Computer Active (UK)

RANSOMWARE Stay Safe NOW

The next hack is coming – everyone will be targeted... WHAT YOU MUST DO TO PROTECT YOURSELF


Scan your PC for locked files

Turn on automatic updates

Protect your phone and tablet

Back up to multiple discs

Configure your anti-virus

Ransomware is out to get you. You knew that already – and we expect you are better prepared than the NHS was when WannaCry struck three weeks ago. But the global attack has only just begun, and ransomware hackers are boasting that they’ve got your Windows 10 PC in their sights next.

WHAT YOU’LL LEARN

The real reason so many NHS computers were hacked

Why ransomware hackers will hit Android and Windows 10 next… and when

How to guarantee your Windows OS and software are up to date

Why your antivirus isn’t enough to stop the next ransomware attack

How to stop ransomware locking your files – then get rid of it for free

In this special feature we’ll examine what actually happened, why so many PCs fell victim and why the next big ransomware outbreak will be far more dangerous than WannaCry. Then we’ll reveal how you can protect yourself without ever paying a penny to hackers – and why antivirus and Windows Update are the bare minimum.

Anatomy of the NHS attack

On Friday 12 May, staff at hospitals and GP surgeries switched on their computers to find they’d been hacked. Emblazoned across their screens was a ransom note demanding a Bitcoin payment of $300 (£230) to unlock their files, which had been encrypted by malware named Wanna Decryptor (aka WannaCry, WannaCrypt, Wecry… you get the idea).

A few victims paid up, but not before they’d unwittingly infected dozens of their colleagues. WannaCry was being spread at almost unimaginable speed by a self-replicating worm that had broken into and swept through the NHS’s vast network. The impact was devastating. Ambulances were diverted from hospitals, appointments were cancelled and life-saving operations were postponed at the last moment.

The hackers couldn’t have chosen a more emotive and damaging target – but they hadn’t actually chosen the NHS. WannaCry had no agenda. It was just malware that rampaged through and between corporate networks, automatically infecting every vulnerable computer it was able to access.

This strategy gave WannaCry a bigger hit rate than any other ransomware in history. By the end of that warm spring weekend, WannaCry had spread from the UK and Spain – where it was first detected – to more than 300,000 computers in over 150 countries, paralysing businesses and organisations including international delivery company FedEx, Spanish telecoms provider Telefonica, German railway operator Deutsche Bahn and even the Russian Interior Ministry.

Those numbers didn’t convert to cash, however. Only about 300 ransoms were collected in the first week, thanks to a bug in WannaCry’s Bitcoin payment code. At the time of writing WannaCry has netted its anonymous overlords roughly $100,000 (£77,000). That’s small change compared with the $27 million (£20m) raked in by CryptoLocker when it held 250,000 computers ransom in 2013.

Another sloppy error in WannaCry’s code allowed a 22-year-old British IT worker to save thousands of victims from having their files locked. Hours after the NHS attack, Devon-based Marcus Hutchins spotted a URL in the ransomware’s code and paid £8 to register the domain (the URL really trips off the tongue: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com). That was a kill switch, and registering it instantly rendered WannaCry unable to encrypt victims’ data.

The End? Well, no. Hutchins – who blogs under the name MalwareTech (www.malwaretech.com) – warned that the hackers would respond by tweaking WannaCry’s code to make it work again. As predicted, a second wave of attacks struck as the working week began. This time, the hackers doubled the ransom to $600 (£460).

Phishing, Windows XP and other red herrings

Confusion was king over the WannaCry weekend as newspapers jumped to make sense of the attack. A number of ‘facts’ were repeatedly reported – most of which were later shown to be completely false.

For example, the ransomware was assumed to be mostly hitting Windows XP computers. That assumption took hold because Microsoft hadn’t patched security holes in XP since the operating system was put to pasture in 2014. Adding fuel to the rumour came news that Microsoft had released an emergency patch to protect XP users from the WannaCry outbreak (it can still be downloaded free from www.snipca.com/24430). But a week after the attack, security researchers at Kaspersky Labs revealed a shocking statistic: 98.35 per cent of WannaCry’s victims were using Windows 7, meaning Windows XP was far from the biggest problem.

As long ago as 14 March, Microsoft updated Vista, Windows 7 and 8.1 to patch the flaw that WannaCry exploited. But victims were hit because they’d failed to run Windows Update.

“The Windows XP count is insignificant,” Kaspersky researcher Costin Raiu said on Twitter (www.snipca.com/24445). The Windows 10 infections shown on Kaspersky’s graph (left) are down to lab testing; the flaw doesn’t actually exist in Windows 10.

Another assumption was that WannaCry came from a phishing email. A single solitary staff member in each affected organisation had supposedly clicked a dodgy link and allowed the worm into the network. Cue sleepless nights for all employees who thought they were the one to blame.

However, security researchers from SophosLabs spent days searching for the offending links and attachments, to no avail.

So how did the worm get into the NHS’s network? Security expert Simon Edwards, head of antivirus testing firm SE Labs (https://selabs.uk), thinks that the worm probably found its way to the NHS’s network through shared network drives that weren’t properly secured. “The worm was then able to enter the network and propagate,” he told us.

So who’s to blame?

Before we get into the blame game, let’s remember who the real villains are – the criminals who unleashed WannaCry. Nobody knows where it originated, but security firm Symantec says it’s “highly likely” that North Korean hacking group Lazarus was responsible. But who’s culpable for the NHS catastrophe? When WannaCry appeared to be a Windows XP problem, it was easy to blame underfunding. Old unsupported computers were being used to store your private medical data and monitor your operations, and now those computers had been hacked. Conclusion: the government was to blame.

Oh, but wait. The victims were running Windows 7, as it turned out. Here’s another statistic: just 4.7 per cent of NHS computers run Windows XP, according to NHS Digital. So the health service has been upgrading its computers, after all. It just hasn’t been updating the software.

Microsoft was another easy villain when the story was about Windows XP. After all, it’s Microsoft that forces everyone to keep upgrading to a new version of Windows, then whips out the safety net from older versions. Worse, it transpires that Microsoft opted not to let XP users have the patch unless they coughed up ‘custom support’ fees of $400 (£305) or more. The patch was only released for free once WannaCry was wreaking havoc.

So let’s move on to the organisation that’s definitely at fault: the US government. Specifically the NSA (National Security Agency), America’s intelligence organisation. Media reports suggest that the NSA developed a secret tool called EternalBlue nearly a year ago and didn’t tell Microsoft. EternalBlue could ‘exploit’ – or take advantage of – a vulnerability in Windows, apparently for the NSA’s own intelligence-gathering purposes. The NSA didn’t tell Microsoft because it wanted to keep the vulnerability unpatched – so it could continue to exploit it by using malware designed to spy on suspected criminals and terrorists.

It took until March this year for the NSA to tell Microsoft, and then only after the details were stolen by a group of hackers calling themselves Shadow Brokers.

Things then moved very fast. Microsoft rushed to patch the flaw on 14 March. A couple of weeks later, over the Easter weekend, Shadow Brokers dumped the stolen info online. It was promptly picked up by the hackers who tweaked it into WannaCry and pressed Send.

“Microsoft is furious with the NSA,” security expert Graham Cluley (www.grahamcluley.com) told us. “If they’d told Microsoft about the vulnerability much earlier, far fewer organisations might have been hit by this ransomware.”

Microsoft vs governments vs hackers

State-sponsored hacking isn’t limited to the USA. Our own secret services – including GCHQ – employ ‘white hat’ hackers to find flaws in software, then build spyware and other tools to exploit them. It’s an integral part of the fight against terrorism and organised crime.

Integral, but also extremely risky. If government malware falls into the wrong hands, the effects can be devastating.

In a furious blog post published two days after WannaCry struck the NHS, Microsoft demanded a more responsible attitude and renewed its calls for a ‘Digital Geneva Convention’ to establish international standards for fighting cybercrime. “The governments of the world should treat this attack as a wake-up call,” wrote Microsoft’s president, Brad Smith (www.snipca.com/244524454). “Consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.” Smith cited the recent theft of the CIA’s hacking tools, published in March by WikiLeaks (www.snipca.com/24455), as evidence that the EternalBlue theft was not a one-off. He likened it to the theft of nuclear missiles.

Security experts have welcomed Microsoft’s proposal but said it’s unlikely to work. That’s partly because different countries have different laws and don’t want to share secrets, but also because they have too much to gain from spying on their citizens. “Politicians want to put out a message that they’re tough on crime and terror,” Graham Cluley said. “They want to be seen snooping on potential criminals and letting ISPs watch people – even when the ISPs don’t want to.”

Ministers often respond to terrorist attacks by calling for more hacking powers. “Our intelligence services should have the ability to get into situations like encrypted WhatsApp,” Home Secretary Amber Rudd said after the Westminster attack in March (www.snipca.com/24458). Meanwhile, the Investigatory Powers Act, called the ‘Snoopers’ Charter’ by its critics, gives 48 government bodies – including HMRC – the right to monitor everything you do online, then store the data for a year (www.snipca.com/24467). We certainly hope they store it more securely than the NSA stored EternalBlue.

Why ransomware is about to get much worse

Windows 10 and Android (the Google operating system used on millions of tablets and phones) are ransomware’s next big targets. WannaCry happened to exploit a security hole in older versions of Windows, but flaws are found regularly in Windows 10 and Android too – that’s why they need updating so often. Some vulnerabilities are patched quickly by Microsoft and Google. Others are found, kept quiet and later exploited by secret services and hackers.

Shadow Brokers have already threatened to release more zero-day bugs and exploits every month, starting in June. They promise “browser, router, handset exploits and tools (and) newer exploits for Windows 10” (www.snipca.com/24456). Hackers are waiting to snap them up, monetise them using ransomware code, then send them off to steal from as many people as possible.

WannaCry was a missed opportunity for the criminals who sent it, however. When ransomware gets its payment system right, it’s by far the most lucrative type of malware – as we saw during the CryptoLocker outbreak. With such monetary rewards available to hackers, it’s no surprise to see ransomware growing at a terrifying rate. In the first three months of 2017, Kaspersky detected more than 55,000 new ransomware strains for Windows alone, nearly double the number from the previous three months. Mobile ransomware leapt more than three times in the same period, according to Kaspersky’s latest Malware Report (www.snipca.com/24464, see chart below left).

According to one recent survey, an extraordinary one-third of all large UK companies are now stockpiling Bitcoin in case they suffer a ransomware attack and need to unlock their files quickly (www.snipca.com/24463). Following the WannaCry attack, that number is likely to increase sharply.

But ransomware isn’t just a problem for organisations. WannaCry was spread using a network worm, but other worms and botnets can exploit all sorts of internet-connected devices, including routers and smart TVs as well as Windows PCs. Hackers will use phishing tricks to get them on to your devices. As we write this, the first post-WannaCry botnet ransomware, Xdata, is rampaging through computers in Eastern Europe, spreading even faster than WannaCry (www.snipca.com/24460). It won’t be the last.
