First published by ISS Today
On 12 May, more than 150 countries were attacked by ransomware with over 200,000 computers infected. Ransomware is a type of malicious software (malware) that encrypts a computer’s data until a ransom is paid. In this case, $300 worth of the cryptocurrency bitcoin was demanded for infected computers.
While the scale of the attack makes it seem spectacular, flaws found in the ransomware showed that the attacker was relatively amateur – cybersecurity specialists temporarily stopped the spread of the ransomware using a “kill-switch” that stops the software from running.
But new adaptations of the code are already being found, and if the world was this vulnerable to a relatively unsophisticated attack, what kind of damage could an experienced group of hackers cause? And what can be done to prevent future attacks?
Malware can only infect a computer if there is a vulnerability in the system such as a design flaw in the programming code. This particular type of ransomware was a worm, which is a form of malware that spreads by searching a network for other vulnerable computers to infect them as well.
The specific vulnerability that this worm searched for is one of the “exploits” for old Windows operating systems identified by the US National Security Agency. An exploit is a recognised vulnerability in a system that can be used to bypass its security. Security agencies gather these to use for hacking and spying on criminals or other governments. This particular exploit was leaked in mid-April by the hacking group Shadow Brokers.
The ransomware spread so quickly because of a widespread lack of basic cybersecurity. Four weeks before the leak, Microsoft released an update to fix the vulnerability. This means that most of the infected computers had not implemented security updates for more than two months. The rest of the infected computers were still running the outdated Windows XP operating system, which Microsoft stopped providing security updates for in April 2014.
The 12 May attack could have been avoided by following a few basic cybersecurity principles like regularly running software updates.
Good cybersecurity requires contingency planning. Just like any organisation must have emergency evacuation plans and fire drills, organisations and individuals should be prepared for cyberattacks. This entails regularly testing cybersecurity measures and, for organisations, can include having experts try to hack into their systems.
In the case of ransomware, data should be backed up and stored separately from the main network where it can’t be reached by malware. Organisations should have plans in place for how to maintain functionality without connectivity, such as having printed records.
Cybersecurity also depends on individuals using computers in a responsible way, in what is termed “cyber hygiene”. Organisations should teach staff basic cybersecurity principles like choosing complex passwords, not having the same passwords for different logins and using two-factor authentication to verify a user’s identity at login. Individuals should also learn to recognise suspicious documents or links where the source has not been verified and could contain malware.
Governments have a critical role to play in maintaining cybersecurity as well. In Africa, many countries still lack appropriate legislation to prosecute cybercrimes. While tracking down cybercriminals can be difficult, many perpetrators who have been traced haven’t been prosecuted because this legislation is missing.
Establishing the necessary legislation and international cooperation agreements is an important step towards addressing cybercrime. This needs to be supported by practical co-ordination mechanisms such as joint working groups, and the sharing of intelligence and techniques on combating cybercrime. Companies should be encouraged or compelled to disclose details of cyberattacks to help others prevent and combat future attacks.
There are also serious deficits in the skills for cyber defence and the tracing of perpetrators. The Centre for Strategic and International Studies estimates that by 2019, 1 to 2-million cybersecurity positions will remain unfilled. Governments should work in collaboration with technology companies to fill this gap and develop a new generation of cybersecurity professionals.
In 2016, an estimated $1-billion was paid to unblock ransomware; and in 2015, ransomware called CryptoLocker extorted more than $325-million.
Based on the tracking of bitcoin addresses associated with the 12 May attack, the cybercriminals have only managed to extort about $100,000 to date. The effects were relatively small, besides the disruption it caused. But if lessons aren’t learnt from this attack, the next one could be much worse.
Albertus Schoeman is a Consultant, Transnational Threats and International Crime Programme, ISS.
Photo: People use computers at a cyber cafe in Taipei, Taiwan, 13 May 2017. According to news reports, a ‘Ransomware’ cyber attack has hit computers in 99 countries with the attacker demanding 300 US dollars in Bitcoin to decrypt the files. Photo: EPA/DAVID CHANG