If anything could possibly be more disturbing than a ransomware attack dubbed the biggest in history, it would have to be that the attack might not be over.
The infamous WannaCry ransomware has reportedly hit more than 300,000 victims in 150 countries since the end of last week, locking up computers and demanding that a ransom be paid to render them functional again. But what makes this particular piece of ransomware unusual is that it was paired with a worm, Europol Director Rob Wainwright said on ITV last week. What that means is that once one computer in your network is infected, the malware can spread on its own to other vulnerable machines it can reach, without anyone opening an attachment or clicking a link.
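The worm behaviour Wainwright describes has a network signature a defender can look for. WannaCry's worm component spread by probing other machines over the SMB file-sharing service (TCP port 445), so an infected host fans out connections to many distinct peers within seconds, whereas a normal user's machine talks to the same one or two file servers repeatedly. The following is an added example, not code from the article or from any organization named in it: it runs a simple fan-out check over a few constructed firewall-style log lines (the format, timestamps and addresses are made up for illustration) and flags the source that contacts many distinct hosts on port 445 inside a short window. Both allowed and denied attempts are counted, because a scan that is mostly blocked is still a scan.

```python
"""Flag hosts that fan out SMB (TCP/445) connections to many distinct peers.

Added illustration of worm-style lateral spread detection; not tooling from
the article. The log format and every address below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp src dst dport action"
# export format (not a real vendor format). 10.0.1.15 is a normal workstation
# using one file server; 10.0.1.33 probes ten neighbours in five seconds;
# 10.0.1.40 is HTTPS traffic and must be ignored by a port-445 check.
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T09:00:05 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T09:01:10 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T09:02:00 10.0.1.33 10.0.1.1 445 ALLOW
2017-05-12T09:02:01 10.0.1.33 10.0.1.2 445 DENY
2017-05-12T09:02:01 10.0.1.33 10.0.1.3 445 DENY
2017-05-12T09:02:02 10.0.1.33 10.0.1.4 445 ALLOW
2017-05-12T09:02:02 10.0.1.33 10.0.1.5 445 DENY
2017-05-12T09:02:03 10.0.1.33 10.0.1.6 445 DENY
2017-05-12T09:02:03 10.0.1.33 10.0.1.7 445 DENY
2017-05-12T09:02:04 10.0.1.33 10.0.1.8 445 DENY
2017-05-12T09:02:04 10.0.1.33 10.0.1.9 445 DENY
2017-05-12T09:02:05 10.0.1.33 10.0.1.10 445 ALLOW
2017-05-12T09:03:00 10.0.1.40 10.0.1.20 443 ALLOW
2017-05-12T09:03:01 10.0.1.40 10.0.1.21 443 ALLOW
"""


def parse_line(line):
    """Parse one log line into (ts, src, dst, dport, action); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        port = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], port, parts[4]


def smb_fanout(log_text, port=445, window=timedelta(seconds=60)):
    """Return {src: max number of distinct dsts contacted on `port` in any `window`}.

    Distinct destinations, not connection count, is the signal: a user hitting
    the same file server all morning is normal, one host touching many peers
    in a minute is not. Denied connections count too.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        events[rec[1]].append((rec[0], rec[2]))

    result = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        # Sliding window anchored at each event; fine for a small sample.
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, dst in evs[i:]:
                if t - t0 > window:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        result[src] = best
    return result


def find_scanners(log_text, threshold=8, **kw):
    """Sources whose fan-out reaches `threshold` distinct peers inside one window."""
    return sorted(src for src, n in smb_fanout(log_text, **kw).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in sorted(smb_fanout(SAMPLE_LOG).items()):
        print(f"{src}: {n} distinct SMB peers in a 60s window")
    print("worm-like sources:", find_scanners(SAMPLE_LOG))
```

The threshold and window are tuning knobs: on a real network, set them from a baseline of how many distinct SMB peers a workstation normally touches, and exclude known scanners such as vulnerability-management hosts before alerting.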
He noted that many of the victims “will be businesses, including large corporations.”
According to Wainwright, few banks in Europe were affected because they have taken steps to fortify their networks after being frequent targets of cybercriminals. However, healthcare providers, like the National Health Service in the UK, were not so lucky. Europol is concerned that the healthcare sectors in many countries, which store sensitive data, are particularly vulnerable.
In addition to health systems, corporations like Nissan and FedEx have been hit, as have a number of universities and gas stations in China, Spanish telco Telefonica and the Deutsche Bahn railway in Germany. Russia was hit particularly hard, with the Russian Central Bank, the Russian Interior Ministry, Russian Railways and the telco Megafon all being impacted to varying degrees. While all four entities indicated that the situation is under control, Kaspersky Lab told The New York Times that the ransomware hit more computers in Russia than anywhere else.
Brad Smith, president and chief legal officer at Microsoft, criticized the U.S. National Security Agency for the critical role it played in WannaCry’s emergence, the Los Angeles Times reported. The NSA discovered a vulnerability in the Windows operating system and built an exploit for it; that exploit was stolen by hackers and published online.
Microsoft released a security update in March that patches the vulnerability (the flaw is in the SMBv1 file-sharing service, and the worm uses it to reach other machines), but many large companies still haven’t applied it. Smith called out companies for sitting on this crucial update for two months. “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” he said.
Although the ransomware slowed down on Friday, experts warned that more systems could be hit when employees returned to work Monday. It is still unclear at this point whether attacks ramped back up this week. But Europol said over the weekend that a new strain of the ransomware had been discovered.
“Friday’s attacks are a reminder of cyberrisk’s mounting scope and scale and it’s clear individuals, families, and groups of all sizes regardless of industry or location can expect escalating activity for several years more with increasingly climactic-like events before cybercriminals lose their edge and the cycle finally turns,” said Brad Deflin, president and founder of Total Digital Security, who spoke on cybersecurity at the 2016 AFP Annual Conference.
Wainwright told CNN that authorities will craft a decryption tool for WannaCry “eventually,” but for now, “it’s still a live threat and we’re still in disaster recovery mode.”
The topic of ransomware came up last week during the latest meeting of AFP’s Treasury Advisory Group. Sassan Parandeh, CTP, global treasurer of ChildFund International, asked the other members of the group if they have experienced ransomware attacks. “It’s beyond having insurance to compensate you, and it’s beyond having IT protect you against ransomware—when these people hold your data hostage, they want to be paid by bitcoin only,” he said. “Do you have a corporate policy in treasury to respond to that and act legally, rather than pay an organization in Russia in bitcoin?”
Although ChildFund has never experienced these types of attacks, the non-governmental organization has had in-depth discussions about it. “Our treasury has indicated that if this ever happens, we cannot process payment to a cyber-terrorist,” Parandeh said. “If it ever did happen, in order to comply with the Patriot Act, we’d have to refuse to pay the ransom and instead just abandon the infected devices. It’s one of the issues that is on our minds all the time.”
Another treasurer present noted that insurance companies do provide insurance for ransomware, but organizations who invest in it run into the same complications as they do when they purchase policies for kidnapping and ransom. “The insurance company says, ‘We’ll cover you, but you need to hire a hostage negotiator.’ And once everything has been negotiated, the terrorist still has to be paid in a method that is clear and visible and follows U.S. laws. It’s a contradiction,” he said.
A third treasurer remarked that these are issues most corporate practitioners don’t have to worry about. Bear in mind that this conversation took place Wednesday. WannaCry was discovered on Friday.