Breach


by Nirmal John


  What is little known is that these well-publicized global attacks weren’t the first time entities in India had to encounter the threat of ransomware. Over 2016 and 2017, says Atul Gupta of KPMG, a large number of the cases which his firm was brought in to investigate were instances of ransomware. Most annual security forecasts over the last few years have featured the threat of ransomware prominently.

  Interestingly, Gupta says that quite a few organizations in India that bore the brunt of these early attacks ended up paying the ransom demanded by the hacker. The data that was encrypted by these ransomware attacks was deemed too important, and rather than waiting for those behind these attacks to blink, companies preferred paying up. As long as they could recover the data and that was the end of the issue, it was a pretty easy choice for them.

  Funnily enough, he adds, some of the companies that resorted to paying up didn’t want to go through the trouble of engaging a firm for investigating the attack because the fee charged for this was higher than the ransom the companies had to pay. ‘We got phone calls where they [the companies] asked for our quote [fee] to investigate.’ On learning what it would cost them to get to the bottom of the problem, he says dryly, companies said that they would rather pay the attacker.

  The trouble with paying up, most security researchers agree, is that it encourages more attacks of a similar nature. While the amounts vary, WannaCry demanded $300 in bitcoin, doubling to $600 if the victim had not paid within three days; the Petya variant of June 2017 asked for a flat $300. The amount may be relatively small, considering how important data is for companies, but hackers view it as a volume game. Each ransom is not so large as to put off those from whom it is demanded, yet, because such attacks go viral and spread around, the attacker still makes a fair amount of money.

  In one of the cases reported from India in May 2016, computers in Maharashtra government’s revenue and public works departments were infected with a ransomware,2 rather aptly named Locky. What is shocking is that this particular iteration of ransomware was detected on 16 February that year. Cybersecurity companies had shared their knowledge of its existence with the public around the same time. It was pretty extensively reported in the media too. There was even a case of the Hollywood Presbyterian Medical Center in Los Angeles, which, according to the Los Angeles Times, had to pay $17,000 through bitcoins to the hacker to regain control of their computer systems and their patient data.

  According to the cybersecurity firm Symantec,3 ‘one of the main routes of infection of Locky has been through spam email campaigns, many of which are disguised as invoices. Word documents containing a malicious macro are attached to these emails. Symantec detects these malicious attachments as W97M.Downloader. If this macro is allowed to run, it will instal Locky onto the victim’s computer. Symantec telemetry indicates that Locky was spread by at least five different spam campaigns on February 16. The spam campaigns spreading Locky are operating on a massive scale. Symantec anti-spam systems blocked more than 5 million emails associated with these campaigns by yesterday, February 17’.

  All of this happened a full three months before the incident at Mantralaya in Mumbai, which houses the departments that were infected by the ransomware, became public. There were clearly more than enough warning signs about this strain of malware, as well as guidance and detection updates issued by various cybersecurity firms, despite which the incident took place.4 Locky ran only if the recipient allowed the document's macro to execute, so a policy of blocking macros in documents that arrive by email would have closed this delivery route outright.
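How such an attachment can be screened before it reaches a desk, as an added example that is not code from the book, from Symantec or from any vendor named here: the script below unpacks an Office Open XML attachment, treats an embedded VBA project as the reliable signal, and then looks for auto-run entry points and downloader-style calls. It assumes OOXML containers (.docm and similar); Locky's .doc attachments used the older OLE binary format, which needs an OLE parser such as oletools' olevba and is not handled here. The sample attachments are constructed in memory.

```python
"""Screen Office Open XML attachments for embedded VBA macros.

Added example, not from the book or Symantec. Heuristic gateway check:
the reliable signal is the presence of a vbaProject.bin part; the name
scan on top of it is best-effort because module streams inside that part
are MS-OVBA compressed (olevba decompresses them for real analysis).
The sample attachments at the bottom are constructed for this example.
"""
import io
import zipfile

# VBA entry points that run as soon as macros are enabled, without a click.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"AutoExec",
                   b"Workbook_Open", b"Auto_Open")
# Calls typical of a downloader stub that fetches and launches a payload.
SUSPICIOUS_CALLS = (b"Shell", b"CreateObject", b"URLDownloadToFile",
                    b"MSXML2.XMLHTTP", b"WScript.Shell", b"ADODB.Stream")


def inspect_ooxml(data):
    """Return what the attachment contains; never raises on junk input."""
    result = {"is_ooxml": False, "has_macro": False,
              "auto_exec": [], "suspicious": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # A vbaProject.bin part under word/, xl/ or ppt/ means a VBA project is embedded.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if not vba_parts:
        return result
    result["has_macro"] = True
    blob = b"".join(zf.read(n) for n in vba_parts)
    result["auto_exec"] = sorted(n.decode() for n in AUTO_EXEC_NAMES if n in blob)
    result["suspicious"] = sorted(n.decode() for n in SUSPICIOUS_CALLS if n in blob)
    return result


def verdict(data):
    """Gateway decision: 'not-ooxml', 'clean', 'quarantine' or 'block'."""
    r = inspect_ooxml(data)
    if not r["is_ooxml"]:
        return "not-ooxml"
    if not r["has_macro"]:
        return "clean"
    # Any macro from an external sender is held for review; an auto-run
    # procedure plus downloader calls is the Locky pattern and is dropped.
    if r["auto_exec"] and r["suspicious"]:
        return "block"
    return "quarantine"


def _build_ooxml(vba_blob=None):
    """Constructed sample: a minimal OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_blob is not None:
            zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


# Constructed inputs: a plain document, an "invoice" whose macro project
# (shown uncompressed for clarity) carries an AutoOpen downloader stub,
# and a document with a harmless formatting macro.
CLEAN_DOCX = _build_ooxml()
INVOICE_DOCM = _build_ooxml(
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 +
    b'Sub AutoOpen()\r\n'
    b'  Set h = CreateObject("MSXML2.XMLHTTP")\r\n'
    b'  Shell Environ("TEMP") & "\\payload.exe"\r\n'
    b'End Sub\r\n'
)
MACRO_ONLY_DOCM = _build_ooxml(b"\xd0\xcf\x11\xe0 Sub FormatTable()\r\nEnd Sub\r\n")

if __name__ == "__main__":
    for name, blob in (("clean.docx", CLEAN_DOCX), ("invoice.docm", INVOICE_DOCM),
                       ("report.docm", MACRO_ONLY_DOCM), ("junk", b"not a zip")):
        print(name, verdict(blob), inspect_ooxml(blob))
```

The split between "quarantine" and "block" is deliberate: a macro-bearing document from outside the organisation is rarely legitimate, but holding it for review costs little, whereas the auto-run-plus-downloader combination has no business use and is dropped without asking.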

  A senior official of Maharashtra police, on condition of anonymity, said the number of computers infected was closer to 900, far above the official figures. Multiple emails sent by this writer to the principal secretary, IT, a senior official in the information technology department of the Maharashtra government, remained unanswered.

  In India, the advertising agencies owned by WPP were not alone in suffering a Petya ransomware attack. Operations in one of the three terminals in Jawaharlal Nehru Port Trust, one of the largest and busiest ports in the country, had to be halted as the port operator scrambled to fix computer systems in the aftermath of the attack. Symantec estimates that India was seventh on the list of countries, in terms of number of organizations affected by Petya. The list was topped by Ukraine.

  The lack of a culture of reporting these incidents has meant that the official number of incidents of WannaCry and Petya, as put out by the Government of India, is, not surprisingly, a paltry thirty-four. The minister of state for electronics and information technology, P.P. Chaudhary, revealed this in a written reply to a question in the Lok Sabha.5 This figure was based on the number of infections reported to the Indian Computer Emergency Response Team (CERT-In), and indicates a need to enhance the reporting mechanism of CERT-In as well as the importance of educating both companies and individuals on the importance of reporting instances of infection.

  * * *

  While ransomware may have captured column inches across the globe only recently, hackers have been evolving the idea for a significant period of time. The earliest known case was in late 1989, when a trojan later dubbed the AIDS Trojan infected computers across Europe, Africa and Australia through 5-1/4 inch floppy disks sent by post to various addresses, disguised as AIDS information kits. It has since been evolving through various guises, with crypto-ransomware—in which encryption of data is the method of locking, with the decryption key released on payment of ransom—taking over as the dominant iteration from the early part of this decade.

  CryptoLocker, one of the more prominent ransomware families before WannaCry, spread primarily through email attachments and infected computers through 2013 and 2014. On opening the attachment, it would immediately proceed to encrypt the data on the computer, with decryption possible only through a key that would be shared on payment of a ransom.

  The evolution from CryptoLocker to WannaCry lies in the way they propagate. The newer strain exploits software vulnerabilities to spread rather than relying on humans clicking email attachments. WannaCry, for example, scanned for other machines reachable on the Server Message Block (SMB) port, TCP 445, and used the EternalBlue exploit against the SMBv1 flaw to infect any that were unpatched, on the local network and on random Internet addresses alike.6 (SMB is a network protocol that enables shared access to files and hardware.) Petya used the same SMB exploits but added two further ways of moving between machines: it harvested Windows credentials from memory and used legitimate administration tools (PsExec and WMI) to execute itself on other hosts, so even patched machines fell if they trusted a compromised one. That is a possible reason why it took down extensively networked multinational corporations like WPP.
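What that propagation looks like from the network, as an added example that is not from the book or from any vendor: a worm exploiting SMB has to open TCP/445 connections to many hosts in quick succession, which an ordinary workstation never does. The script below reads connection-log lines in a format assumed for the example (timestamp, src, dst, dport, proto) and reports any source that reaches more than ten distinct hosts on port 445 inside a sixty-second sliding window. The sample traffic is constructed.

```python
"""Detect worm-style SMB fan-out in connection logs.

Added example, not from the book. A host spreading over SMB opens
TCP/445 connections to many neighbours within seconds; this flags any
source that reaches more than MAX_PEERS distinct destinations on 445
inside a WINDOW-second sliding window. Log format and traffic are
constructed for the example; lines are assumed to be in time order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
WINDOW = 60     # seconds of history kept per source
MAX_PEERS = 10  # distinct 445 destinations tolerated inside the window


def parse_line(line):
    """One log line -> dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"iso": m["ts"], "ts": ts.timestamp(), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"].lower()}


def find_smb_scanners(lines, window=WINDOW, max_peers=MAX_PEERS):
    """Return {src: iso_timestamp_of_first_alert} for sources fanning out on TCP/445."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] != 445:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()          # drop events older than the window
        peers = {dst for _, dst in q}
        if len(peers) > max_peers and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["iso"]
    return alerts


def constructed_log():
    """Constructed sample traffic (not real telemetry), returned in time order."""
    base = datetime(2017, 5, 12, 7, 44, 0, tzinfo=timezone.utc)

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # Ordinary workstation: repeated SMB to its one file server, plus HTTPS.
    for i in range(20):
        lines.append(f"{stamp(i * 3)} src=10.0.0.5 dst=10.0.0.2 dport=445 proto=tcp")
        lines.append(f"{stamp(i * 3 + 1)} src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp")
    # Slow administrative sweep: twelve hosts on 445, one per minute, which
    # never exceeds the threshold inside any sixty-second window.
    for i in range(12):
        lines.append(f"{stamp(i * 60 + 2)} src=10.0.0.9 dst=10.0.2.{i + 1} dport=445 proto=tcp")
    # Worm-like fan-out: one host opens 445 to forty neighbours in forty seconds.
    for i in range(40):
        lines.append(f"{stamp(30 + i)} src=10.0.1.23 dst=10.0.1.{i + 1} dport=445 proto=tcp")
    return sorted(lines)   # ISO timestamps sort lexically into time order


if __name__ == "__main__":
    for src, when in find_smb_scanners(constructed_log()).items():
        print(f"ALERT {when} {src} exceeded {MAX_PEERS} SMB peers in {WINDOW}s")
```

Hosts that legitimately talk SMB to many machines (backup servers, domain controllers, vulnerability scanners) need an allow-list or the rule will page on them every day; the threshold is the other knob, and the test shows how lowering it pulls the slow sweep in. Because WannaCry also probed random Internet addresses, the same logic run over egress flows to port 445 is a cheap second signal, and blocking inbound and outbound 445 at the perimeter removes that path altogether.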

  While the Petya family of ransomware has been around since 2016, Kaspersky Lab found that the iteration which affected computers in June 2017 is ‘significantly different from all earlier known versions of Petya’. They even chose to classify it as a separate malware family: ‘We’ve named it ExPetr [or NotPetya] unofficially,’ said the lab in a blog post.7

  WannaCry and Petya are demonstrations of a worrying development in which exploit code that was perhaps created as a tool by intelligence agencies for cyberwarfare has trickled down into everyday computing.

  Take the case of Ukraine, which was particularly badly affected by Petya, and for a traceable reason: the initial infections arrived through a tampered software update for M.E.Doc, an accounting package used by most businesses that pay tax in Ukraine. The attack was concentrated and led to a lot of damage. This has given rise to theories that it was orchestrated to hurt the country and its infrastructure as part of Russia’s cyberwarfare against it. Important installations in the country, including the radiation-monitoring systems at the Chernobyl nuclear plant, the country’s transportation systems and its central bank, were affected by Petya. If this indeed was an act inspired by geopolitical objectives, then it holds great significance as an illustration of the havoc that can be wreaked when nation states resort to digital warfare in the future using far more sophisticated attack vectors.

  There’s more. WannaCry exploited a vulnerability in Microsoft’s Windows operating system which is believed to have been used by the United States’ intelligence wing, the National Security Agency (NSA), for cyber espionage.8 The NSA, which has armies of hackers working for it, had found the vulnerability, Microsoft alleges, but kept that information to itself rather than informing the Redmond, Washington-based company, which could have patched it earlier for businesses and individuals.

  In the aftermath of the WannaCry attack, Microsoft president and chief legal officer, Brad Smith,9 blasted what he termed as the stockpiling of vulnerabilities by governments:

  This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today—nation-state action and organized criminal action.

  The exploit eventually used in WannaCry, EternalBlue, was part of a cache of tools that a group calling itself the Shadow Brokers released publicly in April 2017. What is of significance is that the cache is believed to have been the NSA’s own: the Shadow Brokers said they had taken it from the ‘Equation Group’, the name the security firm Kaspersky Lab had given to a highly sophisticated hacking operation widely believed to be part of the NSA. The exploits were not stolen twice over; they leaked once, from the agency believed to have built them.

  The Washington Post,10 citing unnamed sources, reported in June 2017 that it was North Korea’s spy agency, Reconnaissance General Bureau, which was behind the creation of WannaCry. It is a plot worthy of many a Bond movie, in which weapons from a Western nation fall into the hands of a dictator ruling a rogue nation. It also raises the scary spectre of a future where such exploits could fall into the hands of terrorists, and the dangers they could sow with it.

  As Microsoft’s Smith puts it, ‘The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.’

  * * *

  If there is one thing that has done more than anything else to enable the rise of ransomware, it is the emergence of crypto-currencies. Bitcoin payments are recorded on a public ledger, but the addresses involved are not tied to anyone’s identity, so following the money to a person is difficult (though not impossible), and that makes it a relatively safe way for cybercriminals to get paid without fear of being caught.

  While transactions made in crypto-currencies like bitcoin are difficult to trace, they are not completely undetectable. Elliptic, a company registered in the UK with offices in the UK and the US, is focused on identifying ‘illicit activity on the bitcoin blockchain’ and providing ‘services to the leading Bitcoin companies and law enforcement agencies globally’.

  Elliptic is among those who say that the perpetrators of WannaCry wouldn’t have earned much even though they orchestrated the biggest ransomware attack the world had seen. Elliptic estimated that only about $50,000 worth of bitcoins were transferred in the first three days of the attack into the three bitcoin wallets hardcoded in WannaCry’s ransom note. As of the third week of July 2017, the total transferred to these wallets is estimated at around 52 bitcoins, an amount just shy of $150,000.

  There could be several reasons for the relatively low amount collected, one of them being that advisories sent out by countries as well as most people in the security industry actively discouraged those affected by these attacks from paying a ransom. News in the media of the plight of many people who, despite paying up, had not received the decryption key also contributed to the low numbers. WannaCry’s design did not help the attackers here: payments to three shared addresses could not be matched to individual victims, so decryption after payment depended on a manual process at the attackers’ end rather than an automatic release of a key. Probably the biggest reason is the reality that bitcoins are far from being understood, let alone popular, in everyday life. Most of the non-tech-savvy crowd has little idea what exactly bitcoins are, and how to source or use them.

  Law enforcement and Internet security companies have been trying to create platforms which offer decryption keys for some strains of ransomware in a bid to dissuade the payment of money to criminals. One such initiative is nomoreransom.org, started by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cybersecurity companies—Kaspersky Lab and Intel Security. The website states that its goal is to ‘help victims of ransomware retrieve their encrypted data without having to pay the criminals’.

  * * *

  One of the big differentiators of Petya and WannaCry from earlier ransomware attacks, and one of the biggest reasons why they spread so fast, is clearly their exploitation of a vulnerability in the Windows operating system, which an overwhelming majority of the computing world relies on. Microsoft had patched the SMBv1 flaw in March 2017 (security bulletin MS17-010), a month before the Shadow Brokers published the EternalBlue exploit and two months before WannaCry; even so, many companies and individuals had not applied the update.

  India is especially vulnerable because of two reasons—the large number of Windows XP systems in the country, and the dominance of pirated software in systems across individuals and smaller companies.

  The SMBv1 flaw that Petya and WannaCry exploited existed in Windows XP as well, but the EternalBlue exploit tended to crash XP machines rather than infect them, which is why the bulk of WannaCry’s victims ran Windows 7. That was luck rather than protection, and it is only a matter of time before another round of ransomware reaches the unsupported systems. According to India’s finance minister, Arun Jaitley, nearly 70 per cent of the ATMs in the country run on Windows XP, and the government is taking steps to upgrade these systems.11

  The reason why upgrading these systems is important is that Redmond-based Microsoft withdrew support for Windows XP on 8 April 2014,12 which essentially means that the company stopped working on and distributing security updates from that day onwards.

  According to NetMarketshare, a firm that tracks the statistics of Internet technologies, nearly 7 per cent of the desktop computers globally still run on Windows XP. To put that in perspective, as of June 2017, the 6.94 per cent share of Windows XP is higher than the 6.12 per cent share of all systems running various versions of Apple’s Mac OSX.

  That number is largely populated by computers from developing markets like India. In the aftermath of WannaCry, Microsoft was forced to release an update for Windows XP, even though they had ended support for the system officially, because of the sheer number of systems still running on it. But taping over the wounds of an operating system that is more than a decade-and-a-half old may not be the way forward.

  That explains why the Indian government reached out to Microsoft for a sizeable bulk discount for the country for Windows 10 upgrades, although the deal would not be easy to negotiate. India is believed to be asking Microsoft to slash nearly three quarters off the price of Windows 10. While the country does have the leverage in terms of its market size, for Microsoft it would mean loss of potential revenues to the tune of billions of dollars, not to mention the threat of similar requests for bulk discounts from other developing countries.

  That said, in the long-term, it may prove to be a good investment for Microsoft in making sure that one of the fastest growing economies in the world migrates to legal software, thereby mitigating the menace of pirated software, which has for long held sway in the Indian market. While the share of original software in India has been increasing, in the electronics markets all over the country there are enough people willing to instal pirated copies of Windows, and with an eye on sizeable savings, there are enough people willing to risk buying it too. While the fight against software piracy has moved the needle, it still hasn’t made the strides the fight against movie piracy has.

  Increased penetration of original software, though, won’t be enough by itself. Many users of legitimate software had failed to apply the March 2017 update in the two months before WannaCry. It is important to educate users about the pitfalls of not updating their systems as soon as patches arrive.

  * * *

  Most security researchers and cybersecurity experts agree on one thing: there is more to come and it is going to be worse. As Anmol Singh, a principal research analyst with the secure business enablement group at Gartner Research in Singapore, says, ‘WannaCry was amateurish in execution. There would eventually be a second wave which would be much more sophisticated.’

  In the immediate future, the attacks could also become more targeted. Currently, most ransomware, unless created by national agencies engaged in cyberwarfare, seems to be based on ‘spraying and praying’—infecting as many computers as possible and hoping people will pay up in large enough numbers. Malware has generally evolved from being aimed at the masses to becoming a highly specialized and highly targeted weapon, and there is no reason why ransomware wouldn’t follow suit.

  The sophistication of attack vectors coupled with increasingly networked societies will make things even more challenging. Imagine getting locked in your car with the only way to get out being to pay up. There are thousands of similarly absurd scenarios that could be waiting for us in the future, with the criminals behind our situation sitting in a faraway country, safe from law enforcement.

  There is a case to be made for asking whether we are heading into an over-networked future without weighing its cybersecurity implications. Today, there is an obsession with making everything smart and networked. There are, of course, benefits to this, but it is a fair question to ask how much networking is too much. Are we taking it too far when random household goods become networked? A pertinent question to ask would be whether your toaster really needs to be wired to the Internet.

  The good news is that some of these questions are being debated, thanks to increased awareness about cybersecurity because of WannaCry and Petya. For companies that lost data through these attacks, it was a rude awakening and a lesson on the importance of taking backups. It was also their introduction to the scary idea that the data in their computers can be at the mercy of hackers across the globe sitting thousands of miles away.

  Ransomware has been growing at a fair clip of 350 per cent annually, according to the 2017 Annual Cybersecurity Report published by Cisco. It can be said with a fair amount of certainty that there will be news of many more ransomware attacks that will grace the front pages of newspapers in the days ahead. WannaCry is likely to have been just the start of a new, more visible era in ransomware. The one thing that could make all the difference in this context is to heed the advice of pretty much every single cybersecurity mind and always remember to take a backup of all the data. The backup has to be one the ransomware cannot reach: it encrypts whatever the infected machine can write to, mapped network drives included, so a copy that is kept offline or otherwise immutable, and restored periodically to prove it works, is the one that counts.
