When “WannaCry” Strikes: Preparing for and Responding to the Largest Ransomware Attack in History
As many around the world were preparing for the Mother’s Day weekend, the WannaCry ransomware attack hit over 70,000 organizations in nearly 100 countries in just one day, Friday, May 12th. After the weekend, the attack had affected over 150 countries and may yet continue to spread. It has become the largest ransomware attack in history.
Known as “WannaCry” (or “WCry” or “WanaCryptOr”), this ransomware encrypts the files on an infected computer, making them inaccessible, and then demands a ransom of about $300 worth of the digital currency Bitcoin to restore them. The malware warns that the ransom doubles to $600 after three days and that the files are deleted after seven days. Of course, there is no guarantee that paying the ransom will lead to the recovery of the files.
Like most malware, WannaCry is initially delivered through spear-phishing emails and compromised links. Once installed on a vulnerable computer, the malware not only encrypts files but also operates like a worm, scanning the victim’s network for other vulnerable machines. Furthermore, WannaCry uses evasion techniques to avoid detection by antivirus scans.
WannaCry attacks by exploiting a known vulnerability in the Windows operating system that was initially disclosed and patched by Microsoft about two months ago. Microsoft has also issued emergency patches for older, unsupported versions of Windows. However, such patches are not always installed promptly, especially by organizations handling large numbers of computers, and patches for Windows XP and other outdated versions of Windows only became available recently.
As of Monday, May 15th, WannaCry’s many thousands of victims included FedEx, Renault-Nissan, the UK’s National Health Service, the Russian Interior Ministry, Spanish telecommunications company Telefonica, German railway company Deutsche Bahn, over 40,000 entities in China, and a police department in India.
Given the widespread and ongoing impact of WannaCry, along with the likelihood of spin-off ransomware coming in the near future, corporate officials such as in-house counsel need to be informed and prepared. With that in mind, here are some basic action items to consider:
Preparing for a WannaCry Attack
Identify the Windows operating systems on your network that may be vulnerable to WannaCry or a spin-off ransomware and install the appropriate security patches. Indeed, it is important to stay up to date on security patches generally.
Create a backup copy of your organization’s computer system that can be used in the event that your system becomes encrypted by ransomware, and keep that backup separate from the network: a backup the worm can reach can be encrypted along with everything else.
Develop or update your organization’s incident response plan to address ransomware. This includes not only planning for rapid investigation, containment, and remediation of an attack, but also planning for business continuity, public relations, cybersecurity insurance, and legal compliance.
Establish contacts with law enforcement, outside counsel, a cybersecurity remediator, your insurance company, and anyone else who you will need to coordinate with when responding to a ransomware attack.
Implement ongoing training of computer users on basic cybersecurity hygiene, including not clicking on suspicious links or opening suspicious email attachments.
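The first two preparation items above, identifying vulnerable Windows systems and confirming the patch is installed, are illustrated by the following PowerShell script. It is an added example, not code from the original alert: the KB identifiers and host names are placeholders (the alert names no KB number), and it assumes the hosts accept remote CIM/WMI queries from the administrator running it.

```powershell
# Added example (not from the original alert): inventory Windows hosts, report the OS
# version, and flag hosts missing a required security update or running an out-of-support OS.
# PLACEHOLDERS: $RequiredKBs and $Hosts are hypothetical values; substitute the KB numbers
# Microsoft published for the vulnerability and your own computer inventory.
$RequiredKBs = @('KB0000000')                        # PLACEHOLDER KB identifier(s)
$Hosts       = @('WORKSTATION-01', 'FILESERVER-01')  # PLACEHOLDER host names

function Get-RansomwarePatchStatus {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $RequiredKB
    )
    foreach ($computer in $ComputerName) {
        try {
            # OS caption, e.g. "Microsoft Windows 7 Professional"; needs remote CIM/WMI access.
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            # Installed updates as reported by Windows (Win32_QuickFixEngineering).
            $installed = (Get-HotFix -ComputerName $computer -ErrorAction Stop).HotFixID
            $missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })
            # Windows XP is named in the alert as needing a separate, late emergency patch;
            # extend the pattern with any other out-of-support versions in your estate.
            $outOfSupport = $os.Caption -match 'Windows XP'
            $status = if ($missing.Count -gt 0 -or $outOfSupport) { 'ACTION REQUIRED' } else { 'PATCHED' }
            [pscustomobject]@{
                Computer     = $computer
                OSVersion    = $os.Caption
                OutOfSupport = $outOfSupport
                MissingKB    = ($missing -join ', ')
                Status       = $status
            }
        }
        catch {
            # Unreachable hosts are reported rather than silently skipped:
            # an unknown host is not a patched host.
            [pscustomobject]@{
                Computer     = $computer
                OSVersion    = 'unknown'
                OutOfSupport = $null
                MissingKB    = $null
                Status       = "UNREACHABLE: $($_.Exception.Message)"
            }
        }
    }
}

Get-RansomwarePatchStatus -ComputerName $Hosts -RequiredKB $RequiredKBs |
    Sort-Object Status -Descending |
    Format-Table -AutoSize
```

Hosts reported as ACTION REQUIRED or UNREACHABLE are the ones to patch or isolate first; a host that cannot be queried should be treated as unpatched until proven otherwise.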
Responding to an Attack
Wherever possible, incident response measures should be taken at the direction of counsel in order to preserve attorney-client privilege and minimize legal risk.
Work with a cybersecurity remediation company and/or law enforcement to rapidly contain and remediate the ransomware attack. Among other things, this might include disabling the infected computer, restoring backup files, or counteracting the ransomware.
Fully investigate the ransomware attack, engage with law enforcement as appropriate, and implement cybersecurity measures to defend against additional follow-up attacks.
Determine the extent of harm to data subjects and consumers, comply with any applicable breach notification obligations, and take other steps to minimize legal risk.