Accessibility links

Interview: What We Know About The 'Ransomware' Attack

Vladimir Bizik, an analyst for the European Values think tank in Prague, spoke with RFE/RL's Pete Baumgartner on March 15 and 16 about the ongoing WannaCry "ransomware" attack on computer operating systems around the world.

Bizik discussed the origins of the outbreak -- which has affected everything from hospitals in Britain to schools and businesses in China and more than 100 other countries -- and how to prevent it from attacking your computer.

RFE/RL: Tell me a little bit about what "ransomware" is.

Vladimir Bizik: Ransomware is a type of malware -- malicious software -- that once it reaches a started computer and is launched and executed it encrypts all the information on the computer, or it can [just] be select information, and then it demands the user to pay a ransom if the user wants to recover the data. Generally the ransom is paid with crypto-currency, Bitcoin, to ensure complete anonymity so that the perpetrator cannot be traced.

RFE/RL: Is this attack something that has happened before, or is this really the first time we've seen it?

Bizik: This has happened many times...[but] it's been on quite an upsurge in the recent two or three years. And it can be said that right now it's among the most dangerous and the most prevalent type of malware that is in circulation.

RFE/RL: I saw Microsoft saying that they had issued a security patch for this a couple of months ago, and if people had just properly installed that patch on their computers this wouldn't have happened. Is that true?

Bizik: Exactly. That's one of the main problems, and I would venture to guess that more than 90 percent of all the cyberattacks like this happen because the user is not vigilant enough and doesn't use best practices to protect his or her data. And, generally, users consider it a nuisance to update their software and they tend to ignore all the prompts. And if they would do it, if it was like second nature to them [to upgrade their software], [the attack] wouldn't have happened to them because the patch completely closes the hole in the software.

So I guess it is a cultural problem. Because we are from early childhood taught how to close doors and how to lock the doors to protect our home; but now we have all our data and money and basically our whole lives stored on the computers and the Internet, and it's not yet a part of the culture to protect our data [on our computers].

RFE/RL: Is this the worst or the most widespread malware attack that we've had so far?

Bizik: Yes, to my knowledge it's the most widespread. Other outbreaks have been contained to hundreds or thousands of computers, but this so far has attacked around 200,000 so far and counting, though it's been slowing down. It seems that it has been contained for now, and no second outbreak has been reported as of now. Most of the new infections are reported in China, which is known for widely using counterfeit and unpatched software.

RFE/RL: Who could be behind such a thing? Is it just one small group or even a single person, or people spread out around the world? Who can we start to think might be behind something like this?

Bizik: The short answer is we have no idea. But it's not necessary for a big hacker group -- it doesn't take many people or a lot of skill to devise such malware. It could have easily been one person -- it's not technically very complicated to program, such software, and it exploits a hole in the Windows operating system that has been disclosed as part of a security leak from the American National Security Agency [NSA] and was available in the public for several months now. So anybody could have made use of that.

Malware researchers have found some links between WannaCry ransomware and North Korea. They found an identical code between WannaCry and several other pieces of malware that were traced back to North Korea, via the group of hackers that styles itself as Lazarus Group and has been responsible for causing hard drives in South Korea to self-destruct in 2013 and stealing almost a terabyte's worth of data from Sony Pictures in 2014.

The pieces of code are things that we already have at our disposal, though, and the link between the current ransomware and Lazarus Group is unclear -- and they have not claimed responsibility. So the link with North Korea is very faint, and it's impossible to tell what sort of objectives it could fulfill for North Korea -- it behaves just like any other criminal ransomware. One hypothesis would be that the malware was programmed by the same party that North Korea could have hired to perpetrate some of the attacks attributed to it in the past. We are in the dark as for their identity or domicile.

RFE/RL: And when was this security leak for Windows exposed and by whom, do we know?

Bizik: It was exposed by a group called the Shadow Brokers, which has gained some prominence last year, I believe. And they have gained access to a list of security exploits [or lapses] which were hoarded, basically, by the NSA in the United States to enter investigative computers. And this group, the identity of whom and even [the] location of whom we don't know about, they leaked this information and WikiLeaks actually published it.

So the culprits [of this malware outbreak], apart from the users who don't update their systems, are definitely the NSA, who uses these exploits and hoards them and doesn't disclose them to even Microsoft and then also [WikiLeaks], who didn't contact Microsoft first and they went on to publish these exploits immediately.

RFE/RL: Is there a way for us now that it is out? How are we going to get past this and prevent it from happening in the future?

Bizik: [For] this particular ransomware, the only thing to prevent infection is to have your system up to date -- if it's the Windows operating system, just make sure automatic updates are turned on; so just don't tamper with default settings and you should be fine. As for future attacks, again, just keep your system updated, there is no other single rule or advice apart from this.

What's out is already out; there is actually a person who found a "kill switch" for this specific malware, and he published it and it seems he has been getting a lot of death threats about this on the Internet but...there are new versions [of ransomware] which are already immune to this kill switch. Even after encrypting the files, one specific early version can be turned off [with the kill switch] without having to pay [a ransom] but newer versions are immune to that.