WannaCry Attack FAQ

WannaCry Attack FAQ

img_blog-ransomware

Earlier this week, hackers released a new ransomware attack called WannaCry that quickly spread across the globe. This attack affected thousands of individuals and businesses worldwide and the damage ranged from causing significant interruptions in business operations to hardware failure, data loss and data theft. So far the estimated losses from ransomware attacks the year will be in the hundreds of millions. The following are some frequently asked questions concerning ransomware, including answers addressing potential legal implications for victims. If you have questions concerning this attack or other issues regarding data privacy and security, please contact Hodgson Consulting & Solutions at 847-906-5005 or email us at robertz@hodgsonconsulting.com.

What is ransomware and how does it work?

Ransomware is a type of malicious software (Malware) designed to block access to your computer system until a sum of money is paid. Ransomware is typically sent through a email infected with malware in an attachment or URL. If you open the email and/or attachment or click on the link embedded in the email, the malicious code encrypts all of the data in the computer or system. The hacker claims that the data can be decrypted with a key (a password) that only the hacker possesses. However, the hackers don’t always provide the key even if the victim pays a ransom. The hackers use scare tactics such as increasing the dollar amount requested as time passes. This creates a sense of panic and urgency in the victim, making them more likely to pay the ransom.

Are my systems vulnerable?

If you are using a Windows operating system that does not have the most current patch updates, yes you are vulnerable.

According to multiple reports, only machines operating Windows have been impacted. In addition, Microsoft has issued a press release indicating that recent security updates (issued in March 2017) would prevent this malware from being successful. It appears most of the victims were utilizing Windows computers with older software or had not yet had the opportunity to update their system. This vulnerability was made known to Microsoft only very recently.

Is this attack over?

NO. There were reports that the ransomware was stopped with a kill switch, however it was only slowed down. Companies should stay diligent and stay on top by keeping their systems up-to-date.

What can I do about this threat?

This past March, Microsoft released a patch for all supported of Windows. If you are on Windows XP, 8 or Server 2003, it is recommended that you have this latest security update installed. 
Although there's a kill switch, you can also whitelist the following domains:

  • www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Whitelisting should prevent your AV, URL Filters, and firewalls from blocking those addresses. You can also put the above-mentioned domain names on a system's hosts file and on the internal DNS servers to ensure that the kill switch servers never go silent but you must be certain that the machine(s) you point to are always available.

How do I protect my systems in the future?

  1. Back up your data. If you have all data backed up in another location, preferably offline or not connected to your main network, then there is no need to pay the ransom because you will be able to recover your data from another source.
  2. If you have not already done so, make sure that all software on your computers and servers are have the most current security update/patch installed. This should be done in consultation with your IT company since you may experience significant downtime implementing the patch.
  3. Educate your employees regarding the existence of this threat. This ransomware is particularly “contagious” and employees should be advised to avoid clicking links or emails from unknown sources, as it is currently believed that the ransomware is spreading at least in part through phishing emails.

What are the legal ramifications?

Illinois data breach law requires companies that are a victim of a “breach” to notify state regulators and individual victims under certain conditions. Whether targets of this most recent attack will be required to undertake any notification or reporting will depend, in the first instance, on applicable state law and in particular on the definition of “breach” in applicable law that triggers the notification obligation. It should be noted that the timelines for notification of state regulatory authorities can be very short. In New York, for example, it is only 72 hours for some entities. Therefore, victims will need to consult counsel quickly to understand their options and obligations.

With regard to federal regulation, the Department of Health and Human Services issued guidance in 2016 indicating their position that ransomware does constitute a breach under HIPAA. There are exceptions, however, so you should consult counsel before any formal notification. There may be other applicable regulations depending on the client; again, it is important to consult legal counsel regarding applicable state and federal law and obligations arising therefrom.

Whom should I notify? Should I pay the ransom?

Notify your IT consultant. There are security tools available to detect and remove ransomware. Also, make sure you have a current back up of your systems and data.

The FBI has very recently recommended that you do NOT pay the ransom. The FBI contends that paying the ransom encourages cybercriminals and also that there is no assurance that your data will be decrypted even if the ransom is paid. The FBI also requests that victims of ransomware notify their local FBI field office or the Internet Crime Complaint Center at www.IC3.gov. The decision to notify the FBI, pay the ransom, or both is complex and should be made in consultation with counsel.