If there is one benefit from the slow speed of the Internet in the Philippines, it could be that the country is less vulnerable to cyber attacks, according to a network security provider’s top executive.
Fortinet Senior Pre-Sales Consultant for Southeast Asia and Hong Kong Nap Castillo warned, though, that local companies and even the general public should not be complacent about this, as the country remains a target of cyber criminals.
“Nobody is exempted from this,” he told the BusinessMirror on the sidelines of the company’s recent news briefing in Makati City.
Unlike in previous years, the new digital economy means organizations rely on data as both a critical resource and an essential source of revenue.
Given this, cyber felons have upped the stakes once again with new high-profile attacks that are more sophisticated than ever.
“For the last two quarters, there have been reports about the various online threats, especially some of the kinds of ransomware that are happening right now in the Philippines,” said Jeff Castillo, Fortinet regional director for Southeast Asia and Hong Kong.
He cited the spread of WannaCry, which reportedly hit a couple dozen companies here, and, more recently, Petya.
WannaCry pioneered a new sort of ransomware/worm hybrid, something Fortinet calls a ransomworm, released by a hacker group known as the Shadow Brokers.
Petya, on the other hand, uses the same worm-based approach of WannaCry, even targeting the exact same vulnerability, but with a much more potent payload that can wipe data off a system, and even modify a device’s Master Boot Record, rendering the device unusable.
These types of ransomware, nevertheless, were quickly curbed, unlike the worms of the past that launched massive attacks, some of which affected exponentially more devices and organizations than this latest round of threats.
“I believe that the WannaCry and Petya attacks were simply shots across the bow. They are part of an insidious new opportunistic strategy of targeting newly discovered vulnerabilities with massive, global attacks and increasingly malicious payloads. This is just the tip of the iceberg and potentially the start of a new wave of attacks we are in for in the future in the form of ransomworms,” the regional director said.
New breeds of ransomware in PHL
Citing the latest data from FortiGuard Labs, Nap Castillo disclosed that the incidence of WannaCry in the domestic market is higher than that of Petya.
“But compared to other countries, we actually have a very minimal number of cases,” he stressed, noting that WannaCry has infected around 230,000 computer systems from over 150 nations worldwide. Japan has recorded the highest rate of infection at 67 percent, followed by Taiwan and Mexico at 7 percent each. Both India and Finland registered 4 percent, while Hong Kong, Peru and Thailand posted 3 percent. China and Uruguay recorded only 1 percent.
In contrast to the couple of thousand incidents detected daily by Fortinet alone in these countries, the company has tracked only about 50 to 250 incidents a day in the Philippines.
“I think the benefit of having a very slow Internet is this one. They [cyber criminals] are not able to proliferate WannaCry to the Philippines unlike Japan, etc., with very fast Internet,” Castillo said. “Luckily, there’s still no major complaint that appears over the Internet that they have been victimized by WannaCry in the Philippines.”
The senior consultant recalled that the spikes in WannaCry ETERNALBLUE and DoublePulsar detected by Fortinet came only after The Shadow Brokers released a group of exploits, including ETERNALBLUE, allegedly created by the US National Security Administration (NSA).
The NSA toolkit started to leak on April 28. The WannaCry ransomware came out on May 13.
“Maybe someone’s got the NSA toolkit and developed a ransomware out of that ETERNALBLUE toolkit,” he shared. “So, before May, we already saw some attempts to exploit this toolkit. The same with the DoublePulsar exploit kit, [which] we have detected several attempts, as well.”
On June 28 the industry was hit again by another ransomware infection, Petya. Immediately after, NotPetya also emerged.
“They are almost the same; like twin brothers. But they have very slight differences, like the way they encrypt the Master Boot Record and the notification. Petya shows a blinking skull after encrypting your computer; NotPetya doesn’t,” Castillo said.
Another Petya variant was recently detected by Fortinet. It is called GoldenEye; according to him, its “technique is also the same,” though with “a little modification.”
Ransomware rises on digital economy
Threat intelligence shows ransomware growing significantly: over the past three years, it has increased by more than 150 times.
This type of malware inhibits some aspects of access or control. As the name suggests, it demands payment to return the system to normal operation.
It attacks both enterprise networks and regular computer users. This malicious software comes in three forms: blocking, locking and encrypting ransomware.
Locky is by far the most active and famous ransomware. The most common attack vectors are still e-mail, Adobe, MS Office and web sites.
“And now, this ransomware exhibits worm-like behavior to crawl over the network to find possible victims to infect,” the senior consultant of Fortinet revealed.
The success of ransomware could be attributed to the wide adoption of digital currencies or cryptocurrencies, such as bitcoin, litecoin, ukash, dogecoin, ripple and monero, among others.
“These are the financial or the ransom that they accept nowadays. And these bitcoins, or these digital currencies, have monetary value,” he explained, while citing bitcoin as the most popular digital currency they demand for payment since “it costs around $2,700 apiece”. “For WannaCry, they actually ask for around 20 bitcoins. And to round down the value it’s over P2 million.”
Apart from making ransomware easy to monetize, digital currencies appeal to cyber criminals because they can be transferred from one digital wallet to another in a way that is nearly impossible to trace.
“So, unlike the old days, wherein there are some money used and fictitious bank accounts that you need to open to transfer this ransom, digital currency is easier to move around,” Castillo said.
Ransomware is, likewise, rampant these days due to angst over the loss of documents and files, as well as the limited timescale for payment.
“In the event that your computer has been encrypted by a ransomware, reporting it to the law enforcers doesn’t help because it’s already lost data,” Castillo noted.
While most of the victims do not come in the open to admit that they paid ransom, different studies show that this is the case for some.
In fact, three CryptoLocker studies deduced payment rates of 41 percent, 3 percent and 0.4 percent. Following takedown, analysis suggested that around 1.3 percent of the victims actually gave in to the demands of their attackers.
The regional adviser of Fortinet cautioned the victims that paying ransom should be their last and desperate resort.
“It depends on the data that have been compromised. If it’s really worth paying the ransom, then you can also assess if there’s really a possibility that the system will return to normal operation. Once you’re infected, you’re already at the mercy of the owner of the ransomware. So it’s a case-to-case basis,” he pointed out.
Top target verticals
Health-care and education industries are the prime targets of cyber criminals, with 31 percent and 20 percent incident rates, based on statistics from FortiGuard Labs.
“They are the ones who have the capability and possibility to pay,” Castillo said, while noting that other sectors are also becoming easy prey for fraudsters on the Web.
These include technology at 14 percent; telco/carrier, 8 percent; government, 7 percent; manufacturing, 5 percent; banking/finance, 4 percent; retail/hospitality, 3 percent; construction, 3 percent; food and beverage, 2 percent; energy and utilities, 2 percent; and media/communications, 1 percent.
Since there are a lot of big companies or conglomerates in the Philippines that also do business abroad, as well as establishments or companies that host personal records, he also cautioned them to be wary of cyber attacks.
“These big companies are good targets for cyber criminals, and ransomware is the easiest way to infect their networks,” he said. “Actually, one of the targets of the owner of WannaCry is the Philippines, that’s why they have the Filipino [as among the 28 languages] version of ransomware note.”
Moving forward, the threat horizon remains wide and is expected to expand further, per the 2017 risk predictions from FortiGuard Labs.
“Fortinet sees that ransomware is just the gateway of malware. There will be more ransomware coming up,” Castillo added, while enumerating that there will be very focused attacks against high-profile targets, such as celebrities, political figures and large organizations.
Another prediction is that technology will have to close the gap on the critical cybersecurity-skills shortage.
“Nowadays, the cybersecurity skills are becoming lesser and lesser as the cyber criminals are becoming advanced and more creative. We also need to cope up. We need to educate all users on the Internet that they need to be careful whenever they see some interesting topics on social media or attachment on your e-mails. So think first before you click,” he pointed out.
With the increasing trend toward mobility, Jeff Castillo, on the other hand, projected that this could also be a new channel for cyber felons to thrive in.
“One of the things that we’re looking at right now is, because of the widespread of the smartphone, it can be a triggering device to get anything from your side,” he said. “I think each person is very responsible for his action. So it means if you’re aware or not, or even not sure, you can verify it first before you open up.”
The widely adopted Internet of Things is likewise a potential area for online threats that the public should take extra caution with.
“This is also something that we need to be careful of. That’s why we suggest we do our own part to avoid infection. That’s the key,” Nap Castillo said.
“Let’s be proactive and, as much as possible, safeguard our networks at the very beginning. We must see to it that our computer system is always up to date and all the necessary security patches are installed. Don’t stop the virus scan scheduled on your computers. Let it run.”
“The good guys like the Fortinet, we don’t let the bad guys reign. We don’t let them do all of this stuff freely. So we are here to help the customers and the cyber world users. That’s why we came out with these signatures, infection and blocking techniques to help our customers to stop these kinds of threats.”