India not spared in ransomware attack

By Balamurugan Selvaraj Published on May 15, 2017 04:41 PM IST

Across the world, the WannaCry ransomware has left many people in distress. This year alone, the rate of ransomware attacks has increased manifold.

The 'NMR - No More Ransomware' project, initiated by Europol and other security agencies to scrutinise the ransomware threat, has put a stop to several ransomware operations in the past. But with WannaCry, many security researchers have been working to stop it.

As in the film Enthiran, the security researcher behind the Twitter handle 'MalwareTech' discovered a kill switch for WannaCry by accident. But, unfortunately, WannaCry 2.0, an updated version of WannaCry, has since appeared without any kill switch.

The discovered kill switch stopped the ransomware from spreading further. Unfortunately, the new version has undone the researcher's hard work. Some security researchers have claimed that there are more samples of WannaCry with different 'kill-switch' domains, and some without any kill-switch function, continuing to infect unpatched computers.

UNDER THREAT

Till today, around 2,37,000 computers in 150 countries around the world have been infected with the ransomware. In the United Kingdom, the United States and 97 other countries, the attacks have mainly hit the business, health and telecom sectors. But in India, hackers targeted and infected hundreds of thousands of computers in the Police department and those of famous automobile manufacturers.

Yesterday, the ransomware infected a few systems of the police department in Andhra Pradesh. Later, in the evening, the attackers hit the computers of the Maharashtra police department.

And today, it is reported that the Ministry of Electronics and Information Technology (MeitY) has advised government bodies including the RBI, the National Payments Corporation of India, NIC and UIDAI (Aadhaar) to protect their systems from 'WannaCry'. It has also instructed the authorities to ensure the safety of the digital payments system.

HOW HAS IT SPREAD?

WannaCry is ransomware designed by an unknown hacker or group of actors to infect vulnerable Microsoft Windows computers and encrypt their files. It is believed that the ransomware uses the same EternalBlue SMB exploit that the CIA used earlier to spy on and break into vulnerable Microsoft systems. As soon as the ransomware infects a system, it starts scanning for other vulnerable computers connected to the same network. The SMB exploit became widely known when a collection of hacking tools was leaked on the Internet by the well-known group 'The Shadow Brokers'.

ESCAPE ROUTE

Edward Snowden, the renowned whistleblower, said, "If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened."

*'hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com'

Researchers say, "The above-mentioned domain keeps WannaCry from spreading like a worm; if the connection to this domain fails, the SMB worm proceeds to infect the system."

But MalwareTech registered the domain in question and created a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system they control.
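As an added illustration (not code from the article or from MalwareTech), the script below runs a defender's triage over a few constructed log lines and picks out the two behaviours described above: hosts that resolved the kill-switch domain, and hosts fanning out to many SMB (445/tcp) targets the way the worm's network scan does. The log format, IP addresses and thresholds are assumptions made up for the example.

```python
from collections import Counter, defaultdict

# Kill-switch domain named in the article, written without the [.] defanging.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample telemetry (not real logs). Record shapes:
#   "<epoch> <src_ip> dns <queried_name>"  and  "<epoch> <src_ip> conn <dst_ip> <dst_port>"
SAMPLE_LOGS = [
    "1494831000 10.0.0.5 dns www." + KILL_SWITCH_DOMAIN,  # dropper's kill-switch check
    "1494831002 10.0.0.9 conn 10.0.0.50 445",             # ordinary file-share use
    "1494831003 10.0.0.9 conn 10.0.0.51 445",
    "1494831010 10.0.0.12 dns update.example.com",        # unrelated DNS query
] + [f"14948310{20 + i} 10.0.0.5 conn 10.0.0.{100 + i} 445" for i in range(12)]  # 12 targets in 12 s


def parse(line):
    """Turn one record into (ts, src, kind, target, port); port is None for dns."""
    ts, src, kind, target, *rest = line.split()
    port = int(rest[0]) if kind == "conn" else None
    return int(ts), src, kind, target.lower().rstrip("."), port


def find_killswitch_lookups(events):
    """Hosts that resolved the kill-switch domain, i.e. hosts where the dropper ran.
    Whether it then stayed dormant depended on the HTTP request succeeding (the sinkhole)."""
    suffix = "." + KILL_SWITCH_DOMAIN
    return sorted({src for _, src, kind, name, _ in events
                   if kind == "dns" and (name == KILL_SWITCH_DOMAIN or name.endswith(suffix))})


def find_smb_scanners(events, threshold=10, window=60):
    """Sources reaching `threshold` distinct 445/tcp targets within any `window` seconds:
    the fan-out of a worm scanning the LAN, unlike a workstation using a couple of shares."""
    by_src = defaultdict(list)
    for ts, src, kind, dst, port in events:
        if kind == "conn" and port == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst in conns:
            in_window[dst] += 1
            while ts - conns[start][0] > window:  # evict connections older than the window
                in_window[conns[start][1]] -= 1
                start += 1
            peak = max(peak, len(+in_window))     # +Counter drops zero counts
        if peak >= threshold:
            flagged[src] = peak                   # peak distinct targets seen in one window
    return flagged


def triage(lines=SAMPLE_LOGS):
    events = [parse(line) for line in lines]
    return {"killswitch_lookups": find_killswitch_lookups(events),
            "smb_scanners": find_smb_scanners(events)}
```

A host that appears in both lists is the one to isolate first; a host that only did the DNS lookup ran the dropper but, if the sinkhole answered, may have halted before spreading.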

Like spreading blue liquid, the ransomware keeps spreading further. Regarding this, when contacted, a tech enthusiast, Jagath Raja, said, "The new ransomware is spreading like a worm. And I should say that we are in a critical situation. Even if you pay the ransom, there is no cent per cent assurance that you will get your data back, because the leaked data is in the cloud, controlled by the actor. In case s/he leaks it, then your privacy is in danger. Changing the operating system may help bring the system to a safe state, but the lost data can't be recovered. And you have to remember that your data is in a hacker's control. And it may lead to privacy issues if the actor leaks it."