On 12 May, more than 150 countries were attacked by ransomware with over 200 000 computers infected. Ransomware is a type of malicious software (malware) that encrypts a computer’s data until a ransom is paid. In this case, $300 worth of the cryptocurrency bitcoin was demanded for infected computers.
While the scale of the attack makes it seem spectacular, flaws found in the ransomware showed that the attacker was relatively amateur – cybersecurity specialists temporarily stopped the spread of the ransomware using a ‘kill-switch’ that stops the software from running.
But new adaptations of the code are already being found, and if the world is this vulnerable to a relatively unsophisticated attack, what kind of damage could an experienced group of hackers cause? And what can be done to prevent future attacks?
Malware can only infect a computer if there is a vulnerability in the system such as a design flaw in the programming code. This particular type of ransomware was a worm, which is a form of malware that spreads by searching a network for other vulnerable computers to infect them as well.
The specific vulnerability that this worm searched for is one of the ‘exploits’ for old Windows operating systems identified by the US National Security Agency. An exploit takes advantage of a recognised vulnerability in a system to bypass its security. Security agencies gather these to use for hacking and spying on criminals or other governments. This particular exploit was leaked in mid-April by the hacking group Shadow Brokers.
The ransomware spread so quickly because of a widespread lack of basic cybersecurity. Four weeks before the leak, Microsoft released an update to fix the vulnerability. This means that most of the infected computers had not implemented security updates for more than two months. The rest of the infected computers were still running the outdated Windows XP operating system, for which Microsoft stopped providing security updates in April 2014.
The 12 May attack could have been avoided by following a few basic cybersecurity principles like regularly running software updates.
Good cybersecurity requires contingency planning. Just like any organisation must have emergency evacuation plans and fire drills, organisations and individuals should be prepared for cyberattacks. This entails regularly testing cybersecurity measures and, for organisations, can include having experts try to hack into their systems.
In the case of ransomware, data should be backed up and stored separately from the main network where it can’t be reached by malware. Organisations should have plans in place for how to maintain functionality without connectivity, such as having printed records.
Cybersecurity also depends on individuals using computers in a responsible way, in what is termed ‘cyber hygiene’. Organisations should teach staff basic cybersecurity principles like choosing complex passwords, not reusing the same password across different logins and using two-factor authentication to verify a user’s identity at login. Individuals should also learn to recognise suspicious documents or links whose source has not been verified and which could contain malware.
Governments have a critical role to play in maintaining cybersecurity as well. In Africa, many countries still lack appropriate legislation to prosecute cybercrimes. While tracking down cybercriminals can be difficult, many perpetrators who have been traced haven’t been prosecuted because the necessary laws do not exist.
Establishing the necessary legislation and international cooperation agreements is an important step towards addressing cybercrime. This needs to be supported by practical co-ordination mechanisms such as joint working groups, and the sharing of intelligence and techniques on combating cybercrime. Companies should be encouraged or compelled to disclose details of cyberattacks to help others prevent and combat future attacks.
There are also serious deficits in the skills for cyber defence and the tracing of perpetrators. The Center for Strategic and International Studies estimates that by 2019, one to two million cybersecurity positions will remain unfilled. Governments should work in collaboration with technology companies to fill this gap and develop a new generation of cybersecurity professionals.
In 2016, an estimated $1 billion was paid in ransoms to unlock data encrypted by ransomware; and in 2015, ransomware called CryptoLocker extorted more than $325 million.
Based on the tracking of bitcoin addresses associated with the 12 May attack, the cybercriminals have only managed to extort about $100 000 to date. The effects were relatively small, besides the disruption it caused. But if lessons aren’t learnt from this attack, the next one could be much worse.
Written by Albertus Schoeman, Consultant, Transnational Threats and International Crime Programme, ISS