A Spectre Is Haunting Europe – A Spectre of Ransomware
By Amjed Saffarini, CEO CyberVista
This morning, in a barrage of Twitter notifications, numerous European hospitals, banks, and other organizations reported that they were victims of a serious cyber attack. The scale of the impact is already being described as “massive” with some hospitals closing their doors and entire networks, including phone systems, rendered inoperable and forcing physicians back to pen and paper records.
In the UK, 25 National Health (NHS) organizations have been affected, as well as several local hospitals, and these numbers are expected to climb. Meanwhile, according to law enforcement in Spain, several financial institutions have also been compromised. According to early online reports, within the first few hours of the attack researchers discovered 45,000 instances of this strain of ransomware in 74 countries around the world. It is possible that this form of ransomware is self-replicating: compromising workstations on a single network, then moving to its next victim using a software vulnerability the Windows operating system.
What is Ransomware
Ransomware is a special type of software that extorts money out of its victims by holding their data hostage. Ransomware encrypts the victim’s data, rendering it completely inaccessible to the owner until a payment is made to the attacker. Once payment is complete, the hacker will (maybe) unlock, or decrypt, the system or data. There can be multiple consequences of noncompliance with a hacker’s demands. Hackers can continue to make the data and systems associated with it unavailable indefinitely, destroy the data, or, if it is sensitive information, they can release it to the public, or sell it on the black market.
This particular strain of ransomware comes from the WannaCry family, spread through email communication. Generally the .WNCRY virus is contained within an attachment that is sent to an organization’s employee via a well-crafted phishing email. Like many organizations in the Healthcare industry, the UK’s National Health Services hospitals use computers that were vulnerable to a known bug discovered by Microsoft in mid-March after the leak of NSA spy tools. Though Microsoft released a patch for many systems, it also recommended that unpatched systems be disconnected from the Internet or shutdown – a warning that in this case was not heeded by these affected organizations.
Ransomware: A Known Global Threat
While the most recent ransomware grabbed patient data in Europe, American businesses are also vulnerable. In 2015, ransomware cost U.S. companies and individuals $1.6 million. In just three months last year, ransomware was responsible for a $209 million loss for U.S. companies. Security experts expect ransomware attacks to double in 2017.
Because ransomware attacks the data housed by an organization, those organizations which have users in Europe, whether employees or customers, are subject to reporting requirements to avoid violating the General Data Protection Regulation (GDPR), a significant new EU privacy regulation already signed and going soon into effect which has penalties that can amount to $21m or 4% of total company revenue, whichever is more.
Mitigating the Ransomware Threat
If your organization is already affected by a ransomware epidemic, your technology and security teams are likely working hard to restore systems and data. Questions you can ask as you work through your incident response:
- If our network is segmented, how and when do we turn off access to certain segments to prevent the malware from spreading? What is the business impact of such actions?
- When were the last complete off-site backups made, and how quickly can we do a full system restore if necessary?
- Have we engaged with cyber specialists or law enforcement to see whether this is a targeted attack or broader spreading epidemic, and if there are solutions readily available?
- What are our reporting obligations in the next 72 hours to our stakeholders, which include shareholders, customers, partners and suppliers, law enforcement, and regulators?
If you are looking to reduce the likelihood or impact of a ransomware attack in the future, here are some mitigations you can plan for ahead of time:
- User Awareness and Training: As we mentioned before, a common delivery method of ransomware is email. If an unsuspecting user opens a malicious link, then attackers are able to install malware such as ransomware. Organizations should train their employees to exercise data handling best practices and safe browsing behavior with simulated attacks.
- Backup Early. Backup Often: The most important thing that organizations can do to defend against ransomware is to maintain system backups. Some information simply isn’t replaceable; the ability to restore your important files on a new machine can turn a crisis into a comparatively more manageable inconvenience. If data availability is your main security objective, consider data backup options such as remote mirroring.
- Cyber Insurance: According to cybersecurity researcher Brian Krebs, when ransomware strikes, most organizations acquiesce to cybercriminals’ demands. A comprehensive cyber insurance plan is a useful tool for organizations in a crisis. Rather than paying “out of pocket,” insurers may cover the ransom costs, as well as assist the organization in conducting forensic investigations, recovering data, and constructing a crisis communications plan. However, these protections are unlikely to fall under a general Kidnapping/Ransom policy and more likely to be included in special Cyber coverage you would have to opt into prior to the event.
A People Problem with People-Centric Solutions
This morning, the consequences of ransomware became dire. This wide-spread, self-replicating malware should serve as a wake-up call to the life-threatening consequences of a cyber breach.
Despite a growing awareness of cyber risks, human error remains the leading cause of cyber incidents. The good news is that if the issue is human-error, the problem is fixable, but it will take serious commitment to change behavior.
Individuals at all levels of an organization have a role to play to ensure cyber resiliency. Senior leadership must take ownership of their organization’s cyber posture by ensuring an appropriate level of attention and resource allocation. Cyber practitioners should communicate with senior leadership about the technical controls that must be in place to protect their organization’s data and resources. And, finally, general users must commit to taking cyber threats seriously and being vigilant online and off, especially when human life is at stake.