A cyberattack has been affecting millions of PCs running Windows since this Monday. From the Kiev metro to the Chernobyl nuclear power plant, the attack is “unprecedented,” said Mounir Mahjoubi, secretary of state for digital affairs. Michael Bittan, partner in charge of cyber-risk management at Deloitte, revisits the origin of the virus and the precautions to take in order to protect oneself from such a large-scale attack.
Where does this virus come from?
The attack started in Ukraine and Russia and then spread. However, it is impossible to know exactly where it came from. There are many guesses. One of them mentions North Korea, but we consider this to be a rumor. The interventions we are currently conducting in connection with this incident lead us to believe that at least some of the attacks have absolutely no connection with North Korea. Again, it is difficult to pinpoint the country or even the region where the virus originated. The hackers are using bounce zones, which makes me skeptical that we will ever discover the unique origin of the attack.
It is also impossible to trace the instigator because of the site used for payment. In Bitcoin, you don’t give out your banking information, so it’s impossible to trace the origin, the source. There is no way to trace things. The money passes from hand to hand, from country to country; there are states used as gateways. It is, in the end, the 21st-century equivalent of a cash ransom in small bills.
The virus uses the same Windows operating system vulnerability as its parent, WannaCry. A vulnerability is a flaw. There are hundreds of them in any operating system. Take smartphones: the latest Android update patched 101 vulnerabilities. There are fixes every day.
Following the WannaCry attack, Microsoft had sent a patch to its users. A patch is a tool that fixes the vulnerability. All users who updated their system corrected, thanks to the patch, the vulnerability that had allowed the WannaCry attack. However, in large companies, when a patch is received there is a whole procedure to follow in order to test it before installing it on all PCs. Unfortunately, this procedure is sometimes too time-consuming and leaves time for hackers to reuse the same flaw; in the case that concerns us, this flaw is called Petya.
How does the infection of the operating system take place?
The software is similar to WannaCry in that it is so-called ‘ransomware’, i.e. the virus enters through the Petya flaw, then encrypts your data and asks you to pay a ransom to decrypt it. The encryption of the data is done in an almost transparent way; the user is not aware of it at all. Once the encryption is complete, the computer restarts. When it turns back on, an image pops up on the laptop screen, explaining that a $300 ransom must be paid via the Bitcoin website in order to recover the decrypted data, without which it is impossible to use the laptop, as it is completely blocked.
If you pay, you will receive a code via SMS that normally allows you to unlock your computer. Only a few people who paid in previous attacks actually received the code. If you decide not to pay, the best way is to ask a professional to reset your entire laptop, which means that if you only had items saved on this computer, you lose everything. This is why more and more companies are working on shared spaces that are already protected against this type of attack. As an expert, I would advise you never to pay, because even if you do, you are not protected against other viruses having been deposited in the system for a later attack. As a rule, when the laptop is hit it is doomed to be reset.
In order to protect yourself from this kind of attack, you just need to follow some basic rules: train users and make them aware of security, avoid clicking on emails from strangers who tell you that you’ve won the lottery, don’t let a stranger use your computer, and especially not with your identity, etc. This will prevent 80% of attacks of this kind. The digital industry is based on trust; you wouldn’t let a stranger into your home, and it’s better to do the same for computer tools.
What are the hackers looking for that caused this attack?
I don’t understand the reason for this attack. Already in the case of the WannaCry attack a month ago, we were puzzled about the initial intention. Given the financial gains generated, we wondered whether it was not rather a show of force intended to demonstrate a certain capacity, a certain power.
As far as yesterday’s attack is concerned, I don’t see it as a show of force, because it uses the same flaw as WannaCry and may appear to be less virulent than WannaCry depending on the country. It is not a purely financial operation either: it seems that the email address used to receive payments has no longer been in use since this morning (which means that it is definitely no longer possible to recover the encrypted information, since it is no longer possible to pay the ransom). It is even less of a political claim, since the attack affects the Kiev metro via banks, large corporations and the Chernobyl nuclear power plant, yet there is no link between these targets.
I really think that this type of attack is bound to happen again. This is just the beginning, because the hackers have tested their ability to execute large-scale attacks. The contest is on; everyone will want to launch their own attack to see if they can do any harm. The worst is yet to come.
On the other hand, I don’t think that just anyone can create this type of attack. I think it is more likely to be a criminal organization or a state organization than a single person. A single person would not be able to create a virus with a long enough life span that it is not immediately countered and has time to act. It’s a long-term job; you need the ability to build a technical environment that is conducive to this kind of attack.