Since May 12, 2017, the world has been witnessing one of the worst ransomware attacks ever recorded in internet history. As per the latest reports, WannaCry, a kind of ransomware, has spread to 150 countries, locking down over 200,000 computers worldwide. The damage caused has been devastating. The UK’s health services had to turn away patients, FedEx had to turn away customers, Russia’s interior ministry computers were reportedly locked down, Renault had to shut its computers and Spain’s largest telecom company, Telefonica, had to ask its employees to shut down their computers.
The absence of any reports from India may not be a reason to cheer, however. Many, due to obvious reasons, may not be reporting and may be silently paying the criminals to unlock ransomed files. While technical solutions are being found to control the spread of WannaCry, the potential of such attacks to cripple national infrastructure requires a comprehensive strategy to combat such future attacks.
On the reactive side, besides technically taking care of the locked system, it is required that such acts be severely punished. Just like in traditional crimes, punishment for ransomware attacks needs to be imposed not only on those who engineer such attacks but also on those who facilitate such attacks.
It is common knowledge that ransomware exploits vulnerabilities which exist within the operating systems of computers. WannaCry, too, exploited a known Server Message Block protocol vulnerability present in Microsoft Windows operating systems since Windows XP. While Microsoft, in a departure from its past practices, in order to stall the progress of WannaCry, issued patches for operating systems it no longer supports publicly (Windows XP), its liability for having left these vulnerabilities in the system cannot be washed away. While Microsoft did issue an update in March to address the vulnerability, one can argue that the company did not do enough to stress the importance of the update. It’s only now, when the focus of the entire world is on Windows, that the update is being brought into focus. The payment of damages from makers of operating systems with such gaping holes will not only adequately compensate the victims but also act as a future deterrent to such negligence on the part of software manufacturers.
On the preventive front, in order to protect the national critical infrastructure in India, as mandated by Section 70A of the amended IT Act, 2000, a National Critical Information Infrastructure Protection Centre has been set up. Towards this goal, a National Cyber Security Policy was rolled out in 2013.
While these are good measures, India can take a leaf out of the 11 May, 2017, US presidential executive order on cyber security. This order provides a 240-day window to complete risk assessment of all federal networks of importance. It also mandates the presenting of a strategy to combat cyber terrorism in a span of 90 days from the date of signing of the order. Considering the urgency of the situation, time frames for getting national infrastructure risk-assessed and for developing a clear policy of public-private partnership in combating such crimes are urgently required.
Besides macro-level efforts, since the strength of any security effort is measured by the strength of the weakest link, the implementation of best practices cannot be left as mere guidelines. At a micro level, backing up resources and keeping the systems updated need to be made mandatory. Negligence towards any of these best practices needs to be penalized on the same lines as those who unleash such attacks.
In this entire episode, the chilling fact is that ransomware is not a new phenomenon. The first ransomware program, AIDS Trojan, surfaced way back in 1989. It attacked the health industry and demanded a ransom for unlocking files on users’ computers. Since then, this crime has grown. In 2016 alone, as per estimates of the FBI (Federal Bureau of Investigation, USA), cyber criminals pocketed USD 1 billion through ransomware. Ransom figures in the recent attack, as per Bitcoin accounts, are growing with each passing day.
If this has to stop, besides local measures, a coordinated global effort is required. Severe punishments to perpetrators and facilitators of such attacks, besides mandated preventive measures, seem to be the only remedy to wipe out the travails of WannaCry-like attacks in future.
Sanjay Pandey is an Indian Police Service officer currently posted as ADG Homeguards in Mumbai and is a Certified Information System Security Professional (CISSP).