Whack-A-Mole in Ransomware – Suggestions for Fighting the Evolving Problem

As you may have heard, a serious ransomware attack called WannaCry surfaced on Friday, May 12, and has spread across the globe. It has been described as a cyber pandemic. The initial attacks shut down hospitals in the U.K. and in Asia. Ransomware refers to malware that locks or threatens to lock a user’s computer systems unless a sum of money is paid. Ransomware, like most forms of cyber attack, constantly morphs in response to successfully deployed defenses. As defenders succeed in blocking a pathway, the malware pops up in a morphed version, requiring further changes in defensive tactics. Dealing with ransomware is just like playing Whack-A-Mole, but with serious potential consequences. In today’s world, where attackers are often very well-funded, it is important to work together with others to mount a successful defense.

As the WannaCry ransomware is tackled, new variations are emerging. Even though the initial WannaCry malware attack was thwarted when the kill switch was discovered, new, more sophisticated variants are emerging that are more difficult to address. The WannaCry malware appears to be focusing on human vulnerability, namely the tendency of untrained users to open unexpected documents or click on unknown links, so a first step in addressing the attack starts at the ground level: educating ourselves and our employees to detect the signs of malware attacks. Getting the word out can help others be prepared. In the event of an attack, it is important to respond quickly, as the attacks are serious and ransomware continues to morph and spread.

Ransomware attacks, in addition to creating technical IT challenges, also create legal issues. In many instances, inability to access data may trigger contractual and other legal obligations. In the U.K. over the weekend, hospitals saw the effect of this when they were unable to care for patients. Patients had to be turned away and sent to other hospitals. The impact of an attack like this has the potential to kill people – particularly in the United States if rural or regional hospitals are impacted and the nearest alternative hospital is not at all near.

The fact that an organization falls victim to the WannaCry attack or others like it does not mean that the organization is at fault—this kind of malware is very difficult to thwart. It is masked to trick the tools used by IT to identify and defend against it. It also targets human nature—all it takes is for someone to open an attachment. Even among highly trained people, this kind of attack can be effective. In many instances, malware is designed to evoke a moment of panic that is intended to cause a person to act quickly before thinking. Again, good training will go a long way to remind people to pause and think before acting, but even the best training on this issue will not be 100 percent effective.

As you know, all systems are different, so what works well for one may not work well for another. In an effort to be helpful, we have a few practical suggestions to consider.

Top Priority Suggestions:  

In many organizations, the IT team already is well-prepared. That said, attackers often target vulnerabilities that typically are not top priorities for limited resources. With this in mind, it may help to receive an early alert about the situation and consider making the following three items top priorities:  

1. Alert your employees, vendors, and anyone who accesses your system. Reminders to not open unexpected attachments and encouraging a call to the sender to verify expected attachments before opening them can be helpful.

2. Address backups: It is important to back up all data and applications, with critical data and applications being backed up frequently and securely.

3. Be prepared to communicate effectively, not only internally, but also with stakeholders, the public, and/or the press. In preparing to respond, there are a few things to consider, including legal protections and legal defensibility, while balancing competing needs and appropriately prioritizing safety and privacy. Additionally, if service levels suffer, customers may have needs to be addressed. Your response may impact your reputation and defensibility. It is important to consult with counsel at the outset, as contract and notification obligations may be triggered.

As you are preparing your response and protection going forward, remember that malware will continue to evolve. It will be important to stay connected, learn from other victims and work together to maintain a strong defense.

In the wake of the WannaCry attack, how to enhance resilience and preparation for more attacks like this one is a primary concern. Now, more than ever, it is important for management teams and boards of directors to continue addressing cyber issues—ransomware and more traditional hacks. While there is no cyber equivalent yet to GAAP for accounting, practical steps can be taken to continuously improve the organization’s ability to protect sensitive information, defend against attacks, and respond well to serious situations in a manner that protects customers and consumers, enhances legal defensibility, and protects the organization’s brand.