With the global release by cybercriminals this past Friday of Wanna Decryptor, a version of the WannaCry ransomware, hospitals, large corporations and government offices across Europe, Asia and the United States found themselves locked out of systems on which their data had been encrypted. The ransomware was spread through phishing emails carrying encrypted zip files that bypassed security systems; it was unleashed only once employees inadvertently opened the attachments, after which it encrypted critical network data and demanded a ransom to unlock it. The ransom demands are reported to range from $300 to in excess of $7,000 in Bitcoin, with the threat that the data will be destroyed if the victimized organizations do not pay within the specified time periods. Although payments by victims are reportedly off to a slow start, some analysts predict that the attackers will ultimately net in excess of $1 billion before the deadline for victims to unlock their data expires.
The hackers reportedly exploited a vulnerability in Microsoft Windows servers for which the National Security Agency had developed a hacking tool for national security purposes. The tool was stolen from the agency and leaked to hackers. The N.S.A. reportedly alerted Microsoft to the vulnerability after it learned that its method of exploiting it had been stolen. Some analysts have questioned whether it was appropriate for the N.S.A. not to have notified Microsoft of the exploit when it was discovered, thereby exposing tens of thousands of organizations to the cyber threats that emerged last week, along with the ensuing economic harm and risk to the safety of individuals. Others have opined that, but for the theft of the N.S.A. hacking tools, the exploit would never have been made public, and that, in any event, the N.S.A. is required to identify security flaws in network systems as part of maintaining a robust national cybersecurity countermeasure and cyberwarfare program. Irrespective of the ethical debate, in or about March, Microsoft issued a security patch to address the vulnerability, but the hackers recognized that many organizations are slow to act and would not yet have applied the patch to their networks, leaving them exposed.
Victimized organizations have two obvious choices: pay the ransom or not. The risks in paying are that (1) it encourages these types of attacks, which is why the FBI generally discourages paying ransom; (2) there is no guarantee that the hacker has the decryption key (i.e., the ability to unlock the data, as they may be a downstream hacker who obtained the malware without the ability to unlock the encrypted data) or will unlock all of the data; and (3) even if the hacker does have the decryption key, they may leave the malware embedded on the network, where it resurrects itself in the future and produces another ransom demand, essentially becoming an annuity for the hacker.
By contrast, an organization with a full backup and recovery system can restore its network data without acceding to the ransom demand. In that regard, any effective cybersecurity program must include a data recovery plan that provides for full data backups. See Beating Ransomware. Furthermore, we have previously noted the importance of implementing written information security programs that include monitoring for and installing critical security patches. Equally important is employee training and awareness regarding phishing and social engineering schemes, designed to minimize the risk of malware intrusions caused by employee error and inadvertence.
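The delivery vector described above, password-protected zip attachments slipping past email filters, is one that a mail gateway can check for directly, since the zip format records in each entry's header whether that entry is encrypted. The following is an added example, not code from the original post or from any product it mentions: a Python scanner that parses the zip central directory itself and returns a quarantine verdict when any entry carries an encryption flag. The sample archives, the function names and the verdict strings are constructed for this example; the "encrypted" sample is a clean archive with the encryption flag bits patched in, which is enough to exercise the check without a real encrypted payload.

```python
"""Added example (not from the original post): flag zip email attachments
that contain password-protected entries.

The scanner reads the zip central directory directly with struct, so a mail
gateway can apply it to raw attachment bytes without extracting anything.
Zip64 archives are not handled.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"           # end of central directory record
CD_SIG = b"PK\x01\x02"             # central directory file header
FLAG_ENCRYPTED = 0x0001            # general purpose bit 0: traditional PKWARE encryption
FLAG_STRONG_ENCRYPTION = 0x0040    # general purpose bit 6: strong (e.g. AES) encryption
CD_HEADER_LEN = 46                 # fixed part of a central directory header


def _central_headers(data: bytes):
    """Yield (header_pos, flags, name) for every central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a zip archive (no end-of-central-directory record)")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_on_disk(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        # Central header: sig(4) made_by(2) needed(2) flags(2) method(2) time(2) date(2)
        #   crc(4) csize(4) usize(4) name_len(2) extra_len(2) comment_len(2) disk(2)
        #   int_attr(2) ext_attr(4) local_header_offset(4)
        f = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        flags, name_len, extra_len, comment_len = f[3], f[10], f[11], f[12]
        name = data[pos + CD_HEADER_LEN:pos + CD_HEADER_LEN + name_len].decode("utf-8", "replace")
        yield pos, flags, name
        pos += CD_HEADER_LEN + name_len + extra_len + comment_len


def encrypted_entries(data: bytes) -> list[str]:
    """Names of entries that the archive marks as encrypted (bit 0 or bit 6)."""
    return [name for _, flags, name in _central_headers(data)
            if flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENCRYPTION)]


def triage_attachment(data: bytes) -> str:
    """Gateway verdict for one attachment: 'not-zip', 'allow' or 'quarantine: ...'."""
    if not data.startswith(b"PK"):
        return "not-zip"
    names = encrypted_entries(data)
    if names:
        return "quarantine: encrypted entries " + ", ".join(names)
    return "allow"


def stdlib_cross_check(data: bytes) -> list[str]:
    """Same question answered by the standard library, to validate the hand parser."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & FLAG_ENCRYPTED]


def build_clean_zip() -> bytes:
    """Constructed sample: an ordinary, unencrypted archive with one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", "constructed sample content, nothing malicious")
    return buf.getvalue()


def simulate_encrypted_zip(data: bytes) -> bytes:
    """Constructed sample: copy of `data` with the encryption flag set in every
    local and central header, as a password-protected attachment would have."""
    out = bytearray(data)

    def set_flag(offset: int) -> None:
        (flags,) = struct.unpack_from("<H", out, offset)
        struct.pack_into("<H", out, offset, flags | FLAG_ENCRYPTED)

    for pos, _, _ in _central_headers(data):
        set_flag(pos + 8)                                   # flags field of the central header
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        set_flag(local_off + 6)                             # flags field of the local header
    return bytes(out)


if __name__ == "__main__":
    clean = build_clean_zip()
    suspicious = simulate_encrypted_zip(clean)
    print("clean archive:     ", triage_attachment(clean))
    print("encrypted archive: ", triage_attachment(suspicious))
    print("stdlib agrees:     ", stdlib_cross_check(suspicious) == encrypted_entries(suspicious))
```

The check deliberately reads the central directory rather than extracting anything, so it is safe to run on untrusted input and cannot be defeated by a payload that only misbehaves on decompression. A gateway rule built on it would quarantine or hold for review any zip with encrypted entries, since the filter cannot inspect their contents; the standard-library cross-check is there only to confirm the hand-written parser agrees with `zipfile` on the same flag.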
The latest ransomware attack serves as yet another important reminder of the need to implement cybersecurity programs designed to minimize the risk of network attacks that disable and shut down an organization's operations.