Ransomware: what precautions we need to take

On May 12, a global cyber-attack of immense proportions befell tens of thousands of computers across more than 150 countries. Attackers gained access to computers and held their victims’ precious data for ransom, demanding payments of between $300 and $600, payable in Bitcoin, to restore the information.

Universities, health services and major companies like FedEx were the targets of these cyber-extortionists. The Russians were quick to confirm that their Interior Ministry was also targeted in the global cyber-attack, and pointed out that the hacking tools originated with the United States’ National Security Agency (NSA).

While Russia, Ukraine, and Taiwan were top targets of the attack, Avast—a security software maker—observed more than 57,000 infections around the world. The attacks targeted Windows operating systems, using malicious software now known as “WannaCryptor 2.0” and commonly referred to as “Wannacry” ransomware.

The United Kingdom’s national healthcare system was also affected by the attack. As a result, doctors and hospital staff were locked out of their computers, and hospitals were forced to divert emergency patients, cancel operations, and develop workarounds when documents, such as patient records, became widely unavailable throughout Scotland and England.

How does ransomware work? For those still unfamiliar with ransomware, it does just what the name implies: it encrypts computer files, converting them into a format the owners cannot access without paying the ransom. Once the ransom is paid, the hacker will decrypt the files, or provide a cipher key for doing so. Maybe, as not all cases are resolved.

Payment is usually requested in Bitcoin, a cryptocurrency created in 2009. Since Bitcoins are not issued by governments and not transacted through banks, there are no middlemen tracking the purchases or charging transaction fees.

International payments are easy and cheap since Bitcoins are not tied to any country nor regulated or manipulated in any way. Payment transfers can be completed using mobile apps or computers, similar to current digital cash transactions.

With today’s advanced security systems and anti-malware, how could this happen? Easy. While the attackers used advanced hacking tools and software stolen from the NSA, they gained entry the old-fashioned way—by sending spam emails with malware attachments offering enticements such as job offers, and commonly opened items such as invoices, security warnings, and legitimate business files.

In today’s rapid-fire society, we are often under perceived time constraints to quickly open email attachments, and are flattered when asked to click on included links to respond to perceived opportunities.

These opportunities are often a ruse, providing “opportunity” only to those who wish to do us harm. Users should never open attachments, even from known associates, unless they anticipate receiving these items, and confirm the authenticity of the email.

In many cases, ransomware victims won’t even know they have been targeted until they attempt to access their files. However, “Wannacry” ransomware is more damaging and more rapidly noticeable, locking victims out of their entire system immediately. Wannacry is a computer worm: after infecting one computer, it looks for other computers to infect, spreading the attack further.

When Microsoft Corporation learned that its systems could be penetrated through a vulnerability exploited by the NSA techniques, the company released an update patch to close the vulnerability.

Unfortunately, systems running outdated Microsoft Windows versions without the patch remain vulnerable, since outdated versions of Windows do not receive security updates.

Who are these criminals? Here is where things get interesting. While the originators of the attack remain anonymous, they acquired their NSA hacking tools through the cybercrime group known as “Shadow Brokers”, an organisation known to post stolen NSA files online. From there, it was anyone’s game to acquire the tools and set their malware in motion.

But what do we know about Shadow Brokers themselves? The group began releasing NSA hacking tools and documents more than three years ago, and has been active since that time. Within the security community, experts originally believed the leaks came from an external staging server of the NSA, but now believe the more recent leaks come from inside the NSA. It is believed the Shadow Brokers are publishing NSA data from multiple sources.

NSA files

What more do we know of these guys? Speculation on who would be both capable of hacking NSA files and willing to publish the information was reported recently in the Washington Post.

Only two countries, Russia and China, would be both capable and willing. Russia is the leading candidate. Most likely, the country used the information to defend its own networks. Once its own systems were secure, the information was then sold to third parties. This would be one explanation of why the Russian Interior Ministry was a centre of the most recent attack, yet escaped nearly unscathed.

What can we learn from this global attack? First, it will happen again at all levels. Nation-states are conducting cyber-warfare through espionage, theft of national hacking tools and exposure of these tools on the open markets through third-party sales.

Users must be prepared to defend themselves by keeping their system patches up to date. This includes all devices that are connected to computer systems or are computer systems themselves, such as mobile devices, smart phones, tablets and even television sets. If it is connected to the Internet or another device, it is vulnerable.

Be aware of attachments such as PDFs and embedded links in emails, as well as attached zip files. Take extra precautions before opening them!

(Iyengar is a distinguished Ryder Professor and Director, School of Computing and Information Sciences, Miami; Miller has been with US Air Force for over two decades and is Coordinator, Discovery Lab, Florida International University)
