WannaCry, the ransomware that affected nearly 200,000 computer systems across the world over the weekend may have been slowed down thanks to a lucky break, but the attack leaves a lot of questions unanswered. We know WannaCry spread because it acted like a worm to replicate itself. How exactly did that happen and could the worm have also modified affected files? We approached Saket Modi, CEO of Lucideus Tech, the cyber security startup behind the Indian government’s ambitious UPI and BHIM projects, to understand just how WannaCry spread across 99 countries in a matter of a few days.
Digit: What is your threat assessment of the WannaCry Malware? Is it just beginning it’s destructive streak?
Saket Modi: Majority of the hacks are happening in Russia. In India, on the other side, we’ve seen certain instances of ransomware, and it is not a new thing. On an average, we get three to four queries about ransomware from individuals, not companies, on a weekly basis. Most queries are from people whose personal laptops or PCs have been encrypted by ransomware. Ransomware is pretty common in India now. 3-4 a week might not be a big number for now, but it is just starting now. There have been companies that have reported instances of WannaCry or a similar ransomware, but I would say it’s not as bad as it happened to Russia or the UK.
Digit: Yes, even CERT believes India is not badly hit by WannaCry, but there are conflicting reports that India is one of the worst affected. Are those baseless?
Saket Modi: Just think of it like this – any critical company in India, or any govt entity in India, when they get affected, it is a mandate from the law’s side to make a public announcement. For example, the RBI mandates every bank, if it gets breached, to be reported in six hours. So, not reporting in India is not an option. Now, when the government body, which is the apex body for anything to do with cyber security in India, is saying it’s not that bad, then it’s not being reported correctly. There are also companies like ours who actually do the security for multiple corporates in India. We are the people who would actually get calls about these things. Even we are saying it is not a big deal in India. If you want to make an epidemic seem bigger that it is, that story definitely sells much more. But, it should not be about selling a story, it should be about facts.
Digit: So, why was India not badly hit by WannaCry?
Saket Modi: I would say that probably we were not at that level of connectivity and digitisation has still not taken us to a point like the UK has been. So it is a parallel right? When the global recession happened, India was not so adversely affected, not because there weren’t any problems here, but most money was black money, in terms of cash, that’s one of the reasons why the recession didn’t take a toll on us.
Digit: We understand that maybe we are not so connected, but since you deal in the security of large organisations, and one of the reasons why WannaCry spread was because systems did not install the March security patch provided by Microsoft or they were running older versions of Windows, do you think systems are updated regularly in Indian organisations, which is why the spread in India is contained?
Saket Modi: Firstly, simply updating a patch for a person like you or me, who deal with technology on a daily basis, looks like a very easy thing to do, and it is something that we understand the importance of. The other side of the story is that when you talk about a large company in India, it typically would have tens of thousands of employees. When you talk about that many computers, for security reasons, most companies disable the auto update as a patch, because it can be a potential vulnerability. That patch has to be pushed by the IT teams of these companies. When you tell ten thousand people in a company that they have to update their OS, for which a computer is busy for a few hours, it is a big problem. 99% of people in a company are not tech savvy, it is a huge hurdle. And, this is not just an India problem, it is a global problem. Pushing an update is far more difficult than what generally people perceive it to be.
Digit: Moving to WannaCry and how it spread, can you elaborate on how a worm actually works?
Saket Modi: The way a worm works is that you definitely need to execute a particular worm, either on a standalone computer, or one that is connected to a network. Till that point, a virus and a worm are pretty much the same. The only difference is that a worm automatically knows how to spread itself. Suppose you are in your corporate network, now if you click on an executable, not only does that malware get installed on your computer. You see, every computer has an IP address, this IP address is a part of something called a subnet. Subnet, simply, is an array of IP addresses pre allocated to a range of computers in an organisation, so that they can communicate with each other. What a worm does is it simply goes ahead and scans the range of an IP address from the computer in which it belongs to the subnet of. When it scans the range of IP addresses that are there, the next step is that it simply tries to ping it and take certain specific values. When that happens, one can actually fingerprint the operating system of the remote IP that is being pinged. When that happens, the range of IPs which are switched on are further probed and the ones running a Windows OS can be found out remotely, without alerting anyone. Once those machines are identified, the exploit (in this case, EternalBlue) penetrates the operating system, from the attacked IP to the range of computers in that subnet. All of this happens in a manner of minutes and in an automated fashion. This is why worms are so deadly, once inside a machine, it’s literally there anywhere and everywhere.
Digit: Can a worm also modify files as it spreads? Does WannaCry have the ability to modify files, rather than just encrypting them?
Saket Modi: Once it takes over the computer, you can execute whatever you want in that computer with certain special privileges that are there. That’s a good point you are making, you need to know about something called Doxware, an evolved ransomware which not only allows for modification, and hackers can actually go to a point where they not only hold you on ransom, they threaten you to make you information public, along with inserting some embarrassing pictures of yours, which will convince people that it is your data. So absolutely, there is something which can be done, but from what I understand, WannaCry is not doing that.