WannaCry mayhem: Is India probing the cyber attacks?

After the initial mayhem, which affected over 200,000 computers in more than 150 countries, WannaCry’s spread seems to be shrinking. As the attacks reduce, focus will shift towards investigation. Surprisingly, however, in spite of India being among the worst hit, as per Moscow-based Kaspersky Labs, reports of compromise are relatively few. Even in these reported cases, there is hardly any news regarding possible investigations. Crime of this nature is not the handiwork of just those who perpetrated the attack. There are other players too. These other players include those who facilitated or abetted the crime, be it through selling vulnerable operating systems, paying up ransom or keeping their systems open to attack. In fact, instead of being investigated for complicity, a few of these players are blaming the attackers and also those who disclosed hidden vulnerabilities. This indeed is shocking.

If ransom notes were physically sent to 40,000-plus households in India to pay Rs 300 within 3 days or Rs 600 in 6 days, or else they stand to lose their property, investigations would have begun instantaneously. Massive manhunt would have been carried out by the police to trace the criminals. Investigations would have included deliverers of ransom notes, writers of ransom notes and the main conspirators. In case someone paid up the ransom amount he would have been included as abettor of such crime. But in the present case and many unreported in the past, there appears to be no such investigation.

One reason could be absence of criminal complaints. In situations where complaints are not forthcoming, the state has powers to suo moto investigate. Attacks like these certainly deserve such interventions. It’s a known fact that Windows platforms, though of older generations, were compromised and were eventually used to spread the attack. Stolen, EternalBlue tool of NSA, which possibly was used to spread the worm, was also disclosed in March 2017 by Shadow Brokers. If reports are to be believed, Microsoft had the patch ready for affected Windows XP systems about a month in advance but did not release it as they discontinued supporting Windows XP from April, 2014. Isn’t this a criminal negligence? The role of developers of such faulty operating systems, as possible facilitators of such attacks, needs investigation and liabilities apportioned.

Similarly, there are those who have silently paid up the ransom without reporting to any law-enforcement agencies. They have silently abetted the criminals behind WannaCry attacks. Finding these persons who paid up from India should not be difficult as payments were to be made in Bitcoins and Blockchains maintain complete transaction details. Fixing criminal liability on such persons is needed to stop funding of such criminal attacks in future.

Besides the above two obvious categories of facilitators and abettors, another category of persons who need to be penalized are those who negligently left their computers open to attacks. This may sound drastic, but in an interconnected world, strength of any security is measured only by the weakest link. While they may claim to be victims, attacks like these could spread to such gigantic proportions only due to easy availability of unpatched computers. Those who keep their systems open and let attackers use them need to be fined. This is on the same lines as the charge which is levied on polluting vehicles as pollutants emitted by them affect the surrounding environment.

While technical discourses regarding possible source and method used to spread the payload of the worm are welcome, such crimes can only be controlled by investigating each player in the crime. If this is overlooked, the threat from Shadow Brokers that June 2017 will see more severe attacks might lead to much louder shrieks than the present silent and hidden cries due to WannaCry.

The author is Certified Information System Security Professional (CISSP)