In one of the most dramatic and widespread cyber attacks to date, on Friday 12 May 2017, a worldwide ransomware attack known as "WannaCrypt" or "WannaCry" began infecting hundreds of thousands of computers in over 150 countries. Starting in the UK and Spain, critical infrastructure operators around the world including those in the health, transport, finance, telecoms and energy sectors, as well as manufacturers and service providers were affected.
The attack utilises the "EternalBlue" exploit – rumoured to have been created or discovered by the United States' National Security Agency – which was leaked into the public domain earlier this year by the Shadow Brokers hacker group. Following the publication of the exploit, Microsoft, in March 2017, released a security patch addressing the vulnerability for the latest versions of its Windows operating systems. However, many organisations, including the UK's National Health Service, either did not apply the patch or were running older and unsupported versions of the Windows operating systems (for which no patch was available) and so were still vulnerable. On 13 May 2017, in an attempt to slow the spread of the malware and prevent future variants, Microsoft took the unusual step of releasing security updates for certain of its older and now unsupported versions of Windows (including Windows XP and Windows 8).
The malware works by first encrypting a user's files (so that they are not accessible without a unique cryptographic key), before then providing the user with an on screen prompt which includes: a ransom demand, a countdown timer and Bitcoin wallet into which to pay the ransom – Bitcoin, the cryptocurrency, was chosen for the ransom demand currency in order to help WannaCry's authors remain anonymous. To recover access to their computers and files, targets were prompted to pay the equivalent of $300 within 3 days or $600 within 7 days, failing which the files would supposedly be deleted. Of course, even if the ransom is paid, there is no guarantee that the hackers will provide the payor with the unique decryption key. The UK Nation Crime Agency's unwavering advice to the public is that affected individuals should not pay any such ransom. Notwithstanding the above, the attacker(s) is/are still thought to have received over $70,000 in Bitcoin payments within the first week of the initial attack.
It is still unclear exactly how the WannaCry malware infected the first machine, but the most likely methods are considered to be either via a phishing email or attachment, or via a Windows system with an exposed and unpatched implementation of the Server Message Block ("SMB") protocol (SMB being the Windows network file sharing protocol and the vector which EternalBlue and WannaCry exploit). Once a computer is infected, in addition to the encryption and blackmail steps referred to above, the malware scans for and spreads from machine to machine via other unpatched implementations of SMB – all with no user interaction required. As with most forms of ransomware attack, WannaCry is not believed to access personal data.
The European Union Agency for Network and Information Security ("ENISA") and several European Member States have worked together since the attack began to assess the situation from a European perspective. A dedicated team was set up at ENISA to support the first ever case of cyber cooperation at the European level. The EU Standard Operating Procedures (developed by ENISA and Members States to manage multinational cyber crises) are currently being used to this end.
In light of the WannaCry incident, it is unsurprising that on 19 June 2017 the Council of the EU issued a press release confirming that it has agreed to develop a framework for a joint EU diplomatic response to malicious cyber activities, the cyber diplomacy toolbox. The press release refers to the "continuously evolving challenges for EU external action" and states that such a framework would form part of the EU's approach to cyber diplomacy, which contributes to conflict prevention, the mitigation of cybersecurity threats and greater stability in international relations. The framework is expected to further encourage cooperation, facilitate mitigation of immediate and long-term threats and influence the behaviour of potential aggressors in the long term. The framework is expected to be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.
The incident also places the spotlight firmly back on the forthcoming EU Network and Information Security Directive (known as the "Cyber Security Directive") which intends to provide legal measures to boost the overall level of cybersecurity in the EU, by ensuring:
- cooperation among Member States;
- Member States are adequately equipped to respond to cyber threats for example via a Computer Security Incident Response Team and a national authority; and
- a culture of cyber security, with particular obligations placed on operators of essential services and key digital service providers.
Meanwhile, in the US, the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (which was signed by President Trump the day before the attack) also marks a further positive first step in the continued battle against cyber attacks and the need for coordinated cross border response efforts (refer to the related article below).
The "WannaCry" attack is "easily the biggest and most complex cyber incident the NCSC has had to manage so far" according to Alex Dewdney, the director for engagement and advice at the National Cyber Security Centre ("NCSC"). He went on to comment that, whilst unwelcome, "if you wanted to mount a national communications programme to make people sit up and take notice, you couldn’t have designed one better than this".
The NCSC was set up to help protect critical services in the UK from cyber attacks, manage major incidents and improve the underlying security of the UK internet through technological improvement and advice to citizens and organisations. In light of the attack, the NCSC has reemphasised the importance of following its guidance (first published last year) on how organisations can help to protect themselves from ransomware attacks. As expected the NCSC guidance states that deploying patches to operating systems, web browsers, browser plug-ins and applications is one of the most effective ways of preventing systems being compromised.
The healthcare sector ought to have been aware of the vulnerabilities in the IT systems that support the sector, as these were also highlighted by separate attacks which took place last year and exploited the out-of-date legacy IT systems for an NHS Trust Foundation (see our previous e-bulletin here).
The National Cyber Security Centre guidance can be found here.
The Council of the EU's press release on 19 June 2017 can be found here.
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London
Key contacts
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.