In the aftermath of last week’s WannaCry ransomware attack, as a Certified Ethical Hacker, I have to say my opinion on the subject now, before my certification expires in a couple of months 🙂
The attack hit hard in multiple countries and high-profile organizations were affected, such as the British National Health Service, Deutsche Bahn (German railways), Telefonica (huge telecom company here in Spain and abroad) just to name a few. Ransomware is a type of attack that encrypts files on the hard drive with a strong algorithm and a long enough key to make un-decryptable in a reasonable amount of time and asks for a ransom in order to provide the decryption key.
And looks WannaCry’s case, like this:
What happens if you don’t want to pay? Can the files be decrypted? No! Yes…well, sort of. But generally, no!
How long does it take to break the encryption
Cracking an encryption, without a known weakness or a backdoor in the algorithm, relies on brute force, which means trying out all the possible alternatives. File formats usually employ checksums to detect data corruption, so any possible file outputted by the decryption process can be easily tested to see whether is the correctly decrypted information or just a false positive. But how long will that take?
The world’s current list of supercomputers is dominated by Sunway TaihuLight with 93.01 PFLOPS. This is the best we have so I will use that as a base for comparison.
93.01 PFLOPS = 93.01 x 1015 FLOPS (floating point operations per second)
Let’s assume first that testing a single combination takes 103 FLOPS (extremely optimistic, that number can be orders of magnitude higher). Then, using China’s Sunway TaihuLight, we will do:
93.01 x 1015 / 1000 = 93.01 x 1012 combinations per second
Now, the question is how many combinations are there to test. The answer depends on the used algorithm and the length of the key, but let’s assume that the attackers mean business and they’ve used AES with a 256 bits key. That will yield a whopping 1.1 x 1077 combinations. And knowing that there are 365 x 24 x 60 x 60 = 31536000 seconds in a year, the equation becomes:
(1.1 x 1077) / (93.01 x 1012 x 31536000) = 3.7 x 1055 years to crack it (more or less, with generous approximations)
Now, to put that in perspective, the Earth is around 4.5 billion or 4.5 x 109 years old and the entire Universe, in all its wonder, it’s just 14.8 x 109 years old. So if we were somehow able to start Sunway TaihuLight when the inflation stage of the Universe started and have it working non-stop until the present day, we wouldn’t have made any significant progress and still be looking at a counter showing 0.000000…a lot of zeros here…00001%.
So from a technological standpoint, the equation is simple: cough up 300 dollars or spend the next billions of years decrypting your files with the world’s most powerful supercomputer.
Who is to blame and who will be blamed
Given that a free patch addressing this exact issue was available for more than a month, I’d say the affected users are the first to blame. Especially in the big organizations, which are supposed to be able to handle critical data in a safe and secure manner and are expected to have proper security systems in place and staff trained in keeping them up to date, for them, this was a major fuck-up.
Then, the exploit itself was developed by the NSA, stolen and posted on the Internet. Governments everywhere have been stockpiling cybernetic weapons without the proper safeguards in place. Imagine what would happen if the air force would have several F-16s or Typhoons missing or the navy had a nuclear submarine stolen. So number two on the “to blame” list would be the government. These are weapons that can be used for cyber warfare or cyber terrorism and the casualty toll would be much higher than any other conventional means of attack. Imagine they hit a nuclear power plant or take control of the traffic lights in a crowded city.
But of course, politicians will be looking for more palatable scapegoats that may even help them further their agendas, which in this case will most likely be cryptocurrencies and encryption itself. Governments feel threaten by strong encryption that they can’t break and digital currencies such as bitcoin that they can’t tax. The sad part is that people will rally behind this. Or maybe this will be the wake-up call!?!
…and if you’re in need of a cool wallpaper for your friends, look no further. 🙂