Computer systems around the world have been impacted by the largest cyber-extortion attack in history. According to news reports, the “ransomware” attack hit more than 200,000 victims in 150 countries since it started on Friday, and the numbers continued to climb as people returned to work Monday morning. Companies and organizations in all types of industries were affected, including FedEx, hospitals in Britain’s National Health Service, automakers Renault and Nissan, Russia’s Interior Ministry and Central Bank, Germany’s national railway service, and universities and gas stations in China. No one has claimed responsibility.
The attack originated with the leak of U.S. National Security Agency hacking tools used as part of its surveillance arsenal. Microsoft released updates in March that were designed to address the issue, but many computers remained vulnerable, because either system administrators failed to apply the patch or their organizations use outdated software.
While the attack swept quickly across Asia and Europe, its momentum slowed before it caused significant damage in the United States. First, an analyst called MalwareTech discovered and implemented a temporary “kill switch” that bought more time for systems not already infected by the ransomware to be patched. Second, Microsoft released a rare emergency patch to better protect Windows XP devices, even though it officially stopped supporting XP in 2014. But the kill switch and security patch are not permanent fixes, and there are already reports that a second, more powerful version of ransomware has been released.
This update analyzes:
- How ransomware works
- How to protect your company from victimization
- Immediate steps to take if and when you are attacked
How It Works
Ransomware is a type of malware that is often transmitted by email. The malware encrypts all of the files on a computer using a key only the attacker has, and prevents the user from accessing any data unless a ransom is paid. The ransom is time-sensitive and usually requested in the digital currency bitcoin, with the amount increasing as time elapses. If the ransom is not paid before the final deadline, the data is deleted and could be lost forever.
Infection of “patient zero” machine. Generally, ransomware attacks are triggered by clicking on links or attachments to fraudulent emails. There is a high chance this attack was transmitted in this manner.
Spread of malware to other machines. Kevin Beaumont, a security architect, says that the malware spreads to unpatched machines through corporate VPNs, insecure Wi-Fi networks and other intranets.
Activation of ransomware on infected machines. Once machines are infected, the malware is activated and data is encrypted. The desktop background changes, and a window appears with instructions to recover the data. A timer is displayed, which incentivizes victims to pay quickly to avoid scheduled increases.
The ransomware used in this attack is known as WanaCryptor 2.0, or “WannaCry.” Here is a screenshot of the ransom demand:
How to Avoid Being a Victim and How to Immediately React If Attacked
We recommend that companies take the following actions:
Install all updates. As noted above, Microsoft released a security update in March and additional security patches in recent days. The company released a statement on May 12, 2017: “Those who are running Microsoft’s free antivirus software or have Windows Update enabled are protected. Given the potential impact to customers and their businesses, Microsoft released updates for Windows XP, Windows 8, and Windows Server 2003.”
Unfortunately, many companies still use old operating systems and other software that developers no longer support. Such outdated software should be replaced immediately.
Properly train employees. As the U.S. Department of Homeland Security stated on May 12, 2017: “Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school.”
- IBM estimates that ransomware is present in 40% of spam emails.
- A study done by Nuix showed that 84% of hackers utilize social engineering while carrying out their attacks. Ransomware is most commonly spread through attachments in emails (pdf, doc, etc.). Education of company personnel goes a long way toward preventing breaches.
- Do not click on unfamiliar links.
- Continually review security policies with all employees, and train employees on how to recognize and prevent phishing.
Ensure IT policies and procedures are best-in-class.
- Use daily automatic file backup and offsite storage. Automatic data backups to offsite storage areas ensure that, if devices are infected, minimal loss will occur.
- Ensure that your IT department updates spam filters and firewalls daily.
- Have a system in place for automatically updating security patches within an hour of receipt.
- Disable macros, auto-play and file-sharing in employee email settings.
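As an added example (not part of the original update), the following Python script shows the kind of attachment triage a mail gateway can apply to enforce the email and macro advice above: it parses a message and flags attachment types that commonly carry ransomware droppers. The sample message and the extension lists are constructed for illustration, not taken from the attack described.

```python
import email
from email import policy

# Attachment types that commonly carry ransomware droppers: macro-enabled
# Office documents, script files and executables (illustrative, not exhaustive).
RISKY_EXTENSIONS = {
    ".docm", ".xlsm", ".pptm", ".exe", ".scr", ".js", ".jse", ".vbs",
    ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk",
}
# Archives are flagged separately because they are often used to hide the above.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso"}

# Constructed phishing-style message: a disguised executable, a macro-enabled
# document and a benign PDF. Payloads are short placeholder bytes.
SAMPLE_EML = b"""From: "Accounts" <billing@example.invalid>
To: staff@example.invalid
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="order.docm"
Content-Disposition: attachment; filename="order.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def attachment_findings(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment the gateway should hold."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lower = name.lower()
        # Use only the final extension so "invoice.pdf.exe" is judged as .exe.
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            findings.append((name, f"executable or macro-enabled type {ext}"))
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append((name, f"archive {ext}; inspect contents before delivery"))
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """True when at least one attachment matches the blocked categories."""
    return bool(attachment_findings(raw_message))


if __name__ == "__main__":
    for filename, reason in attachment_findings(SAMPLE_EML):
        print(f"HOLD {filename}: {reason}")
```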
How to Respond If Your Company Is a Victim
- Isolate the Malware
You may be able to prevent the malware from spreading to other systems by isolating the infected machines. Disable connections between infected computers and other resources and parts of your network immediately.
- Assess Backup Resources
Determine when your last uninfected backup occurred. If you have strong backup practices, meaning that you back up frequently and your backups are not directly connected to your network, you may risk only losing a day’s work as a result of the ransomware attack.
- Initiate Your Incident Response Plan
Now is the time to use the Incident Response Plan you had the foresight to adopt. Get the right decision-makers on the field, follow your escalation plan, consult your outside vendors, activate your crisis communications, consult with outside counsel and work the problem until it is resolved.
- Contact the Authorities—But Maintain Realistic Expectations
Contact law enforcement. Hopefully, you’ve established a relationship with your local FBI or Secret Service Cyber Unit. Understand that in the event of a widespread attack the FBI may be inundated with victim complaints. Law enforcement probably won’t have the technical resources to resolve the ransom demand, but reporting demonstrates a proactive response.
If you have not identified a law enforcement point of contact in your Incident Response Plan, contact your local FBI Field Office directly (www.fbi.gov/contact-us/field provides a list of offices by geographic location) or file an online complaint with the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov. Regardless of the option you choose, be prepared to provide the following information:
- Date of infection
- Ransomware variant (identified on the ransom page or by the encrypted file extension)
- Victim company information (industry type, business size, etc.)
- How the infection occurred (link in e-mail, browsing the internet, etc.)
- Requested ransom amount
- Actor’s bitcoin wallet address (may be listed on the ransom page)
- Ransom amount paid (if any)
- Overall losses associated with a ransomware infection (including the ransom amount)
- Victim impact statement (how the attack disrupted the business, shook company morale, etc.)
Review All Potentially Relevant Sources of Insurance and Provide Prompt Notice
Ransomware may trigger many different types of coverage. A company should immediately review its entire insurance portfolio when attacked and promptly notify all potentially relevant insurance companies. Below are the insurance steps that should be taken immediately.
Step One: Assess Potential Coverage
While cyber insurance policies are the first obvious insurance policies to review, do not overlook the possibility of coverage in your company’s crime, property policies, directors’ and officers’ policies, errors and omissions policies or bundled liability policies. All of these policies may contain coverage that could be applicable to a ransomware attack.
For example, the following types of coverages may be found under multiple types of policies:
- Specific Ransomware Coverage: Commonly called “Cyber Extortion Coverage,” this coverage pays ransomware demands and expenses in addition to other extortion schemes, such as threats to conduct a denial-of-service attack or unauthorized public disclosure of stolen personal or company information. This coverage often includes reimbursement of expenses incurred in obtaining the ransom currency on short notice (bitcoin, foreign currency, etc.) and applicable legal expenses.
- Forensic Investigations Coverage: Ransomware demands may be diversions. Companies are still determining the extent of the breaches that occurred at the end of last week. Often ransomware is only the beginning, and the hackers place additional malware on the computer system at the same time. Systems need to be swept and forensic investigations are needed to determine whether data was compromised or stolen.
- Breach Response Coverage: Almost all U.S. states have breach notification laws. Since the ransomware attack may have compromised your data, if notification is required by law, breach response coverage will pay for these costs along with the cost of obtaining privacy counsel.
- Regulatory Coverage: If the ransomware attack also included a breach of sensitive data, regulatory investigations may be warranted. Regulatory coverage often includes the costs of counsel needed to respond, as well as potential coverage for fines and penalties imposed against the policyholder.
- Data Restoration Coverage: Found in multiple types of policies, this is first-party coverage companies can use if they need to recreate lost data, decrypt data or reinstall data from backup servers.
- Business Interruption Coverage: Given that ransom amounts are often low, business interruption costs regularly account for the greatest losses to the policyholder. Ransomware events result in a loss of income while the policyholder is unable to access its computer system. This downtime may be extremely costly, especially for healthcare, retail and e-commerce organizations. Business interruption coverage will pay for the loss of income and/or extra expenses needed to help restore the system, after the application of an hourly waiting period, a self-insured retention or both.
Further, depending on whether your company’s clients were affected, there may also be a case to be made for coverage under certain errors and omissions policies. Do not be discouraged when policy exclusions may initially appear to preclude coverage. The caselaw in this area is still in its infancy, and many policies contain ambiguous language that should ultimately be construed in favor of coverage. If you are unsure of whether coverage exists, you should reach out to experienced coverage counsel.
Step Two: Notify Your Insurers
Once you have reviewed your policies, provide prompt notice of claims, and determine whether to provide notice of circumstances under other policies. Your notice letters must conform to the requirements of the language in the particular insurance policy.
Further, depending on the nature of the known facts at the time of discovery, you should consider entering into nondisclosure agreements with your broker and insurance carriers that are specific to the attack. Companies should not wait until investigations are complete to provide notice. Instead, inform your insurance companies that you are still investigating and determining the facts, and update them as the investigations proceed.
Step Three: Watch Your Words
What you say to whom and how you say it, even in the initial notice letter, may make the difference between a covered and an uncovered claim. Be careful in the initial stages when characterizing your claims or discussing coverage with your insurance companies, your brokers or any outside consultants.
There are a number of issues that can significantly affect the existence or amount of an insurance recovery. For example, the coverage a claim falls under within a single policy may not be obvious initially. It may require a legal judgment that should not be made until the policyholder understands how the decision affects the amount and scope of the insurance coverage it may collect.
This could involve layers of analysis, including the law on the definition of fraud in all potentially relevant jurisdictions, the relevant deductibles, limits and sub-limits under the policies and how the investigation into the attack is developing. Outside coverage counsel can work with risk managers and in-house legal counsel to ensure that a policyholder meets its reporting obligations without compromising potential coverage. Policyholders should avoid being bullied into making premature calls.
Step Four: Select an Insurance Spokesperson
To maintain a single cohesive message with insurers and your broker, you should identify one point of contact in your company who will communicate with the insurance companies and broker, along with outside counsel, throughout the life of the claim. This is usually the risk manager or in-house counsel. In addition to carefully watching what is said to your insurance companies, this individual should also be careful when discussing coverage issues with brokers or any outside consultants. In many jurisdictions, communications with a broker or outside consultants are not subject to any privilege. Thus, any unprotected communications may be discoverable if a coverage dispute ultimately arises.
Step Five: Carefully Manage Forensic Consultants’ Scope of Work
Your forensic consultant’s scope of work should be limited to determining how the attack occurred, restoring the computer system and files, and, if applicable, how your company’s computer system was breached. If the fraud is a covered claim, these forensic costs are usually covered expenses under your insurance policy. Be careful, however, not to expand the scope of work into a full analysis of your company’s policies, procedures and security controls. The forensic reports will be discoverable in any future coverage litigation. Any expansion of the scope of work beyond the specific details of the current fraud could lead to findings by your forensic consultants that the insurance carriers may use to attempt to deny your claim or rescind your coverage.
Step Six: Demand Your Insurers Fulfill Their Coverage Obligations
Policyholders must demand that their insurance companies meet all contractual obligations. They should not accept any denial as final. Instead, a denial is often the beginning of the dance with an insurance carrier.
If policyholders eventually need to file suit or to arbitrate against their insurer, they should review the policies, and determine what steps need to be taken. Some policies contain mandatory waiting periods and mediation or arbitration prior to bringing a coverage suit. Policies also may contain suit limitation clauses that limit the policyholders’ time to bring a suit or notice arbitration.
Since ransomware is fairly new and pervasive, policyholders should determine early which potentially relevant jurisdictions may apply and whether those jurisdictions have competing caselaw. If there is competing caselaw, the insurance company may “jump” the policyholder and file a declaratory judgment action in the less favorable jurisdiction. If you determine that you may have competing caselaw, you should consider filing a declaratory judgment action against your insurance carrier to preserve the forum of your choice.
© 2017 Perkins Coie LLP