Destruction after disruption: cyber security becoming top priority

The WannaCry ransomware shook the media last month by infecting, encrypting, and ransoming the data of roughly 200,000 victims in 150 countries, in a cyber attack of unprecedented scale, according to EU police body Europol. With the reappearance of the threat at a Honda manufacturing facility in Japan and the emergence of the GoldenEye virus in Ukraine, companies and organisations need to take a long hard look at their cyber defences.

WannaCry in May, and now the GoldenEye (Petya) virus calls attention to cyber security (Source: securelist.com)

The ransomware was designed to spread quickly among computers on the same network and encrypt their files, then demand a ransom in difficult-to-trace bitcoin, ranging from $300 to $600 per affected computer.

WannaCry made use of EternalBlue, an exploit for a Microsoft Windows vulnerability that the NSA had developed as a tool for its surveillance activities. The hacking tool was stolen by a group of hackers known as The Shadow Brokers and was published on WikiLeaks earlier in 2017.

To address the vulnerability, Microsoft had published a security patch (MS17-010) in March, but companies and individuals at large were slow to install it, which made it possible for WannaCry to launch the widest cyber attack to date in May.

According to a summary posted on dataprotectionreport.com, the ransomware also included an additional piece of malware called DoublePulsar, which provides attackers with a backdoor for gaining further access to infected systems later on.
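The spreading behaviour described above leaves a distinctive trace in network logs: a worm probing its neighbours over SMB (the Windows file-sharing service that EternalBlue targets, normally TCP port 445) shows up as one host opening connections to many distinct peers on that port within a short window. The following Python script is an added example, not code from the article or from any of the sources it cites. It assumes a simple `timestamp src dst dport action` connection-log format, runs over constructed sample lines embedded in the script, and raises an alert for any source whose count of distinct SMB destinations in a sliding window crosses a threshold; denied attempts are counted as well, since a blocked probe is still evidence of scanning.

```python
"""Flag worm-like SMB fan-out in connection logs (added example, constructed data).

Assumed log format, one connection attempt per line:
    <ISO-8601 timestamp> <src ip> <dst ip> <dst port> <allow|deny>
A host that opens connections to many distinct peers on TCP 445 (SMB, the
service EternalBlue targets) within a short window is behaving like a worm
scanning its neighbours, whatever the firewall decided for each attempt.
"""
from collections import Counter, defaultdict
from datetime import datetime

SMB_PORT = 445

# Constructed sample: 10.0.1.15 probes eleven neighbours in ten seconds,
# 10.0.1.40 talks to two file servers (normal), 10.0.1.41 uses HTTPS only.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 allow
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 445 allow
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445 deny
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 445 allow
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445 allow
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 445 allow
2017-05-12T10:00:05 10.0.1.15 10.0.1.26 445 allow
2017-05-12T10:00:06 10.0.1.15 10.0.1.27 445 allow
2017-05-12T10:00:07 10.0.1.15 10.0.1.28 445 allow
2017-05-12T10:00:08 10.0.1.15 10.0.1.29 445 allow
2017-05-12T10:00:09 10.0.1.15 10.0.1.30 445 allow
2017-05-12T10:00:10 10.0.1.40 10.0.1.5 445 allow
2017-05-12T10:00:11 10.0.1.40 10.0.1.6 445 allow
2017-05-12T10:00:12 10.0.1.41 10.0.1.5 443 allow
2017-05-12T10:00:13 10.0.1.41 10.0.1.6 443 allow
"""


def parse_log(text):
    """Parse the assumed format into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_smb_fanout(events, window_s=60, threshold=10):
    """Return one alert per source that reaches `threshold` distinct SMB
    destinations within any `window_s`-second sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        # Denied attempts count too: a blocked probe is still a probe.
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        in_window = Counter()   # dst -> number of attempts inside the window
        start = 0
        peak, first_crossed = 0, None
        for ts, dst in conns:
            in_window[dst] += 1
            # Slide the window start forward past attempts older than window_s.
            while (ts - conns[start][0]).total_seconds() > window_s:
                old = conns[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            peak = max(peak, distinct)
            if distinct >= threshold and first_crossed is None:
                first_crossed = ts
        if first_crossed is not None:
            alerts.append({"src": src, "distinct_smb_targets": peak,
                           "first_crossed": first_crossed, "window_s": window_s})
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_fanout(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['src']}: {alert['distinct_smb_targets']} distinct SMB "
              f"targets within {alert['window_s']}s, first crossed at "
              f"{alert['first_crossed'].isoformat()}")
```

On the constructed sample the script alerts only on 10.0.1.15; the host with two legitimate file-server connections and the host using HTTPS stay quiet. The threshold and window are the tuning knobs: a tight window with a modest threshold catches a fast-spreading worm within seconds while leaving backup servers and administrators' management hosts, which touch many machines but over longer periods, below the line.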

The first WannaCry attacks were recorded on May 12, 2017 and made headlines by wreaking havoc on organisations including FedEx, Spanish telecommunications operator Telefonica, and the UK’s National Health Service (NHS), forcing the British national healthcare provider to cancel operations and X-rays and making test results and patient records unavailable.

Within less than a day, a security researcher found and inadvertently activated a so-called kill switch in the software. By identifying and purchasing the domain of the web address that the first WannaCry strain was attempting to contact, the first attack was effectively stopped, but within two days additional strains appeared, many without the kill switch.

According to dataprotectionreport.com, by May 17 WannaCry had affected at least 100,000 organisations in 150 countries. However, cybersecurity-insiders.com had already estimated this number at more than 200,000 on May 15, attesting to the incredible scale and spread rate of the ransomware.

Scale of the attack

While cyber security expert Dr Afzal Ashraf speculated that WannaCry was meant to target small companies, shaking them down for a relatively small amount of money, the grievous unpreparedness of computer systems around the globe netted much larger fish very early in the game.

Probably the most serious and noteworthy attack was made on the NHS, whereby 48 NHS organisations and some GP practices were affected. NHS Wales and Northern Ireland fell outside the scope of the attack.

According to the BBC, WannaCry hit the NHS brutally hard, as much of the organisation's operations are done electronically. By encrypting data, the organisation's entire patient record was made inaccessible, effectively stalling the operations of medical centres.

“Our entire patient record is accessed through the computer—blood results, history, medicines,” Dr Chris Mimnagh, who works at a medical centre in Liverpool, told the BBC. “Most of our prescribing is done electronically... it's sent direct to the pharmacy and (...) all that is not able to be accessed when we lose the clinical system.”

Dr Emma Fardon, a GP in Dundee, returned from house visits to find the surgery’s computers demanding money. “We can’t access any patient records. Everything is fully computerised," she said. "We have no idea what drugs people are on or the allergies they have. We can't access the appointments system."

Probably the reason why the NHS was so badly hit, despite security experts’ conviction that it was not targeted specifically by the malware, is its reliance on a massive IT infrastructure. An immense number of partners are connected to the system’s core network, ranging from pharmacies, surgeries, and hospital departments to suppliers, leaving sizeable holes in the system’s security net. Without a sufficient overview of all connected parties and their security settings (including the installation of security updates, which was apparently woefully neglected throughout the overall system), WannaCry found a hotbed in which to spread and bring the entire organisation to its knees.

Apart from the UK, the ransomware ran rampant around the world: according to Kaspersky Lab research, in France some Renault factories had to stop operations, while in the US delivery company FedEx was affected. Similarly, Spanish telecommunications group Telefonica and a series of gas companies were struck, and the Russian Ministry of Internal Affairs reported that about 1,000 of its computers were infected.

According to the BBC, Russia might have seen the most infections, as banks, state-owned railways, and a mobile phone network were hit, in addition to the Ministry of Internal Affairs, which reported that the virus was swiftly dealt with and no sensitive data was compromised.

Twitter-famous: a German ticket machine infected with WannaCry (Source: Twitter)

Twitter was awash with pictures of an infected ticket machine in Germany, after the federal railway operator’s electronic boards had been disrupted.

In Spain, telecom giant Telefonica and utilities firms Iberdrola and Gas Natural were affected, along with Portugal Telecom, an Italian university computer lab, and a Swedish local authority. Schools in China and hospitals in Indonesia and South Korea were also hit, attesting to the global scale of the attack.

Not done yet?

Within a month WannaCry seemed to have lost momentum and the world cyber community was lulled into its usual false sense of security once again. However, the threat is far from over.

Recently, the computer system of a Honda manufacturing plant in Japan was infected, causing a complete plant shutdown on Wednesday, June 21. According to Reuters, Honda discovered on June 18 that the virus had affected networks across Japan, North America, Europe, China, and other regions, despite the company’s efforts in May to immunise its computer system against it—an encore causing such widespread disturbance is hardly good news.

Additionally, according to news site bgr.com, the Shadow Brokers hacker group responsible for leaking EternalBlue, on which WannaCry was based, has said it has many more exploits misappropriated from the NSA in its bag of tricks and that it will make them available to paying customers.

GoldenEye or Petya has spread to more than 60 countries within just two days

A further disconcerting development was the emergence of the GoldenEye or Petya virus on Tuesday, June 27, which spread from Ukraine through a local news site and by infecting a popular downloadable tax accounting package.

According to Reuters, within a single day the virus spread as far as Danish shipping giant A.P. Moller-Maersk, causing congestion at some of the 76 ports around the world run by the company’s APM Terminals subsidiary. Late on Wednesday, June 28, the company announced that its systems were back online.

Additionally, US delivery firm FedEx reported that its TNT Express division had been badly hit by the virus, and the virus found its way into Argentinian ports operated by Chinese company Cofco.

The virus works very similarly to WannaCry, as it encrypts data on machines and demands a ransom of $300 for decryption.

Tom Kellermann, chief executive of Strategic Cyber Ventures, told Reuters that, unlike WannaCry, the GoldenEye virus was not meant for petty profiteering but as a powerful disruption tool, since it made use of wiping software that made it impossible to recover the lost data.

“It was a wiper disguised as ransomware. They had no intention of obtaining money from the attack,” he said.

According to Brian Lord, a former official at Britain’s Government Communications Headquarters who is now managing director at private security firm PGI Cyber, the attack was an experiment in using ransomware to cause destruction.

By the estimates of risk-modelling firm Cyence, the economic losses caused by WannaCry and GoldenEye would likely total $8 billion.

With hacker groups managing to steal surveillance tools from the NSA, turning them into powerful tools of disruption, and now even trying their hand at outright destruction, companies across the world are reminded to redouble their cyber security efforts and raise protection to the top of their agendas.

By Tom Nguyen