Global Ransomware Client Alert
- 1. GLOBAL RANSOMWARE ATTACKS - WANNACRY McGRIFF, SEIBELS & WILLIAMS, INC. URGENT CLIENT ALERT! TherecentglobalcyberattackusingWannaCryransomwarereminds usthatproperinformationsecurityhygieneandappropriateback-up management and software patching protocols are critical to attack prevention and loss minimization. To refresh, a ransomware attack spread throughout the world over the weekend, infecting systems in over 150 countries. The attack used software code stolen from the National Security Agency that was posted online. WHAT DOES THIS ATTACK MEAN? What is interesting about this is how different it is and the precedent it is setting. This is the second known usage of a hacking toolset leaked from the NSA in 2017. It is the first time it was used to execute this type of large scale extortion en masse. The hacking toolset was tweaked just slightly and relatively quickly. Attackers had to strike blitzkrieg-style – all at once and against many locations -sincetheywerefullyawarethatafixwouldberelativelysimple.So, itisclearthatthiswasacoordinatedandplannedevent,designedto take advantage of a hunting technique within the attack itself that is constantly looking for additional targets. That is why it propagated so quickly and why, eventually, it will reach every part of the globe. As already reported, this attack is primarily affecting Russia, Eastern Europe, UK and Taiwan, which is an incredibly interesting mix - the outliers in this initial attack were clearly Taiwan and the UK. While we cannot know for sure, this could have just been opportunistic, or possibly,agameofmisdirectionintendedtoobfuscateanyattemptat attribution. The attack itself is new and unique, but not sophisticated. Microsoft, for the most part, released a patch for this exploit one month ago. Bottom line: the attackers behind this operation developed an attack based upon new techniques disclosed in the NSA leak and they preyed upon companies and their machines that remained unpatched. In a sense, it was very avoidable. MORE ON THE “HUNTER MODULE” This is an exploitive feature that scans for any vulnerable systems within a target organization’s ecosystem. Companies that have adhered to the best patching protocols could still be accessed through connections with their supply chain and external vendors who have vulnerable devices. All the attackers need is one hook (one weak machine) and then they can swim laterally within the networktocausemaximumdamage.Asthesayinggoes,“anetwork is only as secure as the least secure network connected to it.” WHAT’S NEXT? This is just the beginning. We can assume that the attackers used this as a pilot project and that they will adapt based on what they learned with this effort. The NSA toolset that was leaked was vast and there are people analyzing these tools and working on ways to alter them slightly for their own nefarious purposes. The key will be knowledgeofthetechniquesandpersistentpatchingandupgrading worldwide. But, keep in mind, not all of the tools the NSA used involved unpatched computers - far from it. This hack was built to exploit the blind spots in traditional security. Even though responders were able to identify and activate a kill switch (safety valve) that was embedded by the attackers, this is no panacea and will be bypassed soon. Hackers have adapted based on what they learned from this past attack and we can expect the next wave within 24 hours. Plus, you should note that corporations do not benefit from the kill switch since it takes advantage of a network protocol that most large corporations do not use. In other words, private citizens are currently safer but companies must be hyper-vigilant.
- 2. In collaboration with our external cyber security advisors, please review the following tips carefully with your Incident Response Team (IRT) One Premier Plaza, Suite 500 | 5605 Glenridge Drive | Atlanta, GA 30342 (800) 476-2541 | (404) 497-7500 | www.mcgriff.com ©2017 McGriff, Seibels & Williams, Inc. McGRIFF, SEIBELS & WILLIAMS, INC. Timely patching is a must. Do not leave it up to a third partyanddonotputitonadelayedschedule.Malicious actors conducting pre-attack surveillance can very easily determine patch state of hardware and software as well as exposed TCP/IP protocols such as Port 445. Back-ups will be critical to your survival – prioritize data and systems that must be redundant for your business needs and for compliance with legal and regulatory duties around the protection of the data of your clients, patients, customers and employees. Ensure that legacy preventative controls such as anti-virus and firewalls are deployed and properly configured. Audit and reduce privileged account holders to only those necessary. Sunset (retire) outdated equipment and software – if you do not maintain it, get rid of it. And, if the vendor no longer supports it, upgrade to a higher version immediately. Take out of use equipment offline – disconnect and/or shutdown machines that are no longer in use. Conduct targeted susceptibility training with your employees (i.e. spear phishing tests) and incorporate awareness methodologies into the training curriculum so that employees are kept updated on current and emerging threats. Manage your supply chain, hold them to the highest informationsecuritystandardsandauditthemregularly. Be diligent in your threat awareness and continually update your Incident Response Team. 1 6 7 8 9 2 3 4 5 KNOW YOUR INSURANCE POLICY • Check your K&R policy for possible coverage; note deductibles (maybe none?) and policy limits available for ransomware events (sub-limits?); review and advise internal resources what the event notice obligations are and whether you will have access to cyber security specialists provided by your insurer; • Check your cyber policy for reporting obligations, policy limit and retention; verify whether you must have insurer consent prior to engaging any cyber security resources; discuss with your internal resources whether you want to use insurer pre-approved vendors or if you would retain your own specialists; seek and obtain insurer consent to use your own vendors prior to any event; make certain your IRT fully understands insurance policy requirements and seeks Risk Management advice immediately upon detection of any suspected or actual cyber incident. • Many cyber policies contain exclusions or coverage limitations for losses arising out of the “failure to maintain minimum security standards” or “failure to patch or remediate software errors or vulnerabilities”. Talk to your broker and check your policy wording; ideally, it’s best to not have these exclusions or to secure a carve-back for otherwise covered loss (i.e. limit exclusion to the costs to patch or remediate). THE THREAT CONTINUES According to our threat monitoring experts, current sensors are showing more than 1.5 million machines worldwide that are still vulnerable to this attack (unless they have been patched properly in the last 24-48 hours). Beware that once the hackers relaunch and remove the kill switch, all 1.5 million (or the remaining machines that have not been patched) could, in theory, become infected.