How safe are we?
After the unprecedented worldwide cyberattack in mid-May when large corporations, hospitals and government agencies were affected, the question now is whether the world faces a cybersecurity problem of epidemic proportions.
The malicious attack—which began on Friday, May 12 and spread throughout the following weekend—mainly affected European and Asian countries, as well as the United States, through the use of a ransomware known as “WannaCry,” which launches cyberattacks after identifying vulnerabilities in Microsoft’s Windows operating systems.
It is estimated that more than 200,000 systems in over 190 countries were affected by the virus attack, which encrypts the data so it can only be accessed through a “key” that will be offered to affected parties after paying a sum deemed as ransom.
Although this virus did not cause great damage to the infrastructure of the United States—as opposed to England and China—the Federal Bureau of Investigation, National Security Agency and Department of Homeland Security remain alert to other possible attacks.
Experts said this is the most significant global software attack since March 2009, when the Conficker virus managed to infect 6% of computers worldwide by taking advantage of a Windows Server service vulnerability in Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.
According to Luis Valencia, vice president of Puerto Rico Computer Services, a firm specializing in computer systems and cybersecurity, the proliferation of this type of virus will be part of future war scenarios.
“My very personal opinion, and I could be diametrically wrong, is that all these recent attacks are a drill for the next world war. When analyzing the facts, I realized there is a pattern, especially with this latest attack,” the expert said.
Valencia pointed out that the May attack crippled the British healthcare system, interrupted communications in Spain and affected transportation in Germany.
“I haven’t the slightest doubt that the next war will be of a cybernetic [nature] because this is attacking a nation’s capabilities. The only thing the ransomware failed to affect was the finance [sector] and that is relatively simple. To give you an example, if you halt Wall Street, you halt the United States,” he said.
Valencia expressed great concern about the May attack: despite having previously intervened in ransomware situations locally, he said the ease with which the hacker gained access to plant the virus in the systems is extremely alarming.
In addition, Valencia, who has 42 years of experience, explained that this type of attack using ransomware is not new, as the first virus of this type, coming from Russia, was recorded in 2000. The difference is that the strains have since evolved to be far more sophisticated.
“All this is done anonymously and when they ask you for ransom, you have to use a special type of browser to connect to the internet called Tor. That browser is anonymous, leaves no trace of who is connecting to it or from where,” Valencia said.
The expert explained that all this activity takes place in a virtual realm parallel to what is commonly known as the World Wide Web. This clandestine, black-market realm is known as the Dark Web, and it carries out these transactions through its own means, using its own currency, bitcoin.
“When you’re going to make an anonymous payment to one of these ransomware [owners], you don’t know who you’re paying. They also ask you to pay using bitcoins—an untraceable currency—and you end up paying, but you don’t know who your payment went to or where your payment was sent. Under that same concept, you hope the person will send you the key to open the encrypted files, but you don’t have a guarantee; it’s like playing Russian roulette,” Valencia said, adding that he has had local customers who either paid and failed to receive the key, or the key they were sent failed to work or only partially worked.
How it works
Possibly the most alarming thing about ransomware is that anyone can go to the Dark Web and acquire the code to build it for as little as $100, $500 or $1,000, depending on the type of virus. In addition, Valencia said that not only companies are vulnerable to this type of attack, but also anyone who accesses the internet from a digital device.
Valencia explained that ransomware is “planted” within a network system and the virus begins to gather intelligence about its components. Once it disarms the existing antivirus software, it erases the entire backup and then begins to encrypt the documents, which can only be recovered using a code that only the hacker has.
“For example, a computer center usually has a server, what is called the Active Directory, which is where all the accounts, passwords, etc. reside and typically they are from Microsoft. After that, you have the data servers and another server that is your engine to do the backups and you place those in the repository, but you have another firewall where you have the console and the engine to distribute the antivirus throughout your company,” he said.
“The hacker then plants ransomware in the system, which in 99% of cases is done through a link sent in an email, and the virus begins to learn how the network works. [The ransomware] identifies the Active Directory server, monitors administrative accounts, identifies the administrative account that connects to the antivirus and the one that connects to the backup, collects the information and does a systemwide check. If the antivirus is active, it detects it, and since it already knows which administrative account controls the antivirus, it simply stops it,” he explained.
Valencia assured he has handled cases in Puerto Rico in which those involved lost up to 12 years of irrecoverable historical information. The expert predicted that in the future, each new virus strain would be more aggressive than the one before it.
How to protect yourself
The simple act of going online using a digital device puts any individual at risk of falling prey to these attacks, since by connecting to the World Wide Web you are sharing that cyberspace with people around the planet. However, Valencia said that prevention is the best way to avoid becoming a victim of ransomware.
“There is no cure for these viruses because when antivirus companies find the vaccine for one, there are 20 more strains out there. Hackers always are one step ahead,” he said.
“Your weakest point determines your [level of] security. You can invest all the money in the world to install security systems, but you have a single machine using Windows XP or Windows Server 2003 and that determines your security,” he added.
Valencia’s first suggestion is to use common sense and not open emails from names and addresses you do not recognize and never access the links included in them.
“When you receive an email and see the link, place the mouse on it and a little window will come out and that will tell you where that site is going. If you see a strange address, click on the right button, go to ‘Properties’ and it will tell you—not the alias they are using, but rather what the real address is,” he said.
In addition, it is always a good idea to keep a company’s antivirus fully updated, as well as keeping backups on personal computers.
“People buy an antivirus, install it and believe it will last a lifetime. You must configure it so the vaccines are updated regularly and do pay the registrations because in this market, there is no [such thing as a] free lunch. Backups are also important and practically nobody does them on their personal computers,” he noted.
The expert mentioned other techniques used by companies, such as air-gap backup, in which the backup systems connect only while a backup is running and then disconnect, removing the window in which they could be attacked.
Valencia also said tape backups have recently become relevant in light of the increasingly aggressive virus strains being developed, since storing the information in this offline form keeps it out of reach of network-borne attacks.
In addition, he suggested removing obsolete operating systems such as Windows Server 2003, Windows XP and Windows 2000, as there are no updates for these systems, which Microsoft itself has withdrawn from the market.
Valencia further explained that companies often hire an expert to develop a program tailored to the corporation, and that program is deployed on whatever operating system is current at the time. However, companies fail to update these systems afterward, and that is where the risk increases considerably.
“Here in Puerto Rico, you would be surprised by how many people have these operating systems installed in their companies—renowned companies you believe are at the forefront of technology,” he said.
For his part, Javier Ortiz of Falcon Cyber Investments said it is important for companies to keep their employees up-to-date regarding new internet security protocols.
“Organizations must effectively train their employees so they can identify a potential cyberattack and have the technology needed to mitigate its impact and prevent noncompliance,” he said.
Ortiz pointed out that any computer is constantly at risk of attack simply by being connected to the internet. However, he said the federal government has a robust infrastructure, so he does not foresee any breach that would allow a major cyberattack.
“In the ‘dot gov’ domain—mostly used by civil government agencies—the Department of Homeland Security is using a very active program called ‘continuous monitoring.’ In essence, it is a way to constantly monitor all potentially malicious activities operating within these domains to prevent any breach. Therefore, the federal government is being very active in that space,” he said.