WannaCry: Sizing Up the Impact in India, Asia
Indian Police and Banks Are Among the Ransomware Victims
Researchers at Kaspersky Lab say India apparently is one of the top five countries affected by the WannaCry ransomware outbreak, which has reportedly infected more than 200,000 endpoints in more than 100 countries worldwide.
For example, as of Monday, over 100 systems of the Andhra Pradesh police were confirmed to be impacted. Additionally, various Indian sources claim that some banks, an IT company, an insurance company as well as a hospital were also attacked.
WannaCry ransomware exploits a flaw in Windows Server Message Block, or SMB, functionality present in every Windows operating system from XP to Server 2008 R2. Microsoft patched the flaw for currently supported operating systems in March. The existence of the flaw was revealed in April when the Shadow Brokers released an "Equation Group" dump, believed to be from the U.S. National Security Agency.
After the WannaCry outbreak began unfolding Friday, that night Microsoft suspended its practice of not offering free patches for operating systems that it no longer officially supports - unless customers pay for pricy extended-support contracts - and released free SMB patches for its Windows XP, Server 2003 and 8 operating systems.
Security experts say the WannaCry ransomware has been combined with an SMB-targeting worm that allows it to move between and infect systems that have not yet been patched. The mammoth attack hit Spanish telecommunications firm Telefonica, 48 National Health Service trusts in the United Kingdom, Renault and Nissan car manufacturing plants, Russian government agencies and many others.
DSCI Advising CISOs
IT teams at many companies in India worked through the weekend to deal with the crisis. The Data Security Council of India, a focal body on data protection in India, reports that many companies and CISOs have reached out to it to exchange information.
"Though there is enough information about the attack on the internet, individually organizations are still figuring out what to do," says Vinayak Godse, senior director at DSCI. "On our part, we have been disseminating the information available. In the past three days, we have reached out to organizations and CISOs. At this point, exchange of information is crucial and that is what most of us were doing the past two days."
Five experts at DSCI were assigned the task of communicating information to enterprises and practitioners.
Meanwhile, the Indian Computer Emergency Response Team held a webcast that provided information about the ransomware attack and what organizations and users should do to mitigate the risks.
"It's still not clear what would be the extent of damage that the ransomware could cause," says Na. Vijayashankar, a cyber law expert. "It is reported that a modified version, which does not have the kill switch, is now in circulation. Unconfirmed reports are suggesting that banks including Syndicate Bank, Union Bank, SBI, Karnataka Bank have been affected by the ransomware. Even [IT services company] is reported to have been affected," Vijayashankar wrote in his blog.
Saket Modi, co-founder and CEO at Lucideus, an IT risk assessment and digital security services provider, says ransomware attacks are relatively common in India. "Every week we have two to three firms reaching out to us about ransomware attacks," Modi says. "What is unique in this case is that the worm doesn't limit itself to a particular organization. Hence, the panic."
One Indian security practitioner, who asked not to be named, said that phishing emails are triggering the attacks in the region. "They are landmines. People need to be careful before opening any file, even if they happen to be from a known source," the practitioner said.
Impact on Other Asian Countries
Singapore also wasn't immune to the attacks. The Cyber Security Agency of Singapore reported, for example, that some retail malls were affected.
One of those malls is Tiong Bahru Plaza, where the systems for the digital directory service, provided by a third-party vendor, had to be disconnected from the digital directory board while a patch was being installed.
Karen Siow, general manager at the mall, said management became aware of the malware incident at about 5 p.m. on Saturday. She added, however, that there was "no other anticipated impact from this malware. We'll continue to monitor the situation with the third-party vendor and remain vigilant against any future incidences."
Dan Yock Hau, director of national cyber incident response centre at CSA Singapore, said the agency received a call for assistance from a retail shop. "SingCERT has advised the business owner on remediation measures to clean up its systems. SingCERT has also offered assistance to retail malls that are known to be affected," he said.
"While affected users may choose to pay ransom to access their files again, users are advised not to pay the ransom as there is no guarantee that their files can be recovered even if they have done so," Hau adds. "There have been instances where users were unable to access their files again."
A Singapore-based IT practitioner from a large advisory group, who asked not to be named, says the real impact of the ransomware in that nation remains to be determined. "The fact remains that around 80 percent of private organizations in Singapore rely heavily on government for cyber updates. There isn't much in-house capability," he says. "There are multiple organizations who still use old version of Microsoft Windows. I am sure in a few weeks we will hear more reports of the attack."
Meanwhile, CyberSecurity Malaysia, an agency under the Science, Technology and Innovation Ministry, issued an alert urging all internet users and system administrators to secure their machines and networks to protect against the "WanaCrypt0r 2.0" ransomware.
"We urge system administrators to patch their systems as soon as possible and keep their users aware of the new ransomware in order to prevent them from opening suspicious e-mails and files," said Dr. Amirudin Abdul Wahab, the agency's CEO.
Chuan-Wei Hoo, technical adviser for Asia-Pacific at ISC2, says there have not yet been any reports of government agencies being affected by the ransomware in Singapore and Hong Kong. "Only businesses have felt the burden of trying to play catch-up and fix the vulnerability and some inconvenience," he says.
Government officials have been advising the public of the need to take precautionary measures and remedial steps in the event of infection, he says.