On May 12, 2017, media outlets began reporting a widespread cybersecurity event involving the ransomware known as "WannaCry" (also known as "WCry" or "Wanna Decryptor"). The same day, the U.S. Department of Homeland Security published National Cyber Awareness System Notice TA17-132A – Indicators Associated With WannaCry Ransomware (the "Notice"), which provides information on the attack. In this short bulletin, we provide high-level information about the outbreak and suggested considerations for organizations in Canada.
What is WannaCry?
The WannaCry ransomware has reportedly been spread primarily through sophisticated phishing emails that appear to contain legitimate file attachments. Such attachments, if opened, allow WannaCry to access victims' servers by exploiting a Windows vulnerability that Microsoft has reportedly known about, and flagged as critical, since mid-March. The initial infection may also have spread directly through vulnerabilities in certain defenses, without the need for a phishing email at all.
Once WannaCry gains access to a system, it encrypts the victims' files, leaving them inaccessible. WannaCry then demands that victims pay a Bitcoin "ransom" in order to have their files decrypted. The following screen pops up to the user on an infected computer:
[Image: the WannaCry ransom demand screen displayed on an infected computer]
Victims are warned that failure to pay the ransom within a specified time period will result in the permanent loss of their files. Various sources have reported that paying the ransom does not guarantee recovery of the encrypted files or the removal of WannaCry from affected systems.
WannaCry reportedly operates in approximately 27 languages and is currently responsible for hundreds of thousands of infections in 150 countries. As of the time of writing, the number of affected systems is expected to continue to grow, including in Canada.
According to the Notice, users cannot rely upon antivirus software alone to protect their systems against WannaCry. Windows users are urged to download the relevant Microsoft security patches and updates, although Microsoft has advised that "Those who are running Microsoft's free antivirus software or have Windows Update enabled are protected."
For additional information, see: ICS-CERT Releases WannaCry Fact Sheet.
Implications for Organizations
If your organization has not been affected, it is critical to consider performing an immediate audit to ensure that Microsoft patching has been performed in full, with particular emphasis on the vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. Microsoft released a "Critical" advisory, along with a patch to address this vulnerability, on March 14, 2017. Servers or computers running older Microsoft operating systems, including Windows XP, Vista, Windows Server 2008 and 2012, Windows 7, and Windows 8.1, should also be identified immediately. These older operating systems may still be running because of, for example, legacy applications and programs. Serious consideration should be given to replacing applications and programs that cannot run on upgraded and supported Windows systems.
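As an added illustration of the patch audit described above (this script is not part of the bulletin or of any Microsoft tooling), the following PowerShell snippet reports, for the host it runs on, the OS version, whether the SMBv1 server that WannaCry propagates through is still enabled, and whether one of the patches from Microsoft's March 14, 2017 SMB bulletin (MS17-010) is installed. It assumes Windows PowerShell 3.0 or later, and the `$RequiredKBs` list is a placeholder that must be filled in with the KB numbers the bulletin lists for this host's operating system.

```powershell
# Added audit helper (not from the bulletin): is this host still exposed to the
# SMB vulnerability WannaCry spreads through?
# ASSUMPTION: replace the placeholder below with the KB ids from MS17-010 for
# this host's OS version; as written it will never match an installed update.
param(
    [string[]]$RequiredKBs = @('KB<id-from-MS17-010-bulletin>')
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report = [ordered]@{
    Host           = $env:COMPUTERNAME
    OSName         = $os.Caption
    OSVersion      = $os.Version
    SMB1Enabled    = $null
    PatchInstalled = $false
    MatchedKB      = $null
}

# SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
# Server 2012 and later; on Windows 7 / 2008 R2 fall back to the documented
# LanmanServer registry value (absent or 1 = enabled, 0 = disabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $report.SMB1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $report.SMB1Enabled = ($null -eq $val) -or ($val -ne 0)
}

# Compare installed hotfixes against the required list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) {
        $report.PatchInstalled = $true
        $report.MatchedKB      = $kb
        break
    }
}

# Flag the host if it is unpatched or still has SMBv1 switched on.
$report.NeedsAttention = (-not $report.PatchInstalled) -or $report.SMB1Enabled
[pscustomobject]$report
```

Treat a negative hotfix result as a prompt to investigate rather than proof of exposure: a later cumulative update can supersede the original KB without that id appearing in Get-HotFix, so confirm against Windows Update history or your patch management system before concluding a host is unpatched.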
Organizations that have been affected by the attack must quickly decide how to respond and whether to pay the ransom. As with all ransomware threats, organizations must consider, among other things:
- initiating your Incident Response Plan;
- isolating the malware as soon as possible to prevent further spread across computers and networks;
- immediately conducting a competent and defensible investigation into the matter, including with the involvement of in-house or external legal counsel for potential protection of privilege in association with forensic analysis and communications, and the potential involvement of third party forensics experts with experience in ransomware attacks and payments;
- the vector/manner and scope of the attack, including whether the attack was perpetrated through a vulnerability which may give rise to broader considerations about the security of an organization (well beyond the immediate threat of the ransomware itself);
- assessing your backups, and the cost and time that may be associated with restoring operations and information from backups, including whether backups are sufficiently accurate and complete;
- the possibility that purchasing a decryption key to unlock the organization's data could introduce additional malware within the key itself;
- the opportunity to negotiate a ransom demand (particularly in large scale attacks), the risks associated with sharing information with attackers in paying a ransom as opposed to engaging experts to assist in making anonymous payments, as well as the potential for ransom demands to escalate;
- whether payment is being made to individuals or groups on prohibited watch lists;
- whether the organization has cyber extortion or other insurance coverage in respect of the investigation, ransom payment, and any potential third party liability, and making timely notification under any applicable insurance policies. Considerable care may need to be taken in managing notice and other requirements in relation to insurance policies - consider consulting with legal counsel, risk management and your insurance broker regarding the appropriate steps to consider; and
- whether to contact law enforcement regarding the matter.
Ultimately, while law enforcement generally advises against paying, organizations must also consider the risk that their data could be permanently lost, with consequential impacts on operations and individuals, and weigh the potential costs and downtime that could be associated with restoring information and operations from backups.
Legal Risk Management
In the course of the investigation and containment of an attack, organizations could also take the following steps:
- confirming whether there has been unauthorized access to confidential information held by your organization, including the personal information of clients, suppliers, or employees, as well as any strategic financial, commercial, scientific or technical information relating to third parties with whom you conduct business. Such access may not have occurred through the operation of the ransomware itself, but instead through the manner in which the attack was perpetrated;
- where it is determined that unauthorized access has occurred, assessing the degree of importance of any data the attackers may have accessed, whether they could be used to cause harm, and whether the organization is under contractual or legal obligations to notify affected individuals, other organizations or regulators;
- considering what steps can be taken to prevent such an attack from occurring in future (e.g., through enhanced security measures, backups, patches, improved employee training regarding phishing and related risks), and to better mitigate against the harms should such an attack take place; and
- developing effective internal and external communications to manage reputational and related considerations in the wake of an incident (including through the involvement of legal counsel), recognizing that a large number of employees in an organization often learn directly that the organization has been the subject of an attack (since the demand may pop up on their screen and they may be unable to work).
The current outbreak serves as an important reminder of the importance of planning for ransomware attacks. Organizations are well advised to have effective Incident Response Plans which include consideration of ransomware threats and how the organization would respond to such an attack.