On May 12, a massive ransomware cyber-attack infected over 100,000 computers in more than 150 countries. This malware, a Trojan virus known as “WannaCry,” “WanaCryptor,” or “Wcry,” encrypts files, and then threatens to destroy them, unless the victim pays a ransom. As of May 14, WannaCry had victimized at least 200,000 users in more than 100,000 organizations, including the UK’s National Health Service, global shipper FedEx, Chinese universities, Russia’s Interior Ministry, Telefonica, Gas Natural and Iberdrola, and Renault. The attack, which continues to spread, reinforces the need to procure cyber insurance, and to ensure that coverage extends to exposures resulting from ransomware attacks.
What Is WannaCry?
WannaCry takes advantage of a vulnerability in older versions of Windows, including Windows 7 and Windows XP. In March, after the NSA discovered the “EternalBlue” exploit that would later be used by WannaCry, Microsoft issued a security update that prevents WannaCry and other malware from affecting computers and networks using Windows 7. However, many Microsoft users did not install the patch. Further aiding the hackers is the fact that, while Microsoft no longer supports Windows XP, many still use it. In addition, as is common in some Asian countries, some users are running pirated versions of Windows and are afraid to run updates and risk discovery. As a result, computers without security patches for the various Windows versions in use are common in some areas, and easy prey for WannaCry.
Those in control of WannaCry seek ransom payments in the form of Bitcoin. The initial ransom demand starts at $300, with a threatened increase to $600 if not paid within 3 days. The hackers claim that, absent payment within 7 days, the encrypted files will be deleted and all data not backed up elsewhere will be forever lost.
WannaCry is indiscriminate: it does not focus on a distinct target or trade. Even worse, it is designed to spread throughout systems that have not taken appropriate defensive measures. Remarkably, it can spread through networks without users taking any action.
What Is Ransomware?
Ransomware is a form of malicious software that penetrates computer systems or networks and uses tools like encryption to deny access or hold data hostage until the target pays a ransom, frequently in Bitcoin. A ransomware attack is typically delivered via an e-mail attachment, which could be an executable file, an archive or an image. Once the attachment is opened, the malware is released into the user’s system. Ransomware can take the form of encryption malware (on individual PCs or a server), a lock screen, or a mobile-device variant (typically affecting Android devices).
The infection is not immediately apparent to the user. The malware operates silently in the background until the encryption mechanism is deployed. Then, a dialogue box appears that tells the user the data has been locked and demands a ransom to unlock it again. By then it is too late to save the data through security measures.
Ransomware attacks are on the rise—there are now more than 50 families of this malware in circulation—and the malware is quickly evolving. With each new variant comes better encryption and new features. This is not something to ignore. One of the reasons it is so difficult to find a single solution is that encryption in itself is not malicious. In fact, many benign programs use it.
Do Not Despair—There Is an Insurance Product that Covers Many Ransomware Damages.
Cyber insurance in some form or another has become a necessity today. Most cyber insurance policies offer various grants of coverage on an à la carte basis. One of these grants is commonly referred to as “cyberextortion” or “ransomware” coverage. Typically, this coverage will pay for: (i) the money necessary to meet the ransom demand; (ii) the costs of a consultant or expert to negotiate with the extortionist; and (iii) the costs of an expert to stop the intrusion and block future extortion attempts. Another commonly available coverage, typically referred to as “business interruption” or “time element” coverage, may cover lost business income arising from an attack.
What Should You Do if You Are the Victim of a Ransomware Attack?
- Notify your insurers immediately. Some cyber insurance policies provide coverage only for costs incurred after the insured notifies the insurance company. Some policies also require that the policyholder inform the applicable law enforcement agency and obtain the insurer’s consent before making any ransom payment. Therefore, despite the urge to move swiftly in response to this crisis, we recommend policyholders understand and comply with the notice provisions of their policies in order to preserve their right to insurance coverage.
- Consider whether you will pay the demanded ransom. Paying the ransom is tempting, but there is no guarantee that paying will actually lead to your files being decrypted. In addition, you are supporting the criminal’s business model and thus are partly responsible for more and more people getting infected with ransomware.
- Document your losses. Properly documenting your losses is crucial. Establish separate accounts to track losses, including any extra expenses, professional fees, mitigation costs, and other expenses associated with the attack. Keep a log of all actions taken. Save all receipts and other records of additional expenses.
- Engage experts. It is usually prudent to engage professional claim consultants, such as forensic accountants, particularly where there is business interruption loss. Additional experts may be needed to model the unique financial aspects of your business. Their professional fees and other mitigation expenses are frequently covered under cyber/privacy policies, subject to sub-limits, and usually subject to carrier pre-approval. It is also a good idea to retain an experienced insurance coverage lawyer, not just when you need an advocate, but to help you protect the privileged nature of your communications and to avoid many of the traps for the unwary when presenting your insurance claim. Counsel may work in the background, without revealing their involvement to carriers. Carriers usually do the same thing. Cooperate with the insurance company adjuster, but don’t forget they work for your insurer, not for you. If you need an advocate, hire your own.
What Can You Do to Prevent a Ransomware Attack?
- Confirm that all of your computers and networks are current with security updates. Windows users should confirm they have the latest Windows security updates installed, and should only use fully-supported software. Failure to do so could impact coverage under many policies.
- Implement application “whitelisting.” Only allow systems to execute programs known and permitted by your security policy.
- Secure backup. Make certain that you have secure data backup to media not connected or mapped to a live network.
- Implement incident response plans. Address distributed ransomware attacks and perform “tabletop” exercises tailored to ransomware scenarios.
Don’t Let It End in Tears.
Aside from enterprise risk management endeavors such as vigilance, secure data backup to media not connected or mapped to a live network, disabling macros, and diligent installation of software updates and patches, inclusion of cyberextortion coverage as part of your cyber insurance program is not only recommended, but is gaining acceptance as a best practice in today’s commercial risk management world. Not having it in today’s world will surely make you WannaCry.