Does the WannaCry attack mark a new age of piracy on the high internet?

Posted July 4, 2017 | Latest Audit Information & News, Uncategorized

Our guest blog this month is courtesy of Vladimir Berezansky, Thought Leader for the Compliance Practice FIDS (Assurance) at EY.

This month Vladimir provides us with his insights on the future as a result of the WannaCry attack.

Future Shock

Ages of Piracy

Throughout human history, each new era of travel and exploration has provided highly attractive opportunities for banditry and marauding. Forays into unknown lands and uncharted waters have entailed unquantifiable (by definition) risks, not least those presented by the individuals and groups who inhabit such unexplored territories.

There are usually at least two reasons why encounters with inhabitants of unknown parts were so perilous: (1) they were often the misfits and outcasts of long settled, well ordered societies (think Botany Bay); and (2) they found illicit (meaning borderline, such as smuggling and slave trading) and/or violently criminal activity to be more lucrative than ‘honest’ trades. Often, this happened sequentially – i.e., being condemned by ‘polite’ society as a misfit or outcast compelled such persons to commit themselves wholeheartedly to a life of illicit and/or criminal activity.

The Bible is filled with stories involving lawless bandits and thieves; and the often fatal dangers posed by ruthless highwaymen were chronicled throughout the Middle Ages in Europe and along the routes of the Silk Road between China and the ports of the eastern Mediterranean. But most contemporary English speakers think of piracy – not without justification – as taking place on the high seas.
The Age of Exploration soon begat a parallel age of seaborne looting and marauding – including, no less, by the navies of competing emerging European powers. Much of the naval and merchant marine histories of the seventeenth and eighteenth centuries involved state sanctioned piracy, especially among the commissioned naval fleets of the kingdoms of England, Spain and Portugal, and the newly independent Dutch Republic. In this era, ‘pirates’ often had highly respected ranks and titles such as captain and commodore.

Even today, ‘traditional’ seaborne piracy remains a tangible threat, especially in the highly dangerous waters off the Somali coast to the east of Africa. Peering perhaps not so far into the future, it would not be too great a stretch of imagination to posit a period or phase of rampant interplanetary piracy in the context of regular, commercial space travel between the Earth, the moon and Mars. So the advent of cyber piracy in our time should not come as much of a surprise.

The WannaCry ransomware cryptoworm

The WannaCry ransomware attack commenced on Friday, 12 May 2017. Within twenty-four hours, it was reported to have infected more than 230,000 computers in over 150 countries. Parts of the UK’s National Health Service (NHS), Spain’s Telefónica, the Russian Interior Ministry, FedEx, and Deutsche Bahn were all significantly affected, along with many other countries and companies worldwide.

Technically, the WannaCry ransomware cryptoworm targeted computers running an outdated but still widely used version of Microsoft Windows (XP) by encrypting data and demanding ransom payments in bitcoins. Once inside a targeted system, the WannaCry ransomware would create encrypted copies of specific file types before deleting the originals, thus leaving its victims with encrypted copies which couldn’t be accessed without a decryption key.

WannaCry would then replace the computer’s wallpaper with a message instructing the victim to download the ransomware from Dropbox before demanding the specified amount of ransom to be paid in bitcoins.
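The encrypt-a-copy-then-delete-the-original sequence described above is exactly the behaviour a file-activity monitor can look for. The Python below is added here as an illustration and is not part of the original article: it flags a burst of such pairs in a constructed audit log; the paths, timestamps and the ".locked" suffix are made up.

```python
from datetime import datetime, timedelta

# Constructed file-system audit events (not from the article): "timestamp|action|path".
# The article describes WannaCry writing an encrypted copy of each target file and
# then deleting the original, so the signature is CREATE <orig>.<ext> followed
# within seconds by DELETE <orig>, repeated in a burst. ".locked" is a made-up
# placeholder suffix, not the real extension.
SAMPLE_EVENTS = """\
2017-05-12T09:00:00|CREATE|C:/share/q1/report.docx.locked
2017-05-12T09:00:00|DELETE|C:/share/q1/report.docx
2017-05-12T09:00:01|CREATE|C:/share/q1/budget.xlsx.locked
2017-05-12T09:00:01|DELETE|C:/share/q1/budget.xlsx
2017-05-12T09:00:02|CREATE|C:/share/q1/notes.txt.locked
2017-05-12T09:00:02|DELETE|C:/share/q1/notes.txt
2017-05-12T09:00:03|CREATE|C:/share/q1/deck.pptx.locked
2017-05-12T09:00:03|DELETE|C:/share/q1/deck.pptx
2017-05-12T09:00:04|CREATE|C:/share/q1/scan.pdf.locked
2017-05-12T09:00:04|DELETE|C:/share/q1/scan.pdf
2017-05-12T10:15:00|CREATE|C:/share/q1/draft.docx.bak
2017-05-12T10:15:30|DELETE|C:/share/q1/draft.docx
"""

def parse_events(text):
    """Parse lines into (timestamp, action, path) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, action, path = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), action, path))
    return sorted(events)

def find_encrypt_then_delete(events, pair_window=timedelta(seconds=5)):
    """Return (delete_time, original, copy) for each original deleted within
    pair_window after a file named <original>.<something> appeared."""
    pairs = []
    for ts, action, path in events:
        if action != "DELETE":
            continue
        for cts, caction, cpath in events:
            if (caction == "CREATE" and cpath.startswith(path + ".")
                    and timedelta(0) <= ts - cts <= pair_window):
                pairs.append((ts, path, cpath))
                break
    return pairs

def ransomware_alert(events, threshold=5, burst_window=timedelta(seconds=60)):
    """True when at least `threshold` encrypt-then-delete pairs land inside one
    burst_window; a single slow backup-and-delete (draft.docx) does not trip it."""
    times = sorted(p[0] for p in find_encrypt_then_delete(events))
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= burst_window:
            return True
    return False
```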

Shortly after the WannaCry attack began, a 22-year-old web security researcher who blogs as ‘MalwareTech’ discovered an effective kill switch by registering a domain name he found in the ransomware’s code. This greatly slowed the spread of the infection, effectively halting the initial outbreak by Monday, 15 May 2017; but new ransomware versions have since been detected that lack kill switches. Researchers have subsequently found ways to recover data from infected machines in certain circumstances.

Guerrilla theatre for the 21st century

On the one hand, this was a long-anticipated and widely discussed type of event. Much like a geographic region situated over a tectonic fault line (think Italy, Japan, or California), this sort of cyber attack had to happen somehow, somewhere before much more time had passed. On the other hand, this in-your-face, guerrilla theatre-type event was not, apparently, a huge success – perhaps even largely unsuccessful, in the main – if judged by what should be the most obvious metric of success in such situations – i.e., the amount of money that this cyber-crime yielded. Reliable media reports have estimated the total take from this attack as being less than USD50,000 – hardly an ‘Italian Job 2.0.’

In retrospect, the hackers’ selection of bitcoin as their chosen method for receipt of ransom payments seems highly problematic. Bitcoin is easily traceable — every transaction is written on a public ledger called the blockchain — meaning that any payment can be traced throughout the network.

The WannaCry payment instructions directed ransoms to be addressed to three specified ‘wallets,’ each of which can be easily examined. Moreover, anyone can see exactly how much ransom has accrued at any given time.
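The traceability argument above can be made concrete. The Python below is an added illustration, not part of the original article and not real blockchain data: it sums what has accrued to a set of watched wallets and follows the funds hop by hop through a constructed toy ledger. The wallet names, transaction ids and amounts are placeholders.

```python
from collections import deque

# Constructed toy ledger (not real WannaCry data). Each transaction lists the
# addresses that funded it and the (address, satoshi) outputs it created; real
# Bitcoin inputs reference earlier outputs, so "spending address" is a
# simplification that keeps the tracing logic readable. The three ransom wallets
# are placeholders for the real ones, which the article does not reproduce.
RANSOM_WALLETS = {"ransom1", "ransom2", "ransom3"}

LEDGER = [
    {"txid": "t1", "inputs": ["victim_a"], "outputs": [("ransom1", 17_000_000)]},
    {"txid": "t2", "inputs": ["victim_b"], "outputs": [("ransom2", 17_000_000)]},
    {"txid": "t3", "inputs": ["victim_c"], "outputs": [("ransom1", 30_000_000)]},
    {"txid": "t4", "inputs": ["ransom1", "ransom2"],
     "outputs": [("mixer_in", 60_000_000), ("ransom1", 4_000_000)]},
    {"txid": "t5", "inputs": ["mixer_in"], "outputs": [("exchange_deposit", 59_000_000)]},
    {"txid": "t6", "inputs": ["shop"], "outputs": [("customer", 100_000_000)]},
]

def accrued(ledger, wallets):
    """Satoshi paid into each watched wallet by outsiders, ignoring change that
    a wallet sends back to itself (t4)."""
    totals = {w: 0 for w in wallets}
    for tx in ledger:
        if wallets & set(tx["inputs"]):
            continue
        for addr, amount in tx["outputs"]:
            if addr in wallets:
                totals[addr] += amount
    return totals

def trace_outflows(ledger, wallets, max_hops=3):
    """Breadth-first walk following funds out of the watched wallets; returns
    {address: hops} for every downstream address reached within max_hops."""
    reached, frontier = {}, deque((w, 0) for w in wallets)
    while frontier:
        addr, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for tx in ledger:
            if addr not in tx["inputs"]:
                continue
            for out_addr, _ in tx["outputs"]:
                if out_addr not in wallets and out_addr not in reached:
                    reached[out_addr] = hops + 1
                    frontier.append((out_addr, hops + 1))
    return reached
```

Because every transaction is public, a compliance analyst can compute both figures for any real address with the same logic against a block explorer's data.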

This particular ransomware attack did, in some ways, seem to be intended as more demonstrative than useful – i.e., purely remunerative – to its perpetrators. Indeed, the WannaCry assault can be seen as overblown by design – i.e., intended primarily to make a simple, chest-thumping message: ‘Know who we are and fear us!’ In this light, perhaps the choice of bitcoin as their conduit for collecting ransom was intended to be more trendy than furtive – as more of a flourish or fashion statement than a coldly rational choice. Relevant historical analogies – perhaps not on all fours, but in the same spirit – might be the taking of The Bastille or the Bolsheviks storming the Winter Palace: As satisfyingly high-profile and cathartic son et lumière, to be sure, but more of a diversion from the movement’s main assault on the existing order. Che Guevara, it would appear, has taken up writing code.

A new unholy trinity

And yet, the WannaCry assault was more substantive than a Molotov cocktail tossed into the Internet. The plotters behind this cyber attack managed to unleash a novel combination of three disparate features: ransomware + (Stuxnet-like) worm features + exploiting a software flaw in an outdated but still widely used version of Windows = a new unholy trinity.

And just as with the Bourbons and the Romanoffs, there is clearly a strong undertow of tension between haves and have-nots in this new cyber context – not the least being the widespread prevalence and reliance on an outdated version of Windows by the unwashed, whose no doubt equally antiquated hardware doesn’t automatically soak in the very latest software fixes and apps as it shuts down for the evening – in fact, such an overused work station might very well be kept running ‘round the clock in what perhaps passes for the administrative office that might manage a dodgy, dreary Third-world sweatshop.

There was also some delicious internecine mayhem up at the top of the socio-economic pyramid from l’affaire WannaCry: During the height of the attack, Microsoft took a viciously feline paw-swipe at the NSA for having developed the very malware that WannaCry’s perpetrators were using to exploit the software weaknesses in the outdated version of Windows that served as their Trojan horse.

Finally, and certainly not the least of these matters, are the Compliance-relevant issues that will no doubt merit our attention for the foreseeable future, including: 1) the WannaCry gang took full advantage of blockchain technology to move through and past the Internet without leaving their fingerprints or other incriminating evidence; and 2) at first blush, it seems that Compliance’s traditional arsenal of AML techniques are suddenly useless in this context. In order to catch this rabbit, Compliance may need to throw away the old handbook and start over.

Regulatory guidance

Several days after the initial WannaCry assault and its subsequent containment, the Financial Conduct Authority (FCA) issued guidance under the rubric ‘Cyber resilience:’ First, the FCA put the banking and financial services sectors on notice that WannaCry was their wake-up call: ‘Cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events.’ Thus having reminded the regulated community of their responsibility to develop and implement adequate countermeasures, the ‘Cyber resilience’ release provides a link to a one-page infographic that provides an overview on ‘Effective cyber security practice.’ WannaCry was our moment of future shock.

It’s clear that the FCA expects each of its licensed entities to deploy a robust cyber security programme before the next, sadly inevitable incident of this nature occurs.

(This article has been published courtesy of ‘inCOMPLIANCE,’ July 2017)
