It is alarming yet not a surprise to see another mass scale ransomware attack just weeks after the havoc created by the Wannacry ransomware. To start with, the genesis of both these attacks appears similar. Both of them use the Microsoft vulnerability called EternalBlue for which Microsoft had issued a patch. In both cases, they attacked institutional computer networks, which we unsecured – the NHS in UK and now the Ukrainian Government. However, there is a slight but important difference. Usually in case of ransomware attacks, the demand is made from users and the email for communication is unique to each user. In this case it is observed that there is a single email ID that had been provided to all the affected users for communication. This email ID was since suspended by provider. This alludes to the fact that either the hackers were amateurs or more dangerously this attack is not a ransomware and was not unleashed with the intention of merely extracting money, but to destruct important data.
These new mutations of malware are increasingly getting more and more capable and complex in terms of the speed and reach. We are observing that the malwares are spreading automatically across interconnected networks more freely and with minimal or no human intervention. This also is different from ransomware of earlier versions, which we more topical and pointed – say an individual hospital system. The free lowing nature of the current ransomware is particularly scary since we have limited control or predictive mechanism to guess which networks will be affected next.
As of now, the effect in India has been observed at the Jawaharlal Nehru Port Trust (JNPT). This can be explained as one of the largest private enterprises to get effected is Maersk, the leading shipping and container corporation whose systems in all likely hood is interconnected with the networks of the JNPT. Having said that it is impossible to predict the next network where the “worm” will sneak in. Also, the Petya ransomware is more fluid than Wannacry as the latter was linear and had one way to move from network to network. Petya has the capability to evaluate multiple options and can use another option of attacking if one fails. It is indeed quite petrifying to imagine a situation is it infects the national service such as the Defense, Police, Financial Institutions and UIDAI.
Sectors that are vulnerable and Does it need to be done at individual or Govt level
Considering this, it is clear that prevention is the best form of attack. It should be the responsibility of all computer and internet users – institutional as well as individuals to be aware of the threat and also be prepared for a future attack. Through CERT-IN (Computer Emergency Response Team of India) the Government must issue a “what to do” advisory on prevention tactics to enterprises and individuals. We observe that most of ransomware attacks use “end users” as entry point. The end user might be an individual or a user in an institutional environment. In most cases there is nothing that user can do as these types of ransomware are typically executed through “drive-by downloads” in which legitimate website and browsers are infected. Some of the key action points that can be followed are through basic IT housekeeping such as keeping antivirus software updated and having URL CHECKERS. Also it is recommended that individuals keep only those plug-in and add-on that are absolutely necessary and used regularly.
Finally, it is high time that system administrators within enterprises and government agencies should have updated defensive security skills. Institutions and governments need strong cyber security and cyber-defense strategies. Cyber-defense capabilities, particularly, is an important mandate as hacking becomes extremely easy and pervasive and IT administrators should know how to “defend” their systems.