WannaCry Global Ransomware Attack

Cybersecurity and Privacy Alert

Client Alert


What happened

A global ransomware attack began early last Friday and has affected businesses and government entities in 150 countries, including Britain’s national health system, FedEx, Spain’s Telefónica, and the Russian Interior Ministry. The ransomware virus used in the attack, dubbed “WannaCry,” gains access to an organization’s servers either through Remote Desktop Protocol compromise or by exploiting a critical vulnerability in Microsoft’s Windows software. One possible method of infection is phishing emails.

This variant of malware is touted by computer security experts as the world’s first “ransomworm,” a type of ransomware that has the ability to spread throughout computer systems without user intervention or interaction. Microsoft released a security update in March addressing this vulnerability and widely encouraged its users to implement it. However, many targeted organizations had not yet implemented the security update or were using Windows XP, a legacy system for which Microsoft no longer issues security patches. Many experts believe this ransomware campaign to be the result of leaked NSA documents and hacking tools that identified this particular vulnerability, which were stolen from the NSA and released online by Wikileaks.

Ransomware attacks have been increasingly prevalent in recent years. What is novel about this attack is its size and scope – it targeted a popular Windows operating system used worldwide, and the apparent motivation of the hacker group behind the attack is to collect small sums from thousands of victims rather than a single large ransom. The average ransom amount requested from each company has been roughly $300, payable in Bitcoin.

Latest developments

The attack was slowed down over the weekend by a security researcher’s discovery of a “kill switch” embedded in the virus’ code. However, most computer security experts do not believe it has been halted completely, and there is at least one new strain of the ransomware that is unaffected by the kill switch, which has been slowly spreading.

On Sunday, Microsoft took the unusual step of releasing a new patch for the old Windows XP system to address the vulnerability, which is an indicator of how serious the threat is. Microsoft is making the update widely available for download on its website. Microsoft also criticized the NSA for so-called “stockpiling” of vulnerabilities that may be stolen by hacker groups. As the workweek began on Monday, affected companies across the world were struggling to restore their computer systems and return to full functionality.

Impact on the U.S. healthcare industry

So far, Britain’s national health system (“NHS”) has been the healthcare organization most impacted by the attack. Sixteen NHS hospitals were forced to cancel critical surgeries and divert patients to other hospitals when they could not access medical records. However, the U.S. Department of Health and Human Services issued an alert on Friday afternoon stating that there is evidence of the attack occurring in the U.S. as well. There has not been word from HHS yet on how pervasive the ransomware has been domestically. HHS issued an email alert on Monday to the Healthcare and Public Health Sector warning organizations of a reported “exploitative social engineering activity” in which an individual called a hospital claiming to be from Microsoft, and requested access to the computer system. The alert warned of the likelihood that malicious actors will try to take advantage of the current situation in similar ways.

Healthcare organizations in the U.S. that are affected by WannaCry or other forms of ransomware need to be familiar with HHS’s ransomware guidance, which was issued last year. The guidance advises that when electronic protected health information (“ePHI”) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (since unauthorized individuals have taken possession or control of the information). Unless the organization can demonstrate that there is a low probability that the PHI has been compromised based on the factors set forth in the Breach Notification Rule, a breach is presumed to have occurred and notification is required.

Recommended actions

  • Regularly conduct security awareness training to remind your staff of the importance of good email hygiene. Phishing attacks with software downloads or links and attachments to malware are often the first sign that a ransomware event is looming.

  • Implement the latest security updates and patches for your operating system, and keep them up to date at all times. If you are operating on Windows XP, download the security patch from Microsoft’s website until you can move to a supported operating system.

  • Before your organization has been attacked by WannaCry or another ransomware variant, review and update your security incident response plan, including considering whether you will contact the FBI or other law enforcement when faced with a demand.

  • Review and update your disaster recovery plans and make sure your data is backed up so that in the event of an attack, the organization can quickly recover.

Further resources on WannaCry

FBI Alert on WannaCry

Report – How to Protect Your Networks from Ransomware

HHS Ransomware Guidance

Republished with permission. This article, "WannaCry Global Ransomware Attack" first appeared in The American Health Lawyers email newsletter on May 16, 2017.