Last week, computer malware swept systems the world over and locked them down until a ransom was paid. While the initial attack might have been a jarring one, it could easily prove to be the tremors before a truly disastrous event.
It turns out the aftereffects of “WannaCry” could be scarier than originally believed. At worst, a hacker could have entered your system, only to reside there for years and wreak havoc at will, cybersecurity experts warn.
And the next variant of the malware, whenever it strikes, could be far worse, they add.
The ransomware began infecting users on May 12 and gave them 72 hours to pay $300 in bitcoins or shell out twice as much. Refusal to pay after seven days would result in the permanent loss of data via irrevocable encryption, it warned. The malware managed to hijack Britain's health service and India was one of the worst affected.
QuickHeal Technologies, an IT security solutions provider, detected nearly 48,000 attempted WannaCry attacks on Indian computers, of which 60 percent were targeted at enterprises and 40 percent towards individual customers. The top five Indian cities impacted by the virus are Kolkata followed by Delhi, Bhubaneshwar, Pune, and Mumbai.
Experts say that’s just the tip of the iceberg and that the global attack exposed some serious weaknesses. Researchers have been warning about such a massive ransomware attack and now that it has happened, the fear is that the next variant could be a lot worse.
Sahir Hidayatullah, ethical hacker and chief executive officer of Smokescreen Technologies, insists we got lucky this time around. The attack happened over a weekend when most people weren’t at work, so their systems were offline. This also gave security teams time to scramble and get the patch out, he explains. By the time Monday hit, the ‘kill-switch’ URL had been activated, resulting in a drastic drop in infections.
He’s quick to add, though, that thousands of systems were not patched against “ETERNALBLUE”, a skeleton key into any Windows system. “WannaCry was perhaps the most noisy, public exposition of this fact, but what about the more insidious attackers who would have used the exploit over the last couple of months to gain access, implant back-doors, and steal information? These attacks would not have even been detected,” says Hidayatullah.
Was India Prepared?
It wasn’t just the U.K. and other European countries that were adversely impacted by this attack. According to Sanjay Katkar, co-founder and chief technology officer at QuickHeal Technologies, India was one of the worst affected countries.
Why? Indian companies, banks and the government were significantly underprepared for an attack of this scale, Hidayatullah says.
Most rely on antivirus to detect ransomware, which doesn’t work as there are hundreds of new variants every day. They have no ability to detect malicious activity moving around the internal network (with their focus being on perimeter security). In the case of WannaCry, many organisations hadn’t patched their systems against the ETERNALBLUE exploit that allows it to spread like wildfire once in the network.
– Sahir Hidayatullah, CEO, Smokescreen Technologies
Experts point out that WannaCry took advantage of systems running old versions of Windows which had left the vulnerability exposed. Microsoft officially ended support for XP in 2014, but several small businesses, ATMs and government computers still use the outdated operating system. In fact, pirated versions of XP have always been easily available in India.
But whether you have a valid or a pirated licence doesn’t really matter, says Samir Shah, chief executive officer at U.S.-based cyber security firm Aurionpro. “As long as you did not have the security patch updated, you were vulnerable. Piracy is not the issue here; lack of anticipation and preparedness is the prime concern.”
According to Microsoft and antivirus software companies, the fix was fairly simple – install the Microsoft patch MS17-010 and back it up with adequate antivirus protection on the system to control or prevent the virus from spreading.
But what about networks already infiltrated by the virus? Hidayatullah suggests there is only one solution – infected networks will have to be shut down and rebuilt from scratch. And if that’s not worrisome, there’s the ‘Golden Ticket’.
Dig a little deeper to understand what that means, and it begins to resemble the script of a Die Hard sequel.
In this attack the malware used ETERNALBLUE to exploit a vulnerability in Windows; on systems that had applied Microsoft’s patch it could not spread like wildfire. DARKPULSAR was the next stage, which let the attacker maintain access, much like an implanted backdoor. It was designed to be covert and almost impossible to detect.
The Golden Ticket
What’s most worrisome is that the ETERNALBLUE exploit can give access to the domain controller, which happens to be the route to the Golden Ticket. The Golden Ticket is a key with which a hacker can exploit practically any resource in the network once he gets access to domain administrator credentials. Hidayatullah says, “It revolves around compromising a particular account that Microsoft creates known as the ‘krbtgt’. The Golden Ticket can be generated by the hacker in such a way that it remains a valid key for decades. In short, once the hacker is able to create it, he can walk back through the front door, pretending to be anyone in your company for the next 10 years (unless you go through the difficult process of resetting the account).”
Essentially, once a hacker has managed to launch a Golden Ticket attack on your system, he could reside there for years and wreak havoc on your system at will.
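One defender-side check that follows from the description above: a forged Golden Ticket is typically minted with a validity far beyond the domain’s ticket-lifetime policy (10 hours is the Windows default for a user TGT), and may be issued for an account that does not exist in the directory at all. The script below is an added example, not from the article or any of the firms quoted; it runs over a constructed list of ticket records and a constructed account list, flags both anomalies, and also reports tickets issued before the last krbtgt reset, which a defender would expect to become invalid after the second reset.

```python
from datetime import datetime, timedelta

# Windows default policy: "Maximum lifetime for user ticket" is 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample data (not real tickets or accounts). Timestamps are what a
# defender might pull from klist output or KDC ticket-granting events.
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup"}
KRBTGT_LAST_RESET = datetime(2017, 5, 14, 12, 0, 0)  # hypothetical reset time
SAMPLE_TICKETS = [
    {"user": "alice",     "start": "2017-05-15 08:00:00", "end": "2017-05-15 18:00:00"},
    {"user": "bob",       "start": "2017-05-13 09:12:00", "end": "2017-05-13 19:12:00"},
    {"user": "sysadmin2", "start": "2017-05-15 10:00:00", "end": "2027-05-13 10:00:00"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def suspicious_tickets(tickets, known_accounts, krbtgt_last_reset,
                       max_lifetime=MAX_TGT_LIFETIME):
    """Return [(user, [reasons])] for every ticket that violates a policy expectation."""
    findings = []
    for t in tickets:
        start, end = _parse(t["start"]), _parse(t["end"])
        reasons = []
        lifetime = end - start
        if lifetime > max_lifetime:
            # Forged tickets commonly carry multi-year validity; the KDC never issues these.
            reasons.append(f"lifetime {lifetime} exceeds policy max {max_lifetime}")
        if t["user"] not in known_accounts:
            # A Golden Ticket can name any principal, including one the directory never had.
            reasons.append("account not present in directory")
        if start < krbtgt_last_reset:
            # Tickets signed with the previous krbtgt key; invalid once the key is rotated twice.
            reasons.append("issued before last krbtgt reset")
        if reasons:
            findings.append((t["user"], reasons))
    return findings

if __name__ == "__main__":
    for user, reasons in suspicious_tickets(SAMPLE_TICKETS, KNOWN_ACCOUNTS, KRBTGT_LAST_RESET):
        print(f"{user}: {'; '.join(reasons)}")
```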
Better Safe Than Sorry
So what can companies do? According to Shah, a CXO should adopt a four-step approach to deal with a virus like WannaCry in the future:
1) Isolate: Isolate the system from all connectivity to prevent further activity. Cut the internet connection – hardwired or wireless, the network connection and ensure that the system cannot call home.
2) Assess: Consult a security expert or the IT task force responsible for the system’s security to understand the scope and scale of the attack. Sometimes it is just a hack of the browser, and simply killing the application from the task manager can do the trick. Sometimes it is a deep-rooted challenge, where you are dealing with encrypted files and you have to go back to the BIOS for a course correction. It should be left to the discretion of an expert to assess and make that judgement.
3) Eliminate: Eliminate the threat through the necessary course corrections and technology interventions. If that means incurring losses, one should be prepared for the same. This is where proper redundancies in back-up at a policy level help.
4) Strengthen: Getting out of an attack is only half the job done. One should immediately secure and strengthen systems to ensure that such a problem never resurfaces again. This can range from simple upgrades to IT policy to making enterprise level updates and policy decisions.