The worst ransomware attack the world has ever seen has just been thwarted, or so it might seem, with a $10 web domain. WannaCry drove thousands to tears around the globe, and held out a stark warning about the vulnerabilities of our digital, inter-connected existence.
What exactly happened?
WannaCry, a crypto-ransomware that is also called WannaCrypt, affected at least 45,000 computers spread over 74 countries, including India, on Friday. The WanaCrypt0r 2.0 bug encrypts data on a computer within seconds and displays a message asking the user to pay a ransom of $300 in Bitcoins to restore access to the device and the data inside. Alarmingly, the attack also hit the National Health Service of the United Kingdom, stalling surgeries and other critical patient care activity across the British Isles, and making confidential patient information and documents inaccessible.
But what is ransomware? How is it different from other malicious software?
There are many types of malware that affect a computer, ranging from those that steal your information to those that simply delete everything on the device. Ransomware, as the name suggests, prevents users from accessing their devices and data until a ransom is paid to its creator. Ransomware usually locks computers, encrypts the data on them and prevents software and apps from running.
How was the attack ultimately brought under control? What could potentially have happened otherwise?
The attack was brought under control by an “accidental hero”, a security researcher who wants to be identified only as MalwareTech, who discovered a hard-coded kill switch in the form of a link to a nonsensical domain name. He bought the domain name for $10.69, and this triggered thousands of pings from affected devices, thus killing the ransomware and its spread. If this had not been discovered, millions of computers worldwide could theoretically have been locked within a few days, affecting all kinds of services globally. Within hours of the attack, many surgeries were reported to have been put off, X-rays cancelled, and ambulances called back — in the UK alone, where at least 40 hospitals under the NHS were affected. It had long been feared that an attack of this nature could bring public utilities or transport systems to a halt, forcing the government to pay a huge ransom to normalise services — for a few hours on Friday, that day appeared to have arrived.
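The kill switch described above works in two directions: the malware only proceeds when its hard-coded domain fails to resolve, and once the domain is registered, every lookup of it becomes a record of an infected machine. The following is an added illustration of both sides, not code from the article or from any WannaCry sample; the domain name, the log format and the log lines are constructed placeholders.

```python
# Added illustration of the kill-switch mechanism (not from the article).
# KILL_SWITCH_DOMAIN is a placeholder; the real domain is not named in the article.
import re
from collections import Counter

KILL_SWITCH_DOMAIN = "kill-switch.example"


def kill_switch_tripped(resolve):
    """Gate the way the article describes it: the ransomware carried on only
    while the domain did NOT resolve, so a resolvable domain means "stop".
    `resolve` is a callable taking a name and returning an IP or None."""
    return resolve(KILL_SWITCH_DOMAIN) is not None


# Constructed DNS-log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) query (?P<qname>\S+)$")


def infected_hosts(dns_log_lines):
    """Sinkhole operator's view: count, per client, the lookups of the
    kill-switch domain. Each client that asked is a candidate infection."""
    hits = Counter()
    for line in dns_log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the log format
        qname = m.group("qname").rstrip(".").lower()
        if qname == KILL_SWITCH_DOMAIN:
            hits[m.group("src")] += 1
    return hits


# Constructed sample log; the third and fifth lines are unrelated lookups.
SAMPLE_LOG = [
    "2017-05-12T14:01:02Z 10.0.0.5 query kill-switch.example.",
    "2017-05-12T14:01:03Z 10.0.0.9 query KILL-SWITCH.EXAMPLE",
    "2017-05-12T14:01:04Z 10.0.0.5 query update.vendor.example",
    "2017-05-12T14:01:09Z 10.0.0.5 query kill-switch.example",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    # Before registration nothing answered, so the malware ran; afterwards
    # the sinkhole answered and the malware exited.
    print("unregistered:", kill_switch_tripped(lambda name: None))
    print("sinkholed:", kill_switch_tripped(lambda name: "203.0.113.10"))
    print("infected hosts:", dict(infected_hosts(SAMPLE_LOG)))
```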
Who was behind the attack and what was their motivation?
It isn’t known yet. However, it is widely accepted that the hackers used the ‘Eternal Blue’ hacking tool created by America’s National Security Agency (NSA) to gain access to Microsoft Windows computers used by terrorist outfits and enemy states. Since over a thousand computers in the Russian Interior Ministry, as well as computers in China, were hit, some of the state or quasi-state actors suspected of carrying out large-scale break-ins of computer systems in the United States will not, on this occasion, be among the immediate suspects. Interestingly, the NSA tool was stolen in April by a group called the Shadow Brokers, who seemed unhappy with US President Donald Trump, whom they said they had voted for.
How secure are Indian databases such as banks or UID (Aadhaar)?
The attack was specifically targeted at Microsoft Windows devices. Microsoft claims it “released a security update which addresses the vulnerability that these attacks are exploiting” in March itself, and advised users to update their systems in order to deploy the latest patches. However, in India, where most official computers run Windows, regular updating might not be a habit, and hence the vulnerability could be very high. A lot of personal data online are now connected to the Aadhaar data of over a billion Indians. Pradipto Chakrabarty, Regional Director, CompTIA India, said that the linking of Aadhaar to bank accounts, income-tax and other sensitive information increases the “threat surface”. “Since the user’s bank account is linked with his Aadhaar number, the ransomware can potentially lock down the account and make it unusable unless a ransom is paid,” Chakrabarty said. Amit Nath, Head of Asia Pacific, Corporate Business, at F-Secure Corporation, said the success of the WannaCry ransomware attack could give hostile nation states a reason to create cyber weapons where there’s no hope of ever recovering the data. “That’s the worst-case scenario,” Nath said.
Given the manifest vulnerabilities of the digital age, what, if anything, can you do to protect yourself?
A post attributed to Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center, said some of the attacks were using “common phishing tactics” like malicious attachments, and asked users to be cautious while opening attachments. The least you can do is stop clicking links that you don’t trust, and stop downloading software from unknown sources.
F-Secure highlights the need for a four-phase approach to cybersecurity: Predict, Prevent, Detect, and Respond. Predict by performing an exposure analysis; prevent by deploying a defensive solution to reduce the attack surface; detect by monitoring infrastructure for signs of intrusion or suspicious behaviour; and respond by determining how a breach happened and what impact it had on systems.