As the latest malware virus spread around the world, surreal images appeared on Twitter: bemused Ukrainian shoppers standing around supermarket checkouts, watching screens fill up with ominous lines of text; ATM machines showing the same display. The red text on a black background reads: “Ooops, your important files have been encrypted… Send $300 worth of Bitcoin to the following address”. There’s a reason this sort of virus is called ‘ransomware’ – though it’s not known if any of the people who paid the ransom actually got their files back.
Another image that cropped up regularly was a world map showing the concentration of still-vulnerable computers by country, shared by exasperated hackers and experts. Because it was just six weeks ago that 300,000 computers were infected with the ‘WannaCry’ ransomware, which crippled the NHS and many other organisations. Old versions of Windows had a fatal vulnerability – and despite the advice given, and the damage caused by the last attack, many still hadn’t applied the security update, so were sitting ducks for the next attack.
The malware was initially thought to be a version of ‘Petya’, used by criminals to extort money, but this turned out to be a disguise, earning it the nickname ‘NotPetya’. On closer analysis it seemed NotPetya was designed with maximum damage, rather than financial gain, in mind. It struck first in Ukraine and quickly unfurled across the continent, affecting infrastructure such as the vast Maersk shipping network.
The most extraordinary aspects of these malware attacks are where they are said to originate, and how they end up being stopped. For months, experts and the hacking community have been warning about a dangerous cache of ‘cyber weapons’: vulnerabilities that had allegedly been hoarded by the National Security Agency, then leaked online. Despite being responsible for creating them, the agency took no action when the tools were used, in both May’s attack and yesterday’s. Instead, it was independent hackers – the much-maligned global community of expert coders – who came up with a way to stop the spread of the malware.
When WannaCry hit in May, its lethal trajectory was halted by hacker @malwaretechblog, who found the ‘kill switch’. This time round it was Amit Serper, a security researcher in Boston, working with an anonymous hacker on Tuesday night. Serper updated Twitter followers as he worked, first issuing cautious advice to those infected with the ransomware, followed by instructions once the temporary fix was certain. Later in the evening he posted a picture of the team celebrating. “Thanks for saving the world!” people tweeted in reply, not particularly ironically. When the radiation monitoring systems guarding Chernobyl have to be switched off, it’s not a joke.
It all echoes what computer scientist Lauri Love, who is currently appealing a US extradition order for alleged hacking, described in his talk at Byline festival recently. Painting a bleak picture of irresponsible state agencies and opportunistic criminals, Love emphasised how it’s often down to the open source community to find the fix to catastrophic cyberattacks. Love tried to get the severity of the situation across to the audience. “WannaCry almost led to loss of life. The next one could kill people.”
While altruistic hackers fix ransomware attacks overnight, governments seem to flounder. Just after Tuesday’s attack began to spread, UK defence minister Michael Fallon told parliament that the military could bomb hackers, threatening a “response from any domain – air, land, sea or cyber”. The statement was greeted with hilarity online, but is an indication of how central cyberattacks are becoming to geopolitics. ‘NotPetya’ hit Ukraine first, targeting public sector organisations and major infrastructure.
Given the timing – just a day before the Ukrainian public holiday celebrating the constitution – fingers have been pointed at Russia, though Russian companies were affected too. In a separate attack last week the British Parliament was targeted, affecting fewer than 100 email accounts but causing widespread disruption. As more and more sophisticated cyber tools are deployed in this escalating digital conflict, the argument for listening to those in the hacker community using their skills for good is stronger than ever.