One more reason why we should impose a global ban on Bitcoins

I argued yesterday that it is time to place a global ban on Bitcoins.

The reasons were clear. We need to disarm the cyber financial terrorists like those who were behind the WannaCry ransomware and who could also be planning other ransomware attacks with Uiwix and Jaff. We cannot allow these terrorists to benefit by bleeding the market. Even if the current perpetrators are small-time fraudsters, as some think they are, I anticipate that other professional terrorists, including rogue countries such as North Korea and Pakistan, would be quick to adopt such ransomware as their own weapon to carry on their proxy war against their enemies.

Now today’s report says that “Another large-scale cyberattack under way”.

According to this report, researchers have discovered a new attack linked to WannaCry, called Adylkuzz, which uses the recently disclosed NSA hacking tools (the underlying flaws have since been fixed by Microsoft) in a stealthier manner and for a different purpose.

Instead of completely disabling an infected computer by encrypting data and seeking a ransom payment, Adylkuzz uses the machines it infects to “mine” a virtual currency, Monero, as a background task, and transfers the money created to the authors of the virus.

This sort of infection had been reported earlier too, involving a piece of free software, and this is a replay of similar efforts to use the resources of the target computer to mine “crypto coins”.

This indicates that all “Unregulated Crypto Currencies” are the likely beneficiaries of such attacks and they need to be addressed as “Tools of Cyber Robbery” though this is more in the nature of a salami attack.

Though Adylkuzz is not directly linked to Bitcoin, it indicates the possibility of “Monero” also developing into a currency of the underworld, and this should be nipped in the bud. Monero is today only in the range of US$ 27.60 as against Bitcoin, which hovers around US$ 1760. It is therefore not as popular as Bitcoin. But soon it can become a junior Bitcoin, and we need to also consider banning such currencies, which feed on cyber financial terrorism.

Naavi

Naavi’s Advisory for Common People on WannaCry

WannaCry has not only affected companies but also individuals who are not actually the target audience for the payment of extortion money. Hence this advisory for such people.

Leaving all the technical discussions to the experts, I would like to provide the common man’s guide to fighting ransomware like WannaCry. This advisory is meant for circulation in the WhatsApp groups of non-technical persons.

If you are not so far affected by WannaCry, consider yourself lucky. But your luck may not hold for long, so act immediately with the following steps.

  1. Disconnect from the Internet and do not use the Internet or e-mail until the following exercise is complete.
  2. Buy one external hard disk matching your computer's storage capacity and create a full backup of both your operating system and the data.
  3. Windows provides an easy system backup option. You can use it. Additionally, data can be backed up manually.
  4. Ideally have two backups, one created through Windows and another manually.
  5. Some anti-virus software also provides its own means of creating a recovery disk. Create such a recovery disk through the anti-virus software. Also create another recovery disk through the process recommended by your computer/laptop manufacturer so that you can re-install the operating system from scratch.
  6. Some security software manufacturers may provide options for recovering the computer without re-installing the operating system. But this may be complicated for an ordinary computer user.
  7. Now go back to the computer and the Internet. Update your Windows to the current version (Windows 10) and apply all patches. Download updates to your anti-virus software. I advise you to also use a paid version of Malwarebytes or similar dedicated anti-malware software as a second line of defense.

Now you may be ready to face the consequences of a future attack. If there is an attack, do not pay the ransom. Reformat and restore the OS and data from the backup.

In case you are affected before you have taken the backup, it is most unfortunate. If you feel your data is not that critical, forget the incident as a bad dream and start afresh. Even if you are tempted to pay the ransom, beware that buying the ransom amount in bitcoin and paying it to the extortionist is itself a punishable offence, since it is classic “money laundering”. Also, there is no guarantee that the data would be restored even after payment.

If you are a professional, keep a record that your computer was in fact attacked. Do this by having a certified copy of your desktop with the ransomware message. CEAC.IN will provide the details of how this certificate can be obtained. This is required as evidence since, some time later, the taxman can ask you for the data, which you may refuse, and he may charge you for not providing the required data and assess you with a penalty.

After certification, you can keep the hard disk preserved so that, in the event that some Good Samaritan finds a decryption key for WannaCry in the next few weeks, you may restore your data. In the meantime you may use a new hard disk to continue your activities with the precautions mentioned earlier.

Ensure that you do not spread the infection from your computer to other computers by forwarding infection-ridden e-mails and messages. You should yourself now stop responding to phishing mails and clicking on attachments from unknown sources.

If necessary, open your emails first on your mobiles before opening on the computer. Ensure that your mobile also has a good anti virus program running.

Remember that there will be phishing mails suggesting removal of WannaCry which may themselves infect your computer. Be careful even if the e-mail appears to come from “Naavi”. There have been earlier occasions when spoofed e-mails have apparently gone out from “Naavi”. I will not take any responsibility for it. It is your responsibility to identify phishing e-mails and act cautiously.

Naavi

(P.S: Experts can suggest corrections if required to the above advisory. You can add your comment so that any person visiting this page would get the benefit of your suggestions.)

Is it time for a worldwide ban on Bitcoin to stop Cyber Financial Terrorism?

One of the counter-terrorism strategies is to choke off a terrorist organization's money supply. This holds good not only for terrorists in Kashmir or elsewhere and for the Naxalites, but also for organized cyber criminals.

If we look at the recent developments on the growth of “Ransomware”, there is no doubt that the collection of ransom through “Bitcoins” has become one of the hurdles for law enforcement. Though some brave people suggest that Bitcoins can also be tracked and they may be right to some extent, it is definitely not easy to locate the owner of the Bitcoin wallets in the anonymized world and zero in on the recipients of the bitcoins.

Just as Bitcoin is used for laundering legacy currency, bitcoin itself is laundered to make it less and less identifiable. Like spoofing an IP address, the recipients of Bitcoins break them up into sub-units, jumble them up and then distribute them before finally converting them into legacy currency, at which point there could be a possibility of identification.

At present the FBI thinks that it has the technology to track Bitcoins because it has had a few successes in the past. But in India, I am not sure if we have the forensic capability to track a Bitcoin transaction. The same would be true of many other countries. Hence Bitcoin continues to be the currency of convenience for cyber criminals.

Now that the WannaCry storm has blown over, it is anticipated that more such ransomware attacks may be coming up in the coming days. The news that WannaCry emanated from North Korea may not be correct as of now.

But it is likely that terrorists in Pakistan as well as the North Korean dictator would definitely get the idea and will soon send out a ransomware in the guise of Jaff ransomware or Uiwix ransomware or by any other name, and either use it as a weapon to destabilize the economy or to fund their nefarious activities.

Since India is one of the most affected countries both in terms of Cyber Crimes and Cyber Terrorism, we need to take the lead to run a global campaign to fight this “Cyber Financial Terrorism” called Ransomware.

We should therefore move the world forum such as United Nations to immediately declare Bitcoins as a “Banned Possession” across the globe without exception and stop its circulation.

This will ensure that Bitcoin holders will not be able to make profitable use of their holdings and hence it will cease to be a valuable currency for criminals.

Just as in the case of “Demonetization”, a one-time offer can be given to genuine Bitcoin holders to exchange their holdings for legacy currency after they provide proof of acquisition through properly accounted money.

I request Mr Arun Jaitley to take the lead in this direction. This will be an effective curb that forces ransomware writers to give up this means of extorting the community.

I look forward to a response from Mr Arun Jaitley as well as Mr Ravi Shankar Prasad in this regard.

Naavi

ALSO READ

Anonymize Bitcoins

How we got busted…

Bitcoins are easier to track than you think

Using Bitcoins anonymously

Uiwix, yet another ransomware like WannaCry – only more dangerous

Jaff Ransomware Family Emerges In Force

WannaCry and Cyber Insurance

The WannaCry ransomware seems to have targeted the health sector more, probably because most of the systems used in the industry were unpatched or old Windows systems, and also because their employees were not as well informed as those in the IT industry about social engineering and phishing mail threats.

Just as ATMs in the banking sector run on old Windows XP systems, it is possible that an industry like health care, which depends on many pieces of equipment with computerised support systems, may be running Windows XP in the background.

We already have evidence that some ATMs in India have been hit by WannaCry, but the damage has not been felt because the closure of ATMs was something people got used to in the last few months and a few more did not matter. ATMs themselves do not contain sensitive data and hence could be easily reset.

However, when an ATM was found to have been affected, there is a suspicion that the back-end system must also have been affected. Firstly, the infection cannot originate in the ATM except when ATM maintenance is undertaken with a USB drive. Mostly ATMs are updated remotely and hence are nodes of a back-end server. If therefore the local memory of the ATM has been affected, there is every reason to believe that the back-end server has already been compromised. The back-end server ultimately connects to the Core Banking server.

One reason that many Indian organizations seem to have escaped the vortex of the attack is that most of the servers could be running on Linux and not on Windows. This could have been the reason that even when parts of the network were affected, some parts remained safe.

In the health care segment, hospitals use a large number of diagnostic machines, some of which are critical equipment supporting surgeries, and any infection of these machines would cause a “Denial of Access” situation in the hospital.

One of the doubts that the health care segment is confronted with in the case of a ransomware attack is whether the attack needs to be reported as a “Data Breach” to the HHS. In the case of a Business Associate, the doubt is whether the attack has to be reported to the upstream data supplier.

In the case of a “Ransomware attack”, it is presumed that the nature of compromise is that “Data remains where it is but gets encrypted”. Hence data does not go out of the system and it is not a conventional data theft case.

However, data may become “unusable” even by the “authorized users”, and in case there is a request for data from the data subject, the request cannot be met. Hence there is a disruption of activities and a breach of contractual obligations without data loss.

Hopefully, data may be recovered after some time and processes may continue. However equipments need to be re-calibrated and tested before it is back to normal use.

HHS may not impose heavy penalties but reporting is a necessity.

Hence users of this compromised and rectified equipment need to first create evidence (in India the evidence should be certified under Section 65B of the Indian Evidence Act, as explained at www.ceac.in) that they have been adversely affected in this global storm and hence their systems have been disrupted. They need to simultaneously notify their principals about the disruption because “Denial of Service” is also a “Data Security Breach”.

The attack is a confirmation that the organization is perhaps using systems that are unpatched or unpatchable and which will remain vulnerable unless further action is taken. Hence a post-incident audit report has to be obtained where the cause of the breach is determined and necessary preventive measures are taken. In certain cases where the equipment is controlled by embedded systems which the hospital administration does not meddle with, the equipment manufacturers need to be notified and rectification demanded on an urgent basis. Some of this equipment may be “imported” and quick servicing may not be easy.

I pity the IT administrators of such systems because there may be no easy solution to their problem. While the CISOs may say, keep the equipment quarantined until it is disinfected and vaccinated, the business requirements may force re-induction of the equipment before a thorough check is done and systems are upgraded.

If so, they need to be alert to the possibility that a second wave of attack from a mutated virus may hit them again. To avoid any adverse impact on patients, hospitals which are dependent on such compromised IT systems need to reduce their dependence on IT and manually double-check the results produced by IT systems.

For those who have taken Cyber Insurance policies, it is time to check the clauses. In this incident, there is no data loss but there could be expenses involved in the recovery of systems and data. The ransom payment, if any, is an illegal expense and I am not sure if Cyber Insurance companies should cover this. But I am told that some Cyber Insurance companies may cover this expenditure also, and if so, it is fine. We know that when multiple systems are affected, the decryption key has to be bought for each such machine, and hence the actual ransom may not be $300 for an organization but several times more, and may go beyond the “Minimum Loss Clause” in the insurance contract.

If however an insurance company takes the stand that the attack was facilitated by the negligence of the user in not patching its systems, or by an employee's negligence in clicking on a phishing mail attachment etc., it will have some justification to reject the claims. This needs to be settled on the basis of the relationship between the Insurer and the Insured, on whether the negligence amounted to being “Grossly Negligent” or “Below Average Negligent”. This may depend on the policies and procedures adopted and documented and the manpower training undertaken in the past. If the organization has not previously undertaken effective measures to meet such contingencies, it would amount to “Negligence of the Organization” and not “Negligence of an Employee”, and hence the Cyber Insurance cover may be rejected.

It is time for every organization to review its past actions on cyber security so that in future, when such attacks recur, it is better equipped.

In the meantime, we may keep our fingers crossed and wait for the after-effects of the WannaCry storm to pass over.

Naavi

Also refer:

WannaCry: After worldwide ransomware hack, governments and cyber experts brace for more attacks

Insurance companies may face the brunt of botched tech after WannaCry

Cyber insurance market expected to grow after WannaCry attack

After WannaCry, ex-NSA director defends agencies holding exploits

India third worst hit nation by ransomware Wannacry; over 40,000 computers affected 

WannaCry: Is it a US Cyber War Preparation that went awry?

Today, the 15th May 2017, Indian corporates, including banks, will be switching on their computers with a prayer on their lips, hoping that they would not see the dreaded “Your files are encrypted” screen.

It is still not clear what the extent of the damage the ransomware could cause would be. The first version was killed. But it is reported that a modified version which does not have the kill switch is now in circulation. It could spread like a worm in a networked computer, self-replicate and execute encryption code remotely. Most major anti-virus manufacturers have claimed to have included a ransomware protection tool either as part of their end-point security software or separately.

The first task for all IT users, particularly those who are using Windows systems, is to check if they have installed the patches provided for Windows and for the anti-virus software that they are using. They should not open their computers to the Internet before this task is accomplished. In this process, it is expected that most ATMs in the country will remain shut off today and create a mini cash crisis for Indian citizens who are running around for cash. Consequently there will be larger crowds than normal in the banks too, where the servers may also run slow. We therefore may find some confusion in the financial market.

Unconfirmed reports are suggesting that many Banks including Syndicate bank, Union Bank, SBI, Karnataka Bank have been affected by the ransomware. Even HCL is reported to have been affected. I hope this report is not true as otherwise there would be chaos in the Banking industry today which will extend to the stock markets by the afternoon.

CERT-IN has announced a webcast to make companies aware of the issue which those interested may attend. The webcast may be available at webcast.gov.in. It may be difficult to access in view of the network related issues but it is worth trying.

CCN-CERT of China has issued a prevention tool which may be available here which security professionals can check.

Amidst all the confusion it is necessary to note that one of the reports indicates that India is one of the countries with the highest number of infections.

Initially the breakout was observed in the UK and Europe, where there is a large number of infections, particularly in the health care sector. The Indian impact may be yet to unfold. If the above report is true, then nearly 10% of the infections are in India and we will come to know about the impact some time during this week.

We are concerned that the GST and UIDAI systems may also be at risk and need to watch out.

The UIDAI system may not get affected since its design may prevent infection if normal precautions are in place. But the fact that the Iranian nuclear systems, which were “air gapped” and operating hundreds of feet below ground under utmost military security, could be affected by Stuxnet means that no system is really safe as long as there are employees who are ignorant and negligent.

We may recall that the Stuxnet which was perhaps developed by US/Israel to attack Iranian Nuclear program also infected (Reportedly) the Rare Earth Minerals near Mysore, in Karnataka, India. Similarly WannaCry may also ultimately reach the GST systems and UIDAI. GST is yet to start but some testing is on. It is good if they take special steps to secure this nationally critical information system.

What is tragic is to note that “Shadow Brokers”, the group which released the weaponized cyber exploitation tools developed by NSA, a couple of which have been used in the creation of WannaCry have released further exploits from the hacked NSA stable in the last few days which may result in newer attacks.

Thus the source of all the chaos that is occurring in the cyber world today is the NSA. The speed with which the ransomware spread in Europe, and the fact that the US itself has not been affected as much as other countries, indicate that most probably the infections had taken place earlier than when Shadow Brokers leaked the information, and exploitation occurred now. It is possible that the US had already infected systems in Europe and other countries as a part of its “Cyber Military Exercise”, and when the exploits were used by the criminals, the victims had no defense. It is like a military exercise for which a stockpile of weapons was kept ready, and terrorists took over the stockpile and used it for their own gains. It is a replay of a typical movie plot. Unfortunately we do not have a James Bond to enter in time and destroy the terror infrastructure before the real damage is done.

The Government of India and other affected countries need to take up the issue with the UN and question the US intentions. Is this in any way linked to discrediting Mr Trump? Is it linked to the change of the FBI Director in the US? These and other such questions bug our minds.

If US wants to stockpile Cyber weapons, it is their duty to secure them and not let hackers hack into their stockpile and endanger other countries. US should therefore take up a part of the liability for this Cyber attack and I request India to raise this issue in the appropriate forum.

For the time being we keep our fingers crossed and wait to see how the impact of the ransomware unfolds in India.

Naavi

Related Articles

MeitY reaches out to RBI, others against Wanna Cry ransomware

Cyber experts working round the clock to protect India from the ‘biggest ransomware’ attack

Revealed: The mysterious case of ‘Shadow Brokers’ and NHS hacking

Seriously, Beware the Shadow Brokers

U.S. Government Fears a Monday Explosion of the Ransomware Plague It Helped Create

Wannasmile… a quick tool

China and Japan wake up to the Attack…

How To Remove…Symantec

Update at 8.52 AM

The new infection map for the last 24 hours, given below, indicates that a large number of Indian computers are infected. Even the US is now getting affected, probably because we are dealing with a worm that travels across the network and today US systems are also connected worldwide.

The Day After ..WannaCry ransomware attack

The WannaCry ransomware attack across 100+ countries attracted huge media attention yesterday. It continues to be the main story in the print media today. The developments on the ransomware have been fast and furious, with security experts all over the world joining hands to find a remedy for WannaCry.

A few hours into yesterday, CERT-In joined in by sending out its advisory, but the advisory was a little too late to be of any practical help. By that time most of the anti-virus and anti-malware companies had put out their advisories, and they had been circulated by most security professionals and in discussions over social media, including Naavi.org. Nevertheless, this was one of the few occasions when CERT-In did respond with an advisory within a short time, and hopefully the trend will continue and improve in future.

One of the reasons stated for the delay is that CERT-In has to wait for secondary confirmations before an advisory is sent. But there is no use in locking the stable after the horses have bolted. Keeping in mind the nature of an organization like CERT-In, I suggest that CERT-In should develop an “Incident Alert” which could go out as an “Intelligence Advisory” even when a security threat is not fully confirmed to the satisfaction of a Government agency like CERT-In, and then follow it up with a full-scale advisory. This will meet the needs of the market and preserve the conservative outlook on advisories to be held out by the agency.

For the sake of records, we have given below some links which provide an excellent analysis of the Version 1 of the WannaCry ransomware.

This was “Accidentally” halted yesterday through an activation of the “Kill Switch” when a security professional analysing the malware code found that the encryption is activated only if the malware cannot connect to a particular website named in the code. The URL named was http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/

Out of curiosity he checked the domain and found that it remained unregistered. He registered the same and it acted as a “Kill Switch” for the malware.

The person has admitted that when he registered the domain he was not aware that it would act like a kill switch but since the domain looked strange, he tested if it was available and went on to register it.

The kill switch doesn’t help devices WannaCry has already infected. But by registering the domain, and then directing the traffic to it into a server environment meant to capture and hold malicious traffic (a “sinkhole”), some time has been bought for systems.
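As an added illustration (not part of the original post or the researcher's work it describes), the following PowerShell script shows the defensive use of the kill-switch fact above: because version 1 of the worm tries to resolve that domain before it encrypts anything, any host that looked the name up should be treated as infected, whether or not it reached the sinkhole. The DNS log lines and their column layout (date, time, client IP, record type, query name) are constructed for the example and must be adapted to the actual format of your resolver's logs.

```powershell
# Added example: flag hosts that queried the WannaCry v1 kill-switch domain.
# The log lines below are constructed; the column layout is an assumption.
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# Constructed resolver log: date time client-ip record-type query-name
$DnsLog = @'
2017-05-13 07:12:01 10.0.5.21 A www.example.com
2017-05-13 07:12:04 10.0.5.33 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-13 07:12:05 10.0.5.33 A update.microsoft.com
2017-05-13 07:13:10 10.0.7.14 A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-13 07:14:22 10.0.5.21 A mail.example.com
'@ -split "`n"

function Find-KillSwitchLookups {
    param(
        [string[]]$Lines,
        [string]$Domain
    )
    foreach ($line in $Lines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 5) { continue }          # skip blank or malformed lines
        $query = $parts[4].TrimEnd('.').ToLower()      # normalise trailing dot and case
        # Match the domain itself or any name under it (the worm uses www.<domain>).
        if ($query -eq $Domain -or $query.EndsWith('.' + $Domain)) {
            [pscustomobject]@{
                Time   = $parts[0] + ' ' + $parts[1]
                Client = $parts[2]
                Query  = $query
            }
        }
    }
}

$hits = @(Find-KillSwitchLookups -Lines $DnsLog -Domain $KillSwitchDomain)
$hits | Format-Table -AutoSize

# Each distinct client is a candidate for isolation, disk imaging (for the
# Section 65B style evidence the advisory above asks for) and patch checks,
# regardless of whether the lookup succeeded (sinkhole reached) or failed.
$infected = $hits | Select-Object -ExpandProperty Client -Unique
"Hosts to isolate: $($infected -join ', ')"
```

On the constructed log this reports two clients, 10.0.5.33 and 10.0.7.14; the second line shows why the match normalises case and the trailing dot, since resolver logs differ in how they record the queried name.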

Additionally, some security specialists advised disabling SMB 1 in Windows features, which comes activated by default. In fact, as far back as a year ago, a security specialist categorically stated (refer here) that this “Server Message Block” protocol had outlived its utility and has no place in the modern world of malicious hackers. It can be easily disabled by going into “Turn Windows features on or off” and unchecking the feature.
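Added example, not from the post or from any vendor advisory it links to: the same SMB 1 change done from an elevated PowerShell prompt, so that it can be checked before and after and repeated across many machines instead of clicking through the “Turn Windows features on or off” dialog. It assumes Windows 8.1 / Server 2012 R2 or later, where the SmbShare cmdlets and the SMB1Protocol optional feature exist; on older versions that feature name is not available and a different method is needed.

```powershell
# Added example: report, disable and re-verify SMB 1 on a Windows host.
# Run as Administrator. Assumes Windows 8.1/Server 2012 R2 or later.

function Get-Smb1Status {
    # Server-side protocol switch (what a remote worm talks to) and the
    # optional-feature state (client and server binaries).
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = $feature.State
        Smb2Enabled       = $cfg.EnableSMB2Protocol
    }
}

"Before:"
$before = Get-Smb1Status
$before | Format-List

# Turn off the SMB 1 server protocol immediately; no restart is needed for this part.
if ($before.Smb1ServerEnabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Remove the SMB 1 feature entirely; a restart may be required to finish.
if ($before.Smb1FeatureState -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

"After:"
Get-Smb1Status | Format-List

# SMB 2 stays enabled, so file and printer sharing keep working without SMB 1.
# The Microsoft patch the post refers to must still be installed; Get-HotFix
# lists installed updates so the relevant KB for this build can be confirmed.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 HotFixID, InstalledOn
```

Disabling the protocol and removing the feature are deliberately separate steps: the first takes effect at once and closes the exposed service, while the second removes the binaries but may wait for a reboot, which is why the script reads the state before acting and reports it again afterwards.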

I am not sure if CERT-In had observed this opinion and converted it into an “Advisory”. It is this sort of advisory that would be useful to the people.

In the meantime, the ego of the hackers who introduced WannaCry version 1 with a kill switch, which was deciphered quickly, has been hurt, and we already have notice that a new version of the malware has been released without the kill switch.

In view of this, the need to implement the security measures, including applying the patch provided by Microsoft and disabling SMB 1.0, becomes critical. Additionally, avoiding clicking on phishing mails and attachments also needs to be reiterated.

Some of the protective measures that people may try are as follows:

(Kindly beware that there would be phishing and fake sites offering such solutions which may themselves infect your company. Check if you are on a genuine site before proceeding further.)

  1. CERT advisory from Cyber Swachhta Kendra
  2. Kaspersky System Watcher (works on Endpoint Security)
  3. Guide at PCRISK.com
  4. Malwarebytes
  5. Bitdefender solution
  6. Sophos solution
  7. Trend Micro solution

The best solution for “Ransomware”, however, remains keeping an off-network data backup and complete segregation of critical systems from e-mail and Internet threats. Ensure that the backup is accessed and operated in a secure environment so that the backups will not be infected during the process of updating or retrieval.

Naavi

Related Articles

Technical Analysis

Marcus Hutchins, the hero who saved many from WannaCry