Hijacked Online

150 nations are on high alert along with India after the dangerous WannaCry ransomware hijacked official data in bulk. SANGEETA YADAV speaks to experts on the worst cyber attack in history

It was a regular Monday morning on May 15, 2017. Employees at the West Bengal State Electricity Distribution Company Ltd (WBSEDCL) were in for a shock when they switched on their computers. The screen was red and read: “Oops, your files have been encrypted! Many of your documents, photos, videos, database and other files are no longer accessible. Maybe you are busy looking for a way to recover your files, but don’t waste time. Nobody can recover your files without our decryption service. If you want to decrypt your files, you need to pay $300 in virtual currency — Bitcoin. You only have three days to submit the payment. After that, the price will be doubled. Also, if you don’t pay in seven days, you won’t be able to recover files ever. We will have free events for users who are poor and couldn’t pay in six months.”

Four billing offices in Narayangarh, Keshiyari, Dantal and Belda in West Midnapore district, catering to around 8,00,000 households, came to a standstill. Cyber experts declared the culprit to be the dreaded WannaCry ransomware, which had created havoc in 150 countries since Friday, May 12, 2017, with over 2,40,000 computers infected.

Soon, WhatsApp and other social media were flooded with alerts, and users were advised to stop using ATMs and online transactions.

“WannaCry is a ransomware launched by a group of hackers leveraging the vulnerability — EternalBlue — released by The Shadow Brokers (TSB) hacker group. The US-based National Security Agency (NSA) has a cyber army of leet hackers doing both offensive and defensive work. The TSB hacked and stole a huge chunk of 0-day exploitation tools. 0-day means nobody knew that the vulnerability exists, not even Microsoft. Only the hacker who had found it knew about it. When Microsoft got to know about this, they released an immediate patch — MS17-010 — for all supported OS in March. Unsupported machines running Windows XP or pirated versions of Windows, or machines that didn’t update anyway, were left highly vulnerable,” Ankush Johar, director, HumanFirewall.io, a company specialising in phishing protection, says.

On May 17, 30 systems of one of the richest Hindu shrines in the world, the Tirumala Tirupati Devasthanams (TTD), got hit by the ransomware attack. Since all these systems belong to the administrative wing of the TTD, it had no impact on the hardware or software related to pilgrim services, including online bookings. Since they had back-up data, it was easy for them to recover the loss.

“Systems of Shaheen Airlines (claimed on Twitter) have been victimised. So far, there is no news of ATM compromise noted in India. The malware has been programmed to spread via a Server Message Block (SMB), a protocol specific to Windows machines, to communicate with file systems over a network,” Sunil Gupta, president and COO, Paladion Networks, says.

In another incident, 20 computer systems in the Andhra Pradesh secretariat in Amaravati were hit. Blocks 4 and 5, mostly of the Revenue department, lost data. However, the IT department staff swung into action and managed to save some of the data from crashing.

“It all started when multiple sources in Spain began reporting an outbreak of ransomware now identified as WannaCry. The US Department of Homeland Security confirmed that more than 3,50,000 systems have been attacked across 150 countries, including Russia, Europe and China,” McAfee’s South Asia MD Anand Ramamoorthy said.

Such was the extent of the problem that UK’s National Health Service had to turn away patients as they were unable to perform X-rays. Companies like Telefonica (Spain), FedEx (US), University of Waterloo (US), the Russian Interior Ministry, Megafon Bank (Russia), Shaheen Airlines (India), Frankfurt train station (Germany), Neustadt station (Germany) besides the entire network of German Rail, the VTB Russian Bank and Portugal Telecom were scrambling for help.

The virus continued to attack data worldwide till a 22-year-old self-taught cyber expert, Marcus Hutchins, also known as MalwareTech, accidentally triggered a ‘kill switch’ that stopped the ransomware from spreading further. Few expected that when people resumed work on Monday (May 15), a landmine would be waiting in mailboxes to set off the cyber extortion attack afresh with the release of a new variant, WannaCry 2.0.

“While the WannaCry 1.0 strain was easier to alleviate by activating the software’s hardcoded ‘kill switch’, WannaCry 2.0 evolved with no such switch functionality, making it difficult to mitigate the attacks. Users have to, in that case, patch immediately to safeguard themselves,” Ramamoorthy tells you.
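The spread over SMB that Gupta describes above and the hardcoded kill switch Ramamoorthy mentions both leave traces a defender can look for. The following is an added example, not code from the article or from any of the companies quoted: it triages constructed DNS and firewall log lines and flags a host that queries the kill-switch domain (a placeholder name here, not the real one) or that opens SMB connections to many distinct hosts within a short window. The second signal matters because, as the quote notes, WannaCry 2.0 has no kill switch, so only the spread behaviour gives it away.

```python
"""Added example, not code from the article: triage constructed DNS and firewall
logs for (1) a query to the hardcoded kill-switch domain, which only the first
WannaCry variant has, and (2) a burst of SMB (TCP/445) attempts to many hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch-domain.example"  # placeholder, not the real domain
SMB_PORT = 445
SPREAD_THRESHOLD = 5                   # distinct 445 targets that count as a burst
SPREAD_WINDOW = timedelta(seconds=60)

# Constructed sample lines: "<timestamp> <source> <host> <detail>", where source is
# "dns" (detail = queried name) or "fw" (detail = destination ip:port).
SAMPLE_LOGS = """\
2017-05-15T09:01:02 dns ws-017 killswitch-domain.example
2017-05-15T09:01:03 fw ws-017 10.0.5.11:445
2017-05-15T09:01:04 fw ws-017 10.0.5.12:445
2017-05-15T09:01:05 fw ws-017 10.0.5.13:445
2017-05-15T09:01:06 fw ws-017 10.0.5.14:445
2017-05-15T09:01:07 fw ws-017 10.0.5.15:445
2017-05-15T09:02:00 dns ws-023 www.example.com
2017-05-15T09:02:10 fw ws-023 10.0.5.11:445
2017-05-15T09:03:00 fw ws-042 10.0.5.21:445
2017-05-15T09:03:01 fw ws-042 10.0.5.22:445
2017-05-15T09:03:02 fw ws-042 10.0.5.23:445
2017-05-15T09:03:03 fw ws-042 10.0.5.24:445
2017-05-15T09:03:04 fw ws-042 10.0.5.25:445
"""

def parse_line(line):
    ts, source, host, detail = line.split()
    return datetime.fromisoformat(ts), source, host, detail

def triage(log_text):
    """Return {host: set(findings)} for every host showing at least one signal."""
    findings = defaultdict(set)
    smb_events = defaultdict(list)      # host -> [(timestamp, target_ip)]
    for line in log_text.strip().splitlines():
        ts, source, host, detail = parse_line(line)
        if source == "dns" and detail.lower() == KILL_SWITCH_DOMAIN:
            findings[host].add("kill-switch-query")
        elif source == "fw":
            ip, port = detail.rsplit(":", 1)
            if int(port) == SMB_PORT:
                smb_events[host].append((ts, ip))
    # Sliding window: SPREAD_THRESHOLD distinct targets inside SPREAD_WINDOW is a burst.
    for host, events in smb_events.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {ip for ts, ip in events[i:] if ts - start <= SPREAD_WINDOW}
            if len(targets) >= SPREAD_THRESHOLD:
                findings[host].add("smb-spread-burst")
                break
    return dict(findings)
```

Running `triage(SAMPLE_LOGS)` flags ws-017 on both signals and ws-042 on the SMB burst alone, which is the case a kill-switch-only check would miss.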

As per Quick Heal Technologies, over 48,000 ransomware attack attempts were detected in India, with 60 per cent of the attempts targeting enterprises and 40 per cent individual customers.

Though nobody knows the origin of this ransomware, an Indian employee on Google’s security team reverse-engineered the code and revealed that WannaCry was initiated by North Korea. “He has speculated that he has seen a similar type of programming being done by North Korean groups and there is a possibility that this has been done by the same group,” Johar says.

Before releasing the vulnerability tools, the TSB tried to strike a ransom deal with the NSA and Microsoft, who refused to accept it. “The TSB first auctioned the tools pointing at NSA to buy them back, but no one paid attention, not even Microsoft. They then put it up on direct sale for $7 million but it failed to drag heat. Later, the price was brought down but neither the NSA nor Microsoft or any of its competitors approached the sale. Annoyed, they released all the tools to the public as a proof of how devastating it could be and it became so.

“Now they are using the massive WannaCry to sell the rest of the exploits which claim to be even more dangerous, affecting latest versions of Windows, including Windows 10 and other OS like Linux and Mac,” Johar tells you.

To monetise the attack, TSB made another plan. “It announced a subscription-based service in June this year under which they will release monthly 0-day exploits and it would be up to the buyer to pay up. We are sitting on a ticking time bomb right now. TSB has just released the first batch of vulnerabilities. If they release any other vulnerability which has not been patched, the hackers will come up with different versions of ransomware that will create a massive destruction in cyberspace,” he says.

Last week, a new variant of ransomware — EternalRocks — was identified; it targets the same vulnerability that WannaCry exploited to wreak global havoc. The malware carries far greater threats than WannaCry, making it potentially tougher to fight.

“Though there has been no immediate impact of this malware on computers, there are chances it can lead to bigger loss as EternalRocks uses seven NSA tools leaked by ShadowBrokers. Out of the seven tools, WannaCry used only two tools to spread itself from one computer to the next through Windows. It is touted to be more dangerous since it has no loopholes as of now,” Sreedhar Yedlapalli, AVP, IT solutions, Bodhtree Consulting Limited, says.

It has been 17 days since the first cyber attack took place but the countries are still on high alert and Governments are monitoring critical networks across sectors like banking, telecom, power and aviation to ensure that the systems are protected against more such attacks.

“WannaCry highlights the real-life impact of ransomware: Crippled systems, disrupted operations, marred reputations, and the financial losses resulting from being unable to perform normal business functions, not to mention the cost of incident response and clean up. What is needed is that organisations have a basic hygiene in place, as the modus operandi of these attacks is through phishing emails. Have a robust cyber security framework in place. Ensure basic hygiene practices are adopted like back-ups, cyber awareness sessions, regular patching,” Sharda Tickoo, technical head at cyber security solutions provider Trend Micro, India, says.

Meanwhile, many countries are still battling to recover the data. In China, apart from the Government, police and traffic authorities, energy giant PetroChina got massively hit by this attack although it has been able to restore its systems. The Chinese tech firm Qihoo 360 said that at least 2 lakh computers had been affected in China, with schools and colleges particularly hard-hit. A school in South Korea barred its pupils from using the Internet. Taiwan’s Government appeared to have escaped a major infection, possibly because regulations require all departments to install software updates as soon as they are available. South Korea’s presidential Blue House office reported nine cases of ransomware but didn’t provide details. In Australia, three business houses were hit by the bug amid worries of a widespread infection.

While some have managed to recover data through regular back-ups, others are either resigned to paying the ransom to get the data back or have given up hope of getting it. Since May 7, the price of Bitcoin (virtual currency) has soared from $1,499 to $2,800 last week.

“We haven’t seen anything like this since Conficker in 2008. It is the biggest ransomware outbreak in history in terms of infections. But, as of the day after its outbreak, it had only made a measly $25,000, according to our researchers,” Amit Nath, head of Asia Pacific, Corporate Business, F-Secure Corporation, says.

It is advised not to pay the ransom as it will not necessarily guarantee return of hijacked data from hackers. “The US Department of Homeland Security reported that they are aware of no more than $75,000 being paid in ransom. Additionally, they are unaware of any instances where payment resulted in the victim receiving working decryption keys. McAfee discourages individuals and organisations from making ransomware payments to cybercriminals. Such a response rewards extortion by cybercriminals, and there is no evidence that decryption keys will be shared with victims following any payments. Meeting hackers’ demands will not necessarily guarantee their compliance. There are high chances that the attackers would release more variants over the coming weeks,” Ramamoorthy says.

To protect themselves, many companies are now taking cyber liability insurance. “Companies who have proactively opted for cyber insurance are breathing a sigh of relief as they have security against the financial consequences of the attack. Cybersecurity practices in India are still evolving and companies must proactively improve their security strategies rather than take reactive measures after suffering cyber losses. Cyber insurance helps clients mitigate a cyber risk. It gives financial protection against any liability arising out of a data breach and pays for policy holder’s costs, such as forensic services, data subject notification and reputation management. It also assists clients to mitigate cyber risks by conducting two risk assessments and sharing reports with clients, providing a shunning device to block unwanted IPs,” Sushant Sarin, senior vice-president commercial lines, Tata AIG General Insurance Company Ltd, says.

Small and Medium-sized Enterprises (SMEs) carry less risk as compared to a large corporation. “If SMEs buy an Internet connection, they get a firewall and basic Windows update services. If they have these two configured, they are safe. Having the best infrastructure is the basic hygiene companies need to follow today. The only challenge is, if they are doing the right thing such as updating software at the right time. By delaying updates, they become potential victims of an attack,” Srinivasan CR, senior vice-president, global product management and data centre services at Tata Communications, says.

The biggest reason for being vulnerable to cyber attacks is not having the latest patches and updates. “Since the outbreak of this ransomware attack, we’ve found that only 10-15 per cent of businesses worldwide are in preparedness with the right security systems, latest patches and updates. About 80-85 per cent businesses are not at the current patch levels and have had to undergo patching urgently. Microsoft had released a patch update back in March and a high percentage of businesses were at the January-February update levels,” Srinivasan tells you.

While a company’s IT team and consumers are well aware of this, they often deliberately defer the latest patches to avoid disrupting applications and ongoing business activities.

“That’s because businesses that have a quarter ending in March may want to defer updates to April. It’s more the fear of application downtime and the fear of business impact that prevents them from getting to the latest patch level in time. Most companies have critical infrastructure and IT teams take business approvals for shutting down systems. Some updates may need elaborate testing so it may not be possible to apply patches right after they release. Businesses having a process of sustained monitoring of such alerts and a process for patch updates would be completely protected in such situations,” Srinivasan says.

Need To Do

  • Run a robust security solution that covers all your devices.
  • Take regular back-ups of data offline. Test restore them to make sure they work.
  • Keep software updated. Utilise tools that identify old versions and suggest updates.
  • Be extra careful with email attachments, especially ZIP files and Office documents (Word, Excel, and PowerPoint).
  • Don’t open unknown email attachments.
  • Disable macro scripts in Office files.
  • Limit use of browser plug-ins. Disable commonly exploited ones like Flash Player.

— Sunil Gupta, president & COO, Paladion Networks

Need To Know

WannaCry Ransomware: Used an exploit of the SMB vulnerability, known as EternalBlue, to worm its way into systems. Once the infection spread, WannaCry used the DoublePulsar backdoor to allow remote attackers to execute code on the compromised machines.

The Shadow Brokers (TSB): A hacker group which popped up in 2016 and published several leaks containing hacking tools from the National Security Agency, including several zero-day exploits. They are the ones who stole and leaked the EternalBlue exploit.

ALL ABOUT BITCOIN

Ankush Johar, Director, HumanFirewall.io, talks to Sangeeta Yadav about why Bitcoin is popular among hackers & how it has become the biggest investment platform

What is Bitcoin?

It is a cryptocurrency that works on a fundamental principle called Blockchain (digital ledger). Unlike the RBI, which is the central body that controls the cash flow, there is no central authority managing this.

Why is it so popular?

If configured properly, finding out the owner of a wallet is very difficult unless one converts Bitcoins from the digital wallet to a controlled currency by depositing it in an account. Then the person can be traced via Know Your Customer.

Where is it stored?

It can be stored in the wallets of companies like Bither, GreenBits, Coinomi, Coin.Space, Simple Bitcoin, Breadwallet, Armory etc. One can register with these wallets and then buy Bitcoins by paying money through normal bank accounts. The coins will then be stored in the wallet and you will receive a username and a password for it. Another way of obtaining them is by mining (a process where a person rents a computer’s resources to the Bitcoin network and in return gets free bitcoins).

How can people spend these?

If the seller and the buyer both accept Bitcoins, they can deal in them to obtain any product or services. The entire transaction takes place within the eco-system of Bitcoin. The receiving party sends its wallet address to the sender, the sender then puts that address in its wallet and sends money to it instantly. Regular companies in the US accept money in Bitcoin. You can buy goods on many e-commerce sites just like one uses other modes of payment like Paytm, credit card or debit card, etc.

How can this be an investment?

In the last three years, Bitcoin has been considered a very good asset class for investment like we have in bonds, fixed deposits, equity, real estate, mutual fund etc. People worldwide are investing in it as its value has shot up to 150 per cent in the last five months giving higher returns than other investments.

What is the present value of Bitcoin?

After the WannaCry attack, Bitcoin went up from $1,800 to $2,800. The demand has gone up since many have paid the attackers the ransom.

What are the advantages and disadvantages?

Since the transactions are completely anonymous, it is beneficial to liberals, whistleblowers and other ethical jobs that require secrecy. The medium is foolproof and known to be secure. Another benefit is that there are no intermediate charges. The bad is that not only hackers but underground markets deal in bitcoins to make sure that they don’t get into trouble. This makes them fearless.

Does India accept Bitcoin?

There are players like Zeb Pay, Unocoin etc. Transaction through Bitcoin is at a nascent stage in India. But RBI has constituted a committee which will give its review in June.

This article was published in The Pioneer newspaper: http://www.dailypioneer.com/sunday-edition/sunday-pioneer/special/hijacked-online.html.