On Friday, May 12, 2017, around 11 AM ET / 3 PM GMT, a ransomware attack of “unprecedented level” (Europol) started spreading WannaCry around the world. It used a vulnerability in Windows that allowed it to infect victims’ PCs without their action or knowledge. The threat popularly known as “WannaCry” is the name of a crypto-ransomware, a type of malicious computer program specifically designed and developed to attack computer files by encrypting the data and demanding money in return for decryption. It started its activities nearly 6-8 months earlier, though only a few instances were reported to us. It came into the public light at an alarming rate as infections hit massively, and it is still continuing to damage computer files.
Knowledge sharing and interest in learning about the threat grew worldwide at a great pace. In a very short span of time the malicious program spread over computers using various media of Internet communication and web applications (email, websites, etc.). Though the infection phase is slightly different for each ransomware version, the key stages are the following:
- Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by abusing vulnerable software on the system.
- If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) is placed on the affected PC.
- The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program onto the system.
- The contacted C&C server responds by sending back the requested data.
- The malware then encrypts the entire hard disk content: personal files, sensitive information, everything, including data from cloud accounts (Google Drive, Dropbox) synced to the PC. It can also encrypt data on other computers connected to the local network.
- A warning pops up on the screen with instructions on how to pay for the decryption key.
- WannaCry-pt uses the SMB protocol, which is often unfiltered within corporate networks.
- The tools behind WannaCry-pt (EternalBlue and DoublePulsar) originated within the NSA.
- WannaCry-pt is able to replicate and spread itself.
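The last three points describe a worm that spreads over unfiltered SMB. One way a defender can spot that behaviour in connection logs is to look for a single host opening TCP 445 connections to many distinct peers in a short window. The following is an added example, not code from the article: the log lines are constructed, and the "time src dst dport action" layout, the threshold and the window size are assumptions.

```powershell
# Added example (not from the article): flag hosts that open SMB (TCP 445) connections
# to many distinct peers in a short window, the fan-out of a self-replicating SMB worm.
# Constructed sample log; the "time src dst dport action" layout is an assumption.
$sampleLog = @'
2017-05-12T11:02:01Z 10.0.5.17 10.0.5.1 445 ALLOW
2017-05-12T11:02:01Z 10.0.5.17 10.0.5.2 445 ALLOW
2017-05-12T11:02:02Z 10.0.5.17 10.0.5.3 445 ALLOW
2017-05-12T11:02:02Z 10.0.5.17 10.0.5.4 445 ALLOW
2017-05-12T11:02:03Z 10.0.5.17 10.0.5.5 445 ALLOW
2017-05-12T11:02:03Z 10.0.5.17 10.0.5.6 445 ALLOW
2017-05-12T11:02:04Z 10.0.5.17 10.0.5.7 445 ALLOW
2017-05-12T11:02:04Z 10.0.5.17 10.0.5.8 445 ALLOW
2017-05-12T11:05:10Z 10.0.5.30 10.0.5.200 445 ALLOW
2017-05-12T11:05:11Z 10.0.5.30 10.0.5.200 445 ALLOW
2017-05-12T11:05:12Z 10.0.5.31 10.0.5.200 443 ALLOW
'@
function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 6,        # distinct 445 peers treated as worm-like (assumed value)
        [int]$WindowSeconds = 60
    )
    # Keep only SMB events, parsed into objects
    $events = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[3] -eq '445') {
            [pscustomobject]@{ Time = [datetime]::Parse($f[0]).ToUniversalTime(); Src = $f[1]; Dst = $f[2] }
        }
    }
    $alerts = @()
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Slide a window over this source's events and alert on the first window that
        # reaches the threshold of distinct destinations (10.0.5.30 is a normal client)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $peers = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{ Src = $group.Name; DistinctPeers = $peers.Count; From = $sorted[$i].Time }
                break
            }
        }
    }
    return $alerts
}
Find-SmbFanOut -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample only 10.0.5.17 is reported (8 distinct peers within a few seconds); the repeated connections from 10.0.5.30 to one file server do not trigger the rule.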
As per global statistics, more than 300,000 computers in 150 countries have already been affected and more are yet to be affected. It is high time for every one of us to realize the importance of the services rendered by computers, the Internet and software applications. The first known ransomware attack was called the “AIDS Trojan”, which infected Windows machines back in 1989. This particular ransomware swapped out the autoexec.bat file. The new file counted the number of times the machine had been booted; when the count reached 90, all of the filenames on the C drive were encrypted.
The risk is high these days because almost every service we can think of cannot be provided to the huge population without the help of computers. So we need to keep our computers safe from infection by malicious programs. It is just a matter of alertness and preparation in following safe practices in our daily usage.
How do the bad guys or attackers perform their attacks?
The bad guys are a few intelligent computer programmers who exploit flaws and loopholes in widely used software (whether the operating system or any other software). Their wish is to make fools of us and get us to damage our own resources by allowing their program to run on our operating system. The motive for all such activities is making money or showing off their expertise. They succeed because of low awareness, easy belief and compromised trusted services. If popular email services like gmail, outlook, yahoo, rediffmail, zoho etc. are unable to diagnose the malicious links, then it is natural for all of us to get fooled. Basically, the attackers research the scope of their massive attack before executing it. They hide themselves under different personal names and different companies. A few techniques they use are:
- Encrypted communication with command and control servers
- Use of anonymizers such as TOR and Bitcoin
- Deployment of encrypted payloads to avoid anti-virus scans
- Anti-sandboxing mechanisms to evade anti-virus analysis
- Domain shadowing to conceal exploits and communications
- Fast flux techniques to keep the source of information anonymous
- Polymorphic behaviour that alters the program’s identity
- Remaining dormant and unnoticed until the most suitable time to attack
- A spread-as-much-as-possible algorithm over the LAN or the Internet
They try to execute their malicious projects using multiple computers distributed over the Internet. Mostly, they need sufficient computer processing power and resources to perform their action as quickly as possible. In any case, their action always needs our involvement to succeed.
Role of the cyber cops in these cases: is it a cyber crime?
These are situations where we usually think of filing a case against the persons concerned. It is obviously a cyber crime. As per the Indian cyber act (IT Act 2000 and its amendments), Sections 65, 66, 66D, 69 and 70 are mostly applicable to the worldwide crypto-ransomware attack. But it is a different matter if we actually try to file a case for the cause. As we know, the cyber cops take very little interest in any case until strictly notified by their senior officials or the media. They would tell us a different story about their inability to find the criminals, and possibly they may catch some innocent victim and force them to admit to the needed clauses. They usually have a great intent of doubt towards everyone, and hence listen very little while understanding more by themselves. So it is not advised to get your problem solved by those fellows unless it is unavoidable.
Best security practices: How to stay safe?
The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do. One principle of system security is that every computing device is logically secure until it is connected to a network of resources (e.g. LAN or Internet) or an external device (e.g. pen drive, external HDD, etc.) is plugged into it. So let us look at the two types of safe practices for personal computers:
- Multi Operating System Environment: In this type of environment we get a dual-boot computing environment, i.e. two operating systems on one computer. The two operating systems can be Microsoft Windows and Ubuntu (or any Linux variant like Fedora, Red Hat, SUSE, etc.). The benefit of such a system is that we can save a backup of all the important data files and folders generated in Windows into the Linux operating system environment. There are many great aspects of this kind of platform, such as the lowest malware infections and the least downtime. Use the Internet and USB devices on the Linux platform and do the rest of your work in Windows. It has to be made a practice. In this way, one can avoid future infections and virus attacks without using anti-virus. As Linux is highly secure due to its permission hierarchy, and the latest versions of Microsoft Windows have internal security systems like Windows Defender and Microsoft Security Essentials, the Windows part will remain secure too.
- Virtual Operating System Environment: In this method we have a host operating system, i.e. any one version of Windows or Linux. Next we install virtualization software on it (many options are available on the Internet, like VMware, Oracle VirtualBox, etc.). Then we can run any guest operating system on top of the virtualization software. In this method, the guest operating system shall be used for the Internet. AutoPlay (for USB, CD/DVD) shall be turned off in all the operating systems. An updated antivirus is required in the host operating system if it is Microsoft Windows, but it is not required in Linux (Ubuntu, Fedora, Red Hat, SUSE, etc.).
The above techniques will make your personal computer more secure and harder to compromise. Besides this, there are a few simple things you can do to keep your files safe in the Windows operating system:
- Don’t use shared folders over the LAN or the Internet.
- Switch on your Windows Firewall from the Control Panel and never turn it off. If you want an application to pass through the firewall, configure an exception for it in the firewall.
- Keep your important files in Briefcases or on an external HDD. Additionally, you can put your files into ZIP or RAR archives and then place them in Briefcases. You can create a Briefcase from the context menu by right-clicking in any empty area. In Windows 10 or above you will have to enable it using the registry.
- You can copy your files to cloud drives periodically, but don’t use the sync-folder applications installed on your system.
- Don’t use your Windows computer in Administrator mode. Rather, create a standard user and password-protect all accounts.
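The checks above (firewall on, no shared folders, AutoPlay off, daily work from a standard account) can be audited in one go. The following is an added example, not code from the article: it assumes an elevated PowerShell on Windows 10 / Server 2016 or later (for the NetSecurity, SmbShare and LocalAccounts modules), only reads settings and changes nothing. Because WannaCry spread over SMB and EternalBlue targets SMBv1, the script also reports whether SMBv1 is still enabled, a point that goes beyond the list above.

```powershell
# Added example (not from the article): read-only audit of a Windows PC against the
# practices listed above. Assumes an elevated PowerShell on Windows 10 / Server 2016+.
function Test-RansomwareBaseline {
    $findings = @()

    # 1. Windows Firewall on for every profile (Domain, Private, Public)
    $off = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name)
    if ($off.Count) { $findings += "Firewall disabled for profile(s): $($off -join ', ')" }

    # 2. No user-created shared folders (admin shares such as C$ and IPC$ are marked 'Special')
    $shares = @(Get-SmbShare | Where-Object { -not $_.Special } | Select-Object -ExpandProperty Name)
    if ($shares.Count) { $findings += "Shared folders exposed on the network: $($shares -join ', ')" }

    # 3. SMBv1 is the protocol version EternalBlue targets; WannaCry spread over it
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is enabled'
    }

    # 4. AutoPlay/AutoRun off for all drive types: NoDriveTypeAutoRun = 0xFF (255)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -ne 255) { $findings += "AutoRun not fully disabled (NoDriveTypeAutoRun = '$val', expected 255)" }

    # 5. The account used for daily work should not be a member of local Administrators
    $me = "$env:USERDOMAIN\$env:USERNAME"
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    if ($admins -contains $me) { $findings += "Daily account $me is a member of Administrators" }

    if ($findings.Count -eq 0) { return @('All baseline checks passed') }
    return $findings
}

Test-RansomwareBaseline
```

Each finding names the setting to fix; the firewall, share and SMBv1 items can be corrected with Set-NetFirewallProfile, Remove-SmbShare and Set-SmbServerConfiguration respectively, which this read-only script deliberately does not run.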
Stay alert, use best practices for security and have a fearless user experience. We should use these techniques to secure ourselves and have a secure digital India. We should not allow our computers to be compromised and let others suffer because of our infected computers. It is also advised to take consultation from good consultants for securing enterprises. We do offer free surveys related to security practices for the cause. Awareness and practice will create a better environment of digital security.
The article is written by Debi Prasanna Nayak, Founder and Director of EDO Informatics Pvt. Ltd, Bhubaneswar. He can be contacted at dpnayak@live.com