On May 12, 2017, computers around the world were hit with the largest ransomware attack ever. As of noon Central Time on May 15, 2017, the attack had hit over 200,000 computers in 150 countries. The map below shows the extent of the attack 24 hours after it was launched.
The attack is raising a lot of questions, a few of which I’ll try to answer below.
A form of ransomware called WannaCry (also known as WannaCrypt, WannaCrypt0r, Wcry, and Wanna Decryptor) began spreading on May 12, 2017. Investigators initially thought the malware was introduced into computer systems through phishing attacks. The method of initial introduction is now unclear.
Once in a computer system, the malware spreads easily to other computers because it takes advantage of EternalBlue, an exploit developed by the US National Security Agency that targets a vulnerability in the Microsoft Windows operating system. WannaCry encrypts files on a computer and demands payment of a $300 ransom in Bitcoin to decrypt the files. The ransom increases to $600 if the $300 is not paid within three days. If the ransom is not paid within seven days, the files are permanently lost. Here is a screen shot of what an unfortunate user sees when the ransomware is launched:
The attack has hit some high profile victims including the UK National Health Service, FedEx, Nissan, the Deutsche Bahn railway company in Germany, and the state police in India.
Is the Attack Over?
No. The attack does appear to be slowing, though. That is due in part to the efforts of Marcus Hutchins, a 22-year-old cybersecurity researcher in the UK known as “MalwareTech.” He discovered a “kill switch” in WannaCry in the form of an unregistered internet domain that could be registered by the cyber criminals to prevent the ransomware from functioning. Mr. Hutchins registered the domain and has reportedly prevented over 100,000 additional attacks. You can read his own account of his work here. There have been reports that the ransomware has reappeared in a form without the “kill switch,” so it is likely that versions of the ransomware will continue to spread.
Could the Attack Have Been Prevented?
Yes, and no. Shortly after the EternalBlue exploit was revealed in April 2017, Microsoft released a patch that eliminates the vulnerability in newer versions of Windows. Systems running older versions of Windows remained vulnerable, however. (Microsoft has since issued patches for older versions of Windows.) Companies also could have avoided the attack by disabling the vulnerable Windows component, and by configuring their firewalls to block traffic to the ports the exploit targets. Antivirus software also might have detected the ransomware. Unfortunately, many companies did not apply the patches after they were released last month, or take the other steps that would have prevented the attack.
What Should a WannaCry Victim Do?
As with most ransomware attacks that encrypt files, victims of WannaCry are left with the choice of restoring the encrypted files from backups or paying the ransom. They must also eradicate the malware from all computers. Law enforcement authorities are encouraging victims not to pay the ransom because paying shows cyber criminals that attacks like this one are successful. Authorities are also referring victims to https://www.nomoreransom.org/ for advice on how to prevent and recover from ransomware attacks. As of 3pm Central Time on May 15, 2017, the total ransom paid was $56,309.
In addition to addressing the attack itself, victims should immediately notify insurers under any potentially applicable insurance policies.
What Should Companies Do to Avoid Becoming Ransomware Victims?
There are several steps a company should take:
- Patch systems regularly. As vulnerabilities come to light companies like Microsoft quickly issue software patches that resolve them. The patches typically will not be automatically installed, so companies need to put procedures in place to ensure that they learn about and apply patches on a regular basis.
- Back up systems regularly. A ransomware attack can be quickly resolved by restoring the encrypted files from backups. Backups should be kept on a different system so that a ransomware attack cannot encrypt the backup.
- Install and conscientiously update antivirus software.
- Train employees to recognize phishing attempts to minimize opportunities for ransomware to enter computer systems.
- Ensure that the company has an incident response plan to follow when a ransomware attack takes place.
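As an added example that is not from the original post, the following PowerShell script audits a single Windows host for the three host-level mitigations discussed above (the MS17-010 patch, the vulnerable SMBv1 protocol that EternalBlue exploits, and a host firewall block on TCP port 445, the port SMB listens on) and, with -Fix, applies the last two. The firewall rule name and the KB placeholder are assumptions; the MS17-010 KB identifier differs by Windows version and must be filled in.

```powershell
# Added example (not the original post's code): audit/harden one Windows host
# against the SMBv1 vulnerability WannaCry spreads through. Assumes Windows 8.1 /
# Server 2012 R2 or later (SmbShare and NetSecurity modules) and an elevated
# PowerShell session. The KB id is a placeholder; supply the MS17-010 KB for this OS.
[CmdletBinding()]
param(
    [switch]$Fix,                                 # without -Fix the script only reports
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER')   # MS17-010 KB id(s) for this OS version
)

$findings = @()

# 1. Is the MS17-010 patch installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if (-not $installed) {
    $findings += "MS17-010 patch not found (looked for: $($Ms17010Kbs -join ', '))"
}

# 2. Is the vulnerable SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 3. Is inbound SMB (TCP 445) blocked at the host firewall? (rule name is assumed)
$ruleName = 'Block inbound SMB (TCP 445)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings += 'No host firewall rule blocking inbound TCP 445'
    if ($Fix) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Fix) { Write-Output 'Applied SMBv1/firewall fixes; install the patch separately.' }
} else {
    Write-Output 'Host is patched, SMBv1 is disabled, and inbound TCP 445 is blocked.'
}
```

Run it without -Fix first: blocking inbound 445 on a file server or domain controller breaks the file sharing those hosts exist to provide, so the firewall block belongs on workstations and at network boundaries, while the patch and disabling SMBv1 apply everywhere.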
Can Cyber Insurance Assist in a WannaCry Ransomware Attack?
Cyber insurance can play a critical role in any ransomware attack. When the attack occurs a company must investigate what happened and take the necessary steps to end the event. Unlike the ransom demanded by the WannaCry ransomware, the costs incurred to evaluate and resolve an attack can be significant. Those costs can be covered under a good cyber policy. They may also be covered under a kidnap and ransom policy. In addition to having coverage in place, the policies provide the added benefit of the insurers’ experience with similar situations and their relationships with investigators and other service providers that have expertise in such attacks.