It is still difficult to assess the losses resulting from WannaCry, the malicious ransomware attack, despite attempts to slow it down. Experts warn that it may strike again in a wilder way in the light of newly discovered vulnerabilities.
The world is currently facing a new phase of more complex coordinated cyberattacks that have the ability to spread in seconds targeting various technological infrastructures. Such coordination hinder states from confronting them, once the attack has been launched. These attacks are driven by disparate groups of individuals, criminal gangs, mafia, and countries whether involved directly or indirectly. What is the malicious ransomware that wreaked havoc across the world, and how will cyber-attacks look like in the future, and what actions to be taken to avoid such risks? These are some of the questions that this analysis attempts to answer.
Malicious Ransomware and its Characteristics
There are two basic types of malicious ransomware, crypto and locker, the first only encrypts the data and allows the user to access the data, but cannot use them without the decryption key; the second establish a barrier between the user and the computer, a barrier the user cannot cross unless a ransom is paid. WannaCry software has several characteristics, which could be summarized according to the following:
1. It is not a new pattern: This type of malicious software- which encrypts files and demands ransom to decrypt them- appeared for the first time in 2005 under the name Archievus. Though it wasn’t sophisticated as WannaCry, yet it was a presented a hurdle for the decryption attempts. Later, it developed and reemerged under several different names, sometimes without the need to name it at all, as happened in 2011, till the emergence of Cryptolocker in September 2013. Cryptolocker was a sophisticated software that targeted companies through phishing to inflict casualties on individual users. Another version called CryptoDefense emerged in 2014, which was later developed and popped out under a new name CryptoWall. Mobile phones also came under attacks with the emergence of Sypeng and Koler, which had the ability to lock the mobile phone and deny the user access to personal date till a ransom of USD 200 is paid.
2. WannaCry is the most sophisticated to date: All previous attacks were characterized by limited spread, controlled quickly and their consequences were evaded. In the case of WannaCry, a group of anonymous hackers launched fierce attack on companies, factories and hospitals, hitting more than 300,000 users in approximately 150 countries around the world. It is the most vicious and prevalent attack, as it encrypted data on the infected servers and hardware, giving specific notice to the victim to pay up to about USD 300 for decryption, to be doubled after three days, and the data would be deleted if ransom was not paid after a week.
Unlike previous attacks that targeted individuals, this one has mainly targeted the economic entities because these institutions are most able to pay the ransom. Furthermore, such entities were the most affected as their databases include customers data, patents, financial accounts or marketing plans or others.
3. The hackers relied on two methods, phishing and zero-days, in their process: First, phishing is a traditional pattern used in cyber-attacks in general and malicious ransomware in particular. The virus is sent to individuals through an infected link, either through email or social media outlets and applications. Once the user click on the link the virus starts the encryption and lock the data.
Second, zero-day exploits are undiscovered bugs in software and operating systems such as Windows, exploited by hackers to control devices, plant malware and activate them. Zero-day is the most dangerous type of cyberattacks that can be used. When they happen, they are unavoidable in the onset, simply because they have not been discovered by cyber security specialists.
4. Bitcoin is the official currency for ransomware: During the few days leading to the attack, there was a significant spike in the exchange rate of bitcoin, crossing the USD 1800 threshold. This hike was unjustified in the beginning, especially with many economists predicted the currency's collapse. However, the hackers insisted that the ransom was to be paid in bitcoin, a decentralized online digital currency that relies primarily on anonymity, making the tracking of money transfers very difficult.
NSA Involvement
Analyses indicate the US National Security Agency (NSA) involvement in the development of this software before it was stolen and leaked. WikiLeaks published leaks of what was known as the "Vault7" on March 7, 2017, which leaked many projects, bugs and tools used by NSA to spy on all individuals around the world, including one of the tools developed by the agency to exploit some bugs in existing zero -days for Windows to spy on individuals and governments. NASA gave those bugs to Microsoft last August. Although Microsoft fixed the bugs in March, about two months before the attack, yet the patch did not include all the devices around the world, leaving many of them vulnerable to attacks. These bugs have been exploited by a group of hackers, which called itself Shadow Brokers, which had previously appeared in 2016 and claimed that it was able to steal some of the cyber-weapons developed by NSA.
Confronted by Coincidence
A cyber security researcher, owner of MalwareTechBlog account on Twitter, in collaboration with a friend in the Proofpoint, cybersecurity firm, through pure coincidence, found a code to kill-switch the attack. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. The researcher found an unregistered domain that receives pingbacks after ransomware infect each new target. This prompted the researcher to buy the domain, for about USD 10, and register it under his name. Once the domain was registered, the attack stopped for no apparent reason, and slowed down markedly.
Nevertheless, several researchers believe that this halt is temporary and not enduring, as the ransomware may strike again in a wilder and fiercer form, and may be unstoppable. But since the attack aims to gain money, not to revenge or mount terrorist actions, such a scenario is unlikely to happen. Instead, its creator may be willing to control it to prevent the collapse of the entire internet system, in order to count and reap the profits.
A New Generation of Cyber Attacks
Cyber attacks were marked during the last decade in general, until 2016 in specific as limited and temporary. They did not affect a large segment of users and did not halt government services. Apart from a military-style attacks like Stuxnet, these attacks have been limited to targeting bank accounts, websites and official pages on social media websites, usually causing a temporary paralysis of the service, to be quickly fixed by specialists.
This continued till the arrival of the internet of things attack that occurred in the United States on Friday October 21, 2016. Indeed, it was a major shift in the form and type of cyberattacks, where some hackers controlled simple internet-connected devices such as electronic games, music players, cameras connected to the internet, and some home electronic appliances. Hackers used it to mount cyberattacks on many websites such as Twitter, Netflix, and some operators of domains such as DynDNS, flooding these servers with millions and even billions of requests that exceed the capacity of servers to process data and respond to requests, causing the denial of service on a large number of users for a period amounted to 11 hours.
Less than six months later, the malicious ransomware WannaCry attacks emerged, the first of its kind on in terms of scale and number of victim users, causing financial losses, halting the health sector in the UK, leading to the cancellation of surgeries and postponement of emergency health situations. Thus, the attack affected a large segment of users in record time and crippled the health sector, one of the most crucial sectors of the British infrastructure.
Accordingly, one can say that the next generation of cyber attacks will have certain properties, among which are the following:
- Rapidly evolving cyber attacks: The shape of cyber attacks will swiftly evolve; so as to hit computers in one time, infect the Internet of things in another, and target mobile phones in a third one. The aims for such attack will also vary: one to gain money, another to serve political opposition or terrorism-related activities, and unjustified violence in others.
- Narrow time-gap between major attacks: The time frame difference between cyberattack and another will be shorter. We may witness several major attacks within one year, where the world hardly comes out of the fallout of one attack, another one will strike using different mechanism, scope and target.
- Relying on virtual currency: Virtual currencies, such as bitcoin will be the official currency in dealing with cyber attacks, due to its usage in actual trading, ability to be exchanged into conventional currencies, and decentralization, which makes it hard to trace.
- Growing complexity of the attack and its fallout: The attacks will be complex, difficult to track or determine its origin. It will involve a large number of individuals around the world, using unexpected devices in the process of hacking, like drones for misinformation, with disastrous consequences at either levels of individuals or states.
- A prominent role for non-state actors: Non-state actors will play an important role, may be equal to that of the States, whether a group of hackers or terrorist movements or international mafia, or even normal individuals.
- Involving non-professionals: Many hacking software are developed to be used by non-developers and professionals, anyone can buy and use them easily, opening the door for a large segment of the non-professionals to engage in this kind of attacks.
Despite the losses caused by the previous and current cyber attacks, including WannaCry, yet at the end of the day they target computers. However, with further technical developments in our daily lives and the spread of smart homes, the internet of things devices, artificial intelligence applications, it will be easier for the hackers to penetrate their targets, and the losses incurred will be much heavier. Projections suggest that the number of the internet of things devices by 2020 will be more than 20 billion machines, which are inherently vulnerable, easily penetrated and hacked. And if that happens, it may lead to the breakdown of the entire internet system or at least halt internet services in many regions around the globe.