India prone to malware attacks: Kaspersky honcho

By Balamurugan Selvaraj Published on Jul 10, 2017 05:25 PM IST

Chennai: Like two sides of a coin, cyber crime and security stand opposite each other. Recently, e-crimes such as malware threats, ransomware attacks and bank frauds have become a menace for online and offline users across the world.

News Today had an e-mail interview with the Kaspersky security team. Alexander Gostev, chief security expert of Kaspersky's Global Research and Analysis Team, answered the questions.

On the rise of ransomware attacks...

In early 2017, Kaspersky Lab’s researchers discovered an emerging and dangerous trend, where more and more cyber criminals were turning their attention from attacks against private users to targeted ransomware attacks against businesses. The attacks are primarily focused on financial organisations worldwide. Experts here have encountered cases where payment demands amounted to over half-a-million dollars. The trend is alarming as ransomware actors start their crusade for new and more profitable victims. There are many more potential ransomware targets in the wild, with attacks resulting in even more disastrous consequences.

The geography statistics show that attackers switch to previously untouched countries, where users are not as well prepared for fighting ransomware, and where competition among criminals is not so high. The worrying thing here is the fact that ransomware attacks are becoming increasingly targeted, hitting financial infrastructure across the globe. The reason for the trend is clear – criminals consider targeted ransomware attacks against businesses potentially more profitable than mass attacks against private users. The numbers show that ransomware on PCs is still on the rise – albeit at a slower growth rate.

Elaborate on your and your team's experience during last month's WannaCry havoc...

On Friday 12 May, organisations across the world were hit by a massive ransomware attack, named WannaCry, which exploited a (now patched) Microsoft Windows vulnerability revealed in the Shadowbrokers dump on 14 March. Kaspersky Lab researchers have continued to track the evolution of the threat over the weekend.

The total number of variants in circulation on 11th is still unclear – but over the weekend, two notable variants emerged. Kaspersky Lab does not believe any of these variants was created by the original authors - most likely they were patched by others keen to exploit the attack for their own ends. The first one started spreading on a Sunday morning, at around 2 UTC/GMT and was patched to connect to a different domain. Kaspersky Lab has so far noted three victims for this variant, located in Russia and Brazil.

The second variation that appeared during the weekend appears to have been patched to remove the killswitch. This variant does not appear to be spreading, possibly due to the fact it has a bug.

It is difficult to estimate the total number of infections. Our own telemetry indicates that over 45,000 users have been attacked, but this represents a fraction of the total number of attacks. A more accurate picture of the world situation can be drawn from the sinkhole for the kill switch hardcoded in most versions of WannaCry. Currently, the Malwaretech sinkhole, which is collecting redirections from the ‘kill switch’ code, has registered about 200,000 hits. This number does not include infections inside corporate networks.

How does one survive an attack?

Run a robust anti-malware suite with embedded anti-ransomware protection such as System Watcher from Kaspersky Internet Security. Make sure you update Microsoft Windows and all third-party software. It’s crucial to apply the MS17-010 bulletin immediately. Do not open attachments from untrusted sources. Back up sensitive data to external storage and keep it offline.

Kaspersky Lab corporate customers are also advised to check that all protection mechanisms are activated as recommended, and that the KSN and System Watcher components (which are enabled by default) are not disabled. An additional measure for corporate customers is to use Application Privilege Control to deny any access (and thus any possibility of interaction or execution) for all groups of applications to the file with the name 'perfc.dat' and to the PsExec utility (part of the Sysinternals Suite).

For sysadmins, our products detect the samples used in the attack by these verdicts: UDS:DangerousObject.Multi.Generic, Trojan-Ransom.Win32.ExPetr.a, HEUR:Trojan-Ransom.Win32.ExPetr.gen
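As an added example (not from the interview, Kaspersky Lab or any of its products), a PowerShell readiness check for the mitigations listed above: whether the SMBv1 server is still enabled, whether the MS17-010 update is installed, and whether a file named perfc.dat is present so its ACL can be reviewed. The KB IDs are not hard-coded because they differ per Windows build; the admin passes them in from the bulletin. Checking only %windir% for perfc.dat is an assumption, as the answer gives no path.

```powershell
# Added example, not from the interview: readiness check for the mitigations
# the answer lists. Run in an elevated PowerShell on Windows 8.1 / Server 2012 R2
# or later (Get-SmbServerConfiguration and Get-HotFix are needed).
function Test-Ms17010Readiness {
    param(
        # KB IDs of the MS17-010 update for this OS build, taken from the bulletin.
        # They differ per Windows version, so none are hard-coded here.
        [Parameter(Mandatory = $true)]
        [string[]] $Ms17010KbIds
    )

    # 1. SMBv1 server: the protocol the patched vulnerability lives in.
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Is at least one of the named MS17-010 updates installed?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched = @($Ms17010KbIds | Where-Object { $installed -contains $_ }).Count -gt 0

    # 3. perfc.dat: the answer says to deny every application access to a file of
    #    this name. Assumption: %windir% is the location worth reporting on.
    $perfcPath = Join-Path $env:windir 'perfc.dat'
    $perfcPresent = Test-Path -Path $perfcPath

    # Summarise what the admin should do next, most urgent condition first.
    if (-not $patched) {
        $action = 'Apply MS17-010 now'
    } elseif ($smb1Enabled) {
        $action = 'Patched; consider disabling the SMBv1 server'
    } else {
        $action = 'OK'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Smb1Enabled     = $smb1Enabled
        Ms17010Patched  = $patched
        PerfcDatPresent = $perfcPresent
        PerfcDatPath    = $perfcPath
        Action          = $action
    }
}

# Example call: replace the placeholder with the KB IDs from the MS17-010 bulletin
# for this build.
# Test-Ms17010Readiness -Ms17010KbIds 'KB<from bulletin>' | Format-List
```

Run it across a fleet with Invoke-Command and keep the objects it returns; hosts whose Action is not 'OK' are the ones still exposed to the vulnerability the answer refers to.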

Recently, Kaspersky has filed an antitrust complaint against Microsoft. Do you think there is any business motive behind Microsoft's proceedings in terminating the usage of Kaspersky in Windows 10?

Kaspersky Lab has applied to the European Commission and the German Federal Cartel Office seeking their consideration of Microsoft’s actions with regard to compliance with the respective articles of the antitrust legislation, concerning abuse of its dominant position in the market for computer operating systems and unfair competition in the market for solutions for protecting against computer threats.

With the release of Windows 10, Microsoft started to (i) create obstacles for competing manufacturers of security solutions, and (ii) introduce different ways of pushing users to forgo third-party software in favor of its own Windows Defender. These actions by Microsoft lead to a lower level of protection for users, a limitation on their right to choose and financial losses both for users and for security solution manufacturers. Kaspersky Lab has asked the respective agencies to review Microsoft’s compliance with competition law.

We heard that your firm also supports, and has been creating free decryptor tools for, the No More Ransom (NMR) project. Share a few things about the work experience and decryptor tool creation for NMR.

Launched in 2016, the No More Ransom project is a joint initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal of helping ransomware victims recover their encrypted data without having to pay the criminals, using ransomware decryption tools available free of charge on this platform. The platform is available in 14 languages and offers 46 decryption tools at the moment.

This initiative is under non-stop development. This is illustrated by Kaspersky Lab's update of the Rakhni and Rannoh Decryptors, which were already available on the site, to make them even more effective against ransomware. Other tools developed by Kaspersky Lab include the CoinVault, Wildfire and Shade Decryptors. Since the launch, dozens of organisations from all over the world have supported the initiative. The project now has more than 40 partners.

According to the recent KSN data report for Q1 2017, India has been ranked in sixth place in smartphone-based malware attacks. What is the reason for such attacks? Do we in India lack proper antivirus software?

There could be a lot of factors that rank India in sixth place for smartphone-based malware attacks, such as lack of IT-security knowledge, not using mobile antiviruses and the use of jailbroken or rooted mobile devices. It is best to seek clarification from Check Point about this. In our statistics, India ranks outside the list of the top 20 most attacked countries, with the exception of sixth place for mobile malware.

(The second and last part of the interview will be published tomorrow.)