In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future.
Less than a month later, the most prominent ransomware attack to date swept the globe and dominated headlines. As we previously reported, on May 12, 2017, thousands of organizations were affected by the so-called “WannaCry” ransomware variant, which exploited a known Microsoft Windows vulnerability (for which Microsoft had issued a patch in March 2017) and spread rapidly across borders and industries. Despite the apparent sophistication of its origins, reportedly using an exploit leaked from the National Security Agency’s toolkit, signs have emerged that the perpetrators of the WannaCry outbreak were less sophisticated than one might expect. Specifically, WannaCry’s authors seem to have included “amateur flaws” in their design, such as a straightforward kill switch, an “unsavvy” payment protocol (payments went to a handful of hard-coded bitcoin addresses, leaving the operators no automated way to tell which victim had paid) and a poorly designed ransom function. The kill switch proved decisive: before encrypting, the malware checked whether a hard-coded, unregistered domain name resolved and stood down if it did, so once a researcher registered that domain, newly infected machines that could reach it stopped short of encryption. As a result, the outbreak was largely halted by a simple domain name registration, and the financial yield for the perpetrators appears to have been surprisingly low.
WannaCry is an intriguing example of a ransomware attack that was both amateurish and successful, a dichotomy we explored in a recent article for The Richmond Journal of Law & Technology titled Ransomware – Practical and Legal Considerations for Confronting the New Economic Engine of the Dark Web. In that article, we discussed the business of ransomware and examined attacks that, like WannaCry, showcase the growing trend of would-be datanappers who lack the technical expertise to author attack software themselves but instead purchase ready-made exploits from more skillful criminal coders. Current reporting suggests that WannaCry operated using this “Ransomware-as-a-Service” model, which allows a much broader swath of the digital underworld to get in on the ransomware game.
Whether or not commercial ransomware specifically targeting the software flaw exploited in the WannaCry outbreak was inevitable, an attack of this nature was plainly foreseeable and will not be the last. It may not even be the last ransomware attack associated with the release of classified government documents. Moreover, this dual-layer criminal enterprise, with sophisticated coders putting weaponized software into the hands of any criminals willing to pay, is likely to lead to even broader attacks exploiting known, already-patched security vulnerabilities.
Regulatory authorities are using the WannaCry outbreak to highlight risks and encourage companies to implement reasonable cybersecurity measures. For example, on May 17, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a risk alert noting that its recent sweep examination of 75 registered firms revealed that an alarming number of firms do not routinely apply the kinds of security patches that could prevent a WannaCry-style infection. The Department of Homeland Security also issued a WannaCry alert (updated on May 19), as did the Department of Health and Human Services. Regulated entities should consider how best to bolster their cyber defenses against ransomware and other malware threats now, starting with timely patching of known vulnerabilities and retiring the legacy services those patches address, to avoid being caught flat-footed in the wake of future attacks.
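For readers who want a concrete check behind the regulators’ patching point above (and behind the Windows flaw described in the second paragraph), the following PowerShell script is an addition by this editor, not part of the original post or of any of the cited agency alerts. It assumes, on the strength of Microsoft’s public WannaCry guidance rather than anything stated in this post, that the flaw in question is the SMBv1 vulnerability fixed by security bulletin MS17-010 (released March 14, 2017). The function name Get-WannaCryExposure, its -Remediate switch and the “no updates since March 14, 2017” heuristic are the editor’s own; the cmdlets it calls are standard Windows ones.

```powershell
<#
Added example by the technical editor; not part of the original BakerHostetler post.
Assumption (from Microsoft's public WannaCry guidance, not from the post): the Windows
flaw WannaCry exploited is the SMBv1 vulnerability addressed by security bulletin
MS17-010 (March 14, 2017). This script reports whether a host still exposes SMBv1,
gives the srv.sys driver version to compare against the bulletin's file table, and
can optionally disable SMBv1. Run from an elevated PowerShell prompt on Windows 8.1 /
Server 2012 R2 or later.
#>

function Get-WannaCryExposure {
    [CmdletBinding()]
    param(
        # Disable SMBv1 after reporting. A reboot is needed for the change to fully apply.
        [switch]$Remediate
    )

    $report = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.Version.ToString()
        Smb1ServerEnabled = 'unknown'
        Smb1Feature       = 'not present'
        SrvSysVersion     = 'unknown'
        LastHotFixDate    = $null
        Assessment        = @()
    }

    # 1. Server-side SMBv1 switch: the setting that remote exploitation of MS17-010 reaches.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) { $report.Smb1ServerEnabled = [bool]$smb.EnableSMB1Protocol }

    # 2. Optional-feature state (present on Windows 8.1/10; absent on some server SKUs).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $report.Smb1Feature = [string]$feature.State }

    # 3. Version of the SMB server driver that MS17-010 updates. Compare it with the
    #    "file information" table in the bulletin for this OS: a version below the listed
    #    one means the fix is missing regardless of what Get-HotFix reports, because
    #    cumulative updates on Windows 10 supersede the original KB numbers.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    if ($srv) { $report.SrvSysVersion = $srv.VersionInfo.FileVersion }

    # 4. Coarse patch-currency signal (editor's heuristic): date of the newest installed update.
    $latest = Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 1
    if ($latest) { $report.LastHotFixDate = $latest.InstalledOn }

    if ($report.Smb1ServerEnabled -eq $true -or $report.Smb1Feature -eq 'Enabled') {
        $report.Assessment += 'SMBv1 is enabled; disable it unless a documented dependency requires it.'
    }
    if ($report.LastHotFixDate -and $report.LastHotFixDate -lt [datetime]'2017-03-14') {
        $report.Assessment += 'No updates installed since the MS17-010 release; the host is likely unpatched.'
    }
    if (-not $report.Assessment) {
        $report.Assessment += 'No SMBv1 exposure detected; confirm srv.sys version against MS17-010.'
    }

    if ($Remediate) {
        # Both calls are idempotent; -Force / -NoRestart suppress prompts so this can run at scale.
        if ($smb) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        $report.Assessment += 'SMBv1 disabled; reboot to complete.'
    }

    [pscustomobject]$report
}

# Usage (report only):
Get-WannaCryExposure | Format-List
# Usage (report, then disable SMBv1):
# Get-WannaCryExposure -Remediate | Format-List
```

The script deliberately does not rely on matching KB numbers, since a Windows 10 host patched after March 2017 will carry a later cumulative update rather than the original MS17-010 KB; the driver version and the SMBv1 state are the signals that survive that supersession. Disabling SMBv1 is the compensating control Microsoft recommended alongside the patch, and it is the one that would have blunted WannaCry even on hosts that were behind on updates.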