Researchers have found a way to save Windows files encrypted by WannaCry.

Cybersecurity is a five-trillion-euro problem. The list of companies that have already been hacked, attacked, and breached—suffering business interruptions and intellectual-property losses and exposing their customers to identity theft—reads like a who’s who of the retail, tech, telecom, manufacturing, and financial services industries, among others. The finances, operations, customer data, R&D, intellectual property, and brand reputations of all companies are at risk, which makes cybersecurity a fiduciary responsibility of the board and senior management. Yet in many organizations, top executives and board members still believe that cybersecurity is just an IT issue.
WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection.
IT alone will never be able to address cybersecurity in a meaningful way. Sustainably addressing cyberrisk requires an organization-wide, cross-functional approach and the integration of cybersecurity and business strategy. Boards and senior management play a pivotal role in creating the organizational and cultural environment for such a joint approach. Top management and board members must recognize the risks involved and take steps to ensure that they are prepared for the day that their company is compromised—because it’s all but certain to happen.
A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed.
The researchers cautioned that their solution only works in certain conditions, namely if computers had not been rebooted since becoming infected and if victims applied the fix before WannaCry carried out its threat to lock their files permanently.
Europol said on Twitter that its European Cybercrime Centre had tested the team’s new tool and said it was “found to recover data in some circumstances”.
The group includes Adrien Guinet, who works as a security expert, Matthieu Suiche, who is an internationally known hacker, and Benjamin Delpy, who helped out by night, in his spare time, outside his day job at the Banque de France.
“We knew we must go fast because, as time passes, there is less chance to recover,” Delpy said after a second sleepless night of work this week allowed him to release a workable way to decrypt WannaCry at 6 am Paris time (0400 GMT) on Friday.
Delpy calls his free tool for decrypting infected computers without paying ransom “wanakiwi”.
Suiche published a blog with technical details summarizing what the group of passing online acquaintances (goo.gl/iIFDZs) has built and is racing to share with technical staff at organizations infected by WannaCry.
Wanakiwi was quickly tested and shown to work on Windows 7 and older Windows versions XP and 2003, Suiche said, adding that he believed the hastily developed fix also works with Windows 2008 and Vista, meaning the entire universe of affected PCs.
“(The method) should work with any operating system from XP to Win7,” Suiche told Reuters, via direct message on Twitter.
Delpy added that so far, banking, energy and some government intelligence agencies from several European countries and India had contacted him regarding the fix.
By practicing the implementation of incident response, business continuity, and disaster recovery plans in a simulated cyberattack, board members and senior executives can gain a comprehensive understanding of how these attacks unfold, the variety of potential impacts, and their individual roles during a response, including potential interaction with law enforcement, regulatory officials, shareholders, employees, and customers. For this reason alone, such an exercise ought to be an essential part of any cybersecurity program.
The most effective way of learning is by doing. Think about kids learning to play soccer, for example. The same theory applies to learning basic cybersecurity concepts. Doing via immersion in a simulated cyberattack gives executives a working knowledge of the wide variety of cybersecurity concepts that they need to understand to properly support the cyberresilience of their organization.
Cybersecurity is a complex field. The first step is defining a standard syllabus of subjects that need to be covered, which can include liabilities, mandatory regulations, voluntary guidelines, common threats, assets, methods of protecting assets, risk management, methods of detecting intrusions, forensics, and other key capabilities. The second step is taking teams of executives and board members through immersive scenarios using interactive simulations in which the concepts of the syllabus come into play and the impact of board decisions on the organization’s P&L is modeled. For example: What are the liabilities to the company (and to the board members) if the company continues operations in the face of a known cyberbreach? What systems and protections does the company have in place to redress a cyberincursion? What are the legal and regulatory (and common-sense) requirements for notifying customers, shareholders, employees, and other stakeholders?
In our exercises, participating executives may operate as a single collaborative team, or they may be divided into two or more teams that compete to see which obtains a better score and finishes the exercise with the highest profits in its virtual P&L. Using such a hypothetical business case approach, the board and senior management learn cybersecurity concepts by experiencing them, and our research shows that they emerge with an excellent understanding of what otherwise seems like a daunting technical challenge.
Companies use laboratories to test products and processes before they are put into production. In a similar vein, tabletop exercises enable companies to test, evaluate, and refine cybersecurity strategies and, in so doing, to convert ideas and invention to systematic and scientific discipline.
When executives are immersed in a properly constructed scenario, they see how the cyberdefenses they have built, or plan to build, actually perform, and they see the benefits that can be achieved by investing in further vulnerability prevention, attack detection, attack mitigation, and recovery. By living through a simulation using the company’s own cybersecurity investment plan, the board and senior management can experience firsthand the impact of each proposed investment, from training to technology. At the end of the exercise, they can consider changes and improvements—and whether a different cybersecurity investment plan might have provided a better outcome. For example, would a greater investment in multifactor authentication, advanced biometrics, or both have negated the attack? Would a larger investment in supply chain cybersecurity have made a difference? What would be the benefit of implementing a company-wide training program over 6 months rather than over 18 months? The goal is tangible output from the workshop, including a roadmap of next steps and a set of action items that optimize investments for cyberdefense.
These immersive exercises allow organizations to focus on how to plan and budget to maximize the business resilience, including the cyberresilience, of the company. Sometimes the best investments may be ones that reduce the consequences of an attack, rather than trying to prevent the attack outright. A properly designed exercise enables board members and senior management to make more informed tradeoffs and decisions on how to best invest in cyberresilience.
Handling cyberattacks is a company-wide concern. Building an effective cybersecurity strategy and culture is an essential competitive differentiator and business enabler. Culture starts with leadership, and leadership starts at the top. Through immersive tabletop exercises, leaders will gain understanding and can start to create in their organizations a culture of cyberresilience.
Every day we hear more stories of people being fooled by IRS scammers or celebrities who had their cloud storage hacked and now there’s a photo leak. All it takes is one misstep and all your data could be compromised, and you could even leave those around you vulnerable with your actions as well. Being the victim of a hacking scheme does not mean you are stupid; hackers are very sophisticated and they are continually refining their techniques.
Administrators at Hollywood Presbyterian Hospital suddenly discovered they had lost access to their computers. Doctors were locked out of their patients’ medical records, and they couldn’t access their own reports. Their system data had been encrypted by malicious software. While all this data was being held hostage, staffers had to direct sick people to other hospitals. After two weeks of writing everything down on paper, the hospital paid a $17,000 ransom in Bitcoin to regain access to their computer systems. Ransomware not only cost money, it endangered lives.
If you told me a few years ago that executives would be scrambling to digital currency exchanges to pay malware distributors, I wouldn’t have believed it. However, that’s exactly what has happened. Individuals, businesses, and larger institutions alike have all fallen prey to this growing type of cyberattack. C-suite executives now find themselves hostage to these data hijackers.
Ransomware — the term comes from ransom and software — is a type of computer virus that prevents users from accessing their systems until a sum of money is paid. Preying on human error, cybercriminals trick users into activating this malicious software. Often disguised in email as HTML links or attachments, ransomware encrypts data using a private key only the attackers possess. Users are locked out of their machines; ransom is demanded. To evade law enforcement, these attackers are using anonymous payment methods such as Bitcoin.
Ransomware distributors, the criminals overseeing these attacks, have figured out a pricing strategy that works. The average demand for consumers and small business owners is between $300 and $500. That’s a sum many can deliver when faced with the possibility of losing all their valuable digital assets.
Of course, there are more costly and dangerous situations, such as Hollywood Presbyterian Hospital’s experience. The FBI estimates the annual cost of ransomware is $1 billion in the United States. The agency says more than 4,000 cases of ransomware occur daily.
It’s not just the rapid rise of ransomware that’s so alarming; its targeting is, too. A new global survey finds that nearly half of United States organizations report ransomware attacks in the past year. Of those, 43% affected middle managers and 25% affected senior and C-level executives. These rates are lower in other countries. The two industries most commonly targeted globally are financial services and health care.
Because ransomware is so pervasive and the damage can be so costly, we are always surprised when C-levels have not put it on their radar. Many times, they have relegated ransomware prevention to IT. But we encourage the executives to make ransomware prevention a central piece of their cybersecurity strategy, to review that strategy at least once a year with their board of directors, and to engage their entire organization in education and prevention.
One reason ransomware attacks are spreading is that fraudulent emails containing links or attachments for the unsuspecting user to click on have become much more sophisticated. These so-called phishing emails, called whaling emails when they target C-suite executives, are no longer sent from self-described dispossessed potentates from faraway lands looking to bequeath you a portion of their ancestral wealth once you have provided some sensitive information.
Nowadays, infections arrive via well-written, typo-free emails, often disguised as official documents with corporate logos and signatures. Some look like typical business correspondence or legitimate reminders to upgrade applications. One attorney received a polished email with a promising resume attached.
Even scarier, user interaction is not always required. Instead, ransomware can spread through gaps in security systems or unpatched, outdated applications. There’s a new type of ransomware each week, it seems, and the number of ways that ransomware infiltrates systems continues to grow.
Another factor in the spreading phenomenon is access to the digital currency Bitcoin. The ease of anonymously collecting payments from afar has boosted the ranks of cybercriminals. These days, you don’t have to know that much about ransomware to use a do-it-yourself kit. The deal is, you agree to share your earnings with the large syndicates.
Law enforcement is responding to growing cybercrime, and in the U.S. the FBI takes ransomware seriously. The agency has published prevention guidelines for CEOs and for CISOs. It also discourages victims from paying the ransom, noting that payment incentivizes repeat attacks. Some defenses against ransomware are improving. In testing labs, researchers have developed software that detects some variants of ransomware. Cybercriminals have figured out how to wreak havoc even at companies that take the right precautions, and detection and decryption tools don’t always work. Still, there are some things you can do.
Guinet, a security researcher at Paris-based Quarks Lab, published the theoretical technique for decrypting WannaCry files late Wednesday and Thursday, which Delpy, also in Paris, figured out how to turn into a practical tool to salvage files.
Suiche, based in Dubai and one of the world’s top independent security researchers, provided advice and testing to ensure the fix worked across the various versions of Windows.
His blog post links to Delpy’s “wanakiwi” decryption tool, which is based on Guinet’s original concept. His idea involves extracting the keys to WannaCry encryption codes using prime numbers rather than attempting to break the endless string of digits behind the malicious software’s full encryption key.
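The arithmetic behind “using prime numbers rather than breaking the full key” is worth seeing once. An RSA private key is entirely determined by the public modulus n, the public exponent e and either one of the two primes whose product is n; if one prime can still be found, the private exponent d follows from it and the ciphertext opens normally. The following is an added example, not wanakiwi or any of the researchers’ code. It assumes the prime is being looked for in a memory image (the page’s condition that the machine must not have been rebooted points that way, but the page itself only says the keys are extracted using primes) and uses constructed 64-bit primes instead of the 2048-bit ones a real key would have so that it runs instantly.

```python
from math import gcd

# Constructed toy key material (assumption: a real key uses 2048-bit primes;
# these 64-bit primes, 2**61 - 1 and 2**64 - 59, keep the example fast).
P = 2**61 - 1
Q = 2**64 - 59
E = 65537
N = P * Q


def private_exponent(n, e, p):
    """Rebuild the private exponent d from the public modulus n, the public
    exponent e and ONE recovered prime factor p of n."""
    if n % p != 0:
        raise ValueError("p does not divide n")
    q = n // p
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def find_prime_in_memory(buf, n, width=8):
    """Slide a fixed-width little-endian window over a memory image.
    Any window value that is a non-trivial divisor of n must be one of the
    two primes, so no primality test is needed; n itself is the oracle."""
    for off in range(len(buf) - width + 1):
        cand = int.from_bytes(buf[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, off
    return None


def rsa_encrypt(m, n, e):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def build_fake_memory():
    """Constructed stand-in for a process memory dump: filler bytes with the
    prime P embedded somewhere in the middle."""
    filler = bytes(range(256)) * 4
    return filler + P.to_bytes(8, "little") + filler


def recover_and_decrypt(ciphertext):
    """Full recovery path: scan memory for a prime, rebuild d, decrypt."""
    hit = find_prime_in_memory(build_fake_memory(), N)
    if hit is None:
        return None  # prime already overwritten: recovery impossible
    p, _offset = hit
    d = private_exponent(N, E, p)
    return rsa_decrypt(ciphertext, N, d)


if __name__ == "__main__":
    m = 123456789
    c = rsa_encrypt(m, N, E)
    print("recovered plaintext:", recover_and_decrypt(c))
```

The divisibility check is what makes the search cheap: each candidate costs one modular reduction against n, far less than factoring n, which is the “endless string of digits” approach the text contrasts it with. It also shows why the page’s caveat holds: once the process memory holding the prime has been reused or the machine rebooted, `find_prime_in_memory` returns nothing and there is no fallback.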
“This is not a perfect solution,” Suiche said. “But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups” which allow users to restore data without paying black-mailers.
As of Wednesday, half of all internet addresses corrupted globally by WannaCry were located in China and Russia, with 30 and 20 percent of infections, respectively, according to data supplied by threat intelligence firm Kryptos Logic.
By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.
Only 309 transactions worth around $94,000 appear to have been paid into WannaCry blackmail accounts by Friday (1345 GMT), seven days after the attack began. That’s just under one in 1,000 of the estimated victims.
This may reflect a variety of factors, security experts say, including scepticism that attackers will honor their promises or the possibility that organizations have back-up storage plans allowing them to recover their data without paying ransom.
Whether we are small business entrepreneurs, IT advisors, or C-level board members, we are all vulnerable. That makes us responsible for adequate ransomware education and prevention for employees at all levels, and responsible for an action plan that can be followed without confusion if and when our systems are attacked.
Education is key to making sure our employees and systems don’t become victims. Protect your company’s perimeters with firewalls and solid network security. Use antivirus software and make sure it’s updated on schedule. Unfortunately, human error accounts for the majority of ransomware distributions. So take additional safeguards. One way to render a ransomware attack ineffective is by storing a duplicate of your data. Ransomware becomes meaningless if you can quickly restore your systems and data to a time before the infection.
If you are victimized, do not be embarrassed. Instead, be prepared. As soon as you’re aware of an attack on your computer, file server or network, immediately shut down all file sharing activity and alert the proper people in your company. Use your antivirus software to determine where the infection happened. If you can’t do that with the antivirus software, examine the infected file’s properties to find out the last user or computer to make changes to the file — this will tell you where the infection originated. Then, assess the extent of the infection and the damage, and remove the virus by deleting all infected files. Hopefully you have a backup service in place, so you can recover clean versions of the infected files.
Ransomware may be spreading, but so is awareness. Cybercriminals have more sophisticated tools than ever, but we all have access to security and backup technology that can keep computers and companies running. Yes, we are all vulnerable, but we can take responsible steps to make ransomware attacks as rare and ineffective as possible.
Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities or an IT security company. This may be done by assuming control of the domains or IP addresses used by the criminals. When employed at 100% scale, infected computers can no longer reach the criminal command and control computer systems, and so criminals can no longer control the infected computers. The sinkholing infrastructure captures victims’ IP addresses, which can subsequently be used for notification and follow-up through dissemination to National CERTs (Computer Emergency Response Teams) and Network Owners.
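A minimal model of the mechanism just described, written as an added example rather than any real sinkhole operator’s software: a resolver that answers seized domains with a sinkhole address, records the querying client, and groups the collected victim addresses by the network owner who should be notified. Domain names, addresses and netblock-to-owner mapping are all constructed (the addresses come from the RFC 5737 documentation ranges).

```python
import ipaddress
from collections import defaultdict

# Constructed data: domains taken over from the criminals, the address the
# sinkhole answers with, and which CERT or network owner handles which block.
SEIZED_DOMAINS = {"c2-example.invalid", "update-check.invalid"}
SINKHOLE_IP = "192.0.2.10"
NETBLOCK_OWNERS = {
    "198.51.100.0/24": "cert-country-a",
    "203.0.113.0/24": "isp-example-b",
}


class Sinkhole:
    def __init__(self, seized, sink_ip, netblock_owners):
        self.seized = {d.rstrip(".").lower() for d in seized}
        self.sink_ip = sink_ip
        self.owners = {ipaddress.ip_network(n): o for n, o in netblock_owners.items()}
        self.hits = []  # (client_ip, qname) for every sinkholed query

    def resolve(self, client_ip, qname):
        """Answer a DNS query. Seized domains get the sinkhole address and the
        client is logged; anything else returns None, meaning "not ours,
        forward to normal resolution" (and, if it is a C2 domain the operation
        did not seize, the bot still reaches the criminals: the 100% point)."""
        qname = qname.rstrip(".").lower()
        if qname in self.seized:
            self.hits.append((client_ip, qname))
            return self.sink_ip
        return None

    def victims(self):
        """Distinct client addresses observed contacting seized domains."""
        return {ip for ip, _ in self.hits}

    def notifications(self):
        """Group victims by the netblock owner responsible for them so each
        CERT or ISP receives only the addresses it can act on."""
        batches = defaultdict(set)
        for ip in self.victims():
            addr = ipaddress.ip_address(ip)
            owner = next((o for net, o in self.owners.items() if addr in net), "unassigned")
            batches[owner].add(ip)
        return {owner: sorted(ips) for owner, ips in batches.items()}


def replay_constructed_queries():
    """Constructed query log: two infected hosts per netblock plus one clean
    host looking up an unrelated name."""
    sh = Sinkhole(SEIZED_DOMAINS, SINKHOLE_IP, NETBLOCK_OWNERS)
    log = [
        ("198.51.100.7", "c2-example.invalid."),
        ("198.51.100.7", "C2-EXAMPLE.INVALID"),   # same host, repeated beacon
        ("198.51.100.9", "update-check.invalid"),
        ("203.0.113.20", "c2-example.invalid"),
        ("203.0.113.21", "www.example.com"),      # benign lookup, not logged
        ("192.0.2.200", "update-check.invalid"),  # victim in an unmapped block
    ]
    for client, name in log:
        sh.resolve(client, name)
    return sh


if __name__ == "__main__":
    for owner, ips in replay_constructed_queries().notifications().items():
        print(owner, ips)
```

Note that `resolve` normalises case and the trailing dot before matching, which a real sinkhole must do as well, and that a victim outside any known netblock still ends up in a batch (`unassigned`) instead of being silently dropped.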
A bot is software that runs automated tasks (scripts) over the Internet. Bots perform tasks that are both simple and structurally repetitive. The largest use of bots is in web spidering (web crawling), in which an automated script fetches, analyzes and files information from web servers. More than half of all web traffic is made up of bots.
Botnets are networks of computers infected with malware, which are under the control of a cybercriminal. Botnets allow criminals to harvest sensitive information from infected computers, such as online banking credentials and credit card information. A criminal can also use a botnet to perform cyberattacks on other computer systems, such as denial-of-service attacks.
Botnets are used to commit click fraud. Click fraud is a scheme to fool advertisers into thinking that people are clicking on, or viewing, their ads. There are lots of ways to commit click fraud, but the easiest is probably for the attacker to embed a Google ad in a Web page he owns. Google ads pay a site owner according to the number of people who click on them. The attacker instructs all the computers on his botnet to repeatedly visit the Web page and click on the ad. Dot, dot, dot, PROFIT! If the botnet makers figure out more effective ways to siphon revenue from big companies online, we could see the whole advertising model of the Internet crumble.
Similarly, botnets can be used to evade spam filters, which work partly by knowing which computers are sending millions of e-mails. They can speed up password guessing to break into online accounts, mine bitcoins, and do anything else that requires a large network of computers. This is why botnets are big businesses. Criminal organizations rent time on them.
But the botnet activities that most often make headlines are denial-of-service attacks. Some botnets have been run by angry hackers, but more financially motivated groups use these attacks as a form of extortion. Political groups use them to silence websites they don’t like. Such attacks will certainly be a tactic in any future cyberwar.
Fast flux is an evasion technique used by botnet operators to quickly move a fully qualified domain name from one or more computers connected to the Internet to a different set of computers. Its aim is to delay or evade the detection of criminal infrastructure. In the double fast flux setup, both the domain location and the name server queried for this location are changed.
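From the defender’s side, fast flux shows up as a pattern in repeated DNS lookups of the same name: short TTLs, a large and constantly changing set of A records scattered across unrelated networks, and, for double flux, name servers whose own addresses keep changing. The classifier below is an added example (not from the page or any named tool) that scores a series of constructed DNS snapshots against those traits; the thresholds and the use of /16 spread as a stand-in for network diversity are heuristics assumed here, and a legitimate CDN is included to show the main false-positive risk, since CDNs also rotate many addresses with low TTLs but keep them inside a few networks.

```python
def slash16(ip):
    """Coarse stand-in for 'different network': the first two octets."""
    return ".".join(ip.split(".")[:2])


def flux_features(snapshots):
    """Summarise repeated lookups of one name. Each snapshot is a dict with
    'ttl', 'a' (list of A-record IPs) and 'ns' (list of name-server IPs)."""
    a_ips, ns_ips, ttls = set(), set(), []
    for s in snapshots:
        a_ips.update(s["a"])
        ns_ips.update(s["ns"])
        ttls.append(s["ttl"])
    return {
        "max_ttl": max(ttls),
        "unique_a": len(a_ips),
        "a_networks": len({slash16(ip) for ip in a_ips}),
        "unique_ns": len(ns_ips),
        "ns_networks": len({slash16(ip) for ip in ns_ips}),
    }


def classify(snapshots, max_ttl=300, min_a=8, min_a_nets=5, min_ns_nets=3):
    """Return 'double-flux', 'single-flux' or 'stable'. Thresholds are
    assumptions for this example, not values from the page."""
    f = flux_features(snapshots)
    short_lived = f["max_ttl"] <= max_ttl
    scattered_a = f["unique_a"] >= min_a and f["a_networks"] >= min_a_nets
    if not (short_lived and scattered_a):
        return "stable"  # few addresses, or many but in few networks (CDN-like)
    if f["ns_networks"] >= min_ns_nets:
        return "double-flux"  # the name servers are themselves rotating
    return "single-flux"


# Constructed snapshots for three names. Addresses are documentation ranges
# plus made-up private-style octets; they do not refer to real hosts.
def flux_domain_snapshots():
    snaps = []
    for i in range(4):
        snaps.append({
            "ttl": 180,
            "a": [f"10.{i * 3 + k}.{k}.{i + 1}" for k in range(3)],
            "ns": [f"172.{16 + i}.{k}.5" for k in range(2)],
        })
    return snaps


def cdn_domain_snapshots():
    return [
        {"ttl": 60, "a": [f"203.0.113.{10 + i * 4 + k}" for k in range(4)],
         "ns": ["198.51.100.1", "198.51.100.2"]}
        for i in range(3)
    ]


def stable_domain_snapshots():
    return [{"ttl": 3600, "a": ["192.0.2.80"], "ns": ["192.0.2.53"]} for _ in range(4)]


if __name__ == "__main__":
    for name, snaps in [("flux", flux_domain_snapshots()),
                        ("cdn", cdn_domain_snapshots()),
                        ("stable", stable_domain_snapshots())]:
        print(name, classify(snaps), flux_features(snaps))
```

In practice the network-diversity feature would be computed from ASN lookups rather than /16 prefixes, and the snapshots would be gathered by re-querying the name over hours; the structure of the decision, low TTL plus many addresses plus many networks, with NS rotation as the double-flux discriminator, stays the same.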
When companies are hacked and their data is stolen, that data often appears for sale on the so-called darknet. User data from both the mega-hack of Yahoo (500 million accounts) and the uTorrent breach (400,000 accounts) showed up on the darknet’s illicit marketplaces. The darknet is where your stolen identity goes to live. Think of it as mass e-commerce for the black market.
And it isn’t a problem just for consumers. Valuable corporate assets — from intellectual property to pirated software to stolen code bases and other digital products — appear for sale on these marketplaces more and more. The darknet is enabling criminals to more easily profit from failures of corporate cybersecurity. To better protect both their businesses and their users, company leaders need to familiarize themselves with the darknet and its threats and opportunities.
When many people think of the internet — websites, message boards, marketplaces, and so on — what they’re actually thinking of is the open web, or surface web. The open web is what you see when you start up a web browser and use a search engine to find what you’re looking for. Sites on the open web are accessible to anyone.
The darknet as a whole is much like the open web. It consists of websites, message boards, and marketplaces. But the darknet’s sites can’t be found with search engines, and they can only be accessed through anonymizing software such as Tor, which obscures the user’s IP address. This is useful for people who don’t want to give away their location and identity to internet service providers or other parties, such as government agencies, that can track network activity.
Of primary interest to corporate leaders are darknet marketplaces (DNMs). The first DNM to hit mainstream awareness was Silk Road, the black market for illegal drugs that was shut down by the FBI as part of a multiagency effort in 2013. New, more robust DNMs immediately took its place, and research indicates that DNMs continue to grow and thrive.
DNMs sell their products and services to an effectively anonymous clientele, who often buy with Bitcoin for even greater anonymity. The combination of Tor and Bitcoin has helped DNMs’ popularity explode.
As the darknet becomes mainstream, more people may decide to actively split their online activities between a public face on the open internet and a private face on the darknet. Our lives have become permeated with personalized services and technology, allowing strangers to see intimate details of our lives through social media and search engines. The kinds of anonymous environments provided by the darknet may offer an appealing escape.
As a result, human resources and legal teams will need to come to terms with the fact that employees may have obscured digital identities. Facebook, LinkedIn, and Twitter profiles will contain nothing but inoffensive content and activity; any kind of controversial thought and digital engagement will move to dark spaces. Employers will have to adapt to the new reality that employee online activity will be harder to monitor, control, or enforce. The sunny days of getting a full picture of someone through their social media profiles may disappear into a darknet night.
Easy access to the darknet will also make it easier for anyone to sell corporate access and critical information without exposing themselves directly to the criminal underground. For example, it seems inevitable that insider information will become available on the darknet. How might corporations or executives be put under suspicion when sensitive information made available on the darknet moves stock prices in a way that benefits insiders?
Companies, already taxed with controlling access to systems, defending against cyberattacks, and keeping mission-critical systems online, need to start monitoring the darknet and DNMs. A corporation can be hit with a denial-of-service attack, even one initiated by a nontechnical person renting botnet time through a darknet market, at any time. And any employee with access to the Tor browser can solicit anonymous bids for sensitive corporate data, code, or access. The bar to accessing criminal technology and digital capabilities has never been lower.
Fortunately, as a consequence of the open-but-anonymous nature of DNMs, it is now easier for businesses to monitor the cyber criminal underground and react to potential threats and stolen assets. Which is exactly what happened, for example, when proprietary source code for PilotFish, a health care software vendor, appeared for sale on the DNM AlphaBay and was detected by the underground research team at infosec firm Infoarmor.
Here are the key points for companies about dealing with corporate darknet threats:
- Use strong encryption on all sensitive data and keep the encryption approach up to date. Yesterday’s encryption methods quickly become obsolete, so make sure your IT department has an encryption strategy in place.
- Build or hire a strong cyberthreat monitoring and reaction ability. Detecting an intrusion is critical to dealing with threats before they get out of control.
- Monitor DNMs and the darknet in general for corporate-specific threats. There are firms emerging that specialize in identifying and reacting to darknet activity or that include darknet monitoring as part of their cybersecurity offerings.
- Monitor employee hardware and network use and investigate darknet access.
- Put a response plan in place to guide the corporate response to sensitive data or IP appearing on the darknet. Consider how you will deal with customers, legal issues, and stakeholders in the event of a breach.
Going forward, business leaders will need to think about darknet monitoring and analysis in a range of departments, from IT to legal to HR to marketing. As more corporations begin to take darknet issues seriously, information security firms dedicated to darknet analysis and monitoring will thrive and new business models will emerge to control, document, and react to threats either emerging from or facilitated by darknet technology. Business leaders take note: You live in interesting times.