Naavi.org

Building a Responsible Cyber Society…Since 1998

Naavi’s Advisory for Common People on WannaCry

Posted by Vijayashankar Na on May 17, 2017
Posted in Cyber Law

WannaCry has affected not only companies but also individuals who are not actually the target audience for the payment of extortion money. Hence this advisory for such people.

Leaving all the technical discussions to the experts, I would like to provide the common man’s guide to fighting ransomware like WannaCry. This advisory is meant for circulation in the WhatsApp groups of non-technical persons.

If you are not so far affected by WannaCry, consider yourself lucky. But your luck may not hold for long, and hence act immediately with the following steps.

  1. Disconnect from the Internet and do not use the Internet or e-mail until the following exercise is complete.
  2. Buy one external hard disk matching the size of your computer’s storage and create a full backup of both your operating system and your data.
  3. Windows provides an easy system backup option. You can use it. Additionally, data can be backed up manually.
  4. Ideally have two backups, one created through Windows and another manually.
  5. Some anti-virus software also provides its own means of creating a recovery disk. Create such a recovery disk through the anti-virus software. Also create another recovery disk through the process recommended by your computer/laptop manufacturer, so that you can re-install the operating system from scratch.
  6. Some security software manufacturers may provide options for recovering the computer without re-installing the operating system. But this may be complicated for an ordinary computer user.
  7. Now go back to the computer and the Internet. Update your Windows to the current version (Windows 10) and apply all patches. Download updates to your anti-virus software. I advise you to also use a paid version of Malwarebytes or such other dedicated anti-malware software as a second line of defence.

Now you may be ready to face the consequences of a future attack. If there is an attack, do not pay the ransom. Reformat, and restore the OS and data from the backup.

In case you are affected before you have taken the backup, it is most unfortunate. If you feel your data is not that critical, forget the incident as a bad dream and start afresh. Even if you are tempted to pay the ransom, beware that buying the ransom amount in bitcoin and paying it to the extortionist is itself a punishable offence, since it is classic “money laundering”. Also, there is no guarantee that the data will be restored even after payment.

If you are a professional, keep a record that your computer was in fact attacked. This is done by having a certified copy of your desktop with the ransomware message. CEAC.IN will provide details of how this certificate can be obtained. This is required as evidence since, some time later, the taxman can ask you for the data, which you may refuse, and he may charge you for not providing the required data and assess you with a penalty.

After certification, you can keep the hard disk preserved so that, in the event that some good Samaritan finds a decryption key for WannaCry in the next few weeks, you may restore your data. In the meantime you may use a new hard disk to continue your activities, with the precautions mentioned earlier.

Ensure that you do not spread the infection in your computer to other computers by forwarding infection-ridden e-mails and messages. You should yourself now stop responding to phishing mails and clicking on attachments from unknown sources.

If necessary, open your e-mails first on your mobile before opening them on the computer. Ensure that your mobile also has a good anti-virus program running.

Remember that there will be phishing mails suggesting removal of WannaCry which may themselves infect. Be careful even if the e-mail appears to come from “Naavi”. There have been earlier occasions when spoofed e-mails have apparently gone out from “Naavi”. I will not take any responsibility for it. It is your responsibility to identify phishing e-mails and act cautiously.

Naavi

(P.S.: Experts can suggest corrections to the above advisory if required. You can add your comment so that any person visiting this page would get the benefit of your suggestions.)

One of the counter-terrorism strategies is to choke a terrorist organization of its money supply. This holds good not only for terrorists in Kashmir or elsewhere and for the Naxalites, but also for organized cyber criminals.

If we look at recent developments in the growth of “Ransomware”, there is no doubt that the collection of ransom through “Bitcoins” has become one of the hurdles for law enforcement. Though some brave people suggest that Bitcoins can also be tracked, and they may be right to some extent, it is definitely not easy to locate the owner of Bitcoin wallets in the anonymized world and zero in on the recipients of the bitcoins.

Just as Bitcoin is used for laundering legacy currency, bitcoin itself is laundered to make it less and less identifiable. Like spoofing an IP address, the recipients of Bitcoins break them up into sub-units, jumble them up and then distribute them before finally converting them into legacy currency, at which point there could be a possibility of identification.

At present the FBI thinks that it has the technology to track Bitcoins because it has had a few successes in the past. But in India, I am not sure if we have the forensic capability to track a Bitcoin transaction. So it would be for many other countries. Hence Bitcoin continues to be the currency of convenience for cyber criminals.

Now that the WannaCry storm has blown over, it is anticipated that more such ransomware attacks may be coming up in the coming days. The news that WannaCry emanated from North Korea may not be correct as of now.

But it is likely that terrorists in Pakistan as well as the North Korean dictator would definitely get the idea and will soon send out ransomware in the guise of Jaff Ransomware or Uiwix Ransomware or by any other name, and either use it as a weapon to destabilize the economy or to fund their nefarious activities.

Since India is one of the most affected countries both in terms of Cyber Crimes and Cyber Terrorism, we need to take the lead to run a global campaign to fight this “Cyber Financial Terrorism” called Ransomware.

We should therefore move world forums such as the United Nations to immediately declare Bitcoins a “Banned Possession” across the globe without exception and stop their circulation.

This will ensure that Bitcoin holders will not be able to make profitable use of their holdings and hence it will cease to be a valuable currency for criminals.

Just as in the case of “Demonetization”, a one-time offer can be given to genuine Bitcoin holders to exchange their holdings for legacy currency after they provide proof of acquisition through properly accounted money.

I request Mr Arun Jaitley to take a lead in this direction. This will put an effective curb on ransomware writers and make them give up this means of extortion on the community.

I look forward to a response from Mr Arun Jaitley as well as Mr Ravi Shankar Prasad in this regard.

Naavi

ALSO READ

Anonymize Bitcoins

How we got busted…

Bitcoins are easier to track than you think

Using Bitcoins anonymously

Uiwix, yet another ransomware like WannaCry – only more dangerous

Jaff Ransomware Family Emerges In Force

WannaCry and Cyber Insurance

Posted by Vijayashankar Na on May 17, 2017
Posted in Cyber Law

The WannaCry ransomware seems to have targeted the health sector more, probably because most of the systems used in the industry were unpatched or old Windows systems, and also because their employees were not as well informed as those in the IT industry about social engineering and phishing mail threats.

Just as ATMs in the banking sector run on old Windows XP systems, it is possible that an industry like health care, which depends on a lot of equipment with computerised support systems, may be working in the background on Windows XP.

We already have evidence that some ATMs in India have been hit by WannaCry, but the damage has not been felt because the closure of ATMs was something people got used to in the last few months, and a few more did not matter. ATMs do not contain sensitive data in themselves and hence could be easily reset.

However, when an ATM was found to have been affected, there is a suspicion that the back-end system must also have been affected. Firstly, the infection cannot originate in the ATM except in the case where ATM maintenance is undertaken with a USB drive. Mostly, ATMs are updated remotely and hence are nodes of a back-end server. If therefore the local memory of the ATM has been affected, there is every reason to believe that the back-end server has already been compromised. The back-end server ultimately connects to the core banking server.

One reason that many Indian organizations seem to have escaped the vortex of the attack is that most of their servers could be running on Linux and not on Windows. This could be the reason that, even when parts of the network were affected, some parts remained safe.

In the health care segment, hospitals use a large amount of diagnostic equipment, some of which is critical for supporting surgeries, and any infection of these machines would cause a “Denial of Access” situation in the hospital.

One of the doubts that the health care segment is confronted with in the case of a ransomware attack is whether the attack needs to be reported as a “Data Breach” to the HHS. In the case of a Business Associate, the doubt is whether the attack has to be reported to the upstream data supplier.

In the case of a “Ransomware attack”, it is presumed that the nature of the compromise is that “data remains where it is but gets encrypted”. Hence data does not go out of the system, and it is not a conventional data theft case.

However, data may become “unusable” even by the “authorized users”, and in case there is a request for data from the data subject, the request cannot be met. Hence there is a disruption of activities and a breach of contractual obligations without data loss.

Hopefully, data may be recovered after some time and processes may continue. However, equipment needs to be re-calibrated and tested before it is back in normal use.

HHS may not impose heavy penalties but reporting is a necessity.

Hence users of this compromised and rectified equipment need first to create evidence (in India the evidence should be certified under Section 65B of the Indian Evidence Act, as explained at www.ceac.in) that they have been adversely affected in this global storm and hence their systems have been disrupted. They need to simultaneously notify their principals about the disruption, because “Denial of Service” is also a “Data Security Breach”.

The attack is a confirmation that the organization is perhaps using systems that are unpatched or unpatchable and which will remain vulnerable unless further action is taken. Hence a post-incident audit report has to be obtained in which the cause of the breach is determined and necessary preventive measures are taken. In certain cases where the equipment is controlled by embedded systems which are not meddled with by the hospital administration, the equipment manufacturers need to be notified and rectification demanded on an emergent basis. Some of this equipment may be “imported” and quick servicing may not be easy.

I pity the IT administrators of such systems, because there may be no easy solution to their problem. While the CISOs may say, keep the equipment quarantined until it is disinfected and vaccinated, the business requirements may force re-induction of the equipment before a thorough check is done and systems are upgraded.

If so, they need to be alert to the possibility that a second wave of attack from a mutated virus may hit them again. To avoid any adverse impact on patients, hospitals which are dependent on such compromised IT systems need to reduce their dependence on IT and double-check the results produced by IT systems manually.

For those who have taken Cyber Insurance policies, it is time to check the clauses. In this incident, there is no data loss, but there could be expenses involved in the recovery of systems and data. The ransom payment, if any, is an illegal expense, and I am not sure if Cyber Insurance companies should cover this. But I am told that some Cyber Insurance companies may cover this expenditure also, and if so, it is fine. We know that when multiple systems are affected, the decryption key has to be bought for each such machine, and hence the actual ransom for an organization may not be $300 but several times more, and may go beyond the “Minimum Loss Clause” in the insurance contract.

If, however, an insurance company takes the stand that the attack was facilitated by the negligence of the user in not patching its systems, or by an employee’s negligence in clicking on a phishing mail attachment, etc., it will have some justification to reject the claims. This needs to be settled on the basis of the relationship between the Insurer and the Insured, on whether the negligence amounted to being “Grossly Negligent” or “Below Average Negligent”. This may depend on the policies and procedures adopted and documented and the manpower training undertaken in the past. If the organization has not previously undertaken effective measures to meet such contingencies, it would amount to “Negligence of the Organization” and not “Negligence of an Employee”, and hence the Cyber Insurance cover may be rejected.

It is time for every organization to review its past actions on Cyber Security so that in future, when such attacks recur, it is better equipped.

In the meantime, we may keep our fingers crossed and wait for the after-effects of the WannaCry storm to pass over.

Naavi

Also refer:

WannaCry: After worldwide ransomware hack, governments and cyber experts brace for more attacks

Insurance companies may face the brunt of botched tech after WannaCry

Cyber insurance market expected to grow after WannaCry attack

After WannaCry, ex-NSA director defends agencies holding exploits

India third worst hit nation by ransomware Wannacry; over 40,000 computers affected