The WannaCry global cyberattack that started on May 12 reminds me of the film “Independence Day”. Not that we were attacked by aliens from outer space, but by someone on Planet Earth who managed to disrupt computer systems, some critical, globally.
The commonality to me is that Planet Earth was “saved” by closing down computer systems and resorting instead to telephone and more basic means of communication – in Independence Day it was Morse code.
Like an alien, WannaCry quickly spread worldwide, affecting more than 230,000 organisations in 150 countries within just a few days.
This malicious software hit Britain’s National Health Service (47 trusts), some of Spain’s largest companies including Telefónica, as well as computers across Russia, Ukraine and Taiwan, leading to PCs and data being locked up and held for ransom.
The consequences ranged from companies instructing employees to turn off their computers, to complete company networks being shut down, patient operations being cancelled and A&E patients being turned away in the NHS. The main targets were reported to be in Russia, Ukraine and Taiwan, and the ransomware included localised translations in 28 languages.
It was discovered that the ransomware used a vulnerability first revealed to the public as part of a leaked bundle of US National Security Agency (NSA)-related documents, in order to infect Windows PCs and encrypt their contents, before demanding payments of hundreds of dollars for the key to decrypt files.
Effects in Portugal
According to the director of the Polícia Judiciária, the cyberattack was made by email, with a link that infects the computer, “essentially directed to telecommunications companies”, but others as well.
As a precaution, however, energy company EDP cut its network’s internet accesses on the day and Portugal Telecom asked users to exercise caution in browsing the network and opening email attachments.
INEM suspended the ICARE computer system that sends information about victims to ambulances. Hospitals and health centres across the country were for a while without email service and there were interruptions to drug prescription services. Patient information was sent over the telephone and radio.
Three days after the initial attack, the Electronic Drug Prescription (PEM) system was temporarily unavailable, causing constraints for health services and users.
Who is at risk?
The attack initially appeared to be targeted at weaknesses in older versions of Windows, especially Windows XP, locking computers and demanding payments to unlock them. However, although many were pointing the finger at Windows XP for allowing WannaCry to cause so much damage, new research from Kaspersky shows 98% of the computers hit by WannaCry were actually running Windows 7 – a more modern OS that’s still officially supported by Microsoft.
This is used by nearly half of computers worldwide. A patch was issued to protect Windows 7 from this kind of exploit in March, so these would appear to be systems that haven’t yet been updated.
What is ransomware?
The first case appeared in 2005 in the United States, but quickly spread around the world. Ransomware spiked from 2015 to 2016, and has become the fifth most common form of malware. Last year ransomware extorted over US $1 billion.
Ransomware is a kind of cyberattack that involves hackers taking control of a computer system and blocking access to it until a ransom is paid.
For cyber criminals to gain access to the system they need to download a type of malicious software onto a device within the network. This is often done by getting a victim to click on a link or download it by mistake. Once the software is on a victim’s computer, the hackers can launch an attack that locks all files it can find within a network.
Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites. In a lock screen attack, the malware may change the victim’s login credentials for a computing device; or may encrypt files on the infected device, as well as other connected network devices.
Money is extorted in the following ways: the victim receives a pop-up message or email warning that if the ransom is not paid by a certain date, the private key required to unlock the device or decrypt files will be destroyed; or the victim may be duped into believing he/she is the subject of an official inquiry. After being informed, the victim is told to pay a fine to unlock the computer.
What is WannaCry?
Wanna Decryptor, also known as WannaCry or wcry, is a specific ransomware programme that locks all the data on a computer system and leaves the user with only two files: instructions on what to do next and the Wanna Decryptor programme itself.
When the software is opened, it tells computer users that their files have been encrypted, and gives them a few days to pay up, warning that their files will otherwise be deleted. It demands payment in Bitcoin, gives instructions on how to buy it, and provides a Bitcoin address to send it to.
Protecting yourself against Ransomware attacks
WannaCry has broken new ground in showing how digitally vulnerable we are – by using the NSA’s spyware to infiltrate MS Windows and possibly holding to ransom an unreleased Disney film (Pirates of the Caribbean – Dead Men Tell No Tales).
The current attack is considered the worst ever. Clearly this should be a wake-up call to businesses, public organisations and governments that it is essential to invest in the latest systems that are less vulnerable to risk from this sort of attack. If your company uses outdated Windows systems which are less secure, this places your company and clients at risk.
The best protection against ransomware is to have all files backed up in a completely separate system. This means that if you suffer an attack you won’t lose any information to the hackers.
It is difficult to prevent determined hackers from launching a ransomware attack, but exercising caution can help.
Be suspicious of unsolicited emails and always type out web addresses yourself rather than clicking on links. Another key defence is antivirus programmes that can scan files before they are downloaded.
Recovery
As at May 22, Europol reports that decryption of WannaCry-encrypted files is currently not possible.
The main option for recovering affected files is restoring from backups. In some cases, files may be recovered without backups, e.g. from Shadow Copies (if enabled) or using an undelete tool.
The partial solution developed by a French IT team has been tested by Europol and found to recover data encrypted by WannaCry in some circumstances. Infected victims are advised not to reboot their machines and to try it by following the instructions: WannaCry — Decrypting files with WanaKiwi + Demos
In any case, do not pay the ransom. Paying does not guarantee that your problem will be solved and that you will be able to access your files again. In addition, you will be supporting the cybercriminals’ business and the financing of their illegal activities.
By David Thomas
David Thomas is a former Assistant Commissioner of the Hong Kong Police and a consultant to INTERPOL and the United Nations Office on Drugs and Crime. In October 2011 he founded Safe Communities Algarve, an online platform (www.safecommunitiesalgarve.com) here in the Algarve to help the authorities and the community prevent crime. It is now registered as Associação SCP Safe Communities Portugal, the first national association of its type in Portugal, with a new website, www.safecommunitiesportugal.com, launched in May 2015. He can be contacted at [email protected]garve.com, on 913045093 or at www.facebook.com/scalgarve