WannaCry? Meet the Biggest Ever Ransomware Attack in History!

The biggest global ransomware cyberattack on record has impacted over 130,000 individual computers across over 100 countries in just 48 hours. That figure is an estimate as of Saturday midnight May 13, and will certainly increase over the next few days as more victims are identified.

So What Exactly Happened?

Victims see a ransom demand on their screens stating that their data has been encrypted. The criminals demand $300 in Bitcoin to unlock the data, and the price increases to $600 within a few hours if the ransom is not paid. The attacks utilize malware – a worm called Wanna Decryptor (a.k.a. WannaCry). It infects the device of a user who has been tempted to open an email attachment and thereby unknowingly installs the malware. The malware encrypts the hard drive and searches the network for other potential target systems to spread itself to. Once inside an organization, it exploits a known vulnerability in the Windows OS that pertains to document sharing with other users on a network. Defense mechanisms against harmful document sharing between trusted users within a network are usually less stringent than those facing the Internet. These loopholes combined to deliver the biggest ever ransomware attack in history.

A happy accident temporarily halted the spread of the infection when a UK security analyst discovered what amounts to a ‘stop button’ or so-called kill switch.

Who has been targeted?

The malware targets Windows systems that are not up to date, or older versions of Windows that Microsoft no longer supports. For example, Windows XP was released in October 2001 and officially withdrawn from service more than 12 years later, in 2014. However, some organizations chose not to purchase a newer version of Windows and saved on the licensing costs, only to risk security attacks like the latest ransomware incident. Other large organizations, such as the UK’s National Health Service, paid Microsoft to continue supporting XP for them. However, the UK government decided to halt that spend in 2015, leaving the health care system vulnerable to the type of attack that occurred. The organization lost access to sensitive patient data, critical planned surgeries and procedures had to be cancelled, and hospitals had to shut down some units.

In general, government, university and health care networks using outdated Windows OS versions are likely to be the hardest hit.

What options do victims have?

There are only 3 options:

  • Pay the ransom
  • Restore the data from a recent backup – if one exists
  • Live without the data

In any event, users should work to apply the recommended security patches immediately. It is inevitable that the criminals will change their attack mechanisms and remove the temporary kill-switch capability, and then there are likely to be a number of copycat attacks using the same vulnerability in different ways.

Is the NSA at fault for this?

Not entirely. The NSA apparently did discover the vulnerability some time ago. They then weaponized it for their own use by building software code that exploited the vulnerability. The hacker group known as TheShadowBrokers made this code public, along with other parts of the NSA’s digital espionage toolkit, as part of their exposure of NSA hacking tools. Reports indicate that the hackers behind this week’s attack simply copied and pasted that code into their worm. Microsoft did in fact release a security patch to fix the vulnerability in March. However, not all users were aware of the vulnerability or the patch, and some chose to keep running potentially vulnerable systems instead. The debate continues as to whether the NSA should alert software vendors regarding vulnerabilities that they uncover, rather than keeping the knowledge to themselves for surveillance purposes.

What can we do to help protect against ransomware attacks?

The least you can do is to keep your software updated, at all times. The next level of defense is the human element – Internet users should never open email attachments unless they are absolutely certain that the files are coming from genuine, legitimate and known senders. These measures alone will suffice to curtail the majority of ransomware attacks coming your way.

The WannaCry worm will potentially reappear in different guises over the coming days and weeks. The best advice is to take action now to protect your devices.

Hackers Can’t Hide Forever… Even the Allies of Powerful Russian Politicians

The 32-year-old son of a Russian parliamentarian and an ally of Vladimir Putin has been sentenced to 27 years in prison by the U.S. government for causing damages worth $169 million. Roman Seleznev, known as “Track2” in the cybercrime underworld, was described as a “pioneer” of credit card data theft. His modus operandi was hacking point-of-sale systems to steal credit card data. Not only did he drive several U.S. firms to bankruptcy, he also established an entire market for stolen credit card information.

Hackers are now going to prison for 20-30 year stretches. The number of hackers being successfully prosecuted and receiving prison sentences has grown in recent years. In the murky mix of state-sponsored hacktivism and criminality, authorities in Russia and China have assisted the US in capturing hackers. The criminal hacker who stole a vast amount of customer data from JPMorgan Chase was arrested with the assistance of Russian intelligence in December. He had been hiding out in Moscow. Chinese authorities arrested hackers in connection with the theft of the records of a staggering 22 million U.S. federal employees. This is just a small sample of successful captures.

The growing issue of cybercrime

The reality is that cybercrime does pay and is difficult to defend against. Law enforcement resources are overstretched and hackers are getting away with it. Even though more criminals are being apprehended, that number is most likely being dwarfed by a greatly increasing cybercrime wave. It is reasonable to assume that the ratio of incidents to arrests is growing larger by the year.

The statistics on cybercrime are frightening. Approximately half of all reported security breaches are caused by hostile actors, with the remainder due to system or human error. The cost of a data security breach is estimated at $4 million on average. Actors in the cybercrime underworld can be categorized into four distinct groupings: pranksters, super-criminals, hacktivists and nation-state attackers.

Detection and prosecution of the criminal elements are restricted by the global reach of the Internet. The law enforcement agencies of nation states already have a full case load of local crime issues without the added difficulty of seeking cross-border cooperation. Also, the skills required to pursue hackers are still in relatively short supply within law enforcement agencies.

Stay clean, stay safe

Young people, especially those who possess the necessary technical skills, can be easily seduced by the seemingly easy pickings. Criminal activities can be launched from their own bedroom these days – what the FBI calls “criminal computer intrusion”. Phishing, fraud and ransomware are all on the rise. Often the perpetrators are 18- and 19-year-olds.

For regular law-abiding citizens or “netizens”, it pays to maintain a heightened sense of awareness online. Scams and get-rich-quick schemes abound. The old adage of “if it looks too good to be true, then it probably is” certainly holds true more often now than it ever did before.

Simple precautions include never clicking on email attachments from a source you do not know or completely trust, and not using the same password for every online account (an extremely common security weakness, apparently).

The cavalry will not come over the hill

For companies and individuals, it is important to realize that every device with the capability to access the Internet can also be accessed from the Internet. This means that hackers can infiltrate equipment, systems and confidential information. The authorities can only do so much, and it is not their responsibility to come to the rescue of every person or company that has been attacked and suffered a data security breach.

Microsoft Word 0-Day Exploit – and the State Sponsored Hacktivism Behind It

A zero-day vulnerability is a flaw that hackers can exploit on the same day it is identified, leaving zero days of warning for the unaware, unsuspecting victims. In the case of the Microsoft Word zero-day vulnerability, hackers had known about it since at least November 2016. Forensic analysis has found traces linked to attacks on Russian targets in addition to the mundane cybercriminal attacks that surfaced recently. A UK company that sells spyware systems to governments was named as the supplier, suggesting potentially state sponsored hacktivism in action.

The vulnerability affects almost every version of Microsoft Office out there. It was found in the Encapsulated PostScript (EPS) graphics filter. Victims were emailed a Word document that bypassed the standard warning about enabling macros and instead fetched content from a remote server. That server then sent a malicious payload, an RTF file disguised as a Word document, to infect targeted systems. The external content was not accessed until users said OK to the standard warning about remote content. You can read more details in the Microsoft announcement of the security patch and their advice not to switch on that particular filter. The Sophos site describes the mechanics of the exploit. This article claims that three groups were exploiting the vulnerability prior to its discovery.
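A defender's check for the disguise just described, an attachment whose extension claims a Word document while its bytes are RTF: an added Python example, not code from the original article, run over constructed sample bytes. The leading-byte signatures used are the standard ones for the OLE2 (.doc), ZIP (.docx) and RTF containers.

```python
import os
# Added example, not code from the original article: flag e-mail attachments
# whose extension claims a Word document but whose leading bytes say otherwise,
# such as the RTF file disguised as a Word document described above.
# Well-known leading byte signatures (magic numbers) of the containers involved.
SIGNATURES = {
    "ole2": bytes.fromhex("D0CF11E0A1B11AE1"),  # legacy binary .doc container
    "zip": b"PK\x03\x04",                        # .docx (Office Open XML is a ZIP)
    "rtf": b"{\\rtf",                            # Rich Text Format
}
# Container each Word-related extension is supposed to carry.
EXPECTED = {".doc": "ole2", ".docx": "zip", ".rtf": "rtf"}

def sniff_format(data: bytes) -> str:
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def check_attachment(filename: str, data: bytes) -> dict:
    """Compare what the extension promises with what the bytes actually are."""
    ext = os.path.splitext(filename.lower())[1]
    actual = sniff_format(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        verdict = "not-word"      # extension outside the scope of this check
    elif actual == expected:
        verdict = "consistent"
    else:
        verdict = "mismatch"      # e.g. a .doc extension wrapping RTF bytes
    return {"file": filename, "expected": expected, "actual": actual, "verdict": verdict}

# Constructed sample attachments (hypothetical, not real malware): a genuine
# legacy .doc header, an RTF body renamed to .doc, and a genuine .docx header.
SAMPLES = {
    "invoice.doc": SIGNATURES["ole2"] + b"\x00" * 24,
    "report.doc": b"{\\rtf1\\ansi Quarterly report}",
    "notes.docx": SIGNATURES["zip"] + b"\x14\x00\x00\x00",
}

def scan(samples: dict) -> list:
    """Names of attachments whose bytes contradict their extension."""
    return [name for name, data in samples.items()
            if check_attachment(name, data)["verdict"] == "mismatch"]

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("flagged:", check_attachment(name, SAMPLES[name]))
```

A mail gateway or endpoint scanner can apply the same comparison before the user ever sees the remote-content prompt.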

The Upsurge in State-Sponsored Hacktivism

State sponsored hacktivism is nothing new. Many observers believe that the Russian group Fancy Bear is attached to Russian military intelligence. The recent embarrassing public dumps of the NSA hacking tools appear to point to a similar role for the NSA. Recent suspected state sponsored hacktivism targets have included the UK Brexit referendum and the US presidential election.

Governments are increasingly harnessing hired-in hacking skills as a weapon, both against internal dissidents and external states. It’s obvious why – low cost, very difficult to detect when done successfully, even more difficult to trace and next to impossible to find proof and pin blame with any degree of certainty. It’s also not thought of as being in the same destructive category as dropping bombs or invading countries. Russia and China have been in the headlines recently as prime suspects. No doubt western allies have been active too. The incidence will increase, not go away. Government funding attracts hacking groups to offer their services and the advantage is all too often with the attacker.

Will State Hacktivism Affect the Average Business?

Yes and no. It’s no secret that governments collect and store all digital phone calls, for example, and endeavor to do the same with email. Innocent personal communications are in the mix but it’s difficult to perceive any sense of threat for law abiding citizens. However, this touches on the great privacy debate and the balancing act between a state protecting its citizens and prying too deeply into personal lives. It is not going to go away.

The age-old advice about not opening email attachments still holds strong. If you are not sure of the sender’s true identity, you must not click unsolicited links or download attachments, no matter how innocent or attractive they may seem.

This attack depended on users ignoring the standard Microsoft warning that some content is on external servers. Users should pay heed to warnings like that, and stop to think for a moment before proceeding.

An anti-virus system with real-time scanning will detect and block many attacks, although not all.

You can find more advice here.