May 16, 2017

WannaCry attack: all you need to know, and updates

Even as I was almost finishing my post on social media and tech updates today, the news of a worldwide cyber-attack exploded everywhere. I had not realized over the weekend that it would grow so much so fast. There is no bigger tech news today than this, so I am devoting this episode to it.

updated on Sunday, May 21

The story in short is this: For five days, the world has been in the grip of an attack on networked computers which encrypts files and makes them unusable. The victim can make the files usable again only after paying a ransom to the hackers.

WHAT THE HELL IS THE WORM?

This is a virus attack, commonly termed ransomware because it demands a ransom in return for going away. It is named WannaCry (or WannaCrypt).

The attack by WannaCry is supposed to exploit a vulnerability in the Windows operating system (OS). Microsoft's President and Chief Legal Officer says on this blog that Microsoft had issued a security patch against this vulnerability two months back but many users ignored it. A new patch was issued on May 12.

Some experts have blamed governments for lacking alertness, responsibility and understanding in dealing with tech, which might endanger the entire net. To prove the point, they cite the present attack and the CIA leaks that WikiLeaks exposed recently. It is reported that as far back as 2010, the UK government had wanted to replace old computers in the National Health Service (NHS) with new ones, but hospitals and government officials sat on it, leaving the computers sitting ducks for cyber-attackers.

It is reported that the US intelligence agency NSA had created an exploit named ETERNALBLUE for this particular vulnerability, and that it was leaked to the public by a group called Shadow Brokers. On Monday, the group said it would come out with more such exploits. Russian President Putin has said publicly that WannaCry is the creation of American intelligence agencies and would backfire on them. In response, the US Homeland Security Advisor has said it was not the creation of the NSA but the work of 'potential criminals and foreign nation states', perhaps hinting at North Korea.

Microsoft says it has been telling intelligence agencies to fix vulnerabilities rather than make them tools of cyber-warfare. If they are selectively releasing such tools, it is extremely wicked indeed.

But why did Microsoft release a security patch in March against this particular vulnerability? Microsoft has not been supporting ancient versions such as Windows XP for quite some time. But suddenly they came out with a fix in March that plugs this vulnerability. So, either the NSA told MS of the theft before it became public, or someone tipped MS off, or MS was part of some operation. The last one looks extremely unlikely.

Computers running old versions of core software are the most vulnerable to cyber-attacks, because vulnerabilities are discovered after release and new ones arise as coding practices evolve. Even security patches released by the vendors can insulate old software against modern malware only to an extent. The issue becomes serious when the vendor stops supporting the old software, e.g. Microsoft has stopped supporting the Windows XP, Windows 95 and Windows 98 versions of its OS. Specifically for WannaCry, something else seems to have happened. Read on.

Vulnerabilities occur in the latest versions of Windows and other operating systems too, and cyber-criminals exploit them. It is not always a design fault but the way the OS handles certain tasks. By writing malicious code that resembles genuine code, hackers can fool the OS into harming itself, much like viruses and cancer cells in living beings.

The present virus is supposed to have infected the 64-bit version of Windows 7 much more than any other version, and very few Windows XP computers, contrary to what was earlier thought.

The Financial Times has said that Microsoft held back a security patch that might have slowed down the attack. In fact, the paper goes on to tell how MS is charging huge sums from users of old Windows versions for additional security. Not only that, it is not giving all the security free on its latest Windows (Windows 10) but is charging extra bucks for full security!

WannaCry is an unprofessional job by the attackers, experts say. The attackers were also stupid enough not to try multiple web addresses or virtualize them to spread the virus, but chose an unlikely web address instead. Interestingly, a tech blogger in the UK (MalwareTech) got curious about the web address and registered it, which stopped the malware's spread. Of course, the earlier spread took time to taper off and new variants took over. It is learned that many groups are working on the vulnerabilities stolen from the NSA's vaults, so there could be more similar attacks, perhaps after a lull and under a different name.

It is reported that the hackers have also not been able to make big money by way of ransom. By Monday, they seem to have collected around 50K dollars, at the rate of $300 per attack.

GENESIS AND SPREAD

The cyber-attack is supposed to have started with some vulnerable computers in Europe, especially those of the National Health Service (NHS) of the UK, on Friday and then spread elsewhere. Vital operations in NHS hospitals came to a standstill on Friday itself, leaving patients in the lurch.

But researchers are not yet sure how the first attacks took place, or how many computers they hit. The latest evidence suggests it was not through emails but through a process that scanned for this particular vulnerability. Once the virus had infected a few computers in a big network, it spread through the LAN.

From Europe, the virus spread fast to all continents, especially Asia. Besides the UK, France and Spain, Russia, India, China, Taiwan and South-East Asia have borne the brunt, but except for some public services and companies, the attack on enterprises has been contained. The attack on the US has so far been less intense, as it had time to secure its servers. Africa and Canada are supposed to have been attacked only mildly.

It is reported that WannaCry has attacked over 300,000 computers/servers in 150 countries.
WannaCry attack: heat map, courtesy Symantec

Such an attack hits services in many ways. One, vital services disconnect their computers from the internet so as to secure them and stop the threat and further damage if already attacked. Two, users stop using the services for fear of infection, thus disrupting life. Three, the real damage to many computers and their data.

TRACKING THE HACKERS

How do the hackers get the ransom money? Well, it can't be through credit cards or bank transfers, as the recipient would be immediately nailed. So they use the virtual digital currency Bitcoin. Yet it may not be impossible to track them, experts say.

Europol and the FBI have started a massive manhunt to nab the criminals. The Bitcoin accounts are also being tracked. A small hacker group has claimed responsibility for the attack but is being dismissed as bravado. North Korea has been blamed, but how much of that is political propaganda remains to be seen.

HOW DO I SECURE MYSELF

  • To secure your networked computer, update its OS immediately.
  • If your computer runs on Windows and you have not updated it recently, or you are not in a position to do so, apply this patch from the Microsoft site: MS17-010
  • Avoid digital transactions for some days, so as to allow service providers (e-comm sites, banks, etc) to secure their servers.
  • Do not open email attachments, especially: files with unusual suffixes in their names, files from unknown sources, any file named tasksche.exe, or attachments carrying a URL you do not recognise.
  • Do not open any email or act on its instructions if it seems to come from Microsoft or some other known big name. Typically, they pose as security experts and tell you that your computer is at risk unless you enable macros, install software offered by them, or something similar.
  • Avoid using public wi-fi.
  • Back up your critical data on an external hard disk or DVDs.
  • Install powerful antivirus software on your computer (and smartphone) and keep it in auto-update mode.
  • This particular malware is unable to attack systems running the Mac and Linux operating systems. But why not use this opportunity to secure Mac and Linux computers, if you are using them?
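The first two items above boil down to two questions a Windows user can answer from a PowerShell prompt: is the MS17-010 fix installed, and is SMBv1 (the file-sharing protocol the exploit uses) still switched on? The script below is an added example, not code from the original post or from Microsoft; the KB numbers in it are assumptions for Windows 7 SP1 / Server 2008 R2 and should be checked against the MS17-010 bulletin for your own Windows version.

```powershell
# Added example (not from the original post). Checks whether the MS17-010 fix is
# present and whether SMBv1 is still enabled on this machine.
# Assumed KB ids for Windows 7 SP1 / Server 2008 R2: security-only update and
# monthly rollup. Look up the id for your Windows version in the MS17-010 bulletin.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Installed {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix lists installed updates by their KB id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 registry value is absent by default,
    # and absent means enabled; only an explicit 0 disables it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

$patched = Test-Ms17010Installed
$smb1On  = Get-Smb1Enabled
"MS17-010 fix installed : $patched"
"SMBv1 enabled          : $smb1On"

if (-not $patched) {
    Write-Warning 'MS17-010 update not found. Run Windows Update or install it from the bulletin.'
}
if ($smb1On) {
    Write-Warning 'SMBv1 is enabled. Disable it unless an old device on your network still needs it:'
    Write-Warning '  Windows 8.1/10 : Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
    Write-Warning '  Server 2012+   : Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}
```

On Windows 10 the fix ships inside the cumulative updates rather than as a separate KB, so there a missing KB id does not by itself mean the machine is unpatched; the Windows Update status is the better check.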
