Thank you. Thank you so much. Thank you for having me. I'm sorry that I couldn't attend in person, but I was a bit in conflict with my own schedule, so I'm very sorry about it. But I hope I can shed some light on current DDoS and ransomware threats and how those business models are working.
But first, I'm sure my usual intro is that everyone knows SCHUFA, so I don't need to introduce myself. And I know everyone because I'm the CISO of SCHUFA. But let me give you some figures about SCHUFA. We were founded in 1927, so we're pretty old, and we use information systems for a very long time. That means we have a lot of IT systems that we are running. Nonetheless, we're a medium-sized enterprise. We have seven locations all over Germany, and we organize and manage about over one billion PII of nearly everyone who lives in Germany.
And if you would like to know what SCHUFA data is about you, you can go to our subsidiary Bonify. We released an app. You can see your SCHUFA data, your credit rating score, and your PII online.
And now, if you register at the subsidiary of SCHUFA, if you like. But that's the commercial part of it. Let me leave it to that. So we not only provide data and work with the credit rating score, we also have solutions for fraud prevention, compliance, identity. And even security solutions like when your data is being compromised and published in a darknet, you can get information from us about it. And now I'd like to talk about ransomware and DDoS and first shed some light on ransomware.
So if you are exposed to ransomware attacks, just do some math and specify on those assets you are famous for as a company. So, for example, if you are a bank, you maybe have a lot of financial assets, then you are more vulnerable to some kind of attackers than other companies like we. For example, we have a lot of information, so we are targeted by other groups. And we also, as you said in your introduction, we have a lot of bad reputation because nearly everyone in Germany knows us, but about 20% of German people don't like us, as our studies told us.
So the asset reputation is one important asset to us as SCHUFA. But when you're a small craftsman and run a small business, then reputation means another kind of vulnerability than information or financial, for example.
So, in short, if you have a lot of financial assets, then you are attracted by other people than we do. We have a lot of information and financial assets and reputation. So our targets, our threat actors are nation state actors, as well as hacktivists, as script kiddies, as professional groups. So what I like to say is nation state actors don't need these quick cash out when they attack a company because they already have money. So they like to get the information about one specific person or a specific group.
So they will target other companies as those professional groups who are interested in getting a fast cash out and make some money. Or if you are out in bad standing, for example, or if you have a bad reputation, then you are attractive for hacktivists and script kiddies, for example. So your threat actors differs regarding your own business model. And if you get some groups to those categories, then let's go to the Microsoft taxonomy of those groups.
Then you have a lot of nation state actors that are being visible to information gathering attacks and less professional groups who work in a direct way with their victims. So, but back to ransomware. Ransomware, the first ransomware attack appeared in 1998. It was delivered by mail, by post mail and on disks and through one post office in London.
And Joseph L. Popp, a researcher, sent about 20,000 disks to 20,000 different addresses and targeted other researchers who were researching AIDS. And he encrypted one database with the results of some studies regarding AIDS and infected around 1000 computers. And as you can see, that malware worked with bank accounts. And so it was pretty, pretty old fashioned. And Popp was arrested, but never convicted because there were no laws against computer crime at that time.
So the whole evolution in a nutshell of ransomware was at first, they just encrypted some parts of files and some single files, not the whole disks of your computer. And they used some API, some self-written crypto functions that you could break very easily. And then in 2013, CryptoLocker was the first one who used the operating system API to encrypt even single files. And that was the first time Bitcoin was used. I think it was much cheaper that day than now to pay the ransom.
And in 2017, there was this first major incident, major attack with a NotPetya attack that used a vulnerability, a flaw in the Windows file stack protocol, and caused damage of about $1 billion. And then 2019, the GandCrab ransomware as a service, the first ransomware as a service showed up. So there was a mechanism that you can upload an encrypted file to a website that was in the darknet. And you get a kind of instruction, and the ransom was calculated regarding your specific file. And now you have these double extortion to triple extortion groups. You have very professional groups.
You have some kind of marketplace where you can see which companies are attacked and successfully been attacked, how long they will have to pay the ransom. And you can see it on websites, and even journalists and third parties have access to those websites. So everyone can see that you've been hit by a ransomware group and successfully hit. And for that, you need a very well-organized company behind that. And they have invented some division of labor.
At first, there were just some developers and some script kiddies that invented some ransomware. And now you have negotiators, professional people who put the pressure on you to pay the ransom. You have data managers who are very highly specialized to extract those data, these a lot of tons of gigabytes and terabytes of data that they encrypted. And you have a network of affiliates who are prepared for the initial access. And you have those accountants who exchange the Bitcoins in other money and other currencies.
So well-organized companies with awareness trainings with kind of hire to retire process. It's very interesting to see. And this is a short excerpt from a ransomware attack from another company. Those are the chat, the interview that they typically do when the ransomware group hits you as a company. So the first question you have to ask for yourself as a company who's been affected, infected by ransomware is how good, how old are my backups? And can my data be recovered? And often these answer sadly goes no, because most of the backups also been encrypted.
So you have to separate your backup from your production system, even with access, even with users. So it's very tough to separate and to not to pay the ransom. And then they sent you, for example, two to three encrypted files and unencrypt them for you as kind of proof of concept. And then they negotiate about the money. And that is incredibly successful over the last years. And with the coronavirus, that figures increases, that number increased.
And so we're about at the moment, if you look in your quarantine of your mailbox, of your email, usually we have about 16 ransomware attack attempts per second as a company. Every company has it in average worldwide. So it's a lot of, it's a very high number. But when you look in your quarantine and your email in kind of phishing attempts, you have, it's a very realistic number, even if it's a very bad and high number, because this business model is very successful. And the other number I'd like to share with you in this short period is about DDoS, about distributed denial of service attacks.
So first, the evolution of it, there were very classic DDoS attacks. So they just sent you a lot of packets, a lot of requests at your website and your website suspended and gone offline. So that was the main part. And there were some very large attacks in the past, targeting GitHub, targeting Cloudflare, AWS, and so on. And now those attacks are not even a number of requests that goes on very standard protocols. The groups also attack your website with, for example, the authentication process and on an application level.
So they try to get some very high, close to infinite numbers to your application when they need to calculate something and cause a lot of workload at your application so that your application can't handle any other requests. And that's a pain because you don't need to have so many requests. You have very small numbers of computers that attack your website, but with a lot of complexity in the requests. And it's getting worse because you also can do it with some pre-designed tools that come with some operating systems, some specific operating systems.
Or you can buy it at the internet on legit lookalike websites and you can pay by, for example, by PayPal or other payment systems, or you can use it for free. Or you can just ask ChatGPT to get some complexity to it and to get some requests for workload tests for your website. And this amount of attacks leads to that figure that 23 DDoS attacks per second happens to your company. Most of them are being mitigated by your ISP, by your internet service provider, by the gateways you use, by the firewalls.
But the small number of DDoS attacks that come through with a lot of complexity, it's very hard to defend and to prevent. And the only good thing about this, when you compare those business models, like ransomware attacks to DDoS, ransomware groups often do a lot of intelligence to get some information about their victim. And they need to tailor the malware at first and send the malware. And with this sending process, they can multiply it. They can send it to many companies and just when one company is vulnerable to it, they have one and they can encrypt the data.
DDoS, on the other hand, is less intelligence and less preparation of an attack, but they have a lot to do while keeping the attack alive. So the effort to attack you is, for a DDoS attacker, as high as your effort to prevent or to defend it. And that is why ransomware groups are often professional groups or like information gathering groups, like nation state actors.
And DDoS, on the other hand, is often used, but just by activists or by script kiddies and not that dangerous on a long term like ransomware. So hopefully I didn't use my time too much. And now I'd like to thank you for listening. And if you've got questions, feel free to ask.
Well, thank you, Christopher. We don't have time for questions, but you might want to share your contact information with our audience here today, if you can.
Yes, I can. So if you have any questions, you can reach out to him. We don't see it in this slide.
Oh, okay. So I will send it afterwards. All right. Okay. And thank you very much. Thank you so much.