A pleasant Saturday morning turned worrisome for thousands of corporates as well as government webpage developers when the news of cyber ransom attack spread. Individual users of internet, including me, were still anticipating that nothing will happen to us. It was still believed that the attackers were targeting the west and that too big data houses. We were all proved wrong within no time.
I first noticed the alert sign with a cyber attack in a Facebook post by Dr.Subhajit Basu, Associate Professor of Information Technology Law in School of Law, University of Leeds, who is also my senior in law college in the University of Calcutta, which mentioned about shutting down of the NHS websites due to some virus attacks.
He wrote “There has been a huge 'CyberAttack' on NHS. NHS services across England have been hit by IT failure, it seems to have happened because of large-scale cyber attack. Trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected. It looks like a massive ransomware virus that has infected all computers on the NHS.” It must be noticed that this post was made on 12th May, 2017, and not many felt the graveness of this attack until 13th morning, except those who were working in the cyber security sectors.
In no time, we got to see that not the nations, but continents were affected by this virus and in Asia, India was in the top of the worst hit list.
What is ransom attack and how does it affect us?
By now, almost all of us have come to know that this malware known as Wannacry ransom attack is actually a virus which is spreading through “loaded hyperlink” which can be sent through mail, webpage etc. One popular explanation has been that this loaded hyperlink is sent through mails from senders who the victim may not suspect as a malicious sender; further, once opened, it may first decrypt only to encrypt the files which may not be encrypted otherwise.
Plainly, Wannacry virus is another form of privacy infringing mechanism which unauthorisedly accesses the data. The uniqueness about this is, it does not stop with encrypting the files against the wish of the data owner; the attackers play the hi-tech criminal part by demanding a ransom that may be in the form of cryptocurrency Bitcoin.
The uniqueness about this is, it does not stop with encrypting the files against the wish of the data owner; the attackers play the hi-tech criminal part by demanding a ransom that may be in the form of cryptocurrency Bitcoin
What is the form of attack? One may ask what sort of offence it may form? Attack on the computer? Attack on the computer networks? Damaging the files? Unauthorised access to the computer? Or something graver? In my opinion it indeed is a graver offence beyond simple attack on the computer. This may be explained as below:
In a way, it has proved a bunch of irresponsible hackers and hacking trainers’ thought “hacking is fun” at the cost of millions of people. It is like illegally breaking into a house and locking one’s valuables only to extort. It is nothing but hacxtortion: hacking and extortion.
Who should be careful about it and why?
Not to forget that we have just started an era of demonetisation where our physical lockers, purses carry less currency and virtual purses carry more money. Individuals engaged in digital transaction must, therefore, be extremely careful to protect their data. Apart from ordinary individuals, I see several other categories of people and companies who may be possible targets of wannacry racket and this includes writers, academicians, scientists and also film production companies. All these sectors may not only earn their reputation, but also livelihood by way of intellectual properties, which is generally stored in the personal computers.
The other sector which must be extremely cautious to protect their data and computer is obviously the "rights defenders", i.e., the lawyers and the courts as they may be seen as custodians of private data of many individuals, including the accused as well as the victims. I say this because already health sector may have been affected, resulting in partially suspending services to the patients.
Further, this has to be noted again that individuals not only store important data related to banking in their devices, we, especially women may also store something which we need to worry about: our private pictures/images. Professor K.Jaishankar and I have done extensive research (Cyber Crimes Against Women In India, Sage: 2016) on sextortion and revenge porn along with other sorts of cyber offences targeting women.
Imagine, if these women who are superstars suffer from such privacy infringement what happens to ordinary women who are being targeted by ransom attackers
But it must be noted that such offences, including sextortion may have been majorly interpersonal victimisation. In most cases, these may have been related to revenge porn or online grooming by unknown “frenemies” for the purpose of unethical profit making. It is well-known that nude or semi nude images of women get sold to adult entertainment sites.
Some of us may remember the biggest ever privacy infringement on film stars happened earlier this year when some hackers had stolen private pictures of film stars and posted it publicly. Imagine, if these women who are superstars suffer from such privacy infringement what happens to ordinary women who are being targeted by ransom attackers.
By now, several write-ups have been published to recommend how to save your computers and data from the ransom attack and almost every suggestions indicate that payment of ransom is no answer to recover the encrypted data. Speaking from legal perspectives, we must understand that our Information Technology Act, 2000 (amended in 2008) does provide some solutions if not fully; the attack may be regulated under S.43 (penalty, compensation for damage to computer, computer system) along with S.65 (tampering with computer source document) and 66 (computer related offences), along with provisions from Indian Penal Code, especially relating to extortion. Not to forget that our Information Technology Act has extra-territorial jurisdiction which may need to be executed in prosecuting cases.
However, there is definitely a loophole as there lacks a ratified treaty for cooperation in such cases. Moreover, our criminal justice administration, especially the police needs special training to nab the criminals, particularly when individuals are attacked.
But still then, we have come across a long way since the spreading of “I love you” virus which almost totally handicapped a nascent cyber-aware nation. A little awareness may make us more immune towards such attacks.