Wednesday, 28th October 2020

The attack that changed the world of cyber security for ever

You may be surprised to learn that one of the first computer viruses to bring millions of computers to a halt was born in a student’s bedroom in the Philippines, just over 20 years ago. Mark Nutt, EVP EMEA at Veritas, looks back at the day the virus was unleashed and the ripples it sent forward in time. Not only did “LoveBug” infect over 45 million devices, it became a catalyst for the multi-billion-dollar ransomware crime industry we know today.

“LoveBug” was only meant to steal the dial-up credentials of a few local internet providers; instead it multiplied across the globe within hours and infected millions of computers. This simple piece of malware, a Visual Basic script attached to an email, became the first to take businesses offline in a significant way, and it changed the world of cyber security forever.

LoveBug may have been the first cyber-attack with such globally widespread impact, but it certainly wouldn’t be the last. It proved to be a turning point in malware: the start of the global ransomware challenge we’re all navigating today.

The legacy

Eleven years before anyone had heard of LoveBug, the IT industry witnessed the first real case of ransomware, in the form of the AIDS Trojan. It was spread on infected floppy disks sent to HIV researchers as part of a knowledge-sharing exercise. It worked by encrypting file names and then demanding that victims post a cheque to a PO Box in Panama to regain access to them.

The AIDS Trojan was limited, though: victims needed to receive and install the file by disk, and they needed to pay by cheque. Its author, Dr Joseph Popp, was quickly apprehended and no one got rich as a result of the virus. It was not an example that many people wanted to follow. It did, however, give birth to the anti-ransomware movement. Because the AIDS Trojan used simple symmetric encryption, the key could be recovered and good actors were able to restore files without victims needing to pay. This started a giant game of cat and mouse, with the data protection industry always trying to stay one step ahead of the hackers.

What was critical about LoveBug was the shift of malware from limited exposure to mass destruction. If a single piece of malware could reach 45 million devices, it could in principle extract 45 million ransom payments. The ‘love child’ of LoveBug and the AIDS Trojan was the ransomware that followed, with GPCoder and Archievus hitting businesses around the world. Hackers also harnessed online payment services to find better ways to collect the money.

The protection industry reacted again: good actors worked together to recover the password on which Archievus relied (it used the same one for every victim) and shared it widely to help victims avoid paying any ransom. Since then the cat-and-mouse game has continued, with families like CryptoLocker, CryptoDefense and CryptoLocker 2.0 building new attack strategies and the protection industry implementing new defences. By the time WannaCry launched, it was able to infect 230,000 devices in over 150 countries, demanding ransoms in 20 different languages and collecting payments in cryptocurrency.

So, what have we learned?

Ransomware has become more sophisticated and more prevalent. Targets today are less likely to be individuals, since big businesses can pay big sums of money. According to Coveware, the average ransom is now around $110k. Travelex is reported to have paid hackers $2.3m in an attempt to recover from an attack in January 2020. The ransom itself is also only a small fraction of the cost of an attack: it reportedly cost Norsk Hydro $75m to recover from a ransomware attack in 2019, once downtime, lost business and lost production are accounted for.

At the same time, data protection has become more sophisticated too, with four areas that should now be part of every business’s ransomware strategy: protect, detect, respond and recover.

· Protect: Educating end users and deploying anti-malware are key. Even more important is having a backup copy of business data that is complete, stored offsite, air-gapped and immutable, so that it cannot be encrypted or deleted by the same attacker.

· Detect: The faster you can respond to a ransomware attack, the faster you can recover from it, so intrusion detection, anti-malware and file-anomaly detection (sudden bursts of encrypted-looking writes, mass renames, ransom notes appearing across directories) all shorten the time to containment.

· Respond: Once you know that you’re being hit, you need to be able to rapidly shut down or isolate systems to prevent further spread, and to quickly identify when the infection occurred on each impacted system so you know which backup point is clean.

· Recover: Businesses need to be able to recover large numbers of servers quickly and roll back to a known good point in time.
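The ‘detect’ and ‘respond’ steps above are easier to picture with a concrete heuristic. The following is an added example written for this page, not Veritas code: a small file-anomaly detector that runs over a stream of file-system events, flags hosts showing ransomware-like behaviour, and reports the earliest timestamp of the suspicious burst on each host (the ‘when did it start’ question from the Respond step). The event format, the three heuristics, the thresholds and the sample events are all assumptions constructed for the illustration; a real deployment would feed it from an EDR or file-audit source and tune the thresholds to the environment.

```python
"""Toy file-anomaly detector for ransomware-style activity (illustrative only).

Three heuristics, each an assumption chosen for this example:
  1. a burst of writes whose content looks encrypted (near-8-bit Shannon entropy)
  2. many files changed to one unfamiliar extension inside a short window
  3. a ransom-note-like file name appearing in several directories
"""
import math
import os
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float          # event time, seconds
    host: str
    op: str            # "write" or "rename"
    path: str          # for a rename, the new path
    data: bytes = b""  # leading bytes of the content written (empty for renames)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Assumed thresholds and baselines for the example.
HIGH_ENTROPY = 7.5
BURST = 10              # suspicious events inside one window
WINDOW_S = 60.0
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".zip", ".gz"}
NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def analyse(events, window_s=WINDOW_S, burst=BURST):
    """Return {host: {"alerts": {kind: message}, "first_seen": ts}} for hosts that trip a rule."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    findings = {}
    for host, evs in by_host.items():
        alerts, first_seen, start = {}, None, 0
        for end, cur in enumerate(evs):
            while evs[start].ts < cur.ts - window_s:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            hi = [w for w in win if w.op == "write" and shannon_entropy(w.data) >= HIGH_ENTROPY]
            unfamiliar = Counter(_ext(w.path) for w in win if _ext(w.path) not in KNOWN_EXTS)
            note_dirs = {os.path.dirname(w.path) for w in win
                         if any(h in os.path.basename(w.path).lower() for h in NOTE_HINTS)}
            hit = {}
            if len(hi) >= burst:
                hit["entropy"] = f"{len(hi)} high-entropy writes within {window_s:.0f}s"
            if unfamiliar and max(unfamiliar.values()) >= burst:
                ext, n = unfamiliar.most_common(1)[0]
                hit["extension"] = f"{n} files changed to unfamiliar extension '{ext}'"
            if len(note_dirs) >= 3:
                hit["notes"] = f"ransom-note-like file dropped in {len(note_dirs)} directories"
            if hit:
                alerts.update(hit)
                if first_seen is None:
                    first_seen = win[0].ts   # earliest event of the first suspicious window
        if alerts:
            findings[host] = {"alerts": alerts, "first_seen": first_seen}
    return findings


def sample_events():
    """Constructed sample telemetry: one benign host, one host under attack."""
    rng = random.Random(7)
    evs = []
    for i in range(15):  # ws-01: ordinary document edits
        text = f"Quarterly update {i}: revenue up, costs flat, headcount stable.\n".encode() * 40
        evs.append(FileEvent(100 + 3.0 * i, "ws-01", "write", f"/home/ann/reports/q{i}.docx", text))
    for i in range(12):  # ws-02: 12 files renamed and overwritten with random bytes in 30s
        d = f"/home/bob/{['docs', 'photos', 'finance'][i % 3]}"
        evs.append(FileEvent(200 + 2.5 * i, "ws-02", "rename", f"{d}/file{i}.docx.locked"))
        evs.append(FileEvent(200 + 2.5 * i + 0.1, "ws-02", "write", f"{d}/file{i}.docx.locked",
                             rng.randbytes(4096)))
    for d in ("docs", "photos", "finance"):  # ransom note in every touched directory
        evs.append(FileEvent(235.0, "ws-02", "write", f"/home/bob/{d}/HOW_TO_RESTORE_FILES.txt",
                             b"All your files have been encrypted. Pay to get the key."))
    return evs


if __name__ == "__main__":
    for host, f in analyse(sample_events()).items():
        print(f"{host}: first suspicious activity at t={f['first_seen']}")
        for msg in f["alerts"].values():
            print(f"  - {msg}")
```

The `first_seen` value is the point a responder would use when choosing a backup to roll back to: anything written to the host after it is suspect. Entropy alone is a weak signal (compressed archives and images are high-entropy too), which is why the example only alerts on a burst of such writes and combines it with the extension and ransom-note rules.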

What can we expect next?

Just as AIDS Trojan targeted the healthcare sector, the ransomware criminals of today continue to target such organisations due to their heavy reliance on mission-critical information. In order to provide the best line of defence against these attacks, organisations need to improve their data visibility and further automate their backups, especially as threats are becoming increasingly diverse.

Today we’re seeing hackers change tack: as well as encrypting data, they steal it and threaten to publish it. Criminals increasingly see exposure as a more effective lever, since the threat of a leak can persuade a business to pay even when it could restore from backup. If (or rather when) a business faces this threat, it’s essential to have backup copies of data, and to understand the nature and value of the information that might have been compromised.

Phishing and human curiosity are the factors ransomware hackers have always capitalised on to ensure success. LoveBug was impactful not only because of its reach (it infected some 45 million devices across the globe within days) but because it relied on social engineering. The hack succeeded because humans’ innate curiosity was used against us. Had the subject line not been ‘ILOVEYOU’, individuals might have been more cautious about opening the attachment, and the spread of the malware would have been more limited.

There is always a risk, however small, that hackers get past your line of defence, which means that businesses put themselves in danger if prevention is their only means of protection. There will be constant innovation from both corporations and criminals in the world of ransomware, so the end result is an ongoing arms race. Businesses can still keep the upper hand by ensuring that clean backup copies of their data are readily available should they come under attack.

Mark Nutt is SVP EMEA, at Veritas, a global market leader in data protection and availability, which has completed more backups and restores than any other company. With over 30 years’ industry experience, Nutt drives Veritas’ business across over 100 countries, setting business strategy, leading the team and driving success.
