Thursday, May 25, 2017

Does your software make you WannaCry?

The recent WannaCry ransomware attack brought back memories of my own experience with ransomware more than four years ago. 

Thankfully, that was the only time I fell prey to this cruel malware that encrypts the user’s files and demands payment for unlocking them.  At the time, I was annoyed. It was an inconvenience to be unable to use my home computer, but it wasn’t a crisis.  I could afford the time to find a way to decrypt the ransomware (or let my husband figure it out while I was at work, although I think he might have preferred that I just pay the ransom…)  

Today would be a different story.  I use my laptop to work at home or wherever I happen to be.  It is my primary means of communicating with friends and family.  It is my key source of news.   It gives me directions to places I need to go.  I use it to make appointments, pay bills, and buy things.  Being denied access, even for a day, would be unthinkable.  

After my encounter with ransomware, I was mildly curious about how my computer was infected.  I assumed I had inadvertently opened an email with a bad attachment, although I have always been very careful about that. 

I found that poor security and outdated software make one vulnerable to such attacks. While we prided ourselves on good security for our home computers, I was a little unsure about keeping up with software updates (that often include security patches).  The notices would pop up at inconvenient times, and the downloads took too long.  Had I clicked “remind me later” or “snooze” too many times?  Shut off my computer instead of permitting an update to be downloaded?  

Yeah, well who hasn’t?

Over time, I continued to follow stories of ransomware, but couldn’t get too excited about the technical details.  I was surprised to find that the origin of ransomware is credited to one Dr. Joseph L. Popp, an evolutionary biologist (anthropologist) with a PhD from Harvard, who in 1989 distributed 20,000 disks to attendees of a World Health Organization (WHO) conference on AIDS.  On the disk was an interactive survey that would supposedly measure a person’s likelihood of contracting AIDS.  Also on the disk, was a virus that would encrypt the user’s files after rebooting a fixed number of times.  When the lock-up occurred, the user was given a message to turn on their printer which then delivered a ransom note demanding payment of $189 for a decryption key.  Payment was to be made to the attention of PC Cyborg Corporation at a post office box in Panama.  

This was something new, so it is understandable that victims (including private and government laboratories, universities and other medical research institutions) would panic.  It was subsequently reported that some of these deleted their own data because their hard drives had been compromised.  

“PC Cyborg Corporation” was a fictitious entity.  The chances of finding the perpetrator would seem remote, but less than two weeks after the virus went public, Dr. Popp made a mistake.  While traveling back to the U.S. (from Nairobi where he had attended a WHO seminar on AIDS), he came to the attention of airport officials in Amsterdam when they discovered “DR. POPP HAS BEEN POISONED” written on another passenger’s suitcase.  A subsequent baggage search turned up a seal labeled “PC Cyborg Corp.” in Popp’s luggage and, soon thereafter, the FBI arrested Popp at his parents’ home in Ohio.  (The mistake was that Popp himself wrote the message on the suitcase…)

Popp was extradited to the UK and charged with blackmail and criminal damage.  His motive, however, was not clear.  

Popp was himself engaged in AIDS research as a part-time WHO consultant, although some thought the ransomware attack was retaliation for a recent rejection for a WHO job. Others, prompted by Popp’s lawyer’s claim that Popp was going to use the ransom payments for alternative AIDS research, thought he was a reformist who was unhappy with the current state of AIDS research.  The judge concluded Popp was insane and unfit to stand trial.  (In addition to the suitcase message, while awaiting trial, Popp was reported to have worn a cardboard box on his head, condoms on his nose and curlers in his beard to ward off radiation.)  While there was other evidence suggesting that Popp had been planning the attack for more than a year and was intending to distribute additional disks, Popp was allowed to return to the U.S. without penalty, where he later opened the Joseph L. Popp Jr. Butterfly Conservatory in Oneonta, NY.  

What started as perhaps a political statement turned to “fun” for teenagers in the early years of the internet, but has since become a real moneymaker for the criminally inclined, and a serious challenge to businesses and organizations.  

While we typically hear about the large entities that are struck by cybercrime, it is generally understood to be a much greater threat to small and medium sized businesses which do not have the economic means to maintain large IT staffs or pay for outside services necessary to keep ahead of the criminals.  Nearly two years ago, in a Public Statement the Commissioner of the SEC identified small and medium-sized businesses as the principal target of cyber attacks because of their limited preparedness and their relationships with larger organizations making them an attractive entry to the big guys. Although perhaps a mere stepping stone, the effect of a cyber attack on a small business is much more brutal because of the lack of ability to withstand the loss of data or lost time, as well as potential damages relating to the disclosure of confidential and/or customer information – all without cyber liability insurance coverage. 

The Commissioner’s Statement offers some recommendations for education and resources that should be available to small and medium businesses, all seemingly appropriate and of a nature that would benefit the public generally.  While you are waiting for that to happen, however, take heed of the practical advice from security experts who suggest that we use recommended security programs and practices, and promptly update our software (WannaCry is reported to have primarily infected computers running unpatched versions of Windows 7).  There are tools that can decrypt files corrupted by ransomware, but they may be costly and/or take time, without guaranteeing that the files will be successfully recovered, so the best bet is to also maintain offline backups of important data.  

No need to hurry, but just last week, while the WannaCry stories were still prominent, a Croatian security expert discovered new stream of malware (referred to as EternalRocks) that also uses the tool stolen from the National Security Agency to spread the virus (did I forget to mention that?), as well as other tools from the NSA. Initial reports are that this will spread faster and further than WannaCry.  Wanna cry?

No comments :

Post a Comment