It took a 22-year-old UK researcher to stop rampaging virus WannaCry which hit 150 countries in five continents. But will the world be prepared next time and invest more on cyber security and govt policy?
~By Sajeda Momin in London
This was a crime that didn’t differentiate between its victims on the basis of race, religion, gender, geography, class or caste. It hit individuals as well as large corporations, NGOs and governments. It cut across all political borders and affected 150 countries in five continents. All you needed was a computer using a relatively old or outdated version of Microsoft Windows and you were caught in its web.
It was the most audacious cybercrime till date and hoped to rake in $1 billion for the criminals who are yet to be identified. The unprecedented ransomware attack that infected more than two lakh computers according to Europol, the European Union’s law enforcing agency, could have been far worse if a cyber security researcher in the UK had not found and inadvertently activated a “kill switch” in the malicious software and so halted its spread.
The coordinated attack was first reported in the UK on the morning of March 12, and then spread globally like wildfire. Victims found that a harmful software took over their computers, encrypted the information and then demanded a payment of $300 in cryptocurrency bitcoin from the users before releasing the devices. It gave three days to pay the ransom after which it doubled it to $600. And if that was not paid either, then the data on the computer would be destroyed.
In the UK, the worst hit by the virus was the National Health Service where around 45 hospitals, doctors’ offices and ambulance companies were crippled— making it the one of the largest institutions affected worldwide. At its peak, the worm was hitting 9,000 computers per hour and these included the Russian Interior Ministry, German transport giant Deutsche Bahn, Spanish telecommunications firm Telefonica, French auto-maker Renault, American courier company FedEx, universities, schools and the traffic police in China, a can-cer hospital in Indonesia and many, many more.
“Ransomware attacks happen every day—but what makes this different is the size and boldness of the attack”, said Robert Pritchard, a cyber security expert at the Royal United Services Institute, a think-tank here.
This particular ransomware attack used a malicious software called “Wana-Cryptor 2.0” or “WannaCry”, which ironically, was made available online on April 14 through a dump by a group called Shadow Brokers which claimed last year to have stolen a cache of cyber weapons from America’s National Security Agency (NSA). At the time, there was skepticism about whether the group was exaggerating the scale of its hack.
Whistleblower Edward Snowden blamed the NSA on Twitter saying: “If @NSAGOV had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened.” The NSA is among many government agencies around the world to collect cyber weapons so that they can use them to carry out intelligence gathering or engage in cyber warfare.
WannaCry exploits a vulnerability in Windows and Microsoft had released a software update that fixed the problem (called a patch) in March, but computers that had not installed the security update remained vulnerable. Computers which use Windows XP and other older operating systems cannot be patched and so were most vulnerable to the virus. The malware spreads through email.
The spread of the attack was thankfully brought to a sudden halt by a 22-year-old cyber security researcher from south-west England who identified himself as MalewareTech. “I was out having lunch with a friend and got back about 3 pm and saw an influx of new articles about the NHS and various UK organisations being hit,” said the researcher who works for Kryptos Logic, a Los Angeles-based threat intelligence company, to The Guardian newspaper.
“I had a bit of a look into that and then I found a sample of the malware behind it and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time,” continued the youngster who still lives with his parents.
The kill switch was hardcoded into the malware in case the creator wanted to abort the attack at any time and stop the virus from spreading and involved a very long nonsensical domain name. MalwareTech bought the domain at a cost of just $10.69 to monitor the spread and for future research. “But we actually stopped the spread just by registering the domain,” explained the accidental hero.
He warned people to patch their systems, adding: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows up-date, update and then reboot.”
MalwareTech, who skipped university to start a tech blog and write software, got his first job after school without any real qualifications. “It’s always been a hobby to me, I’m self-taught,” says the techie who prefers to remain anonymous.
“It just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this,” he explained.
There had been fears that the attack would spread further the following week, particularly in Asia where many companies had shut down computers for the weekend by the time it began in Europe.
However, the kill switch seemed to have worked and on the following Monday, no major infections were reported.
World attention then turned to investment and government policy implications of lax cyber security. “People should be thinking about this as an attack that for right now we have under control, but as an attack that represents an extremely serious threat,” said Tom Bossert, US President Donald Trump’s homeland security advisor. While US officials have not ruled out “state action”, Bossert said it appeared to be a criminal act given the ransom requests.
By Tuesday afternoon (May 16), the total value of funds paid into anonymous bitcoin wallets the hackers were using stood at just over $55,000, according to calculations made by Reuters using publicly available data. A far cry from the $1 billion they had hoped to get. However, shares in firms that provide cyber security jumped at the prospects of companies and governments spending more money on defenses. Israel’s Cyren Ltd and US firm FireEye Inc were the biggest gainers. Cisco Systems’ shares rose by 2.8 percent, making it the leading gainer in the Dow Jones Industrial Average which was up more than 100 points in afternoon trading.
Ransomware attacks have been on the rise for some time. Security company SonicWall, which studies cyber threats, saw ransomware attacks rise 167 times in 2016 compared to 2015. A Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers last year after a cyber attack locked doctors and nurses out of their computer systems for days.
Aftershocks of the WannaCry attack can be expected for days, if not weeks. Brad Smith, president and chief legal officer of Microsoft, said in blog post that the attack should be a “wake-up call for the tech industry, consumers and governments”. Policing the cyber-world is difficult but not impossible and international security agencies need to form a “coalition of the willing” against cyber attackers.
Europol has already said its team of cyber security specialists made up of agents from countries like Britain, Germany and the US was investigating the attack. It will be interesting to see its findings.