Ransomware made you WannaCry?

Posted on Sunday, 21 May 2017
Reading time: 4 minutes

This month, the world at large woke up to a very scary reality – we are all vulnerable to ransomware and other cyber-attacks, either directly in our personal capacity or indirectly through the services upon which we rely daily.

Friday the 12th of May saw over 100,000 computers in over 70 countries hit by a strain of ransomware known as Wcry or WannaCry. Deployed using a computer worm or infected email attachment, WannaCry encrypts a computer’s files, leaving them inaccessible to users. Each encryption generates an asymmetric key for the attacker which will only work for that specific victim. A pop-up then appears on the victim’s screen demanding a ransom of $300 in Bitcoin within three days. Failure to comply results in the price doubling, and after seven days WannaCry renders the data permanently irretrievable. Bitcoin is an online currency infamous for its anonymity and preferential status as a medium of exchange amongst black-market traders and Dark Web criminals. While companies might be able to shell out $300 to get their crucial information back, individuals in their personal capacity can hardly afford to do so – and there’s no guarantee that the criminals will release the unique encryption key upon receipt of payment. Paying a ransom, especially in Bitcoin, is a considerable gamble, as it is challenging to locate the beneficiary of the payment should they opt not to release your keys. One should always remember that these malware (malicious software) engineers are cyber criminals, and there is very little honor amongst thieves.

By Saturday morning, however, hope seemed to crest the horizon when a 22-year-old security researcher known by his Twitter handle, @MalwareTechBlog, managed to accidentally activate a ‘kill switch’ in WannaCry’s programming. While reviewing the ransomware’s code, he realised that the program continually attempted to ping a specific website. Upon further investigation, he discovered that the particular website had not yet been registered. Paying a meagre £8, he managed to purchase the domain – inadvertently activating a kill switch which prevented the ransomware from replicating itself further throughout networks once it had successfully contacted the website. Whilst infected computers remained encrypted, his actions managed to halt the further spread of the malware.

The kill switch activation came a little too late for over 126,000 computers in 104 countries, cybersecurity firm Avast reported. Russia, Ukraine, and Taiwan appear to be the countries most affected by the ransomware, with more than half of the infection reports coming from Russia.

The ‘accidental hero’ cautioned that he had only managed to stop a single strain of the virus and that would-be attackers would quickly adapt to circumvent this. Unfortunately, he was to be proven correct, as WannaCry 2.0 hit the web shortly after the initial victory. Europol Director Rob Wainwright, speaking on ITV, stated that as of Sunday morning on 14 May, the latest count showed over 200,000 victims in at least 150 countries - most of those victims being businesses. It is far from over though: he is concerned that the statistics will continue to spiral as businesses resume trading in the week following the incident.

Fortunately, there is still hope – Windows Defender contains a patch which can be downloaded for free, effectively blocking variants of WannaCry from infecting your computer. While this single attack may be thwarted by prudent patching and up-to-date antivirus software, it highlights an uncomfortable reality for many of us: we are all vulnerable.

Whether through our own personal laptops which may be compromised, our healthcare systems such as the NHS hospitals in Britain, or infrastructure such as the railway stations in Russia – our lives are inextricably linked to computer systems. There will not always be a shining hero who finds a kill switch, and the next virus may enter our systems through a previously unidentified zero-day exploit.

From a risk transfer perspective, insurance is one of the greatest risk management tools available to businesses who wish to shift potential costs and losses on to another party. Camargue is well positioned in the cyber risks market and offers a comprehensive policy which, amongst other exposures, provides cover for the costs incurred in getting your network back up and running, the lost income while your systems were down and even the ransom monies should you choose to pay. Cyber Risks insurance is set to be a challenge for insurers, as it is poised to become the next class of insurance to experience catastrophe losses (due to the high frequency and severity). Traditionally, these losses were limited to insurance classes where a massive hail storm or an earthquake would result in thousands of individual claims arising suddenly from a single event or a series of events. Malware, such as WannaCry, may just prove to be the hailstorm of the cyber world, crashing down on a global scale to put a dent in our day.

Ethan Pitts
Trainee Underwriter
+27 (0)11 778 9140