August 16, 2017

When “WannaCry” Strikes: Preparing for and Responding to the Largest Ransomware Attack in History

As many around the world were preparing for the Mother’s Day weekend, the WannaCry ransomware attack hit over 70,000 organizations in nearly 100 countries in just one day, Friday, May 12th. After the weekend, the attack had affected over 150 countries and may yet continue to spread. It has become the largest ransomware attack in history.

Known as “WannaCry” (or “WCry” or “WanaCrypt0r”), this ransomware encrypts your computer files – making them inaccessible – and then demands a ransom of about $300 worth of the digital currency Bitcoin in order to restore your computer files. The malware warns that this ransom doubles to $600 after three days and that the files are deleted after seven days. Of course, there is no guarantee that paying the ransom will lead to the recovery of computer files.

Like most malware, WannaCry is initially delivered through spear-phishing emails and compromised links. Once installed onto a vulnerable computer, the malware not only encrypts computer files but also operates like a worm to scan the victim’s network for other vulnerable machines. Furthermore, WannaCry utilizes special evasion techniques to avoid being exposed to antivirus security scans.

WannaCry attacks by exploiting a known vulnerability in the Windows operating system that was initially disclosed and patched by Microsoft about two months ago. Microsoft has also issued emergency patches for older, unsupported versions of Windows. However, such patches are not always installed promptly, especially by organizations handling large numbers of computers, and patches for Windows XP and other outdated versions of Windows only became available recently.

As of Monday, May 15th, WannaCry’s many thousands of victims included FedEx, Renault-Nissan, the UK’s National Health Service, the Russian Interior Ministry, Spanish telecommunications company Telefonica, German railway company Deutsche Bahn, over 40,000 entities in China, and a police department in India.

Given the widespread and ongoing impact of WannaCry, along with the likelihood of spin-off ransomware coming in the near future, corporate officials such as in-house counsel need to be informed and prepared. With that in mind, here are some basic action items to consider:

Preparing for a WannaCry Attack

  • Identify the Windows operating systems in your network that may be vulnerable to WannaCry or another spin-off ransomware and install the appropriate security patches. Indeed, it is important to stay up to date on security patches generally.

  • Create a backup copy of your organization’s computer system that can be used in the event that your system becomes encrypted by ransomware.

  • Develop or update your organization’s incident response plan to address ransomware. This includes not only planning for rapid investigation, containment, and remediation of an attack, but also planning for business continuity, public relations, cybersecurity insurance, and legal compliance.

  • Establish contacts with law enforcement, outside counsel, a cybersecurity remediator, your insurance company, and anyone else who you will need to coordinate with when responding to a ransomware attack.

  • Implement ongoing training of computer users on basic cybersecurity hygiene, including not clicking on suspicious links or opening suspicious email attachments.

Responding to an Attack

  • Wherever possible, incident response measures should be taken at the direction of counsel in order to preserve attorney-client privilege and minimize legal risk.

  • Work with a cybersecurity remediation company and/or law enforcement to rapidly contain and remediate the ransomware attack. Among other things, this might include disabling the infected computer, restoring backup files, or counteracting the ransomware.

  • Fully investigate the ransomware attack, engage with law enforcement as appropriate, and implement cybersecurity measures to defend against additional follow-up attacks.

  • Determine the extent of harm to data subjects and consumers, comply with any applicable breach notification obligations, and take other steps to minimize legal risk.

Copyright © 2017 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.


About this Author

Allen O'Rourke, Womble Carlyle, Cybercrime Prosecution Lawyer, Breach Investigations Attorney

Drawing upon years of experience prosecuting cybercrime, Allen comes to the aid of clients affected by data breaches and cyber-attacks. He works with clients’ legal and information security teams to investigate cybersecurity incidents, coordinate the remediation of any breach, interface with law enforcement as appropriate, and ensure compliance with applicable data breach laws and regulations. In addition to incident response, Allen defends clients facing government investigations, regulatory enforcement actions, consumer class actions, and other litigation arising from...