This is not a drill.
Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. Hospitals and healthcare entities in the UK and elsewhere were particularly hard hit and continue struggling to recover, with doctors around the world blocked from access to patient files and multiple emergency room and even entire-hospital shut-downs. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption costs to businesses is expected to range from the hundreds of millions to the billions of dollars.
Last fall, we warned our clients that ransomware – a newly popular form of cyberattack – would require a different approach to cybersecurity and to incident recovery. The urgency of that warning is now clear, as the WannaCry attack is unprecedented in its size and in the speed with which it spread. While healthcare entities in North America appear to have suffered minimal damage thus far, and while the particular ransomware variant involved in last week’s incidents has been largely neutralized, even small changes made to the malware code could reactivate it and rapidly deploy a new series of attacks. We are once again urging our clients to proactively prepare, consult with cybersecurity experts, and develop comprehensive cyber incident response plans which contemplate a variety of possible attacks.
What is ransomware?
Ransomware is malware that disables systems or encrypts data, critical system files and applications and demands a payment to re-enable or unlock them. There are two kinds of ransomware: “Locker,” which leaves data untouched but keeps owners from accessing it on their devices; and “Crypto-Ransomware” which leaves users with access to their computers but encrypts their files and applications; once the ransom is paid, the hackers send a decryption key.
How does ransomware infect companies’ systems?
Ransomware may be downloaded in a variety of ways: via “phishing” schemes, in which employees are induced to click on harmful links or download harmful files; by downloading infected apps; or through compromised ads (known as “malvertising”) on mainstream sites. Hackers are increasingly sophisticated and creative in using a wide variety of means to introduce ransomware onto computers and mobile devices.
Unlike typical ransomware, there is no evidence that WannaCry is being distributed via phishing schemes, a spam campaign, or through compromised ads. Instead, WannaCry propagates through a self-spreading worm, a form of attack popularized more than a decade ago but rarely seen since.
How did the WannaCry attack spread?
WannaCry ransomware exploits a flaw in the Windows operating system. Networks of computers, especially those in hospitals, are particularly vulnerable because the ransomware is spread through standard file sharing technology used by PCs. While Microsoft issued a patch for the flaw in March for currently supported operating systems, unsupported Microsoft Windows operating systems, including Windows XP – widely found in the healthcare sector, as well as in many of the foreign countries hardest-hit by the WannaCry attack – continued to be at risk. Microsoft has since released free patches for its unsupported systems.
Why is the healthcare industry so vulnerable to ransomware attacks?
First, the healthcare industry has historically lagged behind other industry sectors in spending on IT security, Second, many healthcare organizations continue to focus their cybersecurity efforts on “fighting the last war” rather than anticipating and guarding against new threats. The healthcare industry, which had focused on HIPAA compliance and avoiding laptop thefts and unauthorized disclosures of paper files, had a rude awakening in the wake of a series of mega-breaches at health insurers in 2015. Their subsequent efforts were focused on protecting the PHI in their databases, but added little to their defenses against ransomware attacks, which require regular and comprehensive backups of systems and data, as well as prompt patching of any known vulnerabilities.
Is it a HIPAA breach if ransomware infects a HIPAA covered entity’s or business associate’s computer system?
Possibly. According to the Department of Health and Human Services, whether or not the presence of ransomware would be a breach under the HIPAA rules is a fact-specific determination. The HIPAA rules define a breach as the acquisition, access, use, or disclosure of protected health information (“PHI”) in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI. Therefore, if any electronic protected health information (“ePHI”) is encrypted as a result of a ransomware attack, a breach has occurred and the entity must comply with applicable HIPAA breach notification requirements.
How do I protect my company from a ransomware attack?
- Regardless of your operating system, you should install any and all available security updates and patches immediately.
- If you are running an unsupported operating system – STOP! Upgrade all medical devices, machines, and computers to a supported system immediately.
- Never run unlicensed software on your system, as it will not receive the necessary patches or automatic updates.
- Back up all of your critical applications and data – and test the backup systems to be sure they can be restored and work properly before you have an attack. Ensure backups are not connected to the computers and networks they are backing up.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Make sure your system includes robust firewalls and your Intrusion Detection/Prevention Systems that are up to date and able to receive updates and patches.
- Whenever possible, keep data encrypted, whether in transit or stationary. While encryption will not prevent a ransomware attack, it will protect your data if attackers choose to export it or attempt to use it for financial gain.
- Restrict access to sensitive files and ensure personnel only can access the data necessary to perform their jobs.
- Ensure all employees are aware of the threats and methods of attack and are following sound cybersecurity policies:
- Train – and remind — your employees about the dangers of “phishing” attacks and how to report any attempted attacks
- Ensure employees verify the identity of the sender of any links and attachments
- Keep a copy of your emergency response plan – including phone numbers of key contacts – somewhere other than on your company’s systems.
What should I do if my company suffers a ransomware attack?
- Pay the ransom. The FBI does not support paying ransom to the adversary, especially as there is ultimately no guarantee that system access will be restored;
- If you have backups and redundancies, you may be able to restore your systems without paying the ransom;
- Call in a security/forensic company for assistance in freeing your systems;
- Alert a local FBI field office to report the event and request assistance.
If I choose to pay the ransom, how and where do I get bitcoin? How long does it take?
Do not follow the links suggested by the ransomware without the assistance of your IT department as they may lead to software that will further compromise your computers and files. In most cases, the ransomware will require payment by bitcoin because a payment by bitcoin cannot be reversed, and because it will be very difficult if not impossible for anyone to identify the recipient. If your law firm has experience responding to ransomware, then your law firm can help you with the logistics of buying and sending bitcoin.
You will need to open an account with reputable bitcoin exchange and purchase sufficient bitcoin. The exchange company will need you to link your bank account with the bitcoin wallet provided to you so that you can make an ACH transfer of dollars to your account. The exchange company will need to identify you to comply with its AntiMoney Laundering and Know Your Customer (AML/KYC) compliance procedures. How much information the company will need and how long this will take depends on the amount of the bitcoin you need to purchase, and the speed of the exchange company’s intake process. The exchange company will often require two or three days to pass after the ACH payment is initiated before exchanging the dollars sent for bitcoin. Once the bitcoin is in the bitcoin wallet associated with your account, you will be able to send it to any other wallet, anywhere in the world, nearly instantaneously. If you accidently send it to an address other than the ransomware perpetrator’s, you will have no way to reverse or recover the bitcoin.
Will my cyber insurance cover a ransomware attack?
In general, the largest expenses associated with a ransomware attack arise out of loss of operations. Cyber-insurance may cover the business interruption, although ransom amounts to date have generally been below most policies’ retention threshold. Also, the vector by which the ransomware entered your system may affect how your cyber-insurance treats the attack. Before relying or counting on its cyber-insurance, a company should have a clear understanding what type of events are expressly covered or excluded.
Remember, the side effects of the WannaCry attack are likely far from over. Healthcare entities must be vigilant, keeping an eye out for social engineering schemes (i.e. where an individual calls a business claiming to be from Microsoft and offering support if given access to its servers) and variant ransomware created by other attackers and used to exploit the WannaCry attack separately and independently.
If you have any questions, please contact Laura Jehl.
Sheppard Mullin’s Healthcare and Privacy & Cybersecurity Teams can help your organization assess its preparedness for a ransomware attack, data breach or other cyber incident.