With the commencement of the workweek, experts predict the WannaCry cyberattack will spread further through systems that rely on older or unpatched versions of Microsoft Windows. The following alert explains the WannaCry ransomware and its impact on businesses and organizations as well as the preventative measures they need to take immediately.
What: Like other forms of ransomware, WannaCry — aka WanaCrypt0r and WCry — locks users out of their computers and gives malicious actors control of the operating system. This can result in the loss of system functionality (for as long as the computer remains infected) and often involves the destruction of data.
Those in control of WannaCry seek ransom payments in the form of bitcoin. Ransom demands started at $300 and escalated to $600 before system files would be deleted. WannaCry is indiscriminate in its effects (i.e., it is not focused on a discrete target set or industry, and it has the potential to continue to propagate through systems that have not taken appropriate defensive measures). Notably, it can spread among networked computers without users taking any action.
The WannaCry messages that users encounter are presented in the following safe images.
Who: While the originators of WannaCry are unknown, as of May 14, it had victimized at least 200,000 users in more than 100,000 organizations. Victims include the UK’s National Health Service (multiple hospitals and facilities); Federal Express in the United States; Chinese universities; Russia’s Interior Ministry; Telefonica, Gas Natural and Iberdrola (electrical) in Spain; and Renault in France.
Where: As of May 14, WannaCry had infected computers in over 150 countries (noting that the ransomware’s ability to operate in at least 27 languages has increased its transnational potency).
When: The new variant of WannaCry began creating significant effects on May 12, with infections and ransom demands expected to continue. Another strain of WannaCry began infecting computers over the weekend.
Why: WannaCry takes advantage of a known vulnerability in Microsoft Windows (addressed by Microsoft security bulletin MS17-010 and exploited by the ETERNALBLUE exploit), and some experts believe it may have the ability to exploit other vulnerabilities. Because this vulnerability had been identified some time ago, Microsoft released a patch approximately two months earlier. However, many Microsoft users did not install the patch.
The Way Ahead: It is possible that the variant of WannaCry discussed above (and its successors) will continue to wreak havoc on computer systems for the near future. Effects would be felt across industries globally.
Organizations should take preventative measures immediately:
- Ensure that all systems and software are protected against WannaCry. Windows users should confirm they have the latest Windows security updates installed (e.g., MS17-010) and organizations should only use supported versions of software. As always, organizations should systematically monitor patch availability and promptly download and implement available patches.
- Organizations that rely on internal cybersecurity defensive tools, software or services, or that use outside vendors or other external defensive options, should confirm they have layered defenses that account for, and are capable of addressing, the latest variant of WannaCry and its successors.
- Back up data, make certain that backup files are as current as possible, and implement measures to ensure resilience and business continuity in the event of infection by WannaCry. Backups should be isolated and segmented and interconnectivity should be avoided whenever it is not essential. Limit internal (workstation-to-workstation, server-to-server) communication and user permissions to help prevent the spread of WannaCry.
- Review incident response plans and update them as necessary to address distributed ransomware attacks. Conduct training exercises tailored to distributed ransomware scenarios.
- Deliberate now as to whether or under what circumstances the organization would pay the ransom — decisions driven by considerations specific to particular businesses. Considerations may include, but are not limited to:
- harm to the business or those it serves if the system remains inoperable and/or files are destroyed;
- the cost of payment and whether that cost is incurred for a single computer or for multiple computers;
- whether there is a sufficient basis to believe that payment will result in the system and/or files being released to the user (noting that some of the recent ransomware attacks resulted in computers being left inoperable even after meeting ransomware demands); and
- the potential that payment in this instance will perpetuate ransomware attacks against the business and others in the future.
- Review insurance policies and consider whether they cover a WannaCry infection; whether additional coverage is needed; and whether they permit the use of outside cybersecurity vendors and qualified legal counsel, under what circumstances and when in the process (e.g., not until after notification to the insurer if the insurer will be responsible for paying for cybersecurity and legal services).
- Train and test — on a continuing basis — employees and other persons with access to company computer systems on identifying and avoiding phishing and spear phishing.
- Ensure comprehensive, functional and effective cybersecurity strategies and/or written information security programs are in place. These strategies and programs should address vulnerabilities created by the existence of disparate systems, networks and cybersecurity responsibilities that may exist across lines of businesses or business infrastructure and involve regular testing for vulnerabilities and strategy/program compliance.
- Review second-tier plans, policies, procedures and cyber hygiene practices to ensure they address vulnerabilities in other devices (e.g., tablets, mobile phones, personal laptops) that may connect to business systems and networks.
- Ensure that crisis response team members have been identified. Consider who, specifically, they will call for assistance (e.g., cybersecurity firm, outside counsel, public relations, government agency) in the event of an infection.
- Understand legal obligations with respect to a ransomware incident (e.g., must the organization report the incident to customers, employees, regulators, attorneys general, etc.?).
- Consider whether to join an Information Sharing and Analysis Center, if one exists for the specific industry, to share threat information and learn best practices for combatting cyber incidents.
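One way to verify the patch and network-segmentation recommendations above (the MS17-010 update, SMBv1 exposure and limits on workstation-to-workstation traffic) on a single Windows host, as an added read-only PowerShell audit that is not part of the original alert; it assumes PowerShell 5 on Windows 8.1/Server 2012 R2 or later, administrator rights, and that the KB list is checked against the MS17-010 bulletin for the builds in use:

```powershell
# Added example (not from the original alert): read-only audit of one Windows
# host for the WannaCry exposure points the alert lists. Nothing is changed.
# Assumptions: PowerShell 5+, Windows 8.1 / Server 2012 R2 or newer (for the
# Smb* and NetFirewall cmdlets), run from an elevated prompt.

# KB numbers taken from Microsoft bulletin MS17-010 for several OS builds;
# verify them against the bulletin for your estate. Later cumulative updates
# supersede these, so "none listed" is not proof of exposure on its own;
# the SMBv1 checks below are the more durable signal.
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012598','KB4013429')

function Get-WannaCryExposure {
    $os = Get-CimInstance Win32_OperatingSystem

    # 1. Patch state: is any MS17-010 package in the installed hotfix list?
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $ms17010 = $Ms17010Kbs | Where-Object { $installed -contains $_ }

    # 2. SMBv1, the protocol the MS17-010 flaw lives in. Both the server-side
    #    switch and the optional feature should be off on workstations.
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                        -ErrorAction SilentlyContinue).State

    # 3. Lateral spread: an enabled inbound block on TCP 445 limits
    #    workstation-to-workstation SMB traffic, as the alert recommends.
    $block445 = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True `
                    -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = "$($os.Caption) $($os.Version)"
        MS17010Found    = if ($ms17010) { $ms17010 -join ',' } else { 'none listed' }
        SMB1ServerOn    = [bool]$smb1Server
        SMB1Feature     = "$smb1Feature"
        Inbound445Block = [bool]$block445
        NeedsAttention  = ([bool]$smb1Server) -or ("$smb1Feature" -eq 'Enabled') -or (-not $block445)
    }
}

Get-WannaCryExposure | Format-List
```

Run it across the estate with `Invoke-Command` and collect the objects; any host with `NeedsAttention` set to True belongs at the top of the patching and segmentation queue.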