Blog post -

Update on global cyber attack - WannaCry

This is a short summary of the cyber attack that started on Friday 12 May 2017. It’s meant to give an understanding of the events so far, the situation as it currently stands, and what we can expect from the near future.

The executive summary:

  • A global cyber-attack was launched on Friday 12 May 2017, and has so far affected more than 200,000 companies in more than 150 countries (according to Europol). The attack has been nicknamed WannaCry.
  • WannaCry is a Windows-based ransomware attack, meaning that devices (laptops and servers) running Windows are vulnerable.
  • The underlying vulnerability has been known for some time and there are patches available for all versions of Windows, including those that are no longer supported. All companies should immediately update their Windows operating systems.
  • Let me say that again, all organizations must update Windows immediately. This can’t wait.
  • Once a device is infected, the infection spreads from device to device without any user interaction. Infected companies are therefore hit harder by this particular attack than by the usual ransomware attacks that companies face every day.
  • The spread of the attack was halted, but we expect the spread to gain speed again in the next few days. The criminals have already issued WannaCry 2.0, without the kill switch function that halted the spread initially.
  • Cyber insurance could pay for the costs of systems investigations and the business interruption that comes as a result of the infection. It also provides access to expertise needed to manage ransomware incidents.

For those of you who want to know more:

The long version

On Friday, a new strain of ransomware started appearing in different organizations, initially predominantly across Europe, Russia and China, but eventually across the world.

The ransomware is based on a so-called 0-day vulnerability, a flaw in Windows that, in short, allowed the malware to spread through a protocol (SMB) that is primarily designed for file sharing. This vulnerability was included in the WikiLeaks publication called Vault 7, and a patch for supported Windows platforms was issued on March 14. For unsupported Windows versions (XP, Vista, Server 2003) there was no patch available. Organizations that applied the patch before Friday have not been affected.

When a device within an organization is infected, the ransomware is able to spread to other devices, meaning that large parts of the infected organizations were affected. This has led to a halt in operations for several very large companies and public institutions. Among the infected were a number of hospitals in the UK, which were forced to suspend some activities as a result. Car manufacturers have also had to shut down production as a result of the attack, and telephone operators have experienced outages.

As with most ransomware infections, the infected devices are encrypted, and the information is unavailable unless the organization pays a ransom, roughly $300. If the organization pays this amount, the attackers promise to hand over the encryption key. At the time of writing, approx. 133 organizations have paid this ransom, for a combined total of about $35,000. It is not known whether the attackers have given the encryption key to the paying organizations.

Companies that are infected usually have only a few options:

  1. They can pay the ransom and hope that the attackers will actually hand over the encryption key. There is absolutely no guarantee that this will happen, even if the organization pays the ransom.
  2. They can restore the affected parts of the network from the latest backup. This is done by disconnecting the devices from the network, cleaning and restoring the server, then reconnecting it to the network. This can be a very time-consuming exercise if large parts of the network are affected, which is the case with WannaCry infections.
  3. They can remove the affected devices from the network and carry on without them. This is typically not recommended, as it means that other devices can be infected as well.

The spread of the infections was halted on Saturday, when a security researcher found a way to stop the infection. The ransomware contained a “kill switch”, a function inserted into the malware to stop the infection. In short, it worked like this:

  • When infecting a device, the malware is designed to first try to connect to a certain website, one that didn’t exist (its domain was unregistered) when the infection first started.
  • If the website doesn’t respond, the malware encrypts the device.
  • If the website responds, the malware doesn’t encrypt the device and the user doesn’t notice anything.

When the security researcher discovered this function, he registered the website, and the infection subsequently stopped. However, the attackers have already redesigned the malware, and this function is now gone. The updated version of the malware is therefore spreading and infecting computers all over the world. Expect the spread to pick up speed again on Monday, and expect more organizations to be infected.
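The kill-switch lookup and the device-to-device SMB spread described above both leave traces in ordinary DNS and firewall logs. The following is an added example, not code from the original post or from Willis Towers Watson: it runs over a few constructed log lines and flags hosts that looked up the kill-switch domain (infected but left unencrypted, so they still need cleaning) and hosts opening SMB connections to many peers (possible worm spread). The domain name, the log format and the fan-out threshold are assumptions; the real kill-switch domain is not given in the post.

```python
# Added example (not from the original post): flag the two behaviours the post describes
#  1. a DNS lookup of the kill-switch domain (an infected host checking whether to encrypt)
#  2. one internal host opening SMB (TCP 445) connections to many peers (worm-style spread)
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch.example"  # placeholder; the real domain is not in the post
SMB_PORT = 445
SMB_FANOUT_THRESHOLD = 5  # assumption: ordinary clients rarely talk SMB to five or more peers

# Constructed sample logs, not real captures.
# Format: "dns <src> query <name>"  or  "fw <src> <dst> <dstport> <action>"
SAMPLE_LOG = """\
dns 10.0.1.20 query killswitch.example
dns 10.0.1.21 query intranet.corp.local
fw 10.0.1.20 10.0.1.30 445 allow
fw 10.0.1.20 10.0.1.31 445 allow
fw 10.0.1.20 10.0.1.32 445 allow
fw 10.0.1.20 10.0.1.33 445 allow
fw 10.0.1.20 10.0.1.34 445 allow
fw 10.0.1.21 10.0.2.5 445 allow
fw 10.0.1.22 10.0.2.5 443 allow
"""


def analyse(log_text):
    """Return (hosts that queried the kill switch, hosts with SMB fan-out) from log lines."""
    kill_switch_hosts = set()
    smb_peers = defaultdict(set)  # src host -> set of distinct SMB destinations
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        kind, src = parts[0], parts[1]
        if kind == "dns" and parts[2] == "query" and parts[3].lower() == KILL_SWITCH_DOMAIN:
            kill_switch_hosts.add(src)
        elif kind == "fw" and len(parts) >= 5 and parts[3] == str(SMB_PORT):
            smb_peers[src].add(parts[2])
    spreading = {h for h, peers in smb_peers.items() if len(peers) >= SMB_FANOUT_THRESHOLD}
    return kill_switch_hosts, spreading


if __name__ == "__main__":
    ks, spread = analyse(SAMPLE_LOG)
    print("contacted kill switch (infected, not encrypted):", sorted(ks))
    print("SMB fan-out (possible worm spread):", sorted(spread))
```

A host on the first list is infected even though nothing was encrypted, and the absence of kill-switch lookups proves nothing once the version without the kill switch is in circulation, so the SMB fan-out signal is the one to keep watching.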

If a company has cyber insurance, the insurance policy will not only pay for the necessary IT forensics and cleanup costs. It will also reimburse the company for loss of revenue and increased costs of working. In addition, it will put the company ahead of the long list of companies in need of such support.

Willis Towers Watson is the market-leading broker in Scandinavia on cyber insurance, and we are in an exceptionally good position to help our clients with their cyber risks and cyber insurance. By buying cyber insurance, companies are better placed to face the next big cyber event. Because if there is one thing we can be certain of, it is that there will be a next big cyber event, bigger than this one.

If you have any questions, don’t hesitate to contact me.

Written by Kristoffer Haleen, Cyber Practice Leader at Willis Towers Watson

Kristoffer Haleen
Willis Towers Watson
Tel: +46 (0)73 159 59 65
Mail: kristoffer.haleen@willistowerswatson.com
