May 12, 2017, was not a normal day; it was a day on which history was made. It witnessed the biggest cyber attack in the history of the Internet, as a ransomware strain named WannaCry invaded tens of thousands of computers across the world.
The malicious software, which leveraged a vulnerability in the Windows OS and borrowed from leaked NSA exploits, infected about 200,000 computer systems, with the epicenter of the damage lying in Europe. WannaCry stormed 150 countries, with Russia, Ukraine, and Taiwan being the top targets.
Although the outbreak has been curtailed, it momentarily crippled big organizations, forced British hospitals to turn away patients, and threw several government agencies into chaos. Before we dig into the details of WannaCry, let’s understand what ransomware is.
What is Ransomware?
Ransomware is an advanced type of malware that blocks victims’ access to their own files. It is coded to lock users out of their system, and they can regain access to their files only by paying a ransom. WannaCry in particular was demanding about $300, with the price increasing over time.
Ransomware has been putting down roots for the past two years, and WannaCry is just its grand reveal to the wider world.
There are two main types of ransomware, with a notable subtype of the second:
- Encryptors: Use sophisticated encryption algorithms to encrypt the victim’s files and demand payment for the key that decrypts them.
- Lockers: Lock the user out of the operating system, making it impossible to reach the desktop or any apps or files without paying the ransom.
- MBR ransomware: A type of locker that infects the Master Boot Record (MBR), the section of the hard drive that lets the operating system boot. MBR ransomware prevents the boot process from completing and displays a ransom note on the screen instead.
Encryptors, also known as crypto-ransomware, are the most widespread type of ransomware, and the notorious WannaCry belongs to this class.
Characteristics of Ransomware that Set It Apart from Other Malware
As we know, ransomware typically demands payment in return for restoring victims’ access to their own files. Here is a list of characteristics typical of ransomware that set it apart from other malicious software:
- It uses strong encryption that is practically impossible to break without the key, so you cannot regain access to your files on your own.
- It can encrypt all kinds of files, from documents to audio files, pictures, videos, and boot files.
- It scrambles file names to confuse victims and make it impossible to trace which data is affected.
- It appends a different extension to your files that signals a specific ransomware strain.
- It demands a ransom via an image or a message telling you that your data has been encrypted.
- It requests payment in Bitcoin, a cryptocurrency that cannot be tracked by cyber security professionals or law enforcement agencies.
- It imposes a time limit on the ransom payment; going beyond it typically means that the ransom increases or the data is destroyed forever.
- It leverages a complex set of evasion techniques to go undetected by traditional antivirus products.
- It often recruits infected computers into botnets, enabling cyber criminals to expand their infrastructure and fuel future attacks.
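Several of the characteristics above (encrypting many file types in a short time, appending a new extension to each file) are exactly what a defender can watch for on an endpoint. The following is an added example, not code from the original article: a small heuristic that scores per-process file activity for a burst of extension-appending renames across many file types, backed by the Shannon entropy of sampled write data (encrypted output looks like uniformly random bytes). The event records, process names, thresholds and the ".locked" suffix are all constructed for the demonstration.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumptions for this example, not published values).
RENAME_BURST = 5                 # extension-appending renames inside one WINDOW
DISTINCT_TYPES = 3               # different original extensions touched
HIGH_ENTROPY = 7.0               # bits per byte; encrypted data approaches 8.0
WINDOW = timedelta(seconds=60)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def added_extension(old_path: str, new_path: str):
    """Suffix a rename appended to the original name (e.g. '.locked'), else None."""
    if new_path.startswith(old_path) and len(new_path) > len(old_path):
        suffix = new_path[len(old_path):]
        if suffix.startswith("."):
            return suffix.lower()
    return None


def original_extension(path: str) -> str:
    """Extension of the file name, tolerating both path separator styles."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def analyse_events(events):
    """Return {process: {"suspicious": bool, "added_suffixes": [...], "reasons": [...]}}."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["process"]].append(ev)
    report = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        renames = [(e["ts"], e["path"], e["new_path"]) for e in evs
                   if e["action"] == "rename" and added_extension(e["path"], e["new_path"])]
        # Largest number of extension-appending renames inside any sliding WINDOW.
        burst = 0
        for i, (t0, _, _) in enumerate(renames):
            burst = max(burst, sum(1 for t, _, _ in renames[i:] if t - t0 < WINDOW))
        types_hit = {original_extension(p) for _, p, _ in renames}
        suffixes = {added_extension(p, n) for _, p, n in renames}
        samples = [shannon_entropy(e["data"]) for e in evs
                   if e["action"] == "write" and e["data"]]
        mean_entropy = sum(samples) / len(samples) if samples else 0.0
        reasons = []
        if burst >= RENAME_BURST:
            reasons.append(f"{burst} extension-appending renames within {WINDOW.seconds}s")
        if len(types_hit) >= DISTINCT_TYPES:
            reasons.append(f"{len(types_hit)} distinct file types renamed: {sorted(types_hit)}")
        if mean_entropy >= HIGH_ENTROPY:
            reasons.append(f"mean write entropy {mean_entropy:.2f} bits/byte")
        report[proc] = {
            "suspicious": burst >= RENAME_BURST and len(types_hit) >= DISTINCT_TYPES,
            "added_suffixes": sorted(suffixes),
            "reasons": reasons,
        }
    return report


def _ev(ts, process, action, path, new_path=None, data=b""):
    return {"ts": datetime.fromisoformat(ts), "process": process, "action": action,
            "path": path, "new_path": new_path, "data": data}


# Constructed sample telemetry (not real logs).
RANDOM_LOOKING = bytes(range(256)) * 4   # uniform byte distribution: entropy exactly 8.0
PLAIN_TEXT = b"Quarterly report: revenue grew modestly; see attached tables." * 4

SAMPLE_EVENTS = [
    # A word processor saving one document and keeping a .bak copy: benign.
    _ev("2017-05-12T10:00:00", "winword.exe", "write", r"C:\Users\alice\report.docx", data=PLAIN_TEXT),
    _ev("2017-05-12T10:00:05", "winword.exe", "rename", r"C:\Users\alice\report.docx",
        r"C:\Users\alice\report.docx.bak"),
]
# A hypothetical unknown process overwriting six file types with random-looking
# data and appending ".locked" to each, all within a few seconds.
for _i, _ext in enumerate([".docx", ".xlsx", ".jpg", ".mp3", ".pdf", ".png"]):
    _path = rf"C:\Users\alice\file{_i}{_ext}"
    SAMPLE_EVENTS.append(_ev(f"2017-05-12T10:01:{_i:02d}", "unknown_proc.exe", "write",
                             _path, data=RANDOM_LOOKING))
    SAMPLE_EVENTS.append(_ev(f"2017-05-12T10:01:{_i:02d}", "unknown_proc.exe", "rename",
                             _path, _path + ".locked"))

if __name__ == "__main__":
    for proc, verdict in analyse_events(SAMPLE_EVENTS).items():
        print(proc, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The two rename-based conditions must both hold before a process is flagged; the entropy score is reported as supporting evidence only, because legitimate compression or archiving tools also write high-entropy data. Feeding real file-system telemetry into `analyse_events` is left to the reader's endpoint tooling.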
Now that we have discussed quite a lot about ransomware, let’s take the specific case of WannaCry and look at how it works.
How WannaCry Works
WannaCry is a form of ransomware that targets the Windows operating system: it encrypts the files on a computer and denies the user access to them. An infected user is notified via a pop-up window on the screen of the compromised system, which contains instructions on how to pay a ransom of $300 (in bitcoin).
The pop-up window also displays two countdown clocks: one showing a three-day deadline before the ransom increases to $600, and another showing the deadline beyond which the victim loses his or her data forever. According to cyber security experts, the malware was released by a hacking crew named the Shadow Brokers, who claimed to have obtained the flaw from the US National Security Agency (NSA).
How Does Ransomware Spread?
Cyber criminals look for the easiest way to infect a computer or network and then use that foothold to spread the malicious content. A ransomware program usually gets onto your computer when you click on or download a malicious file, and it then holds your data to ransom. Crypto-ransomware attacks use a subtle combination of technology and psychological manipulation to coerce victims into paying.
The most common methods used by cyber criminals to infect systems with ransomware are:
- Spam email containing malicious links or attachments
- Security exploits contained in vulnerable software
- Internet traffic redirects to malicious websites
- Websites having malicious code injected in their web pages
- Drive-by downloads
- Malvertising campaigns
- SMS messages
- Self-propagation, spreading from one infected computer to another, after infection
According to cyber security researchers, the WannaCry infections were deployed via a worm that spread by itself within a network; it did not rely on humans clicking on an infected attachment. The code encrypted the files on infected computers and demanded payment to restore access.
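A worm that spreads by itself inside a network leaves a distinctive trace in connection logs: one source contacting many internal hosts on the same port in a short time, usually in address order and with most attempts failing because the addresses are not in use. The following added example (not code from the original article) detects that fan-out pattern in flow records. The log format, the 10.0.0.0/8 internal range, the port number in the sample and the thresholds are all assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the monitored internal address range
FANOUT_THRESHOLD = 10                 # distinct internal hosts on one port from one source
WINDOW = timedelta(seconds=120)


def parse_flow(line: str) -> dict:
    """Parse one constructed record: '<iso-timestamp> <src> <dst> <dst_port> <outcome>'."""
    ts, src, dst, port, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ip_address(src),
            "dst": ip_address(dst), "port": int(port), "outcome": outcome}


def detect_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per (source, port) that reaches `threshold` distinct internal
    destinations within `window`, with the rejected ratio and the longest run of
    consecutive destination addresses as supporting evidence."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    by_key = defaultdict(list)
    for f in flows:
        if f["dst"] in INTERNAL:
            by_key[(f["src"], f["port"])].append(f)
    alerts = []
    for (src, port), fs in by_key.items():
        fs.sort(key=lambda f: f["ts"])
        best = set()
        for i, start in enumerate(fs):          # sliding window over the sorted flows
            seen = {f["dst"] for f in fs[i:] if f["ts"] - start["ts"] < window}
            if len(seen) > len(best):
                best = seen
        if len(best) < threshold:
            continue
        rejected = sum(1 for f in fs if f["outcome"] != "accepted")
        ordered = sorted(int(d) for d in best)
        longest_run = run = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            longest_run = max(longest_run, run)
        alerts.append({"src": str(src), "port": port, "distinct_hosts": len(best),
                       "rejected_ratio": round(rejected / len(fs), 2),
                       "longest_sequential_run": longest_run})
    return alerts


def _build_sample():
    """Constructed flow records (not real logs)."""
    lines = []
    # A normal workstation talking repeatedly to the same file server.
    for i in range(20):
        lines.append(f"2017-05-12T11:00:{i:02d} 10.0.1.30 10.0.1.5 445 accepted")
    # A host sweeping its subnet in address order; only two addresses are live.
    for i in range(5, 35):
        outcome = "accepted" if i in (5, 10) else "rejected"
        lines.append(f"2017-05-12T11:00:{i:02d} 10.0.1.20 10.0.1.{i} 445 {outcome}")
    return lines


SAMPLE_FLOWS = _build_sample()

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_FLOWS):
        print(alert)
```

The workstation that repeatedly reaches one server never trips the detector because it counts distinct destinations, not connection volume. A high rejected ratio together with a long sequential run is what separates a self-propagating worm from, say, a monitoring host that legitimately polls many servers.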
How to Prevent Ransomware Infection
The Microsoft Malware Protection Center has devised a few steps to help you protect yourself against ransomware attacks. They are as follows:
- Install an antivirus solution and always keep it up-to-date
- Ensure that your software is up-to-date
- Avoid clicking on links or opening attachments or emails from unknown email addresses
- Keep SmartScreen turned on in your web browser to identify reported phishing and malware websites
- Turn on a pop-up blocker on your web browser
- Back up your important files regularly
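Regular backups are the one control above that still works after encryption has happened, but only if the backed-up copies have not themselves been overwritten and you can tell which ones are intact. The following is an added example, not code from the article or from Microsoft: each run creates a fresh timestamped snapshot (so a later run never overwrites a good copy), records a SHA-256 manifest, and restores only files whose hash still matches. The `demo()` function builds a constructed sample directory in a temporary location, so the block runs offline.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, backup_root: Path) -> Path:
    """Copy `src` into a new snapshot directory and write a hash manifest beside the data."""
    snapshot = backup_root / datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    files = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            dest = snapshot / "data" / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            files[rel] = {"sha256": sha256_file(dest), "size": dest.stat().st_size}
    snapshot.mkdir(parents=True, exist_ok=True)   # handles an empty source tree
    (snapshot / MANIFEST).write_text(json.dumps({"created": snapshot.name, "files": files}, indent=2))
    return snapshot


def verify_backup(snapshot: Path) -> dict:
    """Recompute every hash; report files that were modified or removed since the backup."""
    manifest = json.loads((snapshot / MANIFEST).read_text())
    modified, missing = [], []
    for rel, meta in manifest["files"].items():
        p = snapshot / "data" / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != meta["sha256"]:
            modified.append(rel)
    return {"ok": not modified and not missing, "modified": modified, "missing": missing}


def restore(snapshot: Path, target: Path) -> int:
    """Restore only files whose stored hash still matches; return how many were restored."""
    manifest = json.loads((snapshot / MANIFEST).read_text())
    restored = 0
    for rel, meta in manifest["files"].items():
        p = snapshot / "data" / rel
        if p.is_file() and sha256_file(p) == meta["sha256"]:
            dest = target / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            restored += 1
    return restored


def demo() -> dict:
    """Walk-through on constructed sample files: back up, tamper with one copy, verify, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "documents"
        (src / "finance").mkdir(parents=True)
        (src / "report.docx").write_bytes(b"quarterly report, plain contents")
        (src / "finance" / "ledger.xlsx").write_bytes(b"ledger rows")
        snap = create_backup(src, tmp / "backups")
        clean = verify_backup(snap)
        # Simulate a backed-up copy being overwritten because the backup
        # location stayed reachable from the infected machine.
        (snap / "data" / "report.docx").write_bytes(b"\xff" * 32)
        tampered = verify_backup(snap)
        restored = restore(snap, tmp / "restored")
        return {"clean_ok": clean["ok"], "tampered_ok": tampered["ok"],
                "modified": tampered["modified"], "restored": restored,
                "file_count": len(json.loads((snap / MANIFEST).read_text())["files"])}


if __name__ == "__main__":
    print(demo())
```

The manifest only proves integrity, not freshness: keep the snapshot directory on storage the workstation cannot write to once the backup is complete (removable media that is unplugged, or a share exposed read-only), otherwise the same malware that encrypts the originals can encrypt the copies.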
The recent WannaCry attack has brought extortion to a global scale. Therefore, the onus lies with us to remain cautious and disrupt it. This new cyberspace vulnerability requires us to be aware of cyber security practices and avoid falling prey to cyber criminals. However, cyber attacks are evolving day by day, and each invasion is more sophisticated than the last.
As the cyber security guru Bruce Schneier has rightly said, “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.”
WannaCry has proved that the NSA leaks have led to real-world attacks, regardless of the additional protections provided by Microsoft. However, we are not powerless, and there are a handful of things we can do to prevent ransomware. So let’s stay prepared and not allow cyber criminals to disturb our peace of mind.