Published On: May 19, 2017 09:04 AM NPT By: Prajesh SJB Rana

The ubiquity of computers has gained unprecedented momentum in today’s digitalized world. While personal computers have made work easy for individuals, they have also made cataloguing and data processing easier for big companies and government bodies. This has led to a digitalization of information at such a massive scale that all important information today resides on magnetic disks. This information consists of critical data such as health records, citizenship information and criminal records, accessed through systems that aren’t any different from the ones that we use at home. Almost all of these systems are powered with Microsoft Windows connected via a central network that helps disseminate data across different computer terminals connected to the network. 

But while comprehensive computer networks have made complicated tasks such as airport traffic control and central network banking easier, they also pave a path for nefarious code to easily borrow into systems and disrupt these networks. As heavy computer users, we all know about the existence of malicious programs called viruses, but as much as the defensive structures that protect us from these viruses have developed significantly over the years, so have the viruses themselves. 

We have seen malicious computer code used as an international weapon with the discovery of the Stuxnet virus that specifically targeted the nuclear power plants in Iran, and we have seen codes that encrypt all data on your systems. These kinds of codes, called ransomware, lock all of the data on your computer with an encryption key. The key is sent via a secure server to the developers of the code and unless the victim sends a set amount of money to these hackers, decryption of your data is almost impossible. 

Ransomware is not a new a kind of virus. The earliest version of this kind of malware can be traced back to 1999 with the AIDS Trojan. But since the internet was not as comprehensive and omnipresent as it is today, the spread of the Trojan depended on physical floppy disks that severely hindered the spread of the malware. But modern iterations of such kinds of malware have made optimal use of the far-reaching capabilities of the internet. 

In 2013, a massive surge of such malware flooded the internet with ransomware. Cryptolocker was one such malware that caused widespread harm and accumulated a total of $3 million before it was shutdown. Malware such as Winlock and CryptoWall 2.0 have also managed to encrypt many computers online, even leading to cases of suicide once important data had been locked.

But regardless of the existence of such malware in the internet ecosphere, there hasn’t been one of the scale of the recent WannaCrypt (WannaCry) cyber-attacks discovered in May, 2017.  Till date the malware has managed to infect more than 230,000 computers in over 150 countries and according to recent reports by Rigo Technologies, a cybersecurity company that monitors the Nepali cyberspace, the malware has already managed to enter here too. 

Developed by the hacker group known as The Shadow Brokers, the malware utilizes an exploit on Microsoft Window’s Sever Message Block (SMB) protocol. The SMB protocol is an essential part of Windows that allows shared access to files, printers, and serial ports on various computers within the same network. By default, this option is usually turned on. While modern versions of Windows like Windows 10 does not suffer from this exploit, every other Windows version below 10 seems to be susceptible to the attacks. Once news of the attack grained traction, Microsoft immediately released a patch that revolved the exploit for all Windows versions below 10, making an exception even for the outdated Windows XP.

Once infected, a file called ‘mssecsvc.exe’ is dropped through the network to the vulnerable computer. This process immediately run another file called ‘tasksche.exe’ that starts encrypting all files inside disk drive directories such as C:, D: and so on. The process immediately starts encoding all files with a 2048-bit RSA encryption while creating a directory for the execution of the TOR proxy server. This allows WannaCry to maintain anonymity during the process of connecting to their own servers. 

But since the malware also behaves as a worm, once a computer is infected it searches for other computers within a network and borrows through with the help of SMB ports 139 and 445 to infect other computers. Since remote code execution through an SMB port is possible, users won’t even be prompted with any security notifications before the execution of the malicious code. But after the code is finished infecting computers within a local network, it starts scanning for SMB ports on outbound connections as well, effectively spreading across the internet. 

But the ingenuity of the code lies not only in the effective spread and encryption methods of the malware, but in its social engineering as well. Once infected, a simple dialog box appears asking the victim to pay $300 in Bitcoin to specific Bitcoin wallets (Bitcoin is untraceable currency). The ransomware also creates a sense of urgency with a threat that informs the victim that if the $300 payment is not made within three days, the amount would double to $600 worth of Bitcoin. Further still, if the victim is not able to meet the final one-week deadline, then the malware threatens to delete all files on the computer. There is also a sense of hope at play here with the ability to decrypt one infected file before any payment is made. And who is to say that the hackers will send in the decryption code once the payment is made.

But as destructive as the ransomware may be, its effects are amplified in a country like Nepal where outdated computer systems are found in abundance, especially within big enterprises and government bodies. These bodies hold Nepal’s most crucial data, and they seem to be most vulnerable to WannaCry. Updating systems tend be expensive, both on the hardware level as well as software, thus companies tend to leave computers as is because they don’t have an incentive to upgrade. It still works. Windows updates are also disabled by network administrators since they tend to hog a lot of the limited internet bandwidth. And without any Bitcoin exchange portals in Nepal, a WannaCry epidemic might be devastating for the Nepali cyberspace. 

Once infected, there is no hope. All your data is compromised and getting them back seems to be a pipe-dream. I would also not recommend paying the hacker the ransom since it further helps incentivize other such projects. So the only hope for containment of the ransomware in Nepal would be to immediately start containing the infection. Microsoft has released patches that fix the SMB vulnerability and containment is only possible when the IT professionals within these organizations immediately start patching all computer nodes with Microsoft’s MS17-010 update, if a full-scale system update is not possible. 

It is imperative that these steps be taken as soon as possible because once infected, essential infrastructure like hospitals, supermarkets, media agencies, and government bodies might be rendered dysfunctional. Newer variants of the WannaCry malware have already started surfacing on the internet and we immediately need to secure our cyberspace if we don’t want a complete systems meltdown on our hands. 

The writer is The Week’s tech guru. If you have any queries, write to us at theweek@myrepublica.com and we will have him answer them for you.

Leave A Comment