Since 12 May 2017, WannaCry has claimed over 300,000 victims across 150 countries. Dubbed one of the biggest ransomware attacks to date, WannaCry has unveiled a new face of crime in the digital age. More than a criminal enterprise, though, the malware has been a disruption, halting numerous businesses and organisations worldwide. It exploits a vulnerability in the Server Message Block version 1 (SMBv1) service of the Windows operating system by means of the EternalBlue exploit, which “The Shadow Brokers” published in April. The hacker group claims to have acquired it from a hack of the National Security Agency (NSA) of the US. The worrying part is that the Shadow Brokers intend to offer their cache of undisclosed vulnerabilities and exploits as a service, through a monthly subscription model they say will launch soon. Once a dump reaches the subscribers, they are free to use the exploits however they wish, putting everyone at risk. This would open Pandora’s Box: innumerable exploits would be available to a host of threat actors, and WannaCry would then be merely the precursor to a more threatening future.

 

Ransom + Malware = Ransomware

 

Once ransomware infects a computer, it either encrypts files and data on the system or denies the owner or legitimate user access to it. To decrypt and retrieve the files, or to regain access, the victim must pay a ransom, usually in a cryptocurrency such as Bitcoin or Ethereum. Without an independent, offline backup, the victim cannot recover the files unless the ransom is paid to obtain the decryption key, and may lose them forever. Depending on how important the files are and whether a backup exists, the victim is therefore either forced to pay or to forgo the data. Ransomware is nothing new. Such attacks have deliberately targeted industries and critical services such as healthcare and financial services. Ransomware accounted for 72 percent of healthcare malware attacks in 2016, and healthcare is the second-most targeted industry, behind only the financial sector. Ransomware can disrupt these services, and because they are time-critical, the victim is more likely to yield to the attacker and pay the ransom to restore normal operations or business processes. For these industries the availability of data and access to it matter as much as its safety, making them a soft and obvious target. At the outbreak, WannaCry disrupted patient care at the National Health Service in the UK, throwing planned surgeries and ambulance services into disarray. To add to the dismay, ransomware is now readily available as toolkits and utilities; with such kits, even partially skilled programmers can assemble a devastating piece of ransomware.

 

The Windows vulnerability WannaCry targeted, the one the EternalBlue exploit abuses, was in fact patched by Microsoft in March this year (security bulletin MS17-010). The malware also behaves like a worm: it scans for and infects other computers and servers on the same network, and across the Internet, without any user interaction. Such malware targets vulnerabilities that have been left unpatched even though fixes and updates have been rolled out. Laxity on the part of organisations or individual users leaves unpatched systems exposed to these kinds of attacks. WannaCry created havoc with a single exploit, and one for a known vulnerability with an available fix. Imagine the situation if undisclosed vulnerabilities were used to target systems; it would turn gruesome if such attacks were aimed at mobile platforms.
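As an added illustration of the point about known, fixable vulnerabilities (this is my own script, not part of the original article or of any vendor tooling): a PowerShell check an administrator can run in an elevated session on a Windows host to see whether SMBv1, the protocol EternalBlue targets, is still enabled, and whether one of the March 2017 MS17-010 updates is installed. The KB numbers are the ones listed in the MS17-010 bulletin for each Windows version as I recall them; verify them against the bulletin for your OS, and note that on Windows 10 later cumulative updates supersede them, so a missing KB there does not by itself mean the host is unpatched.

```powershell
# Added example: audit one Windows host for the two conditions WannaCry relied on.
# Run in an elevated PowerShell session. Not part of the original article.

# 1. Is SMBv1 still enabled on the server side?
$smb1Enabled = $null
try {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} catch {
    # Older hosts: SMB1 is disabled only if this registry value is explicitly 0.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smb1Enabled = -not ($params -and $params.SMB1 -eq 0)
}
Write-Host "SMBv1 server enabled: $smb1Enabled"

# 2. Is one of the MS17-010 (March 2017) updates present?
# KB list per MS17-010 as recalled; verify against the bulletin for your OS version.
$ms17010Kbs = @(
    'KB4012598',                              # Vista / Server 2008
    'KB4012212', 'KB4012215',                 # Windows 7 / Server 2008 R2 (Security Only / Monthly Rollup)
    'KB4012213', 'KB4012216',                 # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                 # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'     # Windows 10 1507 / 1511 / 1607
)
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update found: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB from the March 2017 list found. On Windows 10 check the OS build instead; a later cumulative update supersedes these."
}

# 3. Remediate: disable SMBv1 if nothing on the network still needs it
#    (clients that require it are rare and usually very old). Uncomment to apply.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# On Windows 8.1 / 10 the feature can also be removed entirely:
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Disabling SMBv1 removes the attack surface regardless of patch status, which is why it is listed as the remediation step even on hosts that report the update as installed; blocking TCP port 445 at the perimeter stops the worm's Internet-facing spread but not lateral movement inside the network.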

 

Beginning of the Era of Exploits

 

The Shadow Brokers came into the limelight in the summer of 2016 when they published several leaks containing some of the NSA’s hacking tools. The group has announced a “The Shadow Brokers Data Dump of the Month” service, under which members would get access to exploits and tools for web browsers, routers and handsets, along with compromised network data from SWIFT providers and central banks. In its note, the group dismisses the bug bounties offered by software firms for disclosing vulnerabilities found in their code, and describes the Equation Group as a worthy opponent. The Equation Group is a sophisticated hacking team believed to be operated by the NSA. Assuming the infamous Shadow Brokers live up to their word, more exploits could surface in June.

 

If the Shadow Brokers’ trove unravels exploits for a horde of desktop and mobile operating systems, presumably everyone is going to be at risk, given how deeply mobile phones have penetrated daily life. Beyond basic communication, mobile phones carry the second factor for two-factor authentication on most email services, and they host essential day-to-day applications for travel, navigation and messaging. A ransomware attack on mobile platforms along the lines of WannaCry would not just spread rapidly; it could cripple millions, even billions, of users by locking them out of their own handsets. Malware propagating over messaging protocols would spread like an epidemic. As of now, some industry verticals, such as healthcare and banking, are more prone to ransomware than others. With innumerable vulnerabilities in both the desktop and the mobile sphere being put up for sale, every individual and every industry vertical can expect to face such attacks from a wide cross-section of threat actors, whether for disruption or for monetary gain.

 

With close to 5 billion mobile phone users across the globe, the target base is enormous. The authors of such malware have already realised this shift in usage, as mobile phones have become indispensable for carrying out day-to-day business. But the modalities in the case of mobile phones are different. Since the data on a mobile phone is generally synchronised and backed up to the cloud by the respective applications, encrypting the data residing on the handset may not be productive for the attacker. In this case, therefore, blocking access to the handset itself or to its apps is what ransomware would probably be designed to do.

 

The Shadow Brokers have already threatened to unbox their repository of exploits and tools, and have also offered to sell the trove to the party that developed these exploits, an offer plainly pointed at the NSA. Whether the NSA buys back its own cache or it falls into the hands of seasoned or budding criminals, the threat looms large over the billions of people who depend on mobile handsets or desktop computers for their personal and professional needs. Either way, these exploits will continue to undermine the security and integrity of the information stored on computing devices, and of the operating systems themselves. The era of exploits as weapons of mass disruption has just begun.

 

Disclaimer: The views expressed in this article are personal.

 

Munish Sharma, Associate Fellow (Cyber Security Project), Institute for Defence Studies and Analyses (IDSA), New Delhi.