On Friday, hackers—who may not be caught for months, if at all—stole malicious software from the National Security Agency’s kitty of cyberweapons and used it not only against their own citizens but also against entities around the world, including governments, hospitals and businesses (such as FedEx in the United States, Telefónica in Spain and MegaFon, a telecom major in Russia), and of course end users. According to Kaspersky Lab, the worst-affected among the 150 countries were Russia, Ukraine, India and Taiwan. It is said to have spread to 230,000 systems.
Here is all you need to know about the attack that is being called the atom bomb of cybercrimes.
They used something known as ‘Wanna Decryptor’—a variant of the WannaCry ransomware—which encrypts data, locks users out of their systems, and demands a ransom to release it. It was circulated via an ordinary phishing email from a supposedly official source, with an infected attachment. It then used a worm to spread rapidly to all the computers on any network that had even one compromised machine. It utilised a hacking method the NSA allegedly developed as a cyberweapon. The result? Complete encryption of users' data, unlocking which came at a ransom of around $300 in bitcoin. The perpetrators designed their ransomware so that the ransom increases at intervals until it finally threatens to wipe out the data once a fixed amount of time elapses. The encryption makes sure the ransomware goes undetected by security systems until employees open it, after which it is too late.
As many as 36 British hospitals were locked out of their computer systems and were threatened that their data—like patient records—would be wiped out if the ransom demands weren’t met. Even ERs were forced to turn away people seeking urgent care. Reportedly, employees at Britain’s National Health Service were warned earlier on Friday, but there wasn’t enough time to act after that.
Closer home, police computers across 18 Indian units in Andhra Pradesh’s Chittoor, Krishna, Guntur, Visakhapatnam, and Srikakulam districts were affected. Gulshan Rai, chief of cybersecurity, told India Today, “There are about 100 systems attacked in India and as of now there are no more threats…We understand systems in Andhra Pradesh are impacted, but so far our assessment is that there isn’t much impact.”
Russia’s Interior Ministry claimed that “around 1,000 computers were infected,” which was less than one percent of their total, they noted, and that their technicians were able to contain it.
Last summer, a group that went by the name 'Shadow Brokers' leaked software tools from the US government’s collection of hacking weapons, even as the latter denied owning them. And last month, Microsoft was apparently tipped off about a vulnerability in its earlier builds—like Windows XP, which many Indian systems still run on. It released a patch within hours to combat it, but sluggish adoption by users, like the hospitals in Britain, left them exposed to the risk. Many experts believe that the tip-off—whose source Microsoft is not revealing—was in fact given by the United States government after it realised that one of its hacking tools, 'EternalBlue', developed to target a weakness in Windows systems, had been stolen.
In a highly unusual move, Microsoft released a patch for its older version—namely Windows XP—in the wake of these attacks, in spite of having discontinued it over three years ago. Microsoft’s President and Chief Legal Officer Brad Smith released a statement on their official website saying that the bulk of the responsibility lay with the US government for not informing Microsoft about this vulnerability beforehand. He wrote, “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today—nation-state action and organised criminal action.
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new 'Digital Geneva Convention' to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
A 22-year-old UK-based researcher who goes by the name of MalwareTech, while researching WannaCry, noticed that the web domain used by one of the attackers hadn't been registered, so he paid the $10.69 registration fee, took over the domain, and started tracking their activity. A Forbes article explains, “Whoever was behind the ransomware included a feature designed to detect security tools that would fake internet access for quarantined PCs by using a single IP address to respond to any request the computer made. This is a feature of a 'sandbox', where security tools test code in a contained environment on a PC. When MalwareTech registered his domain to track the botnet, the same IP address was pinged back to all infected PCs, not just sandboxed ones.”
"So the malware thought it was in a sandbox and killed itself. Lol," MalwareTech said to Forbes. "It was meant as an anti-sandbox measure that they didn't quite think through."
After MalwareTech found the ‘kill switch’, fresh speculation has surfaced that WannaCry will strike with a second cyberattack, and that this time it would not have the kill-switch protocol that was responsible for curbing the initial attack on Friday. Matt Suiche, Founder of Comae Technologies, claimed to have found two new variants, which he described on his blog as: “One working which I blocked by registering the new domain name, and the second which is only partially working because it only spreads and does *not* encrypt files due to a corrupted archive. A new variant had been caught by @benkow_ and sent to me for analysis. I reversed it and found a new kill-switch (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com) which I immediately registered to stop the new wave of global attacks. Then, I synchronised with @MalwareTechBlog and @2sec4u to map the new domain to sinkhole name servers to feed the live interactive infection map. This is 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.
A new variant with no kill-switch caught by Kaspersky. Although this build does only work *partially* as the ransomware archive is corrupted, the spreading still works. This is 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.”
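The sinkhole tracking described above rests on one observation: a machine that queries the kill-switch domain is running the worm, so the registrar's DNS logs become an infection map. The following added example, not code from MalwareTech, Suiche or anyone quoted here, parses constructed sinkhole query lines in an assumed "timestamp client qtype qname" format and counts distinct querying hosts; the page reproduces only Suiche's domain, so a labelled placeholder stands in for the first kill-switch domain.

```python
import ipaddress
import re
from collections import defaultdict

def normalise_domain(name):
    # DNS names are case-insensitive and may carry a trailing root dot
    return name.rstrip(".").lower()

# Kill-switch domain quoted above from Suiche's blog; the first domain
# (MalwareTech's) is not reproduced on this page, hence the placeholder.
KILL_SWITCH_DOMAINS = frozenset(normalise_domain(d) for d in [
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "original-killswitch-domain-placeholder.example",
])

# Constructed sample log lines (hypothetical sinkhole format), not real traffic.
SAMPLE_LOG = """\
2017-05-13T07:02:11Z 203.0.113.10 A ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-13T07:02:13Z 203.0.113.10 A ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-13T07:02:15Z 198.51.100.7 A www.example.com
2017-05-13T07:03:40Z 198.51.100.22 A IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-13T07:04:01Z 192.0.2.5 A original-killswitch-domain-placeholder.example
2017-05-13T07:04:02Z not-an-ip A ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_sinkhole_log(text):
    """Return {kill_switch_domain: set(client_ips)} for matching queries."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _ts, client, _qtype, qname = m.groups()
        domain = normalise_domain(qname)
        if domain not in KILL_SWITCH_DOMAINS:
            continue
        try:
            ipaddress.ip_address(client)  # drop malformed client fields
        except ValueError:
            continue
        hits[domain].add(client)
    return hits

def infected_host_count(text):
    """Distinct clients that queried any kill-switch domain (likely infected)."""
    clients = set()
    for ips in parse_sinkhole_log(text).values():
        clients |= ips
    return len(clients)
```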
To protect yourself from this, even if you are not using Windows XP, make sure your Windows OS is up to date with the latest updates and security patches. The latest builds of Windows come with Windows Defender, a built-in antivirus. XP users, on the other hand, should ideally upgrade to a newer version, the most recent being Windows 10. Europol, the EU law-enforcement agency, warns against clicking links or downloading attachments in emails from any sender you do not recognise, and advises blocking pop-ups and ads on seemingly suspicious sites. For Windows 7 users, Microsoft’s Windows Security Essentials software could provide the necessary protection. If your computer has already been affected, try downloading an antivirus on an uninfected system and transferring it to your system using a CD-ROM or a USB stick. This section on Microsoft.com has provided some useful guidelines. Also, back up all your important data on an external hard disk.