Over the weekend an unprecedented ransomware attack spread malicious software known as 'WannaCry' around the world. Britain's National Health Service was one of the more high-profile victims, with the service forced to cancel surgery, close emergency rooms and divert ambulances as a result of the attack. And while a British-based, self-confessed 'accidental hero' managed to halt the spread of the WannaCry virus, and Australia appears to have escaped the worst of the fallout, the consequences for business, government and individuals are far from complete, with the Australian Prime Minister's cyber security expert warning 'this is not game over'.
Computers have been affected globally by a form of ransomware known as the WannaCry virus. Ransomware is a type of software that restricts access to affected computer systems and demands that a ransom be paid in order for the restrictions to be removed. The WannaCry virus works by encrypting files, then presents the user with a prompt including a ransom demand, a countdown timer and a bitcoin wallet address to which the ransom is to be paid.
As we've said before, cyber risk is no longer the domain of the IT department. Given the potential scale and severity of damage to organisations as a result of a cyber incident, the issue has been elevated beyond the realm of IT alone to an enterprise-wide risk requiring appropriate board and management oversight.
Organisations should work closely with their IT departments to ensure that critical data, systems and services are protected from ransomware attacks. While investigations into the cause of WannaCry are ongoing, it appears the virus may have been caused by self-replicating software exploiting known vulnerabilities in Microsoft Windows. The Australian Cyber Security Centre (ACSC) recommends that Australian organisations:
The ACSC has confirmed that organisations already implementing the Australian Signals Directorate (ASD) Essential Eight mitigation strategies are not affected by WannaCry. Organisations that are not already implementing the ASD's mitigation strategies should review that decision with their IT department in the aftermath of this latest threat.
You can find the ACSC's full alert here. Australian businesses may prefer to contact CERT Australia, the national computer emergency response team and part of the ACSC, directly on its hotline number 1300 172 499.
While the mandatory notification of eligible data breaches will not commence until 23 February next year, the OAIC encourages the voluntary notification of data breaches to the Office of the Australian Information Commissioner (OAIC) and to affected individuals where there is a real risk of serious harm, as part of organisations' ongoing compliance with their data security obligations under the Privacy Act 1988 (Cth) (Privacy Act). These obligations include putting in place reasonable security safeguards and taking reasonable steps to protect personal information held from misuse, interference and loss, and from unauthorised access, modification and disclosure.
While the encryption of data by ransomware is caught by the obligation to put in place reasonable security safeguards, generally the balance will not be tipped in favour of voluntary notification following a ransomware attack such as the WannaCry virus, as there is generally no evidence of a real risk of serious harm to affected individuals. This is because the data is encrypted, not stolen. Obviously, organisations subject to the Privacy Act, or to other specific laws relating to the protection of data, should closely monitor developments and seek legal advice if in any doubt about their regulatory obligations.
There are a number of issues at play here. The Australian Prime Minister's cyber security advisor, Alistair MacGibbon, has cautioned against paying the ransom before exploring opportunities to regain access to compromised data. Security experts generally advise against the payment of a ransom, as doing so may encourage criminal organisations and individuals to perpetrate future attacks. Further, if an organisation has backed up its critical data appropriately, it should generally be possible to restore access to the data without paying a ransom.
There are also legal considerations relevant to the payment of ransoms. Australian organisations and individuals may face criminal penalties for providing financial support to terrorist organisations or infringing sanctions regimes. It is possible that the payment of a ransom in the context of an extortion threat may contravene Commonwealth legislation governing sanctions regimes and criminalising the financing of terrorist organisations. Organisations affected by ransomware should therefore seek advice before making any ransom payment.
This is a timely opportunity for organisations to update existing policies in relation to email and internet usage, password protection and the use of mobile devices, and to remind all users of the risks of opening email attachments received from unknown or suspicious sources. Organisations should also revisit their cyber incident response plans in the aftermath of WannaCry.
If an organisation has taken out cyber risk insurance and is impacted by WannaCry, it should review the policy wording and schedule with its broker and determine whether a notification should be made.
There is no obligation on the part of organisations to involve law enforcement, such as the Australian Federal Police (AFP). Instead, Australian organisations are encouraged to contact the ACSC in the first instance.
For more tips on improving your organisation's cyber resilience in the aftermath of this latest development, download MinterEllison's latest cyber security survey report: Perspectives on Cyber Risk 2017.