Decoding the Petya Ransomware Attack

By Sunidhi Singh, Army Institute of Law, Mohali.

“Technology is a useful servant but a dangerous master.”

Christian Lous Lange

Computers were invented to help human beings perform tough and time consuming tasks accurately, within seconds and the internet was developed as a research and information sharing tool. However, our present situation is a total reverse. Today’s techno-savvy world, though sophisticated, is also a hub of several misdeeds. `Cybercrime’ is growing dangerously in a technical age where computers are used as a weapon to commit real world crimes.

Today’s world is witnessing an upsurge in the number of cybercrimes, an example of the same is the “Petya Ransomware Attack” which occurred for the first time in 2016 and again in June 2017.

What is Ransomware?

Ransomware is a type of malicious software which denies access to important data of the victim computer to its user and asks for ransom to restore access. Currently, it is a trending cybercrime. It creeps into the victim’s computer system by trying all possible ways to encrypt and corrupt confidential information, essentially aiming at deleting all the data and causing massive destruction with the absence of any financial aims.

Following the `Wannacry Ransomware Attack’ in May 2017, which affected more than 300,000 computers across the globe in about 150 countries, the much advanced `Petya Ransomware Attack’  affected numerous enterprises in countries such as Ukraine, USA, Australia, Russia and other major parts of Europe.

It chiefly targeted the data of Microsoft Operating System based computers of several prodigious firms such as Russia’s biggest Oil Company Rosneft, the global advertising giant WPP group, the Central Bank and an international airport of Ukraine.

Impact of the Petya Ransomware Attack on India

Due to the Petya Ransomware Attack, operations at one of the terminals of India’s largest container port, Jawaharlal Nehru Port Trust came to a standstill. The terminal is controlled by the AP Moller- Maersk group. Its Hague office got hit by the attack which affected its multiple sites and business. In  order to avoid losses, operations such as loading and unloading of containers were performed manually, which was a tough task.

Dealing with Cybercrimes : Legal and Regulatory Mechanism in India

“Cyber-attacks are not what make the cool war ‘cool’. As a strategic matter, they do not differ fundamentally from older tools of espionage and sabotage.”

Noah Feldman

Since cyber crimes involve criminal activities in which computers are either a source or a target of  the crime, they are subject to certain laws, which fall under the ambit of Cyber Laws. These are vital to regulate the activities and transactions taking place on the World Wide Web as they deal with the legal aspects of the cyberspace. They generally encompass laws related to Cyber crimes, Electronic and Digital Signatures, Intellectual Property, Data Protection & Privacy.

From the time of the institution of the Indian Constitution, no laws or legislatures existed to regulate the electronic transactions through the cyberspace. Since, at the basic level, cyber crimes involve a range of criminal activities such as theft, forgery, fraud, defamation etc., these come under the ambit of the Indian Penal Code. With the increased technical advancements and digital connectivity, their misuse became a frequent phenomenon which formed the foundation stone of the IT Act, 2000.

The Information Technology Act, 2000, provides a legal framework so that the information on the internet gets legal validity and is not denied legal action only on the ground that it deals with electronic records. In accordance with, Section 1(2) of the IT Act, 2000, the Act extends to the whole of India and also applies to any offence or contravention committed outside India by any person (Section 75). The Act mentions remedies for crimes such as tampering with computer source document (Section 65), hacking with computer system (Section 66), cheating using computer resource (Section 66D) and cyber terrorism (Section 66F). However, it is ill equipped and deficient when it comes to dealing with ransomware attacks. It also falls short in protection of privacy, civil liberties and does not address the issue of cyber security breaches.

Present Scenario in India

India has seen a rapid increase in the number of cyber threats and attacks against Government, Private and Financial Service Organizations. The sheer number of unsupported pirated operating systems and outdated computers across the country make India an easy target for such attacks. Not only is our present legal mechanism largely insufficient to deal with this menace, we even lack the necessary infrastructure to face such problems.

A study conducted by Fortinet, a cyber-security software firm, found that 94% of IT experts believe that information security practices in Indian Organizations are sorely inadequate and completely fail to protect from cyber-attacks in today’s world. One of the biggest reasons behind this is the limited awareness regarding cyber security and the need for specialized and customized cyber security measures. It is high time to reboot and ensure information security.  

Cyber experts are of the view that a new and comprehensive Cyber Security law covering all aspects of the cyberspace is the need of the hour. Moreover, the IT Act requires amendments to clearly chalk out the roles, responsibilities, accountabilities and liabilities of the Internet Service Providers as well as intermediary agencies to be able to better tackle cyber attacks.

Today, as the Indian Government has embarked on a mission to turn the country into a digital economy, it has triggered a fresh wave of economic growth, with more investment and new job opportunities. This poses a big challenge to our cyber security as India is now can now be a bigger target for cyber criminals. The recent Memorandums of Understanding between the National Cyber Security Agencies of India and those of countries such as the UK, USA, Spain, Bangladesh etc, is a step taken in the right direction as the exchange of technical information on cyber-attacks, security incidents and solutions will definitely improve the present scenario.

In August, 2017, the Union Ministry of Electronics and Information Technology announced the National Cyber Coordination Centre which scans the country’s web traffic to detect cyber security threats. It is of great use in terms of cyber security using metadata and various permutations to get a situational awareness and fend off such threats in a timely manner. It has powers under the Indian Constitution with provisions of section 69B of the IT Act, 2000 and is India’s first layer for cyber threat monitoring.

Conclusion

“Justice will not be served until those who are unaffected are as outraged as those who are.”

Benjamin Franklin

In 2017, India witnessed at least four ransomware attacks which include the Cerber Ransomware attack in the Delhi Office of the Quality Council Of India in January, the Locky Ransomware attack in the computer systems of the Maharashtra Revenue and Public Works Department in the month of May, the WannaCry Ransomware attack in many parts of India in May and the Petya Ransomware in the month of June. The Indian Computer Emergency  Response Team reported a total of 1,44,496 cyber-attacks in India in the last three years, which only adds on to the plethora of attacks which go undetected and unreported.

Although, the Petya ransomware attacking pattern suggests that it had only specific and fixed targets to hit, it does not necessarily mean that the others can take a sigh of relief.  When it comes to data privacy, such attacks reveal the increased vulnerability of our confidential data and are a reminder for all the countries and governments round the globe, to pull up their socks and be prepared for the worst if they don’t come together to address and rectify such a dangerous reality of the current world.

The Petya Ransomware attack is thus, synonymous with an alarm bell, urging all of us to wake up and be more attentive and vigilant when it comes to the safety and security of our data. It’s high time that we formulate strong defensive and offensive strategies, to deal with such cyber attacks for the protection of private data and further for the maintenance of national integrity.