Good cyber habits to thwart ransomware attacks – The Times of India Blog

Posted: February 24, 2022 at 2:14 am

Ransomware: the malicious phenomenon that has catapulted cybercrime to the numero uno crime syndicate in the world, easily surpassing syndicates like narco-trafficking.

The years were 2016-2017, and the saga unfolded straight out of a Hollywoodesque sci-fi potboiler. Hacktivists in the elite National Security Agency (NSA) of the USA, called The Equation Group, were working at a frenetic pace, stockpiling zero-day vulnerabilities (exploits not yet made public) in the ubiquitous Windows operating system, in order to weaponise them to launch nation-state cyberwarfare attacks against hostile nations. The NSA, instead of alerting Microsoft about the fatal vulnerabilities in the Windows operating system, was embellishing them as marquee trophies to use in cyberattacks against the critical infrastructure of rogue nations.

Unbeknownst to the NSA hackers, the infamous group Shadow Brokers, owing allegiance to the Russian state, hacked into the NSA's secrets and stole the catastrophic WannaCry and its family of ransomware codes, which exploited vulnerabilities in the Windows operating system. The malware primarily consisted of twin codes, i.e. DoublePulsar, which created a backdoor (malicious entry) in vulnerable Windows systems, especially those with open TCP (transmission control protocol) ports, and the highly dangerous EternalBlue code, which was the payload for encrypting data in victims' systems and was conspicuous by its worm-like feature, which propagated it from one computer to another networked computer without the need to click on any malicious link (a zero-click propagating feature), making it extremely deadly and capable of spreading at lightning speed.

The Shadow Brokers put the arsenal of weaponised ransomware up for online auction on the darknet (for a detailed discourse on the darknet, kindly refer to my previous column dated 9 February 2022). However, they found no takers for the malware, hence they released it gratis, whereupon it was lapped up, allegedly, by the notorious Lazarus group, a North Korean state actor. This is the horrific story of the world's deadliest family of ransomware attacks (RWAs), viz. WannaCry, Petya and GoldenEye.

In just a few hours, computer systems in more than 150 countries became dysfunctional and more than 1 million computers were converted into an array of botnets (i.e. a group of zombie networked computers hijacked by hackers by introducing malware and spreading the infection in a cascading effect). The ransomware spread at an incredible pace. Several small enterprises shut down as they could not bear the loss of their entire database; large enterprises suffered losses of billions of USD; MNCs, the public sector, the private sector, railways, police, banks, malls, energy companies, ISPs, and even ports and health services came to a grinding halt.

India's own JNPT port was also hit, and the operations of the largest container port in the country were halted for four days.

The National Health Service (NHS) of the UK was badly crippled, with thousands of patients requiring critical surgeries turned away from hospitals, leading to an incalculable loss of lives. The WannaCry family spread its tentacles from Europe to the US to India, severely affecting Russia's biggest oil company, Rosneft, and the world's biggest advertising agency, WPP. The sordid tale of the world's deadliest ransomware attack (RWA) had a grim twist. Even though billions of USD were paid in ransom through cryptocurrency by victims, the irony is that no one got their data back, and the RWAs of WannaCry are still continuing to date as we read this column.

What is ransomware?

The world first came across the term ransomware, in the true sense, after cryptocurrencies like bitcoin came into vogue in 2013, with the advent of the malevolent CryptoLocker RWA, which utilised the Gameover Zeus botnet and extorted over USD 3 million. Russian hacker Evgeniy Bogachev, father of the Zeus botnet and originator of the first sophisticated ransomware attack (RWA), is still at large and carries a reward of more than USD 5 million.

Ransomware may be defined as malware code that exploits vulnerabilities in a computer system, or uses phishing techniques, to gain access to a victim's computer network and then runs an encryption process, which converts hard disk data from plaintext to ciphertext, which is nothing but unintelligible gibberish. Subsequently, the malevolent actor demands a ransom to re-convert, or decrypt, the unusable encrypted data into usable plaintext.

What makes ransomware exponentially dangerous is that it is next to impossible for experts to decrypt the data, as current techniques of decryption, like RSA, would require billions or even trillions of years to decrypt the data.

Ransomware attacks, or RWAs, can severely impact business processes, as without data, mission-critical services get obliterated, causing colossal economic and reputational damage. Apart from data loss through coercive encryption, the malicious actors also make money by reselling the data on the darknet and by selling access to the data, leading to disclosure of the organisation's sensitive information and breach of privacy. Imagine the plight of a housing loan company in India that was hit by a potent ransomware attack (RWA) in 2020: owing to the loss of data, the organisation was entirely at sea, not even knowing how much loan to recover from which client. It paid over Rs 50 crore in ransom, in bitcoin, to procure the decryption key. The case was never reported to law enforcement agencies.

Cryptocurrencies have given a tremendous fillip to ransomware proliferation. Virtual currencies lend relative anonymity to the owner, and though law enforcement agencies, with a herculean transnational effort, may sometimes be able to track the cryptocurrency wallet, tracking the individual beneficiary requires extensive forensic analysis (IP address analysis), which makes it nigh impossible to track the cybercriminal.

Hence, ransom is invariably demanded in cryptocurrencies. It is also remarkable that most cases of ransomware are never reported, for fear of loss of data or credibility, and the ransom is surreptitiously paid. Law enforcement agencies track the transactions of suspected cryptocurrency wallets to estimate the quantum of ransom paid; consequently, it only remains an approximation. From 2019 onwards, RWAs have reached a scale hitherto unprecedented. The pandemic induced a shift to remote and hybrid online work, which has expanded the attack surface for launching RWAs.

Forbes, in its recent edition, states that in 2021 ransomware extortions exceeded USD 20 billion and that a ransomware attack is launched every 10 seconds somewhere on the planet, affecting 2.5 million Internet of Things (IoT) devices. The economics of the ransomware trade has seen the best cybercriminals earning millions of US dollars every month, which has led to the industrialisation of cybercrime, with revenues exceeding 6 trillion USD in 2021, about 2.5 times India's economy.

In mid-2021, JBS, the largest meat supplier in the USA, paid USD 12 million as ransom (approximately Rs 90 crore) to the malevolent actor REvil. Similarly, Colonial Pipeline, the largest refined product pipeline in the US, extending over 5,500 miles, was hit by a massive ransomware attack (RWA) by a group christened DarkSide, which crippled fuel supplies on the east coast of the US. It paid a ransom of about USD 5 million to get its critical data back.

A survey by the cybersecurity firm Sophos claimed that India is the 5th most affected country in the world by RWAs. A whopping 76% of Indian entities faced RWAs in 2020-21, and many of these organisations are yet to discover that. In 2021, many Indian companies and government organisations fell victim to RWAs. The food giant Haldiram got its data encrypted in July 2020, with a ransom demand of approximately Rs 70 crore. The case to date remains undetected, with the rumour mills in overdrive, claiming that the ransom was secretly paid. Similarly, in mid-2020, Indiabulls and Domino's fell victim to massive RWAs. The irony is that all these cases have hit a stalemate and remain undetected.

A celebrated case of an RWA affecting a government organisation occurred in March 2021, when the Maharashtra Industrial Development Corporation (MIDC) and its 16 regional offices were hit by the SynAck RWA, which was allegedly traced to Kazakhstan and Bulgaria, and a ransom of over Rs 500 crore was purportedly demanded. That case too remains languishing in the police files of undetected cases. Ransomware has become such a profitable venture that ready-made ransomware package codes are being offered for sale on the darknet. The out-of-the-box phenomenon of Ransomware as a Service (RaaS) claims to automatically handle key issues like the scale of encryption required, ransom specifications and negotiations, answering victims' FAQs, how to get data back, helping victims sign up for a bitcoin wallet, how to pay the ransom, et cetera.

Though RWAs have emerged as a robust evil, with negligible cases being detected and perpetrators brought to justice, the silver lining is that RWAs can easily be thwarted and made ineffective. The key lies in:

- Good cyber-hygiene habits like regular vulnerability scanning and penetration testing.

- Regular cybersecurity audits involving the updating and proper configuration of firewalls, and adoption of the latest patches and software updates to iron out exploits.

- Collective resilience by spreading awareness about phishing attacks, and hardening guidelines like multi-factor authentication (MFA) for all services to the extent possible, for example VPNs, webmail, et cetera.

- And most importantly, a consistent schedule of taking data backups on offline devices, so that in the case of a potent RWA, the offline data can easily supplant the encrypted data.
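An offline backup only supplants encrypted data if the copy itself is known to be intact. The following added example (not part of the original column) records a hash manifest when the backup is written and, at restore time, flags files whose content has changed in place, the tell-tale sign that a ransomware process has already touched them; file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, taken when the offline
    backup is written; the manifest is kept alongside the offline copy."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Re-hash the tree and report what no longer matches the manifest.
    'modified' is the signal that matters for ransomware: a file whose
    content changed without anyone editing it has likely been encrypted."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "added": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed sample: a two-file backup, then one file overwritten in
    place with non-text bytes (standing in for encrypted content) and one
    unexpected file dropped into the tree."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger.csv").write_text("client,loan_outstanding\nA,100\n")
        (root / "notes.txt").write_text("quarterly notes\n")
        manifest = build_manifest(root)          # taken at backup time
        (root / "ledger.csv").write_bytes(bytes(range(256)))
        (root / "RESTORE_NOTE.txt").write_text("constructed sample file\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest must travel with the offline copy rather than stay on the live network, otherwise an intruder who can encrypt the data can rewrite the hashes as well.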

It is high time that law enforcement agencies get their act together, become more proactive and act as a bulwark to pre-empt RWAs.

With so many technologies offering anonymity, like cryptocurrencies, proxy bouncing, VPNs, Tor browsers and the darknet, the only solution is for law enforcement agencies to become smarter than the cybercriminals, go undercover and join the forums on the darknet where discussions about launching novel RWAs regularly take place. To catch a cunning, transnational, sagacious criminal hell-bent on hiding their tracks, the police have to think like them and pre-empt their next move.

Views expressed above are the author's own.
