The Menace of the Ransomware Attacks

This is a first of a series of articles on cyber security we intend publishing. Since the wide-spread use of computers for record keeping and day-to-day office work, security of computer records, their dissemination and storage have become important. Meant for the general reader, these articles are aimed at providing an introductory understanding of computer and network security.

You may have read recent news reports on the spate of “ransomware” attacks that crippled computer systems in Britain and across Europe. Did you ever wonder what a ransomware attack is? Let’s try to get to the bottom of how these attacks are carried out. It is not easy to understand details of such cyber-attacks and how to prevent them. The reason is that such an understanding requires expertise in multiple disciplines such as computer operating systems, computer networking on the one-hand, and cryptography – theoretical computer science and pure mathematics, on the other. Alas, there is no silver bullet that can protect you from such attacks. An effective protection strategy involves layers of defense, and even then, there is no guarantee that your computer system is a hundred percent safe. In this article, and others to follow, we attempt to lay the background for a deeper understanding of cyber security as it relates to common, day-to-day, electronic office transactions.

The ransomware attack is the cyber version of the well-known ransom demand for the release of a captive or goods. Only in this version, the attacker demands a ransom to restore a computer system and related data to its pre-attack state. In the more familiar ransom attack, a human or goods are physically moved to a location under the control of the party demanding the ransom. In the cyber ransom attack no such physical removal takes place. The data stored on the computer is altered in place in such a manner that the attacker, and only the attacker, can restore the data at will.

In the recent ransomware attacks, certain types of files stored on the infected computers were encrypted by malware rendering data inaccessible to the users of the computer. (Malware is a generic term for a computer program that has an undesirable impact on the user of a computer system. The undesirable impact can take many forms—the data may be deleted, altered or exfiltrated. Malware has several functional components: One component is used to propagate the malware from one computer to other computers, reachable via a network akin to a disease spreading in a human or animal population–hence the terms “virus” and “infected computer”. Another component performs the action resulting in the negative impact for the user such as deleting or encrypting data stored on the computer. There could be other components which, for example, could attempt to obfuscate the presence of the malware on the computer or change the malware before it is copied to other computers attempting to make its detection difficult.)

The cyber ransom attack is extremely effective: It can be launched from a few computers that are connected to networks. If the propagating function discovers other computers vulnerable to the malware, the attack will be self-propagating. Since no movement of data over the network except the malware itself is involved, network monitoring does not detect unusually large amounts of data moving across networks. Only the attacker, at his or her whim, can decrypt the data by revealing the “secret key” used to encrypt it.

Why is this attack such a problem? Surely, the data can be restored by using a backup. This is true in the case of the most recent ransomware attack called “wannacry”. The original data was recoverable from the last valid back up. This may have delayed some day-to-day operations of the victims. Nevertheless, the data was recoverable from the back up. Incidentally, this shows the importance of data backup.

In a more virulent form of the ransomware attack, even the backups are encrypted, and the attack continues for months. The attack is revealed only when the attacker demands a ransom by which time the recent backup data is inaccessible, and the last useful backup may be several months old. If the data changes rapidly such as the user information on an active commercial web site the older backups are of limited use. The information regarding recent transactions may not be recoverable from the last valid back up. An attack of this type which made a commercial web site go out of business was reported just a few years ago.

How does the attacker unscramble, i.e. decrypt, the data when the ransom is paid? The attacker knows the secret key used to encrypt the data. All the attacker needs to give the ransom payer is this secret key. Why cannot the secret key be computed, using computers which are known for their speed for calculations? This turns out to be a fundamental question that involves theoretical computer science. The gist of it is that, there are limits to what is computable within a reasonable time using even the most powerful computers ever built. These limitations were discovered and described by several giants in the field of computation, including Alan Turing, the British code-breaker whose efforts, portrayed in the 2014 film “The Imitation Game”, were instrumental in breaking the German “Enigma” cyphers during the second world war. We shall discuss some of these interesting issues in later articles. For now, what is important is that, when a key of sufficient length is used to encrypt data, for all practical purposes it is not feasible to compute the secret key using only the encrypted data. With current computer capabilities, a 2048-bit key is sufficient to provide an unbreakable encryption of data. (A bit, i.e. a binary digit, is a 0 or 1. An example of a four-bit key is 0110.) We hedge this claim by saying “for all practical purposes” since it may be possible to use purpose-built hardware computer chips at enormous costs, for the sole purpose of breaking such an encryption. It’s most likely that only a state with substantial resources would be able to achieve such a task.

There are other aspects of this attack which are also of interest. For example, how can the attacker use a secret key to encrypt the data without revealing it? Also, how is the ransom paid without revealing the identity of the attacker? Let’s discuss the first of these issues concerning the key used for encryption.

There are two main methods for encryption of data: symmetric key and asymmetric key encryption. In the symmetric key encryption, the same key is used for encryption and decryption, where as, in the asymmetric key method, there is a pair of keys called the private and public keys. The amazing thing about the asymmetric key encryption is that when the public key is used to encrypt data, the corresponding private key is needed to decrypt it. That is, the public key used to encrypt data cannot be used to decrypt the encrypted data! This type of asymmetric encryption scheme, also called public key encryption, can be used by an attacker to launch the ransomware attack without having to reveal the corresponding private key. The private key is known only to the attacker.

The public key cryptography scheme is the backbone of Internet commerce. It is how your credit card information is kept secret from eavesdroppers on the Internet. More about this next week.

Read about our Information Technology Law Services in Sri Lanka

This is only an overview of the applicable law, and should not be relied upon as legal advice or recommendation by D. L. & F. De Saram, a leading law firm in Sri Lanka. If you require our advice, please be good enough to contact us on [email protected]