Worldwide ransomware attack cripples hospitals, schools and businesses
On Friday, May 12, 2017, a global cyberattack using ransomware known as WannaCry afflicted organizations in as many as 150 countries, including the United States. As a result, hospitals, universities, and businesses were unable to access critical data and experienced significant interruptions to their operations. This cyberattack highlights the escalating threat that ransomware poses to both small and large entities across various industries.
Ransomware attacks are a form of cyber-extortion in which the attacker freezes organizations' access to their electronic data files by "locking" them through encryption until a ransom is paid. According to the United States Computer Emergency Readiness Team (US-CERT), ransomware is "frequently delivered through phishing emails," and it often "exploits unpatched vulnerabilities in software."[1] Organizations under attack typically see a ransomware message on their computer screens that resemble the image above.
The impact of ransomware attacks on organizations relying on significant data to sustain their everyday business processes can be devastating. In the United Kingdom, for example, National Health Service hospitals that experienced the WannaCry ransomware attack could not access patient records, appointment schedules, and internal email systems. Many hospitals were forced to delay their provision of health care services to patients.[2]
The source of the WannaCry cyberattacks is currently unknown. It is widely understood, however, that the WannaCry ransomware variant takes advantage of an exploit of certain Microsoft Windows operating systems. The exploit, known as "Eternal Blue," was apparently developed by the U.S. National Security Agency (NSA) and was among those cyberattack tools stolen from the NSA and leaked online by a hacking group called the Shadow Brokers.[3] Eternal Blue targets a vulnerability in Microsoft Windows's use of Server Message Block (SMB), a network file sharing protocol. Seizing on the External Blue exploit, WannaCry automatically spread through file-sharing infrastructure and rapidly infected organizations around the globe. Eventually, a cybersecurity researcher in the United Kingdom inadvertently discovered a "kill-switch" that many hope will curtail the spread of the malware.[4]
Although Microsoft disseminated a security update in March 2017 to resolve the SMB vulnerability in several Microsoft Windows versions, many organizations throughout the world had not installed the security patch before the WannaCry ransomware attacks occurred. Further, organizations that still ran end-of-life operating systems for which Microsoft no longer offered security updates, such as Windows XP, Windows 8, and Windows Server 2003, were particularly susceptible to the ransomware attacks. In response to the unprecedented nature and scale of the WannaCry attacks, Microsoft has taken the "highly unusual step" of releasing public security patches for these obsolete operating systems.
It is highly possible that WannaCry or another variant of the ransomware will continue to wreak havoc on organizations worldwide. Stephen Jones, Director of Managed Services at Guide Point Security LLC, a cybersecurity firm based in Virginia, makes the following recommendations for safeguarding networks in light of the WannaCry attacks:
• Ensure all systems have been updated to the latest patch available from Microsoft. The patch specific to the Eternal Blue exploit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and it eliminates initial infection vectors.
• Block certain TCP ports at perimeter firewalls to halt the flow of SMB traffic - specifically, TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139 for all boundary devices.
• Create and maintain offline backups of critical data, which will reduce the amount of damage a crypto-ransomware attack is capable of inflicting.
• Ensure your anti-virus definitions are up-to-date.
• If possible, use application whitelisting to prevent unknown/untrussed applications from running.
The U.S. federal government has advised organizations that experience ransomware attacks to immediately:[5] • Contact your FBI Field Office Cyber Task Force to report the ransomware event and request assistance.
• Report the incident to the US-CERT and FBI's internet Crime Complaint Center.
• Implement your security incident response and business continuity plan. Organizations should ensure they have appropriate backups, so their response is simply to restore the data from a known clean backup.
Additionally, the federal government has generally taken the position that affected organizations should not pay the ransom. As the US-CERT notes, "Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed." [6] Organizations hoping to regain access to their data by paying the ransom should keep in mind that cyber-attackers do not always follow through on their promises. However, whether to pay the ransom in a ransomware situation is always a business decision that must be evaluated on a case-by-case basis, after assessing the specific facts and circumstances.
Ice Miller's Data Security and Privacy Practice, led by lawyers with legal expertise and technology backgrounds and certifications, is available to assist your organization with preventing and responding to ransomware and similar cyberattacks. Specifically, Ice Miller's team can assist you with the following:
• Educating your employees on ransomware attacks to reduce risk, as well-trained employees are often the first line of defense to these attacks.
• Working with your organization's technical resources to implement cybersecurity best practices to minimize the risk of a successful ransomware attack.
• Building an incident response plan for your hospital that properly handles these types of events and assisting an organization in testing existing incident response plans.
Reviewing insurance policies for alignment with emerging cybersecurity risks, including ransomware and cyber-extortion.
• Providing legal guidance in the aftermath of an incident and helping your organization to respond appropriately and minimize legal risk associated with the cyberattack.
•Ice Miller's Data Security and Privacy Practice helps educate and train clients on data security best practices to address and mitigate risks. Stephen Reynolds, a former computer programmer and IT Analyst, is partner and co-chair of the practice. Stephen can be reached at stephen.reynolds@icemiller.com or (317) 236-2391. Kim Metzger is a partner concentrating her practice in drug and device litigation and data security and privacy and is a Fellow of Information Privacy through the International Association of Privacy Professionals. Kim can be reached at kimberly.metzger@icemiller.com or (317) 236-2227. Deepali Doddi, an associate, is a former HIPAA investigator with the U.S. Department of Health and Human Services and counsels clients on various privacy and data security matters, including security incident response. Deepali can be reached at deepali.doddi@icemiller.com or (312) 726-7134. This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
Footnotes:
[1] United States Computer Emergency Readiness Team (US-CERT), "Alert (TA17-132A): Indicators Associated with WannaCry Ransomware."
[3] See https://www.nytimes.com/reuters/2017/05/13/technology/13reuters-britain-security-hospitals-nsa.html
[5] U.S. Department of Health and Human Services, Office for Civil Rights, "HHS Update: international cyber threat to health care organizations," Listserv Announcement, May 13, 2017; U.S.-CERT Alert (TA17-132A): Indicators Associated with WannaCry Ransomware."
[6] U.S.-CERT Alert (TA17-132A): Indicators Associated with WannaCry Ransomware."