Alert
By James P. Bobotek
05.19.17
On May 12, a massive ransomware cyber-attack infected over 100,000 computers in more than 150 countries. This malware, a Trojan virus known as “WannaCry,” “WanaCryptor,” or “Wcry,” encrypts files, and then threatens to destroy them, unless the victim pays a ransom. As of May 14, WannaCry had victimized at least 200,000 users in more than 100,000 organizations, including the UK’s National Health Service, global shipper FedEx, Chinese universities, Russia’s Interior Ministry, Telefonica, Gas Natural and Iberdrola, and Renault. The attack, which continues to spread, reinforces the need to procure cyber insurance, and to ensure that coverage extends to exposures resulting from ransomware attacks.
What is WannaCry?
WannaCry takes advantage of a vulnerability in older versions of Windows, including Windows 7 and Windows XP. In March, after the NSA discovered the “EternalBlue” exploit that would later be used by WannaCry, Microsoft issued a security update that prevents WannaCry and other malware from affecting computers and networks using Windows 7. However, many Microsoft users did not install the patch. Further aiding the hackers is the fact that, while Microsoft no longer supports Windows XP, many still use it. In addition, as is common in some Asian countries, some users run pirated versions of Windows and are afraid to run updates and risk discovery. As a result, computers without security patches for the various Windows versions in use are common in some areas, and easy prey for WannaCry.
Those in control of WannaCry seek ransom payments in the form of Bitcoin. The initial ransom demand starts at $300, with a threatened increase to $600 if not paid within 3 days. The hackers claim that, absent payment within 7 days, the encrypted files will be deleted and all data not backed up elsewhere will be forever lost.
WannaCry is indiscriminate in its end product. It does not focus on a distinct target or trade. Even worse, it is designed to spread throughout systems that have not taken appropriate defensive measures. Remarkably, it can spread through networks without users taking any action.
What Is Ransomware?
Ransomware is a form of malicious software that penetrates computer systems or networks and uses tools like encryption to deny access or hold data hostage until the target pays a ransom, frequently in Bitcoin. A ransomware attack is typically delivered via an e-mail attachment, which could be an executable file, an archive or an image. Once the attachment is opened, the malware is released into the user’s system. Ransomware can take the form of encryption (of individual PCs or a server), a lock screen, or a mobile-device infection (typically affecting Android devices).
The infection is not immediately apparent to the user. The malware operates silently in the background until the encryption mechanism is deployed. Then, a dialogue box appears that tells the user the data has been locked and demands a ransom to unlock it again. By then it is too late to save the data through security measures.
Ransomware attacks are on the rise (there are now more than 50 families of this malware in circulation), and the malware is quickly evolving. With each new variant comes better encryption and new features. This is not something to ignore. One of the reasons it is so difficult to find a single solution is that encryption in itself is not malicious. In fact, many benign programs use it.
Do Not Despair—There Is an Insurance Product that Covers Many Ransomware Damages.
The necessity of cyber insurance in some form or another cannot be questioned today. Most cyber insurance policies offer various grants of coverage on an à la carte basis. One of these grants is commonly referred to as “cyberextortion” or “ransomware” coverage. Typically, this coverage will pay for: (i) the money necessary to meet the ransom demand; (ii) the costs of a consultant or expert to negotiate with the extortionist; and (iii) the costs of an expert to stop the intrusion and block future extortion attempts. Another commonly available coverage, typically referred to as “business interruption” or “time element” coverage, may cover lost business income arising from an attack.
What Should You Do if You Are the Victim of a Ransomware Attack?
What Can You Do to Prevent a Ransomware Attack?
Don’t Let It End in Tears.
Aside from enterprise risk management endeavors such as vigilance, secure data backup to media not connected or mapped to a live network, disabling macros, and diligent installation of software updates and patches, inclusion of cyberextortion coverage as part of your cyber insurance program is not only recommended, but is gaining acceptance as a best practice in today’s commercial risk management world. Not having it in today’s world will surely make you WannaCry.