What makes up the recent wave of attacks?
Ransomware program WannaCry swept the world May 12, holding victims’ computer files hostage and demanding a ransom of $300 to $600 worth of the digital currency bitcoin to release them. In what may be the largest cyberattack to date, WannaCry took control of at least 200,000 computers running older versions of the Windows operating system in 150 countries, locking up their files. The attack hit companies and institutions hardest, including British hospitals, German train stations, a Portuguese telecommunications company, and FedEx in the United States. Microsoft had released a security update about two months before the attack, but large institutions, where installing updates can mean costly downtime or even corrupted software, often lag behind individual users in upgrading their software.
Just a month later, on June 27, a new attack borrowing and improving WannaCry’s lethal method of leaping automatically from device to device on the same network broke out in Ukraine, shutting down ATMs and Chernobyl nuclear power plant computers before spreading to more than 65 other countries. Nicknamed Petya, for its superficial similarities to a 2016 attack of the same name, this new malware also encrypts files before demanding a bitcoin ransom.
Are the attacks over?
No. Both are still out there, but waning. WannaCry has been declawed, thanks to the creators’ sloppy coding and a timely move by a British security researcher who goes by the pseudonym MalwareTech.
While examining a WannaCry sample in a computer isolated from the internet, MalwareTech noticed that, before locking up files, the program searched for a nonexistent domain. He immediately registered the website as a way to track the attack’s spread, but what he didn’t realize at first was that he’d also halted the attack worldwide. Further testing showed that when WannaCry successfully connected to the domain, it went dormant. Some say this feature was a “kill switch” to allow the malware’s creators to stop the attack, but MalwareTech suspects it was a poorly thought-out defense against anti-virus analysis.
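The registered domain did double duty as a sinkhole: an infected machine still performs the lookup before going dormant, so resolver logs reveal which hosts tried to run the malware. The following is an added example, not code from the article or from MalwareTech, that pulls those hosts out of constructed BIND-style query-log lines; the domain name is a placeholder, to be replaced with the sinkholed domain from a current advisory.

```python
"""Sinkhole-hit triage over DNS resolver logs (constructed sample data).

A WannaCry-style sample queries a domain before encrypting. Once that domain
is registered (sinkholed), infected hosts still emit the lookup even though
they then go dormant, so each client seen querying it needs patching.
"""
from datetime import datetime
import re

# Placeholder: substitute the sinkholed domain named in a current advisory.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log lines (simplified BIND query-log format):
# "<timestamp> client <ip>#<port>: query: <name> IN A"
SAMPLE_LOG = """\
12-May-2017 07:44:01.120 client 10.0.3.17#51234: query: www.example.org IN A
12-May-2017 07:44:09.551 client 10.0.3.17#51240: query: killswitch-domain.example IN A
12-May-2017 07:45:02.004 client 10.0.7.200#43981: query: killswitch-domain.example IN A
12-May-2017 07:46:11.330 client 10.0.3.17#51301: query: killswitch-domain.example IN A
12-May-2017 07:47:00.001 client 10.0.9.5#60001: query: updates.example.net IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN"
)


def sinkhole_hits(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: (lookup_count, first_seen)} for queries of `domain`."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("name").rstrip(".").lower() != domain:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        ip = m.group("ip")
        count, first = hits.get(ip, (0, ts))
        hits[ip] = (count + 1, min(first, ts))
    return hits


def triage_order(hits):
    """Client IPs ordered by earliest lookup, so the first-seen host is examined first."""
    return sorted(hits, key=lambda ip: hits[ip][1])


if __name__ == "__main__":
    found = sinkhole_hits(SAMPLE_LOG)
    for ip in triage_order(found):
        count, first = found[ip]
        print(f"{ip}: {count} lookup(s), first at {first.isoformat()}")
```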
Petya’s Achilles’ heel, if there is one, was still undiscovered at press time. More sophisticated than its predecessor, Petya is equipped with multiple ways to spread, including stealing administrator credentials. Unlike WannaCry’s indiscriminate propagation, however, Petya prioritizes fully penetrating a single network rather than spreading to others. This narrower focus leads security experts to believe the new infection rate will continue to taper off.
Who’s to blame for the attacks?
Both attacks used hacking tools designed by the US National Security Agency (NSA), tools that exploited weaknesses in the way older Windows computers communicate. The aim was to spy on the SWIFT banking network, probably to track cash flows in the Middle East.
The NSA malware tool kit was stolen by a mysterious group known as The Shadow Brokers. After failing to auction off its goody bag of NSA-engineered spyware, the group leaked a portion in April, including what would become the heart of the new ransomware attacks. Microsoft’s March update closed a fatal flaw (perhaps thanks to a tip from the NSA), but anyone still clicking “remind me later” remains vulnerable. Members of The Shadow Brokers are thought to be Russian – or NSA insiders.
As for the actual architects, the ease with which anyone can copy-and-paste public code makes attribution challenging, but British intelligence and an internal NSA memo blame WannaCry on the North Korea-linked Lazarus Group. Research on Petya continues to unfold.
How much will the ransomware creators rake in?
These crimes may not pay. Bitcoin “wallets” are anonymous, but public, and investigators are watching the payment addresses WannaCry and Petya specified. At press time, no withdrawals had been made.
But the amateur way both attacks handle payments leads security experts to doubt that money is the motivation. Many suspect Petya, which spread stealthily for five days before being triggered just before Ukraine’s Constitution Day, uses ransom to mask a political blow. Some point to Russia, although the attack hit Russian networks, too.
Are we safe from future attacks?
These particular attacks may be ebbing, but with The Shadow Brokers taking advantage of the publicity to advertise its new $65,000 NSA-hack-of-the-month subscription service, experts expect the threat to grow. The attacks have renewed debate in the security community as to how the NSA should balance its offensive and defensive missions.
To stay safe, keep devices updated and backed up. If you do become a victim, experts say don’t pay up. Rewarding hackers encourages more attacks, and there’s no guarantee you’ll get your data back.