United States: Wannacry Ransomware Attacks Should Be A Wake-Up Call For Cybersecurity Diligence

Last Updated: May 23 2017
Article by Joseph Facciponti and Joseph V. Moreno

Most Read Contributor in United States, July 2018

Last week's massive ransomware attack should serve as a wake-up call that companies across all industries and regions must take the threat of global cyber attacks seriously.  Although investigators are still uncovering details, three key lessons have emerged for businesses seeking to protect themselves.  First, ransomware attacks are going to become much more common.  Second, the attack might have been prevented if companies had been more diligent about implementing basic cybersecurity practices, such as patching software vulnerabilities and training staff to detect phishing emails, i.e., emails that appear legitimate but contain links or files that deploy computer viruses if opened.  And, third, companies that fail to take reasonable measures to prevent attacks might find themselves to be the subject of costly regulatory enforcement actions or private litigation.

What Is Ransomware? 

Ransomware is a form of malevolent software, or "malware," that typically encrypts or deletes data stored on computer networks, trapping the data and making it unavailable and unusable.  Hackers responsible for installing ransomware on victims' computer networks frequently demand payment (the "ransom" in ransomware) to have the data restored. 

Ransomware attacks can be tremendously costly.  Even in the best-case scenario, where victims are prepared for an attack and have maintained up-to-date archives, there are still significant remedial costs and business disruptions that come in the wake of an attack.  However, in the worst-case scenario, where victims do not have access to backup copies of their data, they find themselves in the no-win position of having to decide whether to pay the hackers or potentially lose their data forever.  Each option is unappealing – by paying the hackers, victims only encourage future attacks and there is no guarantee that the hackers will even restore the victims' data.  However, by refusing to pay, victims could effectively find themselves out of business. 

Ransomware has grown in popularity in recent years because it can be very profitable.  In a traditional data breach, financially-motivated hackers typically steal personal data such as bank or credit card information; however, that is only the first of several steps they must take before they can profit from their efforts.  They must then find buyers for the stolen data or themselves exploit the information through an identity-theft or other fraudulent scheme, each of which imposes additional risks and costs. 

By contrast, in a ransomware attack, hackers need not worry about dealing with a middleman or finding a way to exploit the stolen data themselves. They simply hold a victim's data hostage and demand payment.

What Happened in the WannaCry Attack?

Last week's attack focused on a vulnerability in computer networks running Microsoft Windows.1The vulnerability at issue appears to have been originally identified by the National Security Agency ("NSA") and was leaked online earlier this year by a group known as "The Shadow Brokers."  Several weeks later, an unknown group of hackers – possibly backed by North Korea2 – used a combination of the NSA exploit coupled with phishing attacks to infect computers with a type of ransomware known as "WannaCry" or "WannaCrypt."  Once a victim's network became infected, the ransomware quickly spread to other computers throughout the network, encrypting data and demanding approximately $300 in bitcoin in exchange for decrypting the data. 

Initially, the attack appeared to be focused on the computer network of the United Kingdom's National Health Service, which was forced to close emergency rooms and cancel patient appointments due to the temporary inability to access patient records.  The attack quickly spread to computers around the world, reaching at least 200,000 computers in 150 countries, including networks used by the Russian Interior Ministry and by thousands of schools in China.  Researchers estimate that victims have paid approximately $70,000 thus far to the hackers.3  The attack was effectively halted when a computer researcher reportedly discovered a "kill switch" in the ransomware's computer code and was able to prevent additional attacks.4  However, by then it was too late to rescue computers that had already been infected.  Even though the ransomware's continued spread appears to have been slowed or even stopped, and no significant follow-up attacks have emerged thus far, the damage is still being felt by victims who are struggling to restore their operations.

What Lessons Should Be Learned?

Lesson #1.  Ransomware attacks are going to become much more common.  As hackers realize that it is faster and more profitable to extort money directly from victims, rather than steal data and then engage in identify theft and money laundering schemes to profit from it, they will be encouraged to pursue attacks similar to what we saw last week.  The U.S. Department of Justice reported that there was an average of about 4,000 ransomware attacks each day in 2016, a 300 percent increase over the prior year.5 Some experts believe that ransomware may be one of the most profitable cybercrime tactics in history.6 

Lesson #2.  Companies must take certain basic steps to protect their networks, including regularly updating their software and training employees to better recognize phishing emails.  In this case, Microsoft issued a "critical" patch for its Windows operating systems in March 2017 that resolved the vulnerability that was exploited during the attack.7 Yet countless organizations remained vulnerable either because they were not diligent about installing software updates, were running older versions of Windows (such as Windows XP) for which Microsoft no longer issues updates, or were running pirated versions of Windows that are unable to receive security updates.8  Further, as it appears that phishing emails were used to deliver the ransomware, it is vital that companies train employees to recognize phishing emails and respond appropriately.  According to one study, nearly half of adults in the United States cannot identify a phishing email.9

Lesson #3.  Victims of future cyber attacks will face not only the time and monetary disruption caused by a successful breach, but also possible enforcement actions and civil litigation.  Indeed, last fall the former Chairwoman of the Federal Trade Commission warned U.S. businesses that "a company's unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the [Federal Trade Commission] Act."10  Other regulators, such as the Securities and Exchange Commission ("SEC") and the New York Department of Financial Services, might also consider a company's failure to timely implement updates or train employees as failing to take reasonable measures to safeguard customer data, prompting regulatory action.  And the Office of Civil Rights ("OCR") of the Department of Health and Human Services, which is responsible for bringing enforcement actions under the Health Insurance Portability and Accountability Act ("HIPAA") when health care companies fail to safeguard confidential patient data, issued guidance in July 2016 that stated that OCR would consider a ransomware attack to be a HIPAA breach if private patient data was compromised.11  OCR issued this guidance after a series of high-profile ransomware attacks on hospitals in the U.S. in early 2016, including one attack in which a California hospital was required to pay hackers $17,000 in bitcoin to restore access to its patient medical records.12 13

Conclusion

Most public companies and financial institutions are already subject to a host of regulations governing how they safeguard customer data.  However, last week's attack illustrates the importance of taking simple steps to protect data from ransomware.  In response to the WannaCry attack, the Federal Bureau of Investigation has posted a bulletin listing ways for companies to protect their data.14  Basic steps to protect data include:

  • Maintaining backups of critical data that are maintained separately from the organization's internal computer network and regularly testing the backups to ensure they work correctly.
  • Promptly installing software updates that are intended to address security vulnerabilities.
  • Screening incoming email traffic for potential phishing attacks and ensuring that employees are trained to detect and report them.

In addition, companies should consider consulting with legal counsel regarding the adequacy of their cybersecurity programs or, if they have been the victims of a cyber attack, to mitigate their potential liability.

 Footnotes

1 See Nicole Perlroth and David E. Sanger, Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool, The New York Times (May 12, 2017), available at https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?action=click&contentCollection=U.S.&module=RelatedCoverage®ion=Marginalia&pgtype=article.

2 See Nicole Perlroth and David E. Sanger, In Computer Attacks, Clues Point to Frequent Culprit: North Korea, The New York Times (May 15, 2017), available at https://www.nytimes.com/2017/05/15/us/nsa-hacking-shadow-brokers.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region®ion=top-news&WT.nav=top-news.  

3 See Sean Gallagher, WCry ransomware worm's Bitcoin take tops $70k as its spread continues, Ars Technica (May 16, 2017), available at https://arstechnica.com/security/2017/05/wcry-ransomware-worms-bitcoin-take-tops-70k-as-its-spread-continues/.

4 See Malwaretech, How I accidentally stopped a global Wanna Decryptor ransomware attack, Ars Technica (May 15, 2017), available at https://arstechnica.com/information-technology/2017/05/wanna-decryptor-kill-switch-analysis/.

5 See Department of Justice, Protecting Your Networks from Ransomware, available at https://www.justice.gov/criminal-ccips/file/872771/download.

6 See Tom Risen, Ransomware Is the Most Profitable Hacker Scam Ever, U.S. News & World Report (July 27, 2016), available at https://www.usnews.com/news/articles/2016-07-27/cisco-reports-ransomware-is-the-most-profitable-malware-scam-ever.

7 See Microsoft Security Bulletin MS17-010 – Critical (Mar 14, 2017), available at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

8 See Dan Goodin, Wanna Decryptor ransomware: What is it, and how does it work, Ars Technica (May 15, 2017), available at https://arstechnica.co.uk/security/2017/05/what-is-wanna-decryptor-wcry-ransomware-nsa-eternalblue/.

9 See Angus Loten, Employee 'Weak Link' in Cybersecurity Efforts: Analysts, The Wall Street Journal (Apr 3, 2017), available at https://blogs.wsj.com/cio/2017/04/03/employees-weak-link-in-cybersecurity-efforts-analysts/.

10 Opening Remarks of FTC Chairwoman Edith Ramirez, Fall Technology Series, Ransomware (Sept 7, 2016), available at https://www.ftc.gov/system/files/documents/public_statements/983593/ramirez_-_ransomware_remarks_9-7-16.pdf.

11 See FACT SHEET: Ransomware and HIPAA, available at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

12 See Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times (Feb 18, 2016), available at http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

13 See Jimmy Hoover, SEC Suits Over Cyber Reporting Could Be On Horizon, Law360 (Apr 20, 2017), available at https://www.law360.com/articles/915377/sec-suits-over-cyber-reporting-could-be-on-horizon.

14 See FBI Flash, Indicators Associated With WannaCry Ransomware, MC-000081-MW (May 13, 2017), available at http://www.himss.org/sites/himssorg/files/flash-fbi-wannacry.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions