On Friday, May 12, 2017, around 11 AM ET/3 PM GMT, a ransomware attack of “unprecedented level” (Europol) started spreading WannaCry around the world. It used a vulnerability in Windows that allowed it to infect victims’ PCs without their action or knowledge. The computer threat popularly known as “WannaCry” is the name for a crypto-ransomware type of malicious program that is specifically designed and developed to attack computer files by encrypting the data and demanding money in return for decryption. It had been active for roughly 6-8 months before this, during which only a few instances were reported to us. It came into public light at an alarming rate as the infections hit massively, and it is still continuing to damage computer files.
The process of knowledge sharing, and the interest in understanding the threat, grew worldwide at a great pace. In a very short span of time the malicious program spread across computers using various media of Internet communication and web applications (such as email and websites). Though the infection phase differs slightly for each ransomware version, the key stages are the following:
- Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by abusing vulnerable software on the system.
- If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) is placed on the affected PC.
- The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program onto the system.
- The contacted C&C server responds by sending back the requested data.
- The malware then encrypts the entire hard disk content, personal files, and sensitive information, including data stored in cloud accounts (Google Drive, Dropbox) that are synced to the PC. It can also encrypt data on other computers connected to the local network.
- A warning pops up on the screen with instructions on how to pay for the decryption key.
- WannaCrypt uses the SMB protocol, which is often unfiltered within corporate networks.
- The tools behind WannaCrypt (EternalBlue and DoublePulsar) originated within the NSA.
- WannaCrypt is able to replicate and spread itself.
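The last three stages (worm-like spread over SMB on networks where port 445 is unfiltered) are what a defender can watch for in connection logs. The following is an added example, not code from the original article: it flags internal hosts contacting an unusual number of distinct SMB peers and any SMB connection arriving from outside the organisation’s own address range. The log format, the 10.0.0.0/8 internal range, the threshold, and the sample records are all constructed assumptions.

```python
"""Flag worm-like SMB fan-out and Internet-exposed SMB in connection logs."""
import ipaddress
from collections import defaultdict

# Constructed sample records (not real traffic), one flow per line: "src dst dport".
SAMPLE_FLOWS = """\
10.0.1.20 10.0.1.21 445
10.0.1.20 10.0.1.22 445
10.0.1.20 10.0.1.23 445
10.0.1.20 10.0.1.24 445
10.0.1.20 10.0.1.25 445
10.0.1.20 10.0.1.26 445
10.0.1.30 10.0.1.5 445
10.0.1.31 10.0.1.5 445
203.0.113.9 10.0.1.40 445
10.0.1.30 10.0.1.5 80
"""

# Assumed organisation address space and alert threshold (both hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FANOUT_THRESHOLD = 5  # distinct SMB peers per source before we alert

def parse_flows(text):
    """Return a list of (src, dst, dport) tuples from 'src dst dport' lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            flows.append((src, dst, int(port)))
    return flows

def smb_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Map each source that reached >= threshold distinct SMB peers to its peer count."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if port == 445:
            peers[src].add(dst)
    return {s: len(d) for s, d in peers.items() if len(d) >= threshold}

def exposed_smb(flows):
    """Return sorted (src, dst) pairs where SMB traffic originates outside INTERNAL_NETS."""
    hits = set()
    for src, dst, port in flows:
        if port == 445 and not any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
            hits.add((src, dst))
    return sorted(hits)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SMB fan-out (possible worm spread):", smb_fanout(flows))
    print("SMB reachable from outside:", exposed_smb(flows))
```

Normal file-server use looks like many clients to one server; a single client fanning out to many peers on 445 is the pattern to investigate, and any hit from the second check means the perimeter filter the article mentions is missing.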
As per the global statistics, more than 3,00,000 computers in 150 countries have already been affected, and more are yet to be affected. It is high time for every one of us to realize the importance of the services rendered by computers, the Internet and software applications. The first known ransomware attack was called the “AIDS Trojan”, which infected Windows machines back in 1989. This particular ransomware replaced the autoexec.bat file. The new file counted the number of times the machine had been booted; when the count reached 90, all of the filenames on the C drive were encrypted.
The risk is high these days because almost every service we can think of cannot be provided to the huge population without the help of computers. So we need to keep our computers safe from infection by malicious programs. It is just a matter of alertness and of preparing to follow safe practices in our usage.
How do the bad guys or attackers perform their attack?
The bad guys are a few skilled computer programmers who exploit flaws and loopholes in widely used software (whether in the operating system or in any other software). Their aim is to fool us into damaging our own resources by letting their program run on our operating system. The motive for all such activities is money making or showing off their expertise. They succeed because of low awareness, easy trust and compromised trusted services. If popular email services like Gmail, Outlook, Yahoo, Rediffmail, Zoho etc. are unable to identify the malicious links, then it is natural for all of us to get fooled. Basically, the attackers research the scope of their massive attack before executing it. They hide themselves under different personal names and under different companies. A few techniques they use are:
- Encrypted communication with command and control servers
- Use of anonymizing technologies such as Tor (for traffic) and Bitcoin (for payment)
- Deployment of encrypted payloads to evade anti-virus scans
- Anti-sandboxing mechanisms to hinder anti-virus analysis
- Domain shadowing to conceal exploits and communications
- Fast flux techniques to keep the source of the infrastructure anonymous
- Polymorphic behaviour that alters the program’s identity
- Remaining dormant and unnoticed until the most suitable time to attack
- Spreading algorithms designed to reach as many hosts as possible over the LAN or the Internet
They try to execute their malicious projects using multiple computers distributed over the Internet. Mostly, they need sufficient computer processing power and resources to carry out their action as quickly as possible. In any case, their action always needs our involvement to succeed.
Role of cyber cops in these cases. Is it a cyber crime?