"WannaCry" and "ransomware" are unfamiliar terms that over the last month have suddenly entered the global spotlight in connection with the cyber attacks suffered by many organisations around the world, such as the National Health Service in the UK and the Spanish telecommunications company Telefónica.
Although TAP was not affected, TAP IT's security services remained on the alert. António Carrilho, responsible for Information Security at TAP IT, gave an interview to WHAT'S|up, and explained what ransomware is and the role of security systems in stopping it.
What is ransomware?
Ransomware is a specific type of malware or malicious software. Due to the success it has had in financial terms for criminals, it has been one of the more common forms of software. There are currently more than 400 known variants of ransomware.
Ransomware acts in the following way: it begins by encrypting the files on a computer or mobile device. "Encrypting" means changing the files with a mathematical algorithm, which renders them unreadable unless the encryption key is known. It is this encryption key that criminals sell to the victim, who is given a deadline to transfer the money. It is therefore a form of kidnapping files with a ransom demand - hence the name ransomware.
The recommendation is that you never pay the ransom; firstly, because there is no guarantee that the victim will receive the encryption key, and secondly because it encourages this form of criminal activity to continue.
One way of combating malware is to reduce its economic profitability. Unfortunately, ransomware was responsible for the largest increase in attacks in 2016 - 50% - estimated at billions of US dollars in income for criminals.
The average amount of a ransom request is one thousand dollars and is usually demanded in bitcoins (a virtual currency), which makes it very difficult to trace.
Recently there was extensive media coverage of one specific international ransomware attack - WannaCry. What was this attack? Who was affected? How widespread was it around the world?
The WannaCry attack may be a milestone in the history of computer security, not only because of its size and consequences on the companies affected, but also because of what caused it and its sophistication.
The creators of WannaCry succeeded in getting their ransomware to spread extremely quickly by exploiting a vulnerability in the Microsoft operating system that had recently been announced by a group of hackers.
WannaCry is the result of developments in cybercrime business models, which currently use the logic of the market, with producers, integrators, distributors, etc.
This is the increasingly far-reaching and complex reality for which we have to be prepared. It is estimated that WannaCry has affected businesses and individuals in at least 150 countries. The estimated losses from the attack range from a few hundred million to four billion euros. It is difficult to establish actual figures because we are dealing with the costs of lost productivity as well as systems recovery. Paradoxically, this attack will have yielded little to the cyber criminals - tens of thousands of euros only.
How can people prevent this type of attack?
When I am asked this question, my immediate advice is to keep regular backups, and keep these backups disconnected from the computer. Depending on each person’s needs and budget there are several options: from a backup to an external disk, to services in the cloud. I give this advice because the most important thing is to be able to recover the information if you are a victim of ransomware, and it can happen to anyone.
I also give a series of recommendations that you should follow to avoid being a victim of any kind of malware:
- Keep your antivirus up to date;
- Install patches to your operating system and applications as soon as possible, as soon as manufacturers make them available;
- Adopt the principle of "minimum privilege" - typically you do not need users you work with to be system administrators; so, if you are infected, the malware will cause less havoc;
- Finally, a piece of general advice: be cautious. Is the source of an e-mail trustworthy? If you did not request a document (Word, PDF or other) be suspicious - do not open attachments and do not click on links.
Was TAP affected by WannaCry? If so, how? How was it resolved?
Fortunately, we were not affected and this was due to a combination of factors. First, our peripheral defences prevented any direct attack from the outside. Our external exposure to this attack was greatly reduced. The only way this type of ransomware could have entered TAP was via e-mail, but the information and co-operation channels worked well, and we received very useful technical information that allowed us to detect and block the attacks we received by e-mail.
At the same time, we decided to accelerate our systems upgrade to prevent it being propagated internally. This risk was already greatly reduced because when the attack was declared we already had most of the systems up to date. Upgrading systems is a relatively time-consuming process because there are thousands of PCs and more than 700 servers, and we try to do this with the least possible impact on TAP's business and operations. The decision we made on 12 May was to accelerate this upgrade process for the remaining systems, with occasional interruptions of certain services for short periods. We did it uninterrupted until the early hours of the following day, 13 May.
What security measures does TAP adopt against this type of attack?
We have implemented various security measures that can be classified into two main strategic vectors: the establishment of security perimeters and the layered defence. I will give an example of the latter. At TAP we have security controls where e-mail comes in, on mailboxes, on computers and on access to the internet. These controls typically prevent more than 99% of attacks. However, when they fail there is still a final security layer, which is us as individuals, and the assessment we make of an unsolicited e-mail, whether we consider it suspicious or not, whether to open the attachments in it and click on the links.
This is a constantly evolving area. New forms of attack are created around the world every day. How does TAP protect itself against these?
This is in fact the main challenge for security systems: being able to prevent the unknown. This is done on three levels.
In technological terms, we try to stay abreast of developments in security. Because there are no universal turnkey solutions we need to study which product combinations best suit us given our risk pattern and the financial resources we are willing to commit.
Procedures are also fundamental, because technology does not work by itself. It is necessary, for example, to make an ongoing analysis of events in order to maintain effective safety standards. In the event of an incident, early detection and rapid reaction are critical to avoiding damage and minimising impact. Speed is, in fact, the key word. Criminals are getting faster in their time-to-market. They innovate and put their products onto the market with shorter and shorter lead times, so our security procedures have to keep pace with this dynamism.
The third level of protection is the human factor. If we are aware of the risks and take defensive action, we expose the company, our colleagues and ourselves to less risk. The situation is comparable to many others in our daily lives, such as on the road: a careless or inattentive driver can put their and others’ safety at risk however many rules and safety systems there may be in place.