The ransomware incident is a microcosm of global cybersecurity

On May 12, more than 75,000 computer virus attacks occurred in 99 countries and regions around the world. The culprit was a ransomware called WannaCry, a worm-like ransomware that actively spreads and infects victims by exploiting the Windows vulnerability "Eternal Blue", numbered MS17-010. Once a computer is infected, its files are encrypted and locked, and they can only be decrypted and restored after paying the Bitcoin ransom demanded by the hacker. In addition, WannaCry is said to have a new variant that can infect 3,600 computers per hour, about one computer per second.

According to information released by well-known cybersecurity organizations at home and abroad, this global cyber attack is the largest in history. As of May 17, more than 150 countries and regions around the world had been "hit", more than 300,000 computers had been blackmailed, and the ransom had reached 72,000 US dollars. According to statistics, China, Russia, Japan, Britain, Spain, Ukraine and other countries were "hit": the British medical system was paralyzed and a large number of patients could not see a doctor; China National Petroleum Corporation was affected, with 20,000 gas stations disconnected from the Internet; and Japan had 2,000 computers attacked by hackers. According to the monitoring of the National Internet Emergency Center, as of 10:30 on May 14, 2.423 million IP addresses in China had been attacked using the "Eternal Blue" vulnerability; nearly 35,000 IP addresses had been infected by the ransomware, and another 5,471 IP addresses had connected to the built-in domain name and IP of the WannaCry worm, indicating that they may have been infected. In response, international cyber experts warned that a new wave of larger-scale cyber attacks is coming, and the goal may be to use tens of millions of infected computers to obtain the virtual currency Monero.

The Internet "battlefield" is filled with smoke

Although governments at all levels around the world quickly launched emergency responses, a large number of users, especially universities and institutions, still suffered attacks, and the deep-seated problems behind these attacks sparked public discussion.

——Ransomware has become a mature business model. In the future, hackers may launch attacks with more complex technical means and a wider impact range.

Zheng Wenbin, head of 360 Security Technology, said that ransomware is not a virus, but a business model. As long as there is property that can be obtained in the network environment, there will be endless variants. Li Baisong, director of the Security Research and Emergency Response Center of Antiy, said that some illegal hackers may also be inspired by the ransomware attack and combine more technical means with ransomware. The resurgence of worm viruses driven by the ransomware model is inevitable. Hackers may use botnets to distribute viruses, and may also create and spread virus software based on the vulnerabilities of IoT devices. These problems will occur. Not only that, the hacker group that leaked the vulnerability used by the WannaCry virus also warned that it would release more malicious code. PricewaterhouseCoopers said that the possibility of a new round of ransomware attacks is more realistic because the virus has been updated and effectively infected the website.

——Behind the ransomware virus is a global network security issue that deserves vigilance

As early as 2012, the media broke the news that the FBI asked the social network Facebook to leave a backdoor for it. In 2014, it was revealed again that the National Security Agency of the United States used backdoors and implanted viruses to steal secrets from the websites and internal networks of some large companies. Public opinion accused the National Security Agency of the United States (NSA) of being involved in the whole incident and becoming a de facto "accomplice."

The hacker tool "Eternal Blue" used in the cyber attack originated from the cyber arsenal leaked by the NSA in the early days. It is no exaggeration to say that this incident is one of the major consequences of the US cyberspace strategy. This ransomware once again proves that the NSA and other institutions have the "software" to break into the global interconnected system and cultivate more similar "Trojans" to deal with various types of tracking and cracking information. "Eternal Blue" is just one of the vulnerability attacks, yet it can cause such great destructive power. What is the purpose of institutions such as the NSA in "cultivating" these Trojans? Do they implement comprehensive monitoring of the global network? How can user privacy be protected? How can these Trojans be prevented from being stolen? These questions are the most disturbing and the first to reflect on. As human daily life becomes more and more dependent on the Internet, the out-of-control cyber arsenals of the US National Security Agency and the CIA have become the de facto "cyber arms suppliers" of criminals and the source of global public hazards. If no timely action is taken, this will inevitably further aggravate the trend of disorder and loss of control in global cyberspace.

——Cyberspace has become a new battlefield for “wrestling” between countries

British media hinted that there were Russian traces in the recent large-scale cyber attacks, because soon after the US attacked Syria, the hacker group Shadow Brokers began to spread computer viruses, and many experts believe that it seems to confirm the connection between cyber scammers and Russia. It is also reported that since May 12, many computers around the world have been infected by viruses. Security experts said that from past history, some of North Korea's hacker activities seem to be related to cash shortages or personal revenge, and North Korea has a close connection with some large-scale attacks.

In addition, Symantec and Kaspersky said on May 15 that some code from earlier versions of WannaCry also appeared in programs used by the Lazarus Group. Researchers from multiple companies have confirmed that the Lazarus Group is a hacker group operated by North Korea. U.S. and European information security officials said it is too early to determine who launched the attack. However, North Korea cannot be ruled out as a suspected initiator.

Countries joining forces is the only choice

After the ransomware incident, Russia has launched a new information security system called "Shield-Electronic Warfare", which is a Russian military information security assurance system developed in accordance with the new version of the "Russian Federation Information Security Doctrine". In addition, Russian President Vladimir Putin also signed the "New Strategy for the Development of Russia's Information Society", which excludes any anonymity, clarifies the need to use anti-hacking resources to protect infrastructure, and requires the use of encryption technology in federal electronic communications.

In the United States, the White House recently issued two executive orders on the government's use of information technology, requiring a review of federal information technology and cybersecurity resources; the U.S. Congress also plans to legislate to ban the stockpiling of cyber weapons and require proper review of all software and hardware vulnerabilities to avoid large-scale leaks of NSA hacking tools and cyber weapons; at the same time, the U.S. Congress also proposed the "Protecting Anti-Hacking Capabilities Act" to improve federal cybersecurity and transparency.

In Europe, the Netherlands Ministry of Security and Justice issued a proposal for a "Hacker's Rights Act" on May 15 based on the country's Computer Crime Act, aiming to expand the government's investigative capabilities through online tools.

Despite this, this global ransomware attack has far exceeded the scope and control of any one country. As globalization continues to advance, countries joining forces will surely become the only choice to deal with the "war" in cyberspace.
