By Joseph Wang
On May 12, 2017, major companies around the world walked into their offices to discover a message on their computers. Their files had been encrypted, the message said, and in order to retrieve their data, the companies would need to pay $300 worth of bitcoin to the attackers.
This was the beginning of the WannaCry cyberattack.
Within a single day the malware had spread around the world, hitting companies like Telefónica and FedEx and even the United Kingdom’s National Health Service. It moved that fast because WannaCry was a worm: rather than waiting for each victim to open an attachment, it scanned for other reachable Windows machines and infected them on its own. Suddenly, the public was made abundantly aware of a form of cyberattack most of them had never heard of, a way to exploit people and make some ill-gotten money.
Within a day, Microsoft took the unusual step of issuing emergency fixes even for unsupported versions of Windows such as XP and Server 2003 (supported versions had already been patched in March), but by that point the damage had been done. Early tallies counted 75,000 infected computers in 99 countries; Europol later put the figure at more than 200,000 computers in over 150 countries. And although the attack didn’t make the attackers a lot of money, it still crippled major companies for days.
Although WannaCry may have been news to some, the idea was not new. Most of the world may have been blissfully unaware of ransomware until the WannaCry outbreak, but hundreds of companies a year are hit by these kinds of viruses, and have been for years: the earliest known ransomware, the AIDS Trojan, dates to 1989, and the modern wave of crypto-ransomware began with CryptoLocker in 2013. The words “ransomware” and “cryptovirus” send shivers down the spines of systems administrators the world over because they test the most fundamental part of your IT infrastructure: your disaster recovery policies.
So, what is ransomware, what is a cryptovirus, and how do they work? The former is the extortion scheme; the latter is the software that carries it out; and the two work in tandem to make for a very frustrating, and often expensive, problem to fix.
A cryptovirus operates on a very simple principle: data encryption. Encryption is far older than computers. As long as people have found value in information, there have been ways of locking it up and making sure that people who are not supposed to read it cannot.
Today, data encryption is used practically everywhere. The next time you browse to a website, notice whether the URL starts with “http://” or “https://”. The “s” in “https” stands for “secure,” and it means the connection is protected with TLS, so everything transmitted to and from the site is encrypted in transit and the site’s identity is checked. This is especially important for sites like Amazon and Facebook, where the things you’re typing and sending are sensitive, but it has become standard practice for sites that don’t transmit any sensitive information as well.
Another place you’ll often see data encryption employed is disk encryption, and this is the kind of encryption on which the cryptovirus is built (a virus encrypts files one at a time rather than the whole disk, but the principle is the same). Both Windows and Mac have built-in encryption that you can enable (BitLocker in Windows’ case, FileVault in Mac’s case), and there are also third-party drive encryption products from vendors like Check Point, as well as TrueCrypt and its successor VeraCrypt. While encryption is usually symbolized by a lock and key, this iconography gives the impression that the data is just locked away, intact and whole, and the only barrier to the data is some kind of key. Instead, it makes a bit more sense to think of disk encryption like a Rubik’s cube. When your data is unencrypted, it’s like a Rubik’s cube that hasn’t been scrambled. Once you encrypt the data, though, you begin twisting the faces of the cube, eventually producing an object that will take a lot of time, patience, and effort to return to its original state. (The analogy has a limit: a real cube can be solved by anyone in a few minutes, whereas well-encrypted data cannot be unscrambled at all without the key.)
Once encrypted, the data on the hard drive, the actual 1’s and 0’s written to the disk, is scrambled in much the same way. This means that if you were to try to read the data after it has been encrypted, all you would get is a jumbled mess that makes no sense at all to the program trying to read it. The way to read the data, then, is to have the key. Returning to our Rubik’s cube analogy, the encryption key is the set of instructions that records every twist you made while scrambling the puzzle. The encryption key is a very, very large number (a modern key is 128 or 256 bits long), and the encryption software uses this number and the mess that is your encrypted data to do a very complicated bit of math, unjumbling the data. Without this key the data is completely useless, and trying every possible key would take longer than the age of the universe, so guessing your way back to the solved cube is not an option.
Cryptoviruses work on the same principle. They encrypt your data, turning your Word documents and database files into a mess of useless 1’s and 0’s, but the key is held by the individuals who are holding your data ransom. In practice the virus generates a fresh, fast symmetric key on your machine to scramble each file, then encrypts that key with a public key embedded in the virus; the matching private key never leaves the attackers’ server. That is why even someone who takes the virus apart cannot recover the files. This is how we get to the idea of ransomware. Ransomware is any software that holds your data ransom, demanding that you pay some amount of money to get it back. While most ransomware attacks use cryptoviruses, not all of them use encryption as their means of holding your data hostage; some simply lock the screen and claim to.
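To make concrete how the key ends up in the attackers’ hands and nowhere on the victim’s machine, here is an added illustration of the hybrid scheme most crypto-ransomware uses. It is written for this page in Go using only the standard library; it is not code from the article or from any real ransomware. Each file is encrypted under a fresh AES-256-GCM key, and that key is wrapped with an RSA public key of the kind that ships inside the malware. The sample document, the key sizes and the function names are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is what a victim is left with: the file body encrypted under a
// random per-file AES key, and that key wrapped under the attackers' RSA public key.
type LockedFile struct {
	WrappedKey []byte // per-file AES key, encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce
	Body       []byte // AES-GCM ciphertext of the file (tag included)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt models what the virus does to one file. It needs only the public key,
// which ships inside the malware; the private key stays on the attackers' server.
func Encrypt(attackerPub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key for this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Wipe the plaintext key. The only surviving copy is the RSA-wrapped one,
	// which is why reverse-engineering the virus does not recover the files.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Decrypt models the "decryptor" sold to a paying victim: unwrap the file key
// with the attackers' private key, then decrypt the body.
func Decrypt(attackerPriv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, lf.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: not the attackers' private key")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Body, nil)
}

// Demo encrypts a constructed document and reports whether the attackers' key
// recovers it and whether an unrelated 2048-bit key pair fails to.
func Demo() (recovered, wrongKeyFails bool, err error) {
	attackerPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	strangerPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("Q3 invoices: constructed sample file contents") // constructed input
	lf, err := Encrypt(&attackerPriv.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := Decrypt(attackerPriv, lf)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := Decrypt(strangerPriv, lf)
	return bytes.Equal(got, doc), wrongErr != nil, nil
}

func main() {
	rec, wrong, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("attackers' private key recovers the file:", rec)
	fmt.Println("unrelated private key fails:", wrong)
}
```

The design point for a defender is the wipe after wrapping: once the per-file key has been overwritten, nothing on the infected disk can decrypt the body, so recovery depends entirely on either the attackers’ private key or a backup taken before the attack.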
In most cases of crypto-ransomware attacks, the virus will leave a text file in each folder it has encrypted with a message explaining that your data has been taken hostage and demanding that a certain amount of money, usually in the form of bitcoin, be transferred to them. Unlike in real-world ransom situations, the attackers never have to show their faces. They favor bitcoin because a wallet can be created without revealing an identity and the money moves without a bank that could freeze it; it is not, however, untraceable, since every bitcoin transaction is recorded publicly. They will often direct you to some shady website where you enter the transaction ID as proof that you paid, after which they may, or may not, hand over the key. The whole affair is conducted electronically, making it that much more difficult for authorities to get involved.
The truly nefarious thing about ransomware attacks is that the perpetrator does not need to have any computer knowledge. Most cryptovirus attacks are executed using a virus that someone has bought or rented from a programmer, a model the industry now calls ransomware-as-a-service. All they have to do is find a target and send the virus in their direction. This means that the number of possible attackers is not limited to those with highly specialized knowledge. They are not the sorts of people you think of when you think of a hacker: These folks are just ordinary criminals, brandishing a virtual gun they bought from a friend and demanding money. They are also not necessarily looking to target only major companies. My company provides IT services to small businesses in Maryland and northern Virginia, and every year we deal with two or three clients that have been hit by a ransomware attack. These companies usually have around a hundred employees, and are not particularly famous in our area. The attacks are opportunistic and have no more direction than the wind does. Often, the victim is just whoever was unlucky enough to have gone to the wrong website or opened the wrong email.
Every time a client of ours is hit with a ransomware attack, they always ask the same thing: How do we prevent something like this from happening again? Good antivirus, prompt patching, and solid password enforcement will go a very long way toward making sure that you’re not hit by these sorts of attacks, but these methods are also a bit like whack-a-mole. Antivirus companies like Kaspersky and ESET regularly update their programs with signatures of known viruses and ways to stop them.
Because attackers usually use a program they’ve bought from someone else, antivirus companies see which programs are gaining popularity and build detections for them. The worry, then, is something called a zero-day exploit: an attack on a vulnerability in Windows or the Mac operating system that nobody outside the attackers knows about, so that on the day it is first used there is no patch and no detection, and Microsoft or Apple can only start writing a fix once the attack is discovered.
It is often assumed that WannaCry was one of these, but it was not. It spread using EternalBlue, an exploit for a flaw in the SMBv1 file-sharing protocol in Windows that Microsoft had fixed in security bulletin MS17-010 on March 14, 2017, two months before the outbreak; the exploit itself had been published online in April by a group calling itself the Shadow Brokers. Every machine WannaCry infected was one on which an available patch had not been installed, or an old, unsupported version of Windows for which no patch had been issued until Microsoft’s emergency fix that weekend. The lesson of WannaCry is less about zero-days than about how slowly patches get applied.
Beyond having a good antivirus and patching strategy, having good backups will dig your company out of a hole if you are hit by ransomware. While attackers would like you to believe the only way to retrieve your data is to pay the ransom, if your IT company has been diligent about backing up all of your corporate data, foiling the attack and getting your company back on its feet is as simple as restoring the data from before the attack occurred. The backups must be somewhere the virus cannot reach: a cryptovirus encrypts mapped network drives and any backup disk left plugged in just as readily as the local drive, so keep at least one copy offline or on storage the workstations cannot write to, and test a restore before you need one. The cost of data backups can be a large and daunting figure, but your company’s policies around data retention and backup frequency can often mean the difference between a cryptovirus being an unfortunate speed bump in your year and an absolute disaster.
At present, the only way to deal with a cryptovirus is to turn back time, in a way. Smart, nefarious hackers will always find a new exploit. They will always find a new way to break in. And while Microsoft and security companies work as quickly as possible to patch any exploit that is found, this process usually takes days, and a patch only helps once organizations actually install it, which often takes weeks or months; in that time, thousands of computers can be compromised and hundreds of companies can have their businesses threatened. Cryptoviruses are a topic at nearly every cybersecurity conference because they are so prevalent today, and until either a new flavor of virus becomes trendy or someone figures out a way to systematically shut down cryptoviruses, companies will need to be on their toes about these sorts of attacks and how to properly counteract them.
In the end, the WannaCry outbreak was halted by a malware researcher named Marcus Hutchins. In the code of the virus he found a reference to a website that the virus tried to reach before doing anything else, and he noticed that the domain name had never been registered. If the request failed, the virus went on to spread and encrypt; if it succeeded, the virus simply exited. Marcus registered the domain and stood up a server at it, activating this so-called kill switch and stopping new infections from doing damage. This was on the afternoon of May 12, the same day the attack began, and within hours of the first reports. The kill switch did nothing for machines that were already encrypted, and it did not protect computers that could not reach the domain directly (for example, those behind a network that blocks outbound web traffic); later variants with the check removed carried on regardless.
Experts put the economic impact of the outbreak, mostly in lost productivity, at anywhere from hundreds of millions of dollars to nearly $4 billion. Because of the way bitcoin works, every transaction is public (if also pseudonymous), and so it is possible to see how much money was transferred due to the attack. Law enforcement agencies and researchers had been watching the three bitcoin addresses that the ransom notes pointed to, and on Aug. 3, 2017, the money in them was finally and suddenly withdrawn. The total was estimated at around $140,000. At $300 to $600 per victim, that is only a few hundred payments against hundreds of thousands of infected computers, meaning the vast majority of victims did not pay and instead restored from backups, rebuilt their machines, or wrote the data off. It is also a rather paltry sum of money, in the grand scheme of things, to have committed an international crime for.
It’s impossible to know what the motivations are for these sorts of attacks, but the fact is that someone felt it was worth it, and others have felt so as well. In June 2017, just six weeks after WannaCry, another massive attack spread around the world using a virus built on the earlier Petya ransomware (now generally referred to as NotPetya); it brought in even less money than WannaCry, and because it could not restore files even for victims who paid, it is widely regarded as a destructive attack dressed up as ransomware.
But even absent a large headline monetary loss, as long as these cryptoviruses find a way in, companies are going to find themselves crippled from a lack of access to their data. The cat-and-mouse game of hackers and security companies is very much ongoing—but IT departments can arm themselves with good protocols to minimize the disruption to their business.
JOSEPH WANG is a systems analyst for an independent IT consulting firm with more than 25 small business clients.