Ransomware as the New Cyber Threat



The growing cyber threats across the world call for more engagement and vigilance so that banks and other financial institutions can pre-emptively protect themselves and their customers from software vulnerabilities, writes Obinna Chima

About a fortnight ago, the WannaCry ransomware outbreak infiltrated systems across the globe. From home computers to NHS systems, news of the infection spread like that of an epidemic.

The situation was so frightening that some financial institutions in Nigeria had to advise their members of staff against opening some particular e-mails, so as not to endanger the organisations.

Security companies originally claimed the breach was the result of a malicious spam campaign, but WannaCry was not distributed by email.

According to Wired UK, information also suggested that WannaCry infections used the alleged NSA-leaked EternalBlue software to exploit underlying vulnerabilities in public-facing Server Message Block (SMB) ports.

However, security company Malwarebytes has claimed that its threat intelligence team has traced the spread of WannaCry back to its source. Using packet captures, binary files, and content from within the ShadowBrokers dump, Malwarebytes’ Adam McNeil suggested that EternalBlue was the original culprit of the ransomware spread.

While some information technology experts alleged once more that North Korea’s secret cyber hackers were probably responsible for the attacks that crippled governments, hospitals, businesses and more than 230,000 computers in 150 countries, pointing to “Unit 180”, a special cell in the country’s spy agency, the latest development clearly calls for more vigilance on the part of regulators and institutions in Nigeria and other countries.

Ransomware is a type of malware that restricts access to an infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying.

Hacking Attempts on Global Banks

Last year, the US Federal Financial Institutions Examination Council pointed out a sharp rise in ransomware attacks, and the implications for financial services. According to the council, ransomware attacks on businesses increased three-fold last year, from an attack every two minutes to once every 40 seconds.

Also, a recent report had shown that North Korea’s hacking operations were growing and getting bolder and increasingly targeting financial institutions worldwide. Just like the fresh allegation, North Korea was linked to attacks on banks in 18 countries, including Nigeria, according to a new report from Russian cyber security firm Kaspersky.

According to a news report by the Cable News Network (CNN), two international security experts believe that the stolen money was likely being spent advancing North Korea’s development of nuclear weapons. Banks and security researchers have previously identified four similar cyber-heists attempted on financial institutions in Bangladesh, Ecuador, the Philippines and Vietnam.

But researchers at Kaspersky said the same hacking operation — known as “Lazarus” — also attacked financial institutions in Costa Rica, Ethiopia, Gabon, India, Indonesia, Iraq, Kenya, Malaysia, Nigeria, Poland, Taiwan, Thailand and Uruguay. The hackers can be traced back to North Korea, according to Kaspersky researchers.

To hide their location, hackers typically launch cyber attacks from computer servers far from home. According to Kaspersky, the Lazarus hackers carefully routed their signal through France, South Korea and Taiwan to set up that attack server.

But there was apparently one mistake spotted by Kaspersky: A connection that briefly came from North Korea.

“North Korea is a very important part of this equation,” Vitaly Kamluk, who leads Kaspersky’s Asia-Pacific research team, said.

Kaspersky is one of the world’s top cyber security firms, providing popular anti-malware protection to computers at homes and companies worldwide. Its researchers are known for exposing some of the most complex global hacking operations. US law enforcement remains suspicious of the firm’s ties to the Russian government, but Kaspersky strongly denies Kremlin influence on the company’s business.

North Korea’s targets have been shifting in recent years. In 2013, when South Korea’s banks and broadcasters were attacked, that government blamed its neighbour to the north. In 2014, the US government blamed North Korea for the hack on Sony Pictures. Clues in both cases pointed to Lazarus.

By late 2015, the Lazarus hackers shifted their attention to the global financial system, according to researchers at BAE Systems, FireEye and Symantec.

The earliest known victim was a Vietnamese commercial bank. The latest attacks, observed by Kaspersky in March, included operations attacking financial institutions in Gabon and Nigeria in Africa. Though most of the attacks were not successful in stealing money, several were, according to Symantec.

Researchers at several cyber security firms theorise that North Korea is attempting to build a network of infected banks to move around stolen money. For example, millions of dollars were taken from Bangladesh’s account at the New York Federal Reserve last year and moved to Sri Lanka and a casino in the Philippines, according to investigators.

Call for Vigilance

The Director General/CEO, National Information Technology Development Agency (NITDA), Dr. Isa Ali Ibrahim Pantami, pointed out that as IT systems have now become part of our lives, there was the need for all to be vigilant and proactive.

For users of Microsoft systems, he recommended the following:

• Old operating systems should be upgraded to the latest version (of Windows 10). This will enable them to get the latest protection from Microsoft;

• The recent security update released by Microsoft, MS17-010, should be installed as soon as possible; and

• Where necessary, Windows Defender Antivirus should be enabled as it helps in detecting this ransomware and similar attacks.

Furthermore, Pantami pointed out that for systems that had been attacked, tools have been developed to unlock the files locked by this ransomware – the WannaCry or Wannakey.

They have been found to have successfully decrypted systems infected with the ransomware, he said.

NITDA is an agency under the Federal Ministry of Communications. The agency was created in April 2001 to implement the Nigerian Information Technology Policy and co-ordinate general IT development and regulation in the country. Specifically, Section 6 (j) of the Act mandates NITDA to advise the government on ways of promoting the development of Information Technology in Nigeria, including introducing appropriate Information Technology legislation and ways of enhancing national security and the vibrancy of the industry.

On his part, the Chairman of the Nigeria Electronic Fraud Forum (NeFF) and Director at the Central Bank of Nigeria (CBN), Mr. Dipo Fatokun, has said reports of incidents of ransomware were an indication that regulators and operators in Nigeria needed to put in place the necessary preventive measures.

Fatokun explained recently: “In Africa, it is said that it is better to look for a black goat during the day and not at night. If you search for it at night, you might never find it. Ransomware is not a threat in Nigeria for now, but it is just by our border post. It is something that has been reported in Ghana and if it has been reported in Ghana, it means it can happen here.

“So, we don’t want it to happen here and that is why we are organising this forum. Ransomware is nothing but holding the computer system of an organisation to ransom, kidnapping it so to say electronically and demanding that ransom be paid before the system can be released for use. If this happens to any bank in Nigeria, you know the effect it will have on the customers and even the financial system.

“So, because we don’t want it to happen, we are meeting to put in preventive measures that will ensure we do not experience that in the Nigerian banking space.”

Fatokun added that the central bank has continued to sensitise banks and other stakeholders on the dangers of ransomware, a computer malware that hackers use to hold their victim’s data hostage.

He explained further: “You know ransomware is electronic kidnapping. Just like physical kidnapping where the law enforcement agencies would always advise against paying ransom because if you pay it may never end, what we did was to tell the banks that instead of paying ransom which may not end, they should have good backup arrangements.

“If your system is kidnapped or held hostage so that you cannot use it, you fall back on the backup server so that you continue with your operations. Of course, if somebody is holding you hostage and notices that your operation is still continuing, it means he has not achieved his aim and will be forced to leave you.”