The Data Kidnappers

In the age of digitisation and connectivity, a new form of extortion has arisen: ransomware

Over the past few months, organisations across the world have been targeted by a new form of cyberterrorism—ransomware. In a ransomware attack, the victim’s computer or network is locked and its data encrypted by hackers, who then demand money to release these back to their owners. While such assaults began as early as 2013, the last four months have seen repeated incidents all over the world.

In May, an attack using a new ransomware ‘cryptoworm’ called WannaCry brought many businesses in Europe to a standstill. This affected more than 230,000 computers in over 150 countries, badly hitting the Spanish telecom service provider Telefonica, the German state railways and the NHS, among others. Similarly, a new variant of the ransomware Petya, which caused a great deal of distress in Europe last year, surfaced in June. This time, the impact was closer to home as some systems in India were hit by the attack; this included the Jawaharlal Nehru Port Trust, whose terminals came to a halt. Later, in September, systems across the globe were assaulted by Locky. This was similar to WannaCry and posed such a serious threat to Indian systems that the Indian Computer Emergency Response Team (CERT-In) issued a warning against it.

The matter of concern is that there is no way to prevent an attack, as there are many variants of ransomware that surface from time to time. Worse, there is currently no way to decrypt affected systems and information without paying a ransom. So far, there is no way to unlock infected computers and networks. Sajan Paul, the CTO of Juniper, explains, “Some of the public facing applications are not patched. The way the attack vector progresses, there are no signatures, so systems designed to recognise attacks cannot detect them. The biggest threats are those which attack like zero data and cannot be detected. Then there are people who want to adopt cutting edge and new software which are loosely written. This increases the threat.”

Another problem is that software and systems are failing to move as fast as these hackers. Tarun Kaura, director, systems engineering, Symantec, says, “We are not moving at the pace at which malicious code is moving. Even in large enterprises this is not being done, and they don’t upgrade patches. In 2015, there were 13 variants of ransomware, which increased to 105 in 2016, and average demand for ransom increased from $297 in 2015 to $1077 in 2016.” The extortionists’ job has been eased by the spate of e-payment methods, with a majority now demanding payment by cryptocurrencies such as Bitcoin, which keep the recipients anonymous.

Ransomware typically spreads through malicious emails with attachments, infected software and infected storage. Through these, attackers gain control over remote machines and networks and hold them to ransom. Symantec’s latest internet security threat report, Email Threats 2017, states that people are more than twice as likely to encounter threats through email. In fact, one out of every nine email users will have had a malicious email sent to them in the first half of 2017. And the likelihood rises further depending on which industry the user works in. For instance, if the user is in wholesale trade, that ratio climbs to one out of every four.

The magnitude of ransomware attacks has increased sharply over time, with hackers exploiting vulnerable technology and gaps in security frameworks, and targeting unsuspecting users and companies in possession of sensitive and confidential data. Such attacks can result in financial losses (customer data, IP), impact business continuity and cause reputational damage and loss of customer confidence. It is believed that about 30 per cent of ‘victims’ pay to regain their data, thus adding to their losses. The impact that this has on various industries can be significant, especially those relying heavily on data, such as IT-ITeS, e-commerce, retail and financial services.

Crucially, India is still ill-prepared to fight such attacks, as most Indian systems do not invest sufficiently in security. In the words of Arpinder Singh, partner and head - India and emerging markets, fraud investigation & dispute services, EY, “India has seen an accelerated use of online and mobile platforms; for instance, financial transactions through internet banking and mobile wallets have risen considerably. Consequently, the risks associated have also augmented, and a security breach can compromise the information of millions of users. Many companies in India still use outdated computer systems and hardware that can make them an easy target for hackers. The use of pirated or unlicensed software is high in India, increasing risks as OS patches will not fix them. Techniques such as phishing, spear-phishing, DDoS attacks, malware, key loggers, spyware and many others can also expose companies to significant threats.”

According to an EY report, Responding to cybercrime incidents in India, about 2/3 of businesses in the country were unable to detect a cyber-incident in real time due to insufficient understanding of the motive behind the attack. The report also stated that employees are one of the weakest links in the company’s defence systems. Currently, there is no legal requirement to report cases of cyber breaches, nor any obligation to inform ‘victims’ that their information has been compromised.

“In Indian industry, which is not regulated, there is very low involvement of cyber security, and [firms] are vulnerable. 67 per cent of attacks are on SMEs, and their vulnerability extends to larger organizations,” says Rajnish Gupta, regional director, India and SAARC, RSA.

In general, Indian companies outside banking and finance lack sufficient focus on cyber security. Sridhar Iyengar, VP of IT management company ManageEngine, says, “India is going through a push towards digital, and so cyber security should have been a priority. Unfortunately, that has not happened. Traditional industry has not invested in IT and will remain vulnerable to such attacks. The problem is that in India, there are still companies that don’t treat IT as a priority and don’t see it as a core department. They don’t have staff and tools to detect security flaws.”

An even more alarming facet of all this is that some ransomware, such as Petya and WannaCry, quickly spreads across other systems from a single machine. That is where India may be more vulnerable. “This is something most systems in India are unprepared for, and the impact can be severe and is a bigger threat. The attackers can hold the entire company to ransom and can affect the entire country. And since most organisations are networked, the attacker can quickly move from one machine to the entire network getting control over the whole system,” says Bryce Boland, CTO, APAC, FireEye.

Naturally, industry experts say that serious thought is already going into the matter of security, and that systems are being built to counter such attacks. Srinivasan C.R., senior VP, Tata Communications, says, “As a response to an increasing number of ransomware attacks, the community of White Hats has been formed. The White Hats are computer hackers or security experts specialising in penetration testing and developing various testing methodologies to challenge the existing security of an organisation’s information system.”

But perhaps Indian industry needs a much greater degree of awareness and readiness to act in order to put in place a backup plan capable of coping with these attacks, which have put even developed economies on the back foot. The government must step in with both contingency plans and preventative measures. If this is not done, India’s fast move towards being an advanced digital nation could also make it an extremely vulnerable one.
