HT explains: The Rs 19,000-ransom seeking malware that could return this week
In India, a section of computers at Andhra Pradesh’s police departments were hacked. Computers in 18 police units in Chittoor, Krishna, Guntur, Visakhatpatnam and Srikakulam districts were affected.tech Updated: May 15, 2017 06:55 IST
A malicious program swept computers in 99 countries since Friday, locking out users from their files to seek a $300 ransom that would be doubled if it wasn’t paid in three days.
How does it work?
The malware, technically called a ‘worm’ because it spreads on its own and hunts for other targets, ironically uses one of the bulwarks of modern technology – encryption.
Encryption is deployed to keep data private. Every website with an ‘https’ address, for instance, communicates with your computer through encrypted packets that can’t be read by anyone.
Think of it as a safe. Once encrypted, your data is put inside a safe, which can be opened only with a key.
WannaCry encrypts a computer’s local files and puts it in a safe, so to speak. Only a key – in this case a combination of letters, numbers and symbols -- that its creators have set up can free those files. And for that, they seek $300.
It does not affect computers on the Apple iOS and Linux platforms.
How did we fall prey to this?
Security experts said WannaCry is exploiting a weakness in Microsoft Windows operating systems called EternalBlue.
The worm is seen spreading particularly rapidly within local networks, such as officers, government departments and university campuses. But it does not seem to be taking the usual routes like depending upon humans to click on misleading links that would secretly install it.
This is where EternalBlue comes in. EternalBlue is a vulnerability that the American spy agency NSA was aware of for a while. It used the flaw to gain access to its targets. And on April 14, a hackers’ collective called Shadow Brokers dumped details of the exploit online.
Some experts were not surprised at the WannaCry havoc. Researcher Matthew Hickey told The Intercept, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner”.
How bad is it?
At last count, more than 100 countries were hit, with India being among the worst affected. Hospitals in Britain and police stations in Andhra Pradesh saw their computers display the dreaded black and red prompt, with a demand for the ransom and a clock ticking down the three-day countdown.
The worst hit was Russia, which, ironically, the Shadow Brokers are linked to.
Cyber security firms such as Kaspersky and Avast reported seeing infections in hundreds of thousands, and people posted pictures on Twitter of computers going down.
A ransomware spreading in the lab at the university pic.twitter.com/8dROVXXkQv— １２Ｂ (@dodicin) May 12, 2017
Computers that have not been patched for the EternalBlue fault remain vulnerable.
Is it stoppable?
Microsoft released a fix for the flaw in mid-March. But not everyone updates their computers regularly. And there was no patch for the outdated Windows XP version, which is used commonly in countries like India.
As the scale of the WannaCry’s epidemic dawned on everyone, Microsoft took the “highly unusual step” to release a patch for the OS, which it had stopped supporting three years ago.
The only protection, for now, is to ensure the operating system is not vulnerable, though there also seems to be a silver lining.
“An ‘accidental hero’ has halted the global spread of the WannaCry ransomware, reportedly by spending a few dollars on registering a domain name hidden in the malware,” The Guardian reported on Saturday.
Cyber security firm Kaspersky said it is working on ways to reverse WannaCry’s effects. “Kaspersky Lab experts are currently trying to determine whether it is possible to decrypt data locked in the attack – with the aim of developing a decryption tool as soon as possible,” Altaf Halde, managing director, Kaspersky Lab South Asia, told Hindustan Times.
What should you do?
Run your Windows Update utility. All versions of Windows have it in the Control Panel that can be accessed from the Start menu. If you are not sure if the Windows Update fixed it, go here and scroll down to ‘Further resources’ where you will find links to the security updates for various versions.
If you are on Windows 10, chances are that you are already patched since this version mandatorily downloads updates.
First Published: May 14, 2017 14:20 IST