Not a week goes by when you don’t hear about a new malware that’s making life hell for folks on the Internet. One of the most recent widespread examples of this was in May with WannaCry followed by Petya. Those who’ve clued into the who web security scene know that it started a couple of years back with CryptoLocker and every week there’s a newbie trying to unleash the next big ransomware onto the web to make a quick buck. While developers do prioritise security, there have been events which completely messed up their efforts. Recently leaked NSA tools have made life a lot worse for the common man and a lot easier for hackers. At the same time, the average internet user is becoming more aware of standard intrusion vectors and the job of your average joe hacker is becoming slightly more difficult. But since necessity is the mother of invention, they’ve found their ways, after all, they need to eat too you know. Even they have little script kiddies to feed.
What worries me is the next generation of such ransomware. What if they start evolving for the worse? (We’re all pretty certain that’s going to happen.) What if they stopped going after your precious personal data and went for something more valuable i.e. that Goa holiday photo when you finally had your first beer. Memorable? Indeed. Worth losing $300 over? Not at all. Most of us at Digit would rather not be bothered with the majority of files on our systems since we tend to keep backups. However, the vast majority out there have some of their most sensitive files kept right in the open. For example, let’s take my neighbour who had once given his iPhone to me to fix. The notes application on his phone had every single bank account details down to the pin numbers for each plastic currency. And this person is not alien to the current technology news. Even mainstream newspapers flash news pieces about WannaCry and all of its variants. Every other article mentions the dangers of not having multiple backups of your most sensitive files and yet we commit the most silliest of mistakes. It’s as if we want to be robbed.
Ransomware these days are quite simple – they encrypt your data and hold you ransom till you pay up a couple of hundred dollars. The maximum that anyone has had to shell out for a single machine is 13 Bitcoins which works out to around $33,683 and that’s a lot. But there’s still something a lot more valuable that the hackers can hold you to ransom for. Your life. It would take a very cold blooded sort of hacker to hold a human life ransom and it’s not an improbable scenario. We are in an era which is increasingly moving towards a greater level of digitisation. Autonomous cars, autonomous factory machinery, remote controlled pacemakers, automated home appliances and security systems are just the beginning. There are even policing software which use facial recognition and body language patterns en masse to identify suspicious behaviour. Now imagine this autonomous, interconnected world is a reality and we then fall prey to a ransomware attack. What if someone were to lock you in your home and prevent you from leaving without paying a ‘toll’? Or if someone were to threaten to crash your daughter’s autonomous car, to make all robots on your factory floor to go on a murderous rampage, to shut off your pacemaker or pull off even worse acts which can easily be defined as terrorism. These things can happen and some of the vulnerabilities which can make such acts possible have even been reported in the press. The question is, what have you done to mitigate such an attack should it ever happen?
People simply don’t care about something till it happens to them. There are very few who bother to take backups of their important files. People don’t even follow simple practices of forming strong passwords. We’re looking at you Mr./Ms. My-password-is-123456. One of the popular comebacks to this is the ‘you deserved it’ arguement. You didn’t use a strong password or didn’t take backups, hence, you deserved it. That’s wrong. Nobody deserves to be hacked, be held ransom or even be threatened with their life for a few bucks. Though there do exist means to reduce the chances of ending up in such a situation, it isn’t completely improbable. You need to start taking the measures prescribed to stave off such attacks. And you need to make it clear to your government that such acts need their requisite amount of attention. No digital product or service should be allowed to go scot free for not keeping their databases secure. With the advent of even greater number of devices going the digital way comes the need for a unified security framework to prevent attacks, identify vectors and punish those responsible.
This article was first published in the July 2017 issue of Digit magazine. To read Digit’s articles first, subscribe here or download the Digit app for Android and iOS. You could also buy Digit’s previous issues here.