WannaCry Ransomware brought organisations to their knees
Ransomware is malware that denies access to a victim's computer or device, or encrypts the most important files on it, and holds them hostage until a payment is made to the cybercriminal. It essentially kidnaps information (data files, photos and videos) and extorts money from vulnerable, technology-dependent users and organisations. It is widely believed that ransomware targets affluent or populous countries, in particular the members of the G20, the group of industrialised and developing economies that together produce over 80 per cent of the world's gross domestic product (GDP).
The problem of ransomware is on the increase in many countries. An infection typically begins when the victim clicks on a malicious advertisement, e-mail or attachment, or visits a compromised website. The unprecedented ransomware known as "WannaCry", "Wana Decryptor" or "WCry", which attacked organisations last week, needed no such click. It spread fast because it behaved as a worm, propagating itself across networks, and it moved westward as businesses came online for the day on Friday May 12, 2017: an infection on one computer was designed to spread quickly across the network to every other vulnerable machine it could reach. Though a temporary fix slowed the infection rate, new variants soon appeared, demonstrating that the criminals behind this ransomware are continually innovating and evolving the way they operate.
This attack was launched using a vulnerability in Windows file sharing (SMB) first uncovered by the National Security Agency, whose exploit for it was later released on the Internet by hackers. It is one of the most prolific cyberattacks seen anywhere to date. WannaCry was wildly indiscriminate: it infected anything and everything it could, locked people out of their data and demanded that they pay a ransom or lose everything. More than 150 countries, including India and Sri Lanka, have been affected according to data published by the malware researcher "MalwareTech", who analysed the infection data collected through a sinkhole. While the debate rages on over who was behind the huge cyber-attack, over 350,000 computers have been affected globally, with victims including hospitals, banks, telecommunication companies, Internet Service Providers (ISPs), warehouses, logistics giants, gas and automobile companies and government departments such as police forces and interior ministries. This is an indication that the cybercriminals behind ransomware attacks do not care who their victims are, as long as they are willing to pay the ransom.
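The worm-like spread described above leaves a characteristic trace in network logs: one internal host fanning out to many others on TCP port 445, the port used by Windows SMB file sharing, far faster than any user opening file shares would. The following Python script, added here as an example and not part of the original article, flags that pattern. The log format, host addresses, window and threshold are assumptions for the demonstration, and the sample log lines are constructed, not captured from a real incident.

```python
"""Flag worm-like SMB fan-out in connection logs (added example).

Assumed log format (one connection attempt per line, constructed for this
example; a firewall or NetFlow export would be normalised into it):
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <allow|deny>
A host that contacts many distinct peers on TCP/445 in a short window is
behaving like a scanning worm rather than a user opening a file share.
Denied attempts count too: a sweep of a subnet mostly hits closed ports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(minutes=5)      # assumption: span of a sweep worth flagging
FANOUT_THRESHOLD = 20              # assumption: distinct peers; tune per site


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(port), action


def detect_smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: (distinct_peers, window_start, window_end)} for every
    source that reached at least `threshold` distinct hosts on TCP/445
    within any span of at most `window`. The peak count per source is kept."""
    attempts = defaultdict(list)            # src -> [(timestamp, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port == SMB_PORT:                # only SMB attempts are of interest
            attempts[src].append((ts, dst))

    alerts = {}
    for src, events in attempts.items():
        events.sort()                       # sliding window needs time order
        best = None
        start = 0
        for end in range(len(events)):
            # advance the window start until the span is at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= threshold and (best is None or distinct > best[0]):
                best = (distinct, events[start][0], events[end][0])
        if best is not None:
            alerts[src] = best
    return alerts


# Constructed sample log: one workstation sweeping a /24 on port 445 in
# under a minute (mostly denied), one user opening two file shares, and one
# host making many HTTPS connections (many peers, but not SMB, so it must
# not be flagged).
SAMPLE_LOG = (
    [f"2017-05-12T08:00:{2 * i:02d} 192.168.10.25 192.168.10.{100 + i} 445 "
     + ("allow" if i % 7 == 0 else "deny")
     for i in range(30)]
    + ["2017-05-12T08:00:10 192.168.10.40 192.168.10.5 445 allow",
       "2017-05-12T08:01:10 192.168.10.40 192.168.10.6 445 allow",
       "2017-05-12T08:03:10 192.168.10.40 192.168.10.5 445 allow"]
    + [f"2017-05-12T08:00:{i:02d} 192.168.10.41 10.0.0.{i + 1} 443 allow"
       for i in range(40)]
)

if __name__ == "__main__":
    for src, (peers, first, last) in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peers} distinct SMB peers between "
              f"{first.time()} and {last.time()}")
```

On the sample log only 192.168.10.25 is reported, with 30 distinct peers in under a minute; the user on 192.168.10.40 touches two servers and stays below the threshold, and the HTTPS fan-out from 192.168.10.41 is ignored because it is not SMB. The threshold should be set above the number of file servers a normal user touches in five minutes at your site, and the same logic applies to any other port a worm propagates over.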
The high value of information and our dependency on it motivate cybercriminals to exploit vulnerabilities for their own economic benefit. Ransomware is a product through which cybercriminals seek a reliable source of direct income from victims worldwide; some ransomware operators even portray themselves as service providers, offering technical support and discounts to their "customers", i.e. the victims. The low-risk, high-reward incentive of ransomware has opened the floodgates for criminal pioneers to build financially motivated heists. The WannaCry ransom note said that the cost would double from US$300 to $600 after three days, on Monday, and threatened to delete files within seven days if no payment was made. An analysis of the three bitcoin addresses linked to the ransom demands showed that only about $50,000 worth of bitcoin had been paid by victims. That is a small amount given the global scale of the attack, and, unlike most of its competitors, WannaCry had no reliable way of associating a payment with the person who made it: most ransomware generates a unique ID and bitcoin wallet for each victim and so knows who to send the decryption key to. The motive of the attack is still unclear.
As organisations embark on their digital journey, many users are not aware of the importance of backups even to guard against hard disk failure or the loss or theft of a computer, let alone a crypto-ransomware attack. This is primarily due to a lack of know-how, non-compliance with organisational security policies, or not realising the value of the data until it is lost. Setting up an effective backup process requires some work and discipline, so it is not an attractive proposition for the average user. Further, many organisations fail to implement a vulnerability management framework that keeps their systems up to date, and this allowed the malware to spread. Microsoft had released a Windows security update in March 2017 (MS17-010, which fixes the SMBv1 flaw this attack exploits), but many users were yet to apply it. In some cases, users do not install a good antivirus or update its signatures frequently.
Ransomware targets these known weaknesses in the user's security posture for extortion. Its creators know that data stored on servers, personal computers and devices is likely to be important to its owners: a project report, financial data, a business plan, or photographs of loved ones. Once installed, the ransomware stays undetected until it has found and encrypted every file that could be of value to the user. Victims then become desperate to get their data back, and prefer to pay the ransom to restore access rather than lose it forever and suffer the consequences.
All of this puts the emphasis on defence: stopping the ransomware before it has a chance to deploy its payload. Here are some guidelines to protect your computer and devices from ransomware which I recommended in an article published in September 2015:
* Make sure you have updated antivirus software on your computer.
* Keep the operating system and web browsers patched and up to date.
* Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if you think it looks safe. Instead, close out the e-mail and go to the organisation’s website directly.
* Have strong passwords, and don’t use the same passwords for everything.
* Use a pop-up blocker.
* Only download software, especially free software, from sites you know and trust, as malware can also come in downloadable games, file-sharing programs and customised toolbars.
* To prevent the loss of essential files to a ransomware infection, individuals and businesses should take regular system backups and store the backed-up data offline, where malware that reaches the network cannot encrypt it.
* User awareness education: most attacks begin with phishing e-mails.
* Use the same precautions on your smartphone as you would on your computer when using the Internet.
As cybercriminals become more sophisticated, there is simply no way for organisations to protect themselves against these threats unless they patch and update their systems promptly and monitor compliance regularly. Looking at the evolution of ransomware in recent years, it is clear that cybercriminals will continue to refine their techniques and develop new malware families. Attackers do not need zero-day vulnerabilities, previously unseen techniques or extremely sophisticated attacks to bypass defences: WannaCry used a flaw for which a patch had been available for two months. Hence, protecting servers and personal devices from ransomware requires ongoing vigilance.
(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter, Founder/President of Information Security Professional Associates (iSPA) and a board member of the (ISC)2 Colombo Chapter. He can be emailed at sujit@layers-7.com)