MY TAKE: ‘Bashe’ attack theorizes a $200 billion ransomware raid using NSA-class cyber weapons

By Byron V. Acohido

A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe.

Related: U.S. cyber foes exploit government shutdown

The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real life WannaCry and NotPetya ransomware worms that plagued thousands of organizations in 2017.

The exercise was commissioned by Lloyd’s of London, the Cambridge Centre for Risk Studies and the Nanyang Technological University in Singapore, among others. In their construct, the fictional cyber ring behind Bashe leverages lessons learned from missteps made in WannaCry and NotPetya, with the aim of making Bashe “the most infectious malware of all time.”

It should not be forgotten that WannaCry and NotPetya made use of some of the  69 cyber weapons stolen from the NSA and released publicly by a group known as Shadow Brokers. These weapons were designed by NSA software engineers to take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

EternalBlue pedigree

Keep in mind, globe-spanning ransomware worms are just one of endless ways the NSA weapons, often referred to as “EternalBlue,” could be leveraged. While the Lloyd’s study focuses on the ransomware scenario, it’s reasonable to believe threat actors of every stripe are developing other ways to utilize EternalBlue-class cyber weaponry.

This creates a responsibility for every organization to consider this report and assess what damage control might entail, says Darin Pendergraft, vice president of product marketing at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data.

“Damage control depends on the privilege level of the employee’s user account,” Pendergraft says. “Right now, it’s highly common to find that regular users have Administrative rights on their PCs.  This allows email viruses that are opened to run with Administrative privilege – allowing them to become highly aggressive and to infect hundreds of other PCs and to even spread outside the organization.”

Pendergraft points out that a “least privilege access model” (LPAM) can recognize that not all users need full administrative access on their work computers. “In fact, most don’t need it at all,” he says. “In the case of ransomware and many other types of malware, the more access a compromised user has, the greater the damage.”

Technology and guidance for achieving LPAM is readily available to  most organizations. “Maybe Lloyds’ findings will wake companies up to this,” Pendergraft says. “Right now, too many companies give users Administrative level permissions on their PCs – which is the digital equivalent of storing large quantities of gasoline in your family home. It’s just asking for trouble.”


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone