The Lawyer, the Rich & the Wardrobe: The real-life impact of Ransom Attacks

So as I said we've saved the best for last. First up is someone I've been following for several years and he never fails to impress with his insights on cybersecurity and digital change. So please welcome, Head of Cybersecurity for Vodafone Business, Andrzej Kawalec. Thank you and I hope you're not being following too closely. I'm in bushes and things. It's an absolute pleasure to be here. I'm glad we could fill half the room and I'll hopefully take you on a journey. A few days ago I stood here and said to look forward we have to look back.

We have to learn the lessons of the past and we can understand what's happening and I think we have to do that and we should. There are some really important things that happened that have informed where and how we stand here today and the decisions we make going forward and that's what I wanted to talk to you about. And at its heart security is a very simple thing done and made very complex by our entire industry. What do we do? We try to protect what matters the most.

Now the beauty of cybersecurity professionals is if you ask 10 cybersecurity professionals what matters the most you'll get at least 11 or 12 different answers. We can't even always agree on it with ourselves. We tend to agree on is that data sits at the heart of it, that identity plays a role and all of the other things flow around that. Now I'm not quite so sure. We did some work and we asked several thousand of Vodafone customers in the event of your house or your business setting on fire, what would you grab? What's the most important thing? What matters the most to you?

You can play this game in your own head. People clearly went for, that's my family first, pets. Items of sentimental value I could never get back. And then clearly a lot of people as I can imagine said their mobile phones as well. And then if we ask them okay if it wasn't your house, of course 330 million people can't be wrong. And then we said well if it was on your mobile phone what is it that's most important on there? And by a vast majority people said photos. Personal correspondence.

16% of people said their place in a game they were playing on a games platform which I think talks to some of the younger generation. But is it really data? Is it people? Actually what does matter the most? Is it your country? Is it your family? The people who are close to you? Is it your job or the organization you work for? Or your health? So when you really think what matters the most and where we place controls, this is what it looks like.

And this is the point where we go a little step back into history and I'll, what I want to think about is in protecting what matters the most, we also invite people to attack what matters the most. And if you can take the most important thing from a person and hold it, be it their family, their iPhone, their pets, whatever it is, then you have control over that person and that thing.

So if we go back a little bit in time and it would be never miss an opportunity to stand on stage in Germany and talk about the most wonderful kidnap of an English king by an Austrian Duke and then the German state who ransomed Richard I for at the time 150,000 silver shillings which was three times the English government's annual revenue. Today that would equate to three trillion euros. Thank you. You beautifully bankrupted my country for years, set in chain a set of European political events that changed the landscape of what we all see now.

And I was born in Nottingham, created Robin Hood, who famously robbed from the rich to give to the poor because of the taxes that were levied as a result of King Richard being held in a series of German castles from Dernstein all the way through. And then we saw people actually, you know, targeting the wealthiest people on the planet. And there's a picture of John Paul Getty, Jr, the third, who was the grandson of John Paul Getty, who was kidnapped and ransomed back to his father for what would in today's money be 120 million dollars.

However, his grandfather, being one of the richest men in the world, wasn't sure he wanted to pay the ransom. He actually said no.

He said, and I think I quote, I have 14 grandchildren. If any, if I paid a ransom once, I would have 14 kidnapped grandchildren. Eventually, after they had cut off John Paul Getty, Jr's ear and sent it back to his father, after five months of captivity, he agreed to pay the ransom. He agreed to pay 2.2 million dollars. And he lent that money to his son to pay the ransom to the kidnappers. He also informed his son he would have to pay that back with 4% interest compound annually. And he set the level of 2.2 million dollars based on what? The worth of his grandson? No.

He believed that was what was tax-deductible under US tax and accounting rules. So we see ransom and kidnap isn't new, right? So where we move to now, we move to the mass prosecution of ransomware attacks and kidnap and influence not just of people's jobs but actually of everything. And whether it's JBS as a meat producer or, you know, Colonial Pipeline is great examples of that. Deliberately targeting the weak underbelly of North America. You can say that standing in Europe.

The inability of Americans to fill their car full of gas and drive to a fast-food chain by targeting both the meat production and gas distribution. Or most recently, the huge attacks against critical infrastructure, against healthcare, against banking, against retail. These things are not inconsequential. And we've seen they, you know, we're not quite at the three trillion impact that we saw earlier but we see ransomware attacks last year, you know, tipping over the one billion dollar mark for the first time. And we know there's a classic kill chain.

It's the same kill chain that was done for Richard I as he landed in Vienna because he couldn't go by sea because the French were causing problems and then he went incognito and he got found out by Leopold and then taken, kidnapped. It's the same process. You control an asset, you ransom it back for the most money. So what I want to take us back to the title of the thing which is all about, and I paraphrase a C.S. Lewis book, The Lion, the Witch and the Wardrobe, The Lawyer, the Rich and the Wardrobe, about the kidnap which I'm sure you're very familiar with of the Aldi family.

So Theo Albrecht was kidnapped and the Albrecht family, and people often ask me what does Vodafone stand for? They don't ask me that very often but I like to tell them Vodafone stands for voice, data, phone. Vodafone. It was quite cool 35 years ago that that came out when there really were phones. There certainly was voice but no data. And I also didn't know that Aldi stood for Albrecht discount. Al-di. Two brothers founded it and built it up over many years to become one of the largest discount retail stores and chains in the world.

And they, as brothers, became two of the richest men in the entire world. Now they had a falling out and those of us who know that, they fell out as families do. And they drew a line through Essen and they said everything north of Essen is Aldi North and everything south of Essen is Aldi South. And they built the business in that way with subtly different logos, revenue streams and actually success. But at that point they became, whilst not known, but very clear that they were a target in those unique days of when you could actually walk up to a global CEO. And that's exactly what happened.

Not very long, at this point in the year, as Theo left Aldi HQ, walked to his car across the car park. Two gentlemen walked up to him, put a gun in his face and then stopped and had to check. And they asked him to produce his ID to prove who he was. Because true to his discount roots, he was wearing a rather shabby suit and looked a bit disgruntled, didn't look like a global billionaire. So they forced him to prove who he was, which is another authentication identity. I'm sure that's a conference coming up in a few months.

And then they made him get in his car, which he drove himself, put the gun to the back of his head, blindfolded him and drove him around for two hours. Took him up some stairs and then kept him in a wardrobe for 17 days. Imagine that. It took a couple of days for his colleagues at Aldi to realise he wasn't there. I don't think that could happen to any of us because, you know, we're constantly contactable. But he was eventually released. He negotiated his own ransom. He negotiated the kidnappers down. The discount story continues through.

He got them down to 7 million Deutschmarks, which is about 14, 17 million euros today. He also persuaded them not to lock him in the trunk of the car because he was claustrophobic and didn't think he'd be able to breathe. And his eventual release was mediated by the then Bishop of Essen. I think if I was kidnapped or my family was kidnapped, I'm not sure I could ask the Archbishop of Canterbury or the Pope to mediate on my behalf. But he did. And he was changed forever. He was already a reclusive man. He then did no interviews, no photos taken of him apart from one after that.

Every day he travelled by armoured car and driver to the office and pretty much went about his life behind closed doors. I think those kind of experiences stay with you for a long time. The two kidnappers who, curious how they met, I don't know if you know. So Heinz-Joachim Bollenberg, a lawyer with huge gambling debts who also faked his own legal certificates, met Paul Krohn, nicknamed Diamond Paul. They met in prison when Bollenberg was representing Paul and they must have had the conversation which went along the lines of, so Paul, I'm your lawyer.

What are you doing when you get out of prison? I don't know. What are you doing? Should you kidnap somebody?

Yes, let's. So they did. And eventually, afterwards, Diamond Paul, as he became known, they said, well, you know, how much did you?

He said, I was only given 10,000 marks because I'm the stupid one. And Bollenberg got the rest of the money. Still to this day, half of the money remains unfound.

But Paul, he lasted five days in, with his money. He tried to go into a shop and buy something with a 500 Deutschmark note. And they checked the serial numbers from that and they ran some money and he went to prison. Bollenberg got all the way to, I think, Mexico, where he was then apprehended and brought back and they both served eight and a half years in prison. Not brilliant kidnappers.

However, half of the money still remains out there. So if any of you do happen to find yourself in a bedroom in Dusseldorf with a wardrobe, I suggest you open the door and knock on the back and just check because there could be maybe seven or eight million euros in old, old Deutschmarks, which I think you can still change if you found them. But what can we learn from that story apart from the human cost? It won't surprise any of you to learn and know that today's ransomware and ransom kidnappers do not use guns and cars and wardrobes.

We know that they operate in a highly sophisticated, targeted, global ecosystem. They don't meet each other in prison asking what they're going to do next. They're hugely organized and operate around the clock, around the globe, prosecuting 11 ransomware attacks a second, where you can buy not just information on the dark web but complete access kits. And it's a relatively low risk occupation for criminals. A study was done recently in the United Kingdom. The average age of burglars in prison is now over 35 years. That's not because older people run slower and get caught by the police.

That's because new young criminals are not robbing houses, they're robbing people's social media accounts, bank accounts. If you were going into crime now and you saw that chance of prosecution, what would that say to you?

You'd say, this is the thing for me to do. And who is being targeted?

Well, the colour on the chart may give you a clue where we go next in our conversation. Because yes, the key target for ransomware is what matters the most. And what matters the most to most people is the health. The health of the ones they love. It's where acute care and treatment meets people. And our ransomware attackers recognise this and have been very, very successful targeting particularly US healthcare organisations. And not just US healthcare organisations, but organisations all over the world that deal in this area.

And I wanted just to leave you with a story about one particular attack in the UK that happened on the 3rd of June this year. And just at the time as a young girl was travelling into London to see her doctor to get really important treatment, a Russian ransomware as a service gang attacked their third major healthcare provider of the year. And took out Synovus, which was the, you know, the blood test operating unit for the five major hospitals in London.

Now, as it turns out, it's very hard to deliver modern medicine and treatment and operations if you can't trust the blood work that you get. You can't prescribe medicine, you can't take people into an operating theatre if you're not sure, completely sure that the results of the blood test are correct.

So, over a few days at the start of June, 1,600 operations were cancelled. 800 of those related to organ transplants, cancer treatment, critical life saving medication. By September of this year, the impact was over 10,000 treatments. Absolutely massive. They reverted back to paper for critical moments in medicine provision. Printing out and writing down different things and then sending runners from hospital to hospital to help people get those treatments.

Now, this isn't a particularly upbeat way to end a conference on security, I must admit. But for me, this is really important because that little girl on the train with her family was my daughter. And I've been doing this security thing for a long time now. And it's often been theoretical, intangible. It's been a conversation of risk and those kind of things. But having to explain to my daughter, who, you know, is only little, why the doctor couldn't see her today and couldn't see her tomorrow. Why she couldn't get the treatment she wanted.

Why her and thousands of people like her couldn't be treated. Had to endure pain and disruption of their lives. It was really hard and it brought it home to me why we do what we do. I also had the opportunity for the first time ever to explain to her what I actually did. And she was like, Daddy, why is this happening? I was able to tell her.

She said, is that what you do? I was like, yes, it is, my love.

So, I want to leave you with two things, if I may. And before we do, to paraphrase Bert Baccarat and Dionne Warwick, what the world needs now isn't love, but it's security. Not just for one, but for everyone. And I want to leave you with two things.

One is, please, when you think about security and protecting things, it's not about protecting a budget, it's not about a KPI of protection, it's not about complexity or installation. It's about what you're protecting. And it's about the people. I genuinely believe that. And the second thing is a big thank you to everybody in this room and in this industry.

Because, actually, without what we do, without our contributions, small or large, every time we work on security, somebody is safer. Somebody is protected. Somebody gets treatment. Something is delivered on time. Services are deployed.

So, without us doing what we do, literally, the world would be a worse place. So, it's been an amazing few days. It's been wonderful to share it with you. And thank you ever so much for having me this evening. Thank you. I don't know how we follow up on that, Andre. But I just wonder if anybody in the audience have a quick question for Andre.

Because, as I say, I've been following his career from a distance, a respectful distance, for several years. And he has a wealth of experience in this area.

So, I don't know if there's a quick question in the room. No?

Well, thanks very much for being thoughtful, as always, and hugely entertaining, as always, too.