Ransomware attacks just went big time. In a period of mere hours late last week, a global ransomware attack infected more than 200,000 computers and affected more than 100,000 organizations in over 150 countries. To put this attack in perspective, researchers estimate that there were about 4,000 ransomware attacks per day in 2016. The spread of this variant was slowed when a researcher registered a hard-coded domain that the malware checks before it runs (an unintended kill switch), but that is a temporary reprieve: variants without the check have already been reported.

This attack has created systemic failures across a number of critical industries in Europe—including health care and telecommunications—triggering the first-ever use of EU-wide cyberattack response mechanisms. Although the United States appears to have fared far better, now is the time for all organizations to ensure that they have taken appropriate steps to prevent and respond to a ransomware attack directed at networked computers.

A little background on the WannaCry attack may help. In general, a ransomware attack involves launching malware onto a computer or mobile device that encrypts files on the device (and possibly on any network shares it can reach) and holds them hostage until the victim pays a "ransom" for the decryption key. The malware in last week's attack, known as "WannaCrypt," "WannaCry," or "Wana Decryptor," was initially reported to have arrived primarily through spear phishing emails, although subsequent analysis has not confirmed a phishing lure. What is clear is how it spread: it scanned for Windows hosts reachable on the SMB file-sharing port (TCP 445), both on the internet and on local networks, and exploited a vulnerability in the SMBv1 protocol that Microsoft had patched in March 2017 in security bulletin MS17-010. Systems that had not applied that patch, or that still ran unsupported versions such as Windows XP and Server 2003 (for which Microsoft issued an emergency patch during the attack), were infected without any action by the user.

Thus, instead of infecting just one computer, this variant infected every unpatched Windows computer it could reach from an infected one, whether on the same local network or directly over the internet. Worm-capable ransomware of this kind is far more dangerous than the email-borne variety and is becoming more common. The incident illustrates that an organization's security is only as good as its least-maintained networked host: a single unpatched machine exposing SMB gave the worm a foothold from which it could reach every other vulnerable system. It also shows that cybersecurity budget does not equate with security if organizations fail to practice basic cyber hygiene, such as quickly patching critical vulnerabilities in operating systems, retiring unsupported software, and segmenting networks so that one compromised host cannot reach every other.

Organizations evaluating their level of preparedness to prevent and respond to ransomware attacks should consider the following:

  • Determine whether your organization has cyber insurance that covers ransomware attacks. Not all cyber insurance policies cover these types of attacks, which are expected to increase significantly. Verify that you are covered against first- and third-party losses.

  • Train all device users on recognizing and avoiding the most common malware attack vectors. This includes spear phishing emails, other social engineering-based attacks, and drive-by downloads (where a compromised or malicious website exploits a vulnerability in the browser or a plug-in to install malware without the user doing anything beyond visiting the page). Test users with simulated phishing campaigns and track the results over time.

  • Build a resilient backup regime: at least daily backups of all business-critical data, with at least one copy stored offline or otherwise unreachable from the production network. Ransomware routinely encrypts any backup share or mapped drive it can write to, and a worm that propagates across the local network makes a continuously connected backup server an easy casualty. Test restores routinely, not just the backup jobs, and confirm that the recovery time is acceptable to the business.

  • Implement robust anti-malware technical controls, including:

    • Patching critical vulnerabilities in operating systems, firmware, applications, and browsers promptly, ideally automatically. For WannaCry the relevant fix was MS17-010, released in March 2017; where a legacy system cannot be patched, disable SMBv1 and block TCP ports 139 and 445 at the perimeter and between network segments until the system can be retired;

    • Disabling Office macros by Group Policy or, at a minimum, blocking macros in documents downloaded from the internet or received as attachments, and allowing only digitally signed macros where a business process requires them;

    • Sandboxing email attachments to identify malicious files;

    • Deploying intrusion detection and prevention systems;

    • Constantly updating anti-virus and anti-malware software;

    • Limiting software downloads to trusted sites/providers;

    • Enforcing strong password policies;

    • Using multi-factor authentication for remote access;

    • Protecting domain credentials (for example, never using domain administrator accounts for day-to-day work or on ordinary workstations, so that one infected machine does not yield credentials that unlock the rest of the network);

    • Restricting user access based on the principle of least privilege; and

    • Encrypting personal data at rest, since many breach-notification statutes exempt data that was encrypted when accessed. Note that encryption at rest does not by itself stop ransomware running on a live system from reading or re-encrypting files, so it complements rather than replaces the controls above.
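As an added example that is not part of the original alert, the PowerShell below audits a Windows host for the conditions WannaCry exploited and applies the technical controls listed above that can be set on the host itself: MS17-010 patch state, the SMBv1 server, inbound TCP 445, and Office macro policy. The cmdlet names, registry values and KB numbers are Microsoft's; the function names, the choice to restrict the firewall rule to the Public profile, and the decision to disable macros outright rather than allow signed ones are this example's own assumptions. It assumes Windows 8.1/Server 2012 R2 or later, PowerShell 5.1 and an elevated session; in a domain the macro settings would normally be pushed by Group Policy rather than written to the local registry.

```powershell
# Added example (not from the original alert): audit a Windows host for the
# controls that would have blunted WannaCry, and optionally apply them.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, PowerShell 5.1, elevated session.

# MS17-010 package IDs as published by Microsoft in March 2017 (security-only and
# monthly rollup). A host that has since taken a later cumulative update will not
# list these, so treat a miss as "verify by build/file version", not as "unpatched".
$Ms17010Kbs = @(
    'KB4012598',                            # Windows XP / Server 2003 / Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Get-WannaCryExposure {
    # Return one object summarising this host's exposure to SMBv1 worm propagation.
    # On Server editions SMB1 is a role feature (FS-SMB1, see Get-WindowsFeature);
    # Set-SmbServerConfiguration below is the switch that works on both client and server.
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smbServer   = Get-SmbServerConfiguration
    $patch       = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
    $listening   = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Smb1FeatureInstalled = ($smb1Feature.State -eq 'Enabled')
        Smb1ServerEnabled    = $smbServer.EnableSMB1Protocol
        Ms17010Listed        = [bool]$patch
        Ms17010Kbs           = (@($patch | ForEach-Object HotFixID) -join ',')
        Listening445         = [bool]$listening
    }
}

function Disable-Smb1 {
    # Turn off the SMBv1 server (the protocol EternalBlue targeted) and remove the feature.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmbOnPublicNetworks {
    # Assumption of this example: block inbound 445 only on the Public profile, so a
    # laptop on hotel or coffee-shop Wi-Fi cannot be reached, without breaking
    # file sharing on the corporate (Domain) profile.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Block inbound TCP 445 on Public profile')) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - Public' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

function Set-OfficeMacroPolicy {
    # Write the same registry values the Office Group Policy templates set.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$OfficeVersion = '16.0')   # 16.0 = Office 2016 and later; 15.0 = Office 2013
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, 'Set macro policy')) {
            New-Item -Path $key -Force | Out-Null
            # VBAWarnings: 4 = disable all macros without notification (chosen here);
            # 3 = allow only digitally signed macros, for processes that need them.
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
            # Block macros in files carrying the Mark-of-the-Web (downloads, mail attachments).
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
    }
}

# Audit first; the remediation functions honour -WhatIf so the change can be previewed.
Get-WannaCryExposure | Format-List
# Disable-Smb1 -WhatIf
# Block-InboundSmbOnPublicNetworks -WhatIf
# Set-OfficeMacroPolicy -WhatIf
```

Run the audit across a fleet with Invoke-Command and collect the objects centrally; a host reporting Smb1ServerEnabled true and Ms17010Listed false with Listening445 true is the profile WannaCry exploited and should be prioritised for patching or isolation.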

  • Ensure that your incident response plan includes an effective and tested strategy for ransomware attacks. Points to consider include:

    • Training incident responders and users on immediate steps to take upon detection of a ransomware attack. This should include protocols for isolating an infected device from the network (unplugging the network cable or disabling Wi-Fi rather than powering it off, since powering off destroys volatile evidence and, for some ransomware families, the key material in memory that may allow recovery) and, where propagation across the network is under way, for disabling network links or shutting down segments to stop it.

    • Establishing both internal and external response teams that are experienced in responding to ransomware attacks.

    • Defining thresholds for activating a scalable internal and external incident response team appropriate to the needs of the particular incident.

    • Outlining key containment, remediation, and investigative steps based on scenarios built around known attacks and malware. This should include steps to contain, analyze, and eradicate the malware; identify, block, and log traffic between infected hosts and the malware's command-and-control servers; identify the propagation path (for WannaCry, SMB connections on TCP 445 from infected hosts to their neighbors) so that it can be cut off; remediate the vulnerabilities the malware targeted before reconnecting systems; catalog all investigative steps and preserve all relevant evidence; and restore data, devices, and systems to return to normal business operations as quickly as possible.

    • Creating escalation thresholds for internal notification of different levels of management, the board of directors, business units, employees, partners, and other impacted parties.

    • Creating escalation thresholds for external notification of business partners/supply chain, customers, the media, governmental entities (including law enforcement agencies and regulators), and others who may be impacted.

    • Preparing alternate communications, operations, and investigative protocols and infrastructure for use during an attack that compromises or disables devices, data, or systems. This should include a means of obtaining and implementing alternate hardware, software, communications systems, and work sites to maintain or restore business operations and investigative activities.

    • Defining under what, if any, circumstances your organization will negotiate with attackers or pay a ransom. This should include identifying all necessary decisionmakers, setting amount limits, and establishing a means of obtaining and making payment in virtual currency. The decision should account for the fact that law enforcement discourages payment, that payment does not guarantee a working decryptor (WannaCry's payment handling gave victims no reliable way to prove they had paid), and that payments to sanctioned persons can create separate legal exposure.

    • Aligning related policies and procedures to account for ransomware-based interruption of operations or services; destruction of data, devices, or other equipment; and preservation of all evidence of the attack.

    • Preparing internal and external communications plans to address foreseeable ransomware incidents.

    • Cataloging all legal obligations and rights under statute, regulation, contract, and common law in the event of a ransomware attack, including notification obligations to regulators and impacted parties.

    • Testing your incident response plan under simulated attack conditions.

  • Irrespective of whether your organization is victimized, incorporate lessons learned for malware-based attacks to improve proactive defenses and incident response.
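As an added example that is not part of the original alert, the PowerShell below implements the detection step that the incident response points above call for: spotting a host that is fanning out to TCP 445 on many internal addresses in a short window, which is how a worm such as WannaCry moves across a local network. It parses Windows Firewall log lines (the pfirewall.log format, whose field order is Microsoft's); the sample lines are constructed for illustration, and the threshold of 20 distinct targets in 60 seconds and the function name are this example's own assumptions to be tuned to the network in question.

```powershell
# Added example (not from the original alert): flag sources that connect to TCP 445
# on many distinct destinations within a short window, the propagation pattern of an
# SMB worm. Input: Windows Firewall log lines (pfirewall.log):
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
# Threshold and window are assumptions; tune them to the size of your subnets.

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $MinDistinctTargets = 20,   # assumed threshold
        [int] $WindowSeconds      = 60    # assumed window
    )
    # Keep only TCP connections to port 445; skip header/comment lines.
    $events = foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: starting at each event, count distinct destinations reached
        # within WindowSeconds. One alert per source is enough for triage.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end     = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $window  = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end })
            $targets = @($window.Dst | Sort-Object -Unique)
            if ($targets.Count -ge $MinDistinctTargets) {
                [pscustomobject]@{
                    Source          = $group.Name
                    WindowStart     = $sorted[$i].Time
                    DistinctTargets = $targets.Count
                    SampleTargets   = (($targets | Select-Object -First 5) -join ',')
                }
                break
            }
        }
    }
}

# Constructed sample log: 10.0.5.23 sweeps 10.0.5.1-10.0.5.25 on 445 within 25 seconds
# (worm-like); 10.0.5.40 talks only to the file server 10.0.5.200 (benign).
$sample = @('#Version: 1.5', '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$sample += 1..25 | ForEach-Object {
    '2017-05-12 10:15:{0:D2} ALLOW TCP 10.0.5.23 10.0.5.{1} {2} 445 0 - 0 0 0 - - - SEND' -f $_, $_, (49000 + $_)
}
$sample += 1..3 | ForEach-Object {
    '2017-05-12 10:15:{0:D2} ALLOW TCP 10.0.5.40 10.0.5.200 {1} 445 0 - 0 0 0 - - - SEND' -f (10 * $_), (50000 + $_)
}

Find-SmbFanOut -LogLines $sample | Format-Table -AutoSize
```

Against the constructed sample only 10.0.5.23 is reported. In production, feed the function the firewall logs of workstations (or the equivalent flow records from switches or a network sensor) and route any hit straight into the isolation protocol described above; legitimate hosts such as vulnerability scanners and backup servers will also fan out on 445 and belong on an allow list.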

Members of Ballard Spahr's Privacy and Data Security Group regularly assist clients with cyber incident planning and response, crisis management, investigations, and litigation.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
