Since Friday, 12 May, the world has been hit by a massive cyber attack. It has affected 230,000 computers in 150 countries, leading to crises in hospitals, schools, government offices, and any industry that relied on computers – which is to say, all industries. The attack has been described by Europol, Europe’s police agency, as “unprecedented”, and it continues to affect computers around the world, with analysts warning about the possibility of renewed attacks in coming days.
What is the attack all about?
The attack involved “WannaCry”, a ransomware that targets Microsoft Windows operating systems. It exploited loopholes in older versions of Windows to send phishing emails to users. Phishing is a method to obtain sensitive personal information of users, like usernames, passwords, credit card details etc., by sending emails pretending to be from an official entity. When an unsuspecting user opens these emails and/or downloads the attached files, their information is compromised and their system is locked/encrypted.
Once the information is encrypted, a message is displayed on the screen saying so and asking the user to pay USD 300 (in Bitcoin) if they wish to retrieve their data.
Phishing emails employ “worms” to spread the attack in a local network. If even one of the computers in a local network is compromised because of a phishing email, the worm spreads rapidly and automatically encrypts data in all computers in the network. This is why Friday’s attack spread so rapidly across the world.
Who is affected?
WannaCry swept across Europe and Asia quickly, locking up critical systems like the UK’s National Health Service (NHS), a large telecom in Spain, and other businesses and institutions around the world, all in record time.
How did the attack affect India?
India was among the worst-hit countries of Friday’s attack because many Indians still use Windows XP, the operating system whose loopholes were exploited by WannaCry. Presently, a critical alert has been sounded against the spreading of the ransomware.
News agency IANS reported that police computers across 18 units in Andhra Pradesh’s Chittoor, Krishna, Guntur, Visakhapatnam, and Srikakulam districts were affected. However, apart from that, there was no immediate information on the extent of the ransomware’s hold on Indian systems.
Gulshan Rai, chief of cyber security, said, “There are about a 100 systems attacked in India and as of now there are no more threats … We understand systems in Andhra Pradesh are impacted, but so far our assessment is that there isn’t much impact.”
Rai went on to add that a better understanding of the ransomware’s effect in India would only happen on Monday after offices open.
How was the attack contained?
Friday’s attack was slowed after a researcher (known online as MalwareTech) accidentally found a kill switch to combat WannaCry’s spread. Had the kill switch not been discovered, the impact would inevitably have been far more catastrophic.
While this has given authorities time to patch and update systems and cyber-security, there is a high probability of other strains of WannaCry striking in the coming days, and these strains could be immune to the kill switch.
Who are the perpetrators?
It is still unclear as to who caused the attack. Europol stated that a massive international manhunt, a “complex international investigation”, was underway to locate the criminals.
Many commentators criticised the US National Security Agency (NSA) for having indirectly caused the attack. The NSA had prior knowledge of the Windows loophole that the hackers exploited on Friday, but the agency did not disclose it because it planned to exploit the loophole itself for its own benefit. This exploit, known as EternalBlue, was stolen by a group of hackers, who made it freely available in April. The perpetrators of Friday’s attack used EternalBlue to engineer the fast-spreading worm.
Microsoft said on Friday it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such as Windows XP (which the NHS still largely uses), Windows 8, and Windows Server 2003.
Meanwhile, the NSA finds itself in the crosshairs, attacked by cybersecurity activists and government officials who opine that the agency has overreached in its power and influence. The NSA also finds itself at a crossroads, fighting to keep a balance between protecting computer systems and hacking them.