Data Protection Report - Norton Rose Fulbright

In this post, we summarize key facts regarding the WannaCry ransomware attack, provide an abbreviated list of known affected companies, and offer an overview of the legal issues and the response to the attack. This post is an update to our prior coverage of WannaCry.

Key Facts

  • WannaCry is “ransomware” designed to spread quickly among computers on the same network, and encrypt files using strong encryption, enabling perpetrators to demand ransom from users to then decrypt the files.
  • WannaCry is effective against computers with Microsoft Windows that do not have a security patch (patch “MS17-010”) that Microsoft issued in March 2017. The Microsoft Windows vulnerability that WannaCry exploits – EternalBlue – was discovered by the NSA.  The NSA developed it as an exploit to enable surveillance. This NSA hacking “tool” was stolen and released publicly on WikiLeaks earlier in 2017.
  • These Microsoft Windows vulnerabilities – if unpatched – allow WannaCry code to spread quickly on computers that have not applied the security update. Once the vulnerability is exploited, the ransomware remotely accesses relevant computers and installs encryption software.  WannaCry is able to find additional computers in the same network to infect by identifying and exploiting file-sharing arrangements a particular computer might have.
  • After files are encrypted WannaCry demands ransom in the form of relatively small amounts of Bitcoin ($300-$600 per affected computer) to unlock the files.
  • The ransomware is also understood to include additional malware (known as DoublePulsar), which allows hackers a “backdoor” to later gain further access to infected systems.
  • WannaCry attacks were first recorded in Europe at 3:24 am EDT on the morning of Friday, May 12, 2017. Using social engineering, hackers embedded the WannaCry virus in .zip files sent to users as an email attachment.
  • On Friday, May 12, 2017, a security researcher in London identified and purchased the domain of the web address where the first WannaCry strain was attempting to communicate. This effectively stopped the first attack, however over the weekend, hackers developed several additional strains.  Some of these later versions did not have the “kill switch” requiring communication with a web address. These new strains exploit the same Windows vulnerability as the initial strain of WannaCry, but cannot be disabled as easily.

Known Affected Companies

As of the morning of May 17, 2017, WannaCry has affected at least 100,000 organizations in 150 countries. The following represents an abbreviated list of these companies:

Energy Companies

  • West Bengal State Electricity Distribution Company: The Indian state power distribution company confirmed that WannaCry infections had been detected at four of its offices.
  • Iberdrola: Spanish electric utility Iberdola reported infection after the utility shut down various systems in order to respond to the attack.
  • Petrobras: State-owned Brazilian oil company Petrobras, along with Brazil’s Foreign Ministry and the social security system, reportedly turned off its computers as a precaution to respond.
  • Gas Natural: Spanish natural gas firm reportedly infected; staff urged to turn off their computers.
  • PetroChina gas stations: Customers were forced to pay cash at Chinese gas stations after payment systems went down.

Other Utilities

  • Telefonica: The largest Spanish telecommunications firm was the first company to report an attack. The company’s headquarters in Brazil were affected.
  • Portugal Telecom: The firm acknowledged being hit by the attack but said it has managed to contain the ransomware from spreading.
  • MegaFon: Largest Russian telecommunications firm MegaFon confirmed infection.
  • Telenor Hungary: Hungarian telecommunications provider affected.

US & Global Companies

  • FedEx: FedEx announced it had been hit on Friday, and apologized to customers whose packages may be delayed.
  • Renault: French automobile maker Renault was forced to halt production at sites in France and its factory in Slovenia as part of measures to stop the spread of the virus.
  • Nissan: The firm’s manufacturing plant in Sunderland, northeast England, was affected.

Other Companies

  • Deutsche Bahn: German train operator Deutsche Bahn was affected, and travelers tweeted pictures of hijacked departure boards showing the ransom demand instead of train times. The company did not shut down, and reported that trains were running as normal.
  • Russian Railways: The ransomware infected Russian Railways’ IT systems. The organization said that they were working to eliminate the threat and upgrade their anti-virus protections.
  • Sberbank: Russia’s largest lender reported infection but also stated that they defended against the attack.
  • Bank Of China: Bank of China ATMs across China malfunctioned, displaying the WannaCry ransom demand on machines.
  • Singapore malls: Display boards of Tiong Bahru Plaza and White Sands showed the ransomware message.
  • Sandvik: Swedish IT firm Sandvik reported various computers in administration and production being infected.

Governmental Entities & Offices

  • NHS: Hundreds of clinics and hospitals across UK were forced to cancel or delay surgeries and X-rays, and medical services were reduced following a massive outage from the attacks.
  • Russian Interior Ministry: Reported that ransomware had occurred, but the scope of the attack is unclear. One spokesperson reported that around 1,000 computers had been affected.
  • Andhra Pradesh (Indian police): State police reported being locked out of their systems in as many as 18 different police units.
  • Chinese traffic police, immigration and public security bureaus: Agencies reported that they had shut down many of their systems in order to respond to the attack.
  • Brazil Foreign Ministry, social security systems and court systems: Brazil’s social security systems were affected, and the organization was forced to disconnect computers and cancel public access to the agency. The Foreign Ministry also reportedly shut down computers as a precaution, and various court system computers were infected.
  • Russia Central Bank: The bank said they detected the ransomware but had successfully thwarted the attack.

Legal Issues and Response

  • Organizations responding to this attack thus far appear to be viewing it as an IT/technical issue, not yet a legal one. Some companies have retained forensic firms to assist in responding and remediating their systems. There have not yet been reports of any exfiltration capabilities associated with this strain of ransomware.
  • In the short term, potential legal liability may stem from data integrity and data availability risks and resulting business interruption (e.g., not having the necessary data to continue manufacturing or other industrial operations, perform surgeries or otherwise service customers), or inability to comply with legal or other obligations (e.g., a hospital’s inability to substantiate medical procedures or obtain payment for procedures, or an employer’s inability to pay employees).
  • To the extent the attack includes the installation of back doors that may allow for broader unauthorized access to systems, personal and confidential information may be exposed, which could lead to compliance obligations, regulatory scrutiny and litigation risk.  Moreover, at least one regulator – the U.S. Department of Health and Human Services –  has indicated that the encryption of personal information itself could be a form of “unauthorized acquisition” (i.e., a “security breach”), which could trigger legal obligations (e.g. breach notification).
  • In the long term, affected companies may face regulatory action and shareholder and director suits on allegations of having failed to maintain up to date security on their systems, and failure to disclose the resulting risks.  The viability of such investigations and suits will depend on the ultimate financial (or bodily injury) impact of the attack on business operations.
  • Moreover, for publicly-traded companies, based on SEC guidance on cyber security, to the extent that this attack poses a material financial risk to companies, or if companies are vulnerable to a similar attack that could have a material financial impact, it may be necessary to make certain cyber-related disclosures in the companies’ financial statements.
  • Beyond addressing the specific threat, WannaCry is another indicator of the connection between cybersecurity and business operations. Experts are expecting additional,  similar, and more severe attacks to follow WannaCry.

Norton Rose Fulbright’s global data protection team is available to assist companies that believe they may be subject to a ransomware attack and to help companies prepare to guard against ransomware attacks. For more information, please visit our website.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.