)

If data is stolen from a work/school computer consumers are most

likely to turn to their work IT department (40%)

Business Perceptions

15 IBM Security

Business executives are aware of ransomware but lack deeper knowledge

15

Business Executives have heard of ransomware

3 in 5

Are very knowledgeable about the topic

1 in 5BUT

62% of those who work for larger sized companies have

heard of ransomware.

VS

55% of those who work for smaller sized companies

16 IBM Security

SBs are less “data attack” prepared than larger businesses

74% of large companies

require employees to regularly change

passwords

74% of large companies block

some websites from being used in

the workplace

58% of large companies offer

training on workplace IT

security

56% of small companies

require employees to regularly change

passwords

56% of small companies block

some websites from being used in

the workplace

Only 30% of small companies offer

training on workplace IT

security

Large companies

Small companies

53% of SBs

77% of medium sized companies

76% of large companies

Taken action in past three months to protect

electronic data

17 IBM Security

The majority of executives worry about corporate data hacks

63% of Business Executive

Worry About Data Hacks

Business Executives are most concerned about financial data being hacked

72% worry about financial records

68% worry about email servers/

systems

66% worry about customer and sales records

65% worry about cloud system

access

Less confidence in ability to

protect employee vs

company owned devices

VS.

-13% pts.

18 IBM Security

Business Executives willing to pay ransom for data recovery

Regardless of data type,

roughly

60%of BEs would

pay something to get data back

from hackers

Financial Records

Customer & Sales Records

Corporate Email System/Server

Intellectual Property

HR Records

Corporate Cloud System

Business Plans

R&D Plans

62%

62%

61%

60%

60%

60%

58%

58%

19 IBM Security

“Value” of data differs slightly with financial records worth the most

Regardless of data type, roughly

25% would pay $20,000-

$50,000 to get data back

Willing to pay $50K

or more

15%

9%

Financial Records

Business Plans

R&D Source Code

IP

Corp Email/Cloud HR Records 12%

Customer and Sales Records

20 IBM Security

The Larger Companies Experienced Ransomware Before

Ransomware Experience

29% of those who work at smaller companies have experience with ransomware attacks

57% of those who work at medium sized companies

have experience with ransomware attacks

53% of those who work at large sized companies have experience with ransomware

attacks

21 IBM Security

Previous ransomware experience fairly common; generally willing to pay to resolve

21

Nearly one in two of business

executives have experience with

ransomware attacks in the workplace

Of those with experience, 7 in

ten paid to resolved the

hack

Over half of those paid over $10,000…20%

paid over $40K

22 IBM Security

Responding to an attack: while many companies have taken protective measures, most know they would benefit from expert consultation

7 in 10 Respondents stated their company has taken action to protect its electronic data from being hacked

The most useful resources in preventing a hack

58% want best practices to protect data security was

the most useful

56% stated security expert consultants are the most

useful

Ransomware Response

24 IBM Security

This is a People Problem

• Blanket user education: from receptionist to CEO

• Launch high visibility, company-wide awareness campaigns

• Train C-level executives

• Talk to board level stakeholders

• Use planned phishing campaigns to learn

what your users need to know most

25 IBM Security

Read the full IBM Ransomware guide to learn more

Visit the Ransomware landing page to review the infographic and register to receive the client engagement guide

Visit ibm.com/security/servicesto learn how IBM Security Services can help protect your organization

26 IBM Security

Preparation

IBM’s Ransomware Response Guide is largely occupied by the Preparation phase of the Incident Lifecycle.

Once the organization has been hit by ransomware, few options remain.

Sources: NIST 800-61R2, IBM’s Ransomware Response Guide

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU

28 IBM Security

Annex: Resources

• http://phishme.com/locky-a-new-encryption-ransomware-borrowing-ideas-from-the-best/

• Symantec: The-evolution-of-ransomware

• http://www.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month

• http://thehackernews.com/2016/01/javascript-ransomware-malware.html

• http://news.thewindowsclub.com/samas-ransomware-changes-way-ransomware-operates-82755/

• https://blog.fox-it.com/2016/05/02/ransomware-deployments-after-brute-force-rdp-attack/

• http://www.staradvertiser.com/breaking-news/interpol-philippines-bust-cyber-extortion-network/

• http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/

• http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-bill-curb-the-extortion-malware-epidemic

• https://threatpost.com/criminals-peddling-affordable-alphalocker-ransomware/117888/

• http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/