WannaCry ransomware and vulnerabilities
During May, a large-scale cyberattack utilising a powerful strain of malware known as “WannaCry” took advantage of a flaw in the operating system of Windows-based computers. WannaCry was first brought to light during a recent WikiLeaks release of information (known as Vault 7) on the activities and capabilities of the U.S. government. WannaCry is ransomware that causes end-user frustration by encrypting any infected machine and making it unusable until the owner pays a ransom using the untraceable digital currency Bitcoin.
The attack first came to light mid-afternoon in the U.K. on May 12 and then spread across the globe, affecting computers in China, France, Germany, Japan, Russia, Spain and the U.S. The attack also impacted many industries, including health care providers (mainly hospitals), manufacturing, telecommunications, utilities, logistics, transportation and educational facilities.
The spread of the ransomware was slowed when a U.K. security research team found a kill switch within the ransomware and turned it on. While this action limited further spread of the malware, it did not resolve the issues for any computers that were already infected. In addition, it’s been reported that variants of this ransomware have been reprogrammed without the kill-switch function.
Although the flaw was discovered earlier this year and Microsoft released a patch to fix the vulnerability shortly thereafter, Friday’s widespread attack highlights the fact that many businesses (or individuals) either did not heed the warnings or delayed installation of the patch. As a result, more than 200,000 computers in 150 countries have been affected by the first wave of the attack.
WannaCry was likely enabled through phishing emails (i.e., employees had to click on an infected link, likely a malicious Microsoft Word file, to enable the ransomware). This is another reminder that employees are the weakest link in any organisation’s cybersecurity strategy and are also the strongest defence. As such, to effectively manage the people risk, organisations should consider the following:
- Increase the level and regularity of employee awareness training in your organisation. It is important that employees are trained to review emails closely to ensure they are from trusted and known senders before clicking on links. A cyber-savvy workforce holds the key to your enterprise
- Assess whether your organisation’s IT department has the right or sufficient talent and skills needed in today’s environment to effectively be prepared to handle these emerging threats. In this case, organisations that have been impacted should ask themselves why the patch that Microsoft made available was not installed in a timely manner. Was the lag in installation a talent or employee engagement issue?
- Evaluate whether your organisation’s culture is supportive of cyber awareness and action-oriented behaviours. For example, do leaders model positive behaviours that encourage employees to do the same, and do employees truly know what actions to take to report a cyber incident?
Several technology providers, including BAE Applied Intelligence, recommend the following steps to mitigate exposure to your organisation’s network systems:
- Ensure security updates are current for Microsoft and other operating systems.
- Ensure your antivirus and anti-spam filters are current. Most of the credible antivirus/anti-spam providers have already updated their systems to detect and prevent this malware, but because variations are emerging, it is difficult for providers to stay current with real-time fixes (i.e., zero-hour protection).

If your networks have already been impacted, consider the following:
- Restore your data from backup.
- Obtain legal advice on whether you should pay the ransom.
- Focus on patch and antivirus updates.
Cyberinsurance continues to play a central role in managing cyber risk and protecting your organisation’s balance sheet. In addition to cyber liability insurance policies, there may be some coverage under kidnap and ransom or property policies. Coverage may be available for the cost of legal counsel, computer forensics, data restoration, business interruption and the ransom itself. Most policies require notification to the insurer as soon as practicable or within a set period of time, and also require consent before engaging outside vendors or incurring expense. It is therefore imperative to address this step immediately upon discovery of an attack.
This type of attack, if not addressed quickly and effectively, could have far-ranging consequences to an organisation’s net income, network functionality and critical data.
Please contact us should you wish to discuss cyber liability insurance or if you have any questions relating to this incident or to report a claim.