
#WillingToCry? What amazes me is so much amazement!


Ignoring the events of May 12th would, in reality, be a very difficult exercise. And since 2 weeks have passed - which in the technological world is an eternity - and many people have already wiped away their tears, I will return to the topic of computer security, namely ransomware, which I had already warned about in February this year - remember?

In my article Help, my hotel was hijacked!, using a specific case, I defined the threat, the prevention measures and above all the risk to which businesses are subject when “computer (in)security” reigns in hotel units – an expression 'stolen' from my dear friend João Pronto, who has also already looked into the topic.

Most security companies, and especially antivirus companies, have been warning about the increased prevalence of ransomware in recent years. We have all been warned that it is a disaster waiting to happen, and we are all aware of a few that have already happened, but have not made the news.

Source: Symantec

That is how it is. So let's try now, calmly, to understand what happened and, above all, realize that what amazes me is so much amazement!

WHAT HAPPENED

  • On Friday, May 12, 2017, several organizations worldwide were affected by a new strain of ransomware.
  • The success of the ransomware was mainly due to the use of a vulnerability that allowed it to spread across networks.
  • The vulnerability used had already been fixed in March by Microsoft for Windows versions.
  • The exploited vulnerability, known as ETERNALBLUE, is part of the Vault 7: CIA Hacking Tools Revealed project, made public in March 2017 by WikiLeaks, which over the following weeks made available a set of tools used by the United States National Security Agency (NSA).
  • However, new variants were detected spreading in the following week.

HOW THEY WERE INFECTED AND THE CONSEQUENCES

  • Email: the 'infections' originated from attachments that arrived via email and that users opened.
  • SMB: affected organizations had vulnerable systems (not updated), thus exposing the network and facilitating spread.
  • Files with specific extensions were encrypted.
  • A ransom demand was displayed on the screen, worth the equivalent of $300 USD in Bitcoins, increasing to $600 USD after 3 days and claiming that at the end of 7 days the files could no longer be recovered.
  • The ransomware installs a “backdoor” that allows remote access and can be used to compromise the system later.

In summary, the consequences in terms of the three aspects of security are:

Confidentiality – By installing the aforementioned “backdoor”, the malware makes system data subject to access and theft in the future, although the malware itself is not responsible for this process.

Integrity – Apart from encrypting the data, the malware does not cause changes to it; however, the installed “backdoor” can again be used to cause additional damage.

Availability – Organizations lose access to encrypted files, making recovery uncertain, even if the ransom is paid.
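
One way to detect the worm-like SMB spread described in the list above, as an added example that is not part of the original article: flag any internal host that opens connections on TCP port 445 (SMB) to many distinct peers within a short window. The flow-log format, the window, the threshold and all sample addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                    # TCP port used by SMB
WINDOW = timedelta(seconds=60)    # assumed look-back window
THRESHOLD = 5                     # assumed: distinct SMB peers per window

def parse(line):
    """Parse 'ISO-timestamp src dst dport' (constructed flow-log format)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout_alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: time of first alert} for hosts that contact `threshold`
    or more distinct destinations on port 445 within `window`."""
    recent = defaultdict(list)    # src -> [(ts, dst)] still inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(parse(l) for l in lines if l.strip()):
        if dport != SMB_PORT or src in alerts:
            continue
        # Drop events that fell out of the window, then record this one.
        events = [(t, d) for t, d in recent[src] if ts - t <= window]
        events.append((ts, dst))
        recent[src] = events
        if len({d for _, d in events}) >= threshold:
            alerts[src] = ts
    return alerts

def build_sample():
    """Constructed flow records for four hosts (not real traffic)."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    def rec(offset, src, dst, port):
        return f"{(base + timedelta(seconds=offset)).isoformat()} {src} {dst} {port}"
    lines = []
    for i in range(8):    # workstation sweeping the subnet on 445
        lines.append(rec(2 * i, "10.0.0.23", f"10.0.0.{100 + i}", 445))
    for i in range(10):   # normal client: one file server, many connections
        lines.append(rec(5 * i, "10.0.0.40", "10.0.0.5", 445))
    for i in range(5):    # five servers, but spread over 20 minutes
        lines.append(rec(300 * i, "10.0.0.50", f"10.0.0.{10 + i}", 445))
    for i in range(8):    # high fan-out, but HTTPS rather than SMB
        lines.append(rec(i, "10.0.0.60", f"10.0.1.{i}", 443))
    return lines

if __name__ == "__main__":
    for host, when in smb_fanout_alerts(build_sample()).items():
        print(f"{when.isoformat()} possible SMB worm spread from {host}")
```

The threshold needs tuning per network: backup servers and management tools legitimately talk SMB to many hosts and belong on an allow-list.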

X-ray of the victim

From the figure below and the information available online, we quickly realize that we shouldn't be astonished.

Source: Symantec

The scale and profile of the attack, amplified in the media, reflect what was already a reality before May 12th. In this case, the organizations affected were many and varied in size - finance, insurance companies, telecoms, public bodies, health, hotels (yes, hotels), retail, small and medium-sized companies... In this always-connected world, no one is immune.

To be fair, even the term “attack” seems inappropriate to me since there was no specific target, nor an obvious relationship between the affected organizations. Perhaps “cyber-assault” would be the best name for what happened.

In my opinion, this was the result of a growing wave of cybercrime, which many experts had already warned about when the NSA tools were released. It was based on these same tools: using a distribution list of email addresses available on the internet (the result of a few security breaches, like that of Yahoo), the perpetrators sent emails with their respective attachments, hoping that a few unwary people would open them, and so profit from it.

This organized crime behavior is much more similar to “trawling” than to an attack as such and, therefore, most of the time we are caught by default rather than as a specific target. It may, however, also be a test for new attempts of greater magnitude. It is important to bear in mind that in this, as in other cases, there is a wave effect, often associated with time zones and peak working hours, and that just because your hotel was not immediately affected you should not let your guard down, because in a second or third wave it may well be.

The recovery was more or less slow, depending on the information security maturity of each organization, but a week later there were still those who did not have their systems and business at 100%. It is therefore important to reinforce the ideas in the article Help, my hotel was hijacked!: PREVENT, DETECT, REACT.

Because this is not the exclusive responsibility of IT professionals: it is a policy that they apply under the responsibility, authority and budget provided by management. And without a budget there is no security!

Finally, and because in this business of hijacking what we are really talking about is risk assessment, I would like to leave here another line of concern that is not so digital: fraud can reach your hotel using legal tools. There is currently a concern in Spain, which may sooner or later appear here, with a system based on consumer protection standards in England, which allows a few 'artists' to organize themselves to get holidays without paying. To do this, they simply use the existing legal mechanisms for complaints and compensation, presenting false complaints and thus obtaining compensation. The 'joke', during 2016, in Spain, was estimated at 60 million euros. So, if your 'portunhol' is up to scratch, here is How to blow up a Spanish hotel. Read, reflect, and as with any risk that may affect your hotel, prepare yourself.
