
When danger lurks behind every file

Thousands of people receive messages of ransom from cybercriminals every day

Dealing with the WannaCry ransomware attack
Devangshu Datta
Last Updated : Jul 16 2017 | 2:28 AM IST
It’s morning. You pick up your cuppa and head for the computer, which was set to download a torrent file of Wonder Woman before you went to sleep. You’re looking forward to watching WW over the weekend on your fancy home theatre system.  Everything looks fine. The machine is running and the screensaver is on.

As you move your fingers across the trackpad, the saver disappears and a message scrolls onto the screen.

It says, “Your personal files are encrypted. To decrypt the files you need to download a private key. That key will be destroyed after (specified time). After, nobody [sic] and never [sic] will be able to restore files. To obtain the private key, pay $300 in bitcoin. Click next to select mode of payment.”

That torrent file was infected. You have been hacked and the hacker wants money to release your data. Instead of paying Rs 250 for a movie ticket, you may end up paying Rs 20,000 or more, to get the data back.   

Every day, thousands of people around the world wake up to similar messages.  Ransomware is a popular way for cybercriminals to make a quick buck. Ransomware attacks have generated millions for the perpetrators — the FBI estimates that CryptoWall extorted over $18 million before it was stopped.

It’s easy to set up a ransomware operation. There are literally thousands of data-encryption programmes available. These often come bundled with the operating system on a new computer or smartphone. Most are legitimate and used to protect sensitive data.  In addition, there are malicious encryption programmes created by hackers.

There are many ways to infect a computer and thousands of viruses and worms are written for this purpose.  A worm can be introduced through email attachments, or torrent downloads. Or, a malicious app might masquerade as a safe programme.  Once a worm is injected into a network, it can propagate on its own. So, one unsafe machine in a network can infect others.

The hacker doesn’t need to be computer-savvy. Many malicious programmes are available for free on the internet, complete with instruction videos. A “script kiddie” can just copy code to get rolling. The hacker can download a free bitcoin wallet, for the purpose of receiving an untraceable payment. A throwaway email account can be set up somewhere to communicate the private key and any instructions. What’s more, even if the hacker does decrypt your files upon payment, your machine may remain infected and open to future exploitation.

It isn’t just individuals and small businesses that have been affected. In the past six months, ransomware has hit many large businesses and even infrastructure.  Power grids, airlines, ports, train services, bank ATMs and automobile factories have been attacked.  

The WannaCry worm that hit the Net in May is estimated to have infected over 230,000 computers across 150 countries on the first day, May 12. The attack happened over a weekend and that may have saved a lot of offices from being victimised. The worm used a weakness in Windows called EternalBlue, which had been weaponised by America’s National Security Agency and picked up by somebody who hacked the NSA and released the code.  

The initial attack was halted almost fortuitously when a young IT security researcher in England (who calls himself MalwareTech) discovered a kill switch. But new versions were soon released without that kill switch. Microsoft had to generate an emergency security patch.

The next attack started in the Ukraine in June. This deployed versions of a malware called Petya that was embedded in an apparently innocent app that “helped” Ukrainians calculate tax. It used a fake security certificate that made it look legit. Prior to the attack, the malware was commercially sold on the Darkweb as a RaaS (Ransomware as a Service) by somebody with a sense of irony. The sellers threw in a payment collection system and marketed it thus, “As professional cybercriminals we know that you can’t trust anyone. So we’ve developed a payment system ... where nobody can rip you off.”

Petya spread like lightning across the world, knocking out all sorts of systems everywhere. Very few payments were made, and the “payment system” referred to above was shut off, with the associated email ID blocked.

But there was a grim twist to this tale. Data cannot be recovered from a Petya attack. Anybody who paid the ransom would have been left with dead data anyhow. IT security researchers allege that this malware was designed to destroy data. Ukrainian researchers allege that, in all probability, the attack was mounted with, at the very least, the collusion of Russian state agencies. The Ukraine has been hit several times over the years in an undeclared “cyberwar” with Russia. For that matter, there are allegations that the WannaCry attack was sponsored by North Korea. So state actors may be in the picture as well.

How do you deal with this scourge? 

Sensible habits help. Don’t download pirated videos, or click on email attachments from unknown sources, or install apps without checking.

Operating systems and anti-malware programs must be kept updated. However, new malware variants are being written constantly and there are no guarantees that ransomware won’t get through.

If you do nothing else, follow this Golden Rule: Back up regularly to at least two different places such as an external hard drive and the cloud. Then, back up some more, just to be safe.

How to protect your smartphone

1. Only download apps from trustworthy sources

2. Read the permissions the app wants

3. Read the user reviews

4. Make sure Google Play Protect is activated on an Android phone (click the Play Store menu and then activate Play Protect)

5. Back up your data, preferably at two places

6. Update Android security patches (click settings — about phone — check Android security patch level)

Anti-ransomware for corporations

Lucideus, an IT risk assessment and digital security services provider, has a new cyber risk management platform called SAFE, which flags vulnerability to ransomware along with other aspects of cyber security.

SAFE (Security Assessment Framework for Enterprise) is customised for every organisation’s specific needs and integrated on top of existing security measures. It maintains a real-time watch on the company’s cyber security, monitoring every IT asset, from servers down to smartphones and PCs. SAFE is tested by the simulation of real hacks, DDOS attacks, etcetera to check if anything is vulnerable. It also ensures that the company’s cybersecurity conforms to required regulatory norms in different regions. 

SAFE offers a simple, single number (0-5, with 5 best) to rank the cybersecurity in a firm. What’s more, it offers a peer comparison, informing the client where it rates in comparison to competitors. 

Lucideus CEO Saket Modi claims, “SAFE can safeguard you against multiple kinds of advanced cyber attacks. For example, ransomware incidents rose by over 40 per cent globally in the last year. SAFE used in conjunction with any reputed anti-malware solution will reduce the probability of a Ransomware hack by over 50 per cent.”

Don't Pay Up 

Kaspersky Lab is one of the world's leading IT security firms. We asked Kaspersky to give pointed advice to readers. The emailed responses to our queries are given below: 

Q1. Does Kaspersky have specific products to defend against ransomware for enterprise / individuals?

Kaspersky Lab offers various levels of protection for your home and office. We have inbuilt features in our solutions like System Watcher that takes care of Ransomware. For Non-Kaspersky users, Kaspersky Lab provides a free anti-ransomware tool that is available for all to download.

The Dutch Police, Europol, Intel Security and Kaspersky Lab jointly run the No More Ransom project, a non-commercial initiative that aims to inform about ransomware and help recover data. This portal, https://www.nomoreransom.org/, carries 50 decryption tools (seven made by Kaspersky).

Q2. What advice would you give on safe practices?

How to protect against any ransomware:

1. Make sure that you back up your important files regularly

2. Regularly check that your backup copy is OK

3. Fine-tune antispam e-mail settings and never open attachments from an unknown sender

4. Trust no one, literally. Malicious links can be sent by your friends on social media, your colleagues or clients whose accounts have been compromised

5. Enable ‘Show file extensions’ option in the Windows settings. This will make it much easier to distinguish potentially malicious files. You should be warned to stay away from file extensions like “exe”, “vbs” and “scr”. Scammers could use several extensions to masquerade a malicious file as a video, photo, or a document

6. Regularly update your operating system, browser, antivirus, and other programmes

7. Use a robust antivirus programme to protect your system from ransomware

8. If you discover a rogue or unknown process on your machine, cut off the internet connection immediately. There’s still a chance you can restore the files. However, this tip, unfortunately, would not work in all cases

9. If you are unlucky to have your files encrypted, don’t pay the ransom, unless the instant access to some of your files is critical. Each payment fuels this unlawful business

10. If you have been infected by ransomware, you should try to find out the name of the malware: maybe it’s an older version and it is relatively simple to restore the files
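
Tip 5 above can also be applied automatically to a downloads folder. The following is an added example, not part of the article or of Kaspersky's reply: it flags file names whose real (last) extension is one of the three named in the tip while an earlier part of the name looks like a video, photo or document. The `DECOY` list and the sample file names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Extensions that tip 5 names as ones to stay away from.
RISKY = {"exe", "vbs", "scr"}
# Assumption: extensions a reader expects on a video, photo or document.
DECOY = {"mp4", "avi", "mkv", "jpg", "jpeg", "png", "pdf", "doc", "docx", "xls", "txt"}

# Constructed sample listing, not taken from a real machine.
SAMPLE_DOWNLOADS = [
    "Wonder.Woman.2017.mp4",
    "Wonder.Woman.2017.mp4.exe",
    r"C:\Users\demo\Downloads\tax_invoice.pdf.scr",
    "holiday_photo.JPG .vbs",
    "installer.exe",
    "notes.txt",
    "README",
]


def classify(path):
    """Return 'masquerade', 'risky' or 'ok' for one file name or path."""
    # PureWindowsPath accepts both \ and / separators and needs no real file.
    name = PureWindowsPath(path).name.lower()
    # Ignore stray whitespace around each dotted part of the name.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in RISKY:
        return "ok"
    # The real extension is executable; a media or document extension
    # earlier in the name means the file is dressed up as something harmless.
    if any(p in DECOY for p in parts[1:-1]):
        return "masquerade"
    return "risky"


def scan(paths):
    """Return {path: verdict} for every entry that is not 'ok'."""
    return {p: v for p in paths if (v := classify(p)) != "ok"}


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_DOWNLOADS).items():
        print(f"{verdict:10} {path}")
```
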
