Don’t be held ransom
Financial motivation has always been the major factor behind crime. Holding someone hostage and demanding ransom money was once common. Over the years, things have become digital, and most valuable information is now stored on digital devices. The digital age has not stopped crime; even today the motivation is financial gain. The only difference is that the criminals now hold digital information hostage for ransom. The latest such attack affected more than 230,000 devices across 99 countries.
This article looks particularly at ransomware, malicious software that prevents users from accessing their computers or files until a sum of money is paid. Cryptocurrencies such as bitcoin are the preferred means of payment, because the transactions are hard to trace. The desktop background is replaced with a page customised by the attacker that spells out the next steps, usually with a deadline; the attacker threatens to delete the data if the amount is not paid within the given time. There are two types of ransomware: crypto ransomware, which encrypts data and files, and locker ransomware, which locks the computer and blocks access to it.
If you are wondering how this works, the most common way to spread ransomware is through a malicious email attachment or link. Opening the attachment or clicking the link triggers an automatic install of the ransomware on the victim's computer, and the computer locks down or all its files and data get encrypted. The ransom amount, payment details, timers and so on are displayed on the screen. The computer is unlocked, or the files decrypted, only after the ransom is received, and on many occasions the data is lost even after the ransom is paid.
What you really need to worry about is WannaCry, the biggest ransomware outbreak in history. A group calling itself the Shadow Brokers said in April that it had stolen a 'cyber weapon' from the National Security Agency (NSA), America's signals intelligence agency. The hacking tool, called 'EternalBlue', exploits a flaw in the SMBv1 file-sharing service of Microsoft Windows, the world's most popular computer operating system, and gives an attacker control of any unpatched machine that exposes that service. It had reportedly been developed by the NSA to gain access to computers used by terrorists and enemy states.
How it works is simple: WannaCry targets Microsoft Windows machines and spreads automatically across the network by exploiting a known bug in the Windows operating system. Initiated with a spam email carrying job offers or security warnings, it locks up your computer and encrypts its contents so that nobody can access them. The infected system shows a window demanding a ransom of $300, with payment instructions. Two timers are shown on the left of the screen. One expires three days after infection, after which the ransom doubles to $600. The second shows the deadline after which the data will be lost forever.

WannaCry is a bigger threat because it is self-replicating: it is a worm. Its distributors used the EternalBlue exploit to spread it through the critical SMB vulnerability closed by Microsoft bulletin MS17-010, an exploit that may originally have been written by the National Security Agency. Once running, the worm scans for machines with a vulnerable SMB service on the local LAN and on the internet. For each host it finds, it connects to TCP port 445 and exploits that machine, and the new victim in turn starts scanning for others. WannaCry also installs the NSA's 'DoublePulsar' backdoor, which gives the attackers persistent access to infected machines. There is no way to restore the encrypted files without the private key generated by the ransomware. Once released, the worm needs absolutely no interaction from the attacker, which makes it an extremely effective distribution mechanism for ransomware inside a vulnerable enterprise.
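To see what that propagation looks like from the defender's side, here is an added example, not code from the article, that flags hosts fanning out on TCP port 445 in firewall logs: one source touching many different destinations within a minute is the signature of a worm sweeping the subnet. The log format, the addresses and the threshold of 20 distinct targets per minute are all constructed assumptions to adapt to your own firewall export and network.

```powershell
# Added example, not code from the article. Flags any source that opens
# TCP/445 connections to many distinct destinations within one minute.
# Log format and threshold are assumptions; adapt the regex to your
# firewall's export format.

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 20   # distinct 445 targets per source per minute (assumed value)
    )
    # Keep only port-445 connections; truncate the timestamp to the minute.
    $hits = foreach ($line in $Lines) {
        if ($line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} \S+ TCP (\S+) (\S+) 445$') {
            [pscustomobject]@{ Minute = $Matches[1]; Src = $Matches[2]; Dst = $Matches[3] }
        }
    }
    # One bucket per (source, minute); count how many different hosts it touched.
    $hits | Group-Object Src, Minute | ForEach-Object {
        $distinct = @($_.Group.Dst | Sort-Object -Unique).Count
        if ($distinct -ge $Threshold) {
            [pscustomobject]@{
                Src             = $_.Group[0].Src
                Minute          = $_.Group[0].Minute
                DistinctTargets = $distinct
            }
        }
    }
}

# Constructed sample log, one line per connection:
# "<date> <time> <action> <proto> <src> <dst> <dport>"
$base = [datetime]'2017-05-12T09:01:00'
$sampleLines = @()
# Worm-like: 10.0.5.17 tries one new host per second across the /24.
foreach ($i in 1..40) {
    $sampleLines += '{0:yyyy-MM-dd HH:mm:ss} ALLOW TCP 10.0.5.17 10.0.5.{1} 445' -f $base.AddSeconds($i), (100 + $i)
}
# Benign: a workstation using its one file server, and a browser on 443.
foreach ($i in 1..5) {
    $sampleLines += '{0:yyyy-MM-dd HH:mm:ss} ALLOW TCP 10.0.5.30 10.0.5.5 445' -f $base.AddSeconds($i * 7)
    $sampleLines += '{0:yyyy-MM-dd HH:mm:ss} ALLOW TCP 10.0.5.31 203.0.113.10 443' -f $base.AddSeconds($i * 11)
}

Find-SmbFanOut -Lines $sampleLines | Format-Table -AutoSize
```

On the constructed sample only the sweeping host is reported; the workstation that repeatedly talks to a single file server is not. In a real network a vulnerability scanner or backup server also fans out on 445 and must be put on an allow-list, and because WannaCry also probes random internet addresses, the same check on outbound traffic at the perimeter catches an infected host before it reaches other organisations.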
What it means to India: India ranks very high in software piracy. It is estimated that more than 65 per cent of the computers in India run pirated copies of Microsoft Windows. Such machines are hard to keep updated, which makes their users far more susceptible to attacks like this one.
What can be done to prevent this deadly ransomware: Install the official Microsoft patch MS17-010, which closes the vulnerability used in the attack. Disable SMBv1 on your computers, especially if any other computer on the network is affected; the exploit works only against SMBv1, so SMBv2 and later can stay on, and turning them off would break ordinary file sharing. Keep an offline backup of your system, so that an infection cannot reach it. Don't open attachments from unknown sources, and confirm the validity of a link before clicking it. Block port 445 on your firewalls, inbound from the internet and outbound from your network, to stop the worm spreading into or out of your domain.
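The script below, added here as an example and not part of the article, applies that list to a single Windows machine from an elevated PowerShell prompt. It assumes Windows 8.1, Server 2012 R2 or newer, where the SMB and firewall cmdlets exist. The KB numbers are the March 2017 MS17-010 updates listed from memory and must be checked against the bulletin for your build; the firewall rule names are arbitrary.

```powershell
# Added example, not from the article. Run as Administrator on
# Windows 8.1 / Server 2012 R2 or newer. Assumptions are marked.

# 1. Patch check. KB numbers are the MS17-010 updates as recalled for
#    Win7/2008 R2, 8.1/2012 R2, 2012, XP/2003/Vista/2008 and Win10 1507-1607;
#    verify them against the bulletin. Later cumulative updates supersede
#    them, so "none found" means "investigate", not "vulnerable".
$ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($found) { "MS17-010 update installed: $($found.HotFixID -join ', ')" }
else        { 'No MS17-010 KB listed; confirm a newer cumulative update is installed' }

# 2. SMBv1: the exploit needs it; SMBv2/v3 stay on for normal file sharing.
$smb = Get-SmbServerConfiguration
"SMBv1 server enabled: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# On Windows 10 / Server 2016 and later the protocol is also an optional
# feature; removing it covers the client side too (a reboot finishes it).
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Host firewall: refuse SMB from, and to, anything outside the local
#    subnet, so the host can neither be hit from nor scan the internet.
#    Rule names are arbitrary; adjust if file servers live on another subnet.
$inRule = @{
    DisplayName   = 'Block SMB in (non-local)'
    Direction     = 'Inbound'
    Protocol      = 'TCP'
    LocalPort     = 139,445
    RemoteAddress = 'Internet'
    Action        = 'Block'
}
$outRule = @{
    DisplayName   = 'Block SMB out (non-local)'
    Direction     = 'Outbound'
    Protocol      = 'TCP'
    RemotePort    = 139,445
    RemoteAddress = 'Internet'
    Action        = 'Block'
}
foreach ($rule in $inRule, $outRule) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule @rule | Out-Null
    }
}

# 4. None of the above replaces an offline backup: the worm encrypts every
#    writable share it can reach, so the backup must be disconnected.
```

The host firewall rules use the built-in 'Internet' address keyword, which means anything outside the local subnet; they complement, rather than replace, blocking port 445 at the network perimeter, since the worm spreads inside a subnet over the same port that legitimate file sharing uses.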

(The writer is CEO and chief research officer at Tesseract Global Threat Research Group)