The global ransomware event, called WCry, WannaCry or WannaCrypt, is a wake-up call for governments and business alike, but it is unlikely to be the last large scale cyber attack.
On May 12, the first news of the attack broke when hospitals and doctors in the UK reported being locked out of files, causing some to cancel operations and close accident and emergency departments. However, it soon became evident that the attack was global, affecting a wide range of industries and public sector organizations.
The ransomware caused widespread disruption, from petrol stations in China, to car manufacturing plants in Europe, rail operators in Germany, telecoms companies in Spain, electronics firms in Japan, and cancer hospitals in Indonesia. Kaspersky Lab counted 45,000 attacks by WannaCry, which targets a vulnerability in unpatched and older versions of Windows, in 74 countries in just the first day. It is now thought to have infected more than 300,000 computers in 150 countries.
The scale of the attack and the rapid spread of the ransomware were “unprecedented” according to Europol. Cyber security firm Symantec said that it had blocked some 22 million attempted WannaCry ransomware attacks globally, making the attack the largest of its kind.
While unprecedented, the WannaCry attack was, however, not unexpected, and can be seen as part of the evolving global cyber threat landscape, which has seen a broadening of attack methods and targets in recent years.
The global ransomware attack underscores the potentially widespread impact of a single cyber vulnerability, as well as the threat of a catastrophic or systemic cyber attack.
According to catastrophe modelling firm RMS, the WannaCry attack was arguably the first ever cyber-catastrophe, clearly demonstrating the systemic nature of cyber risk. But there are many other scenarios that would cause widespread disruption and economic damage. The Cambridge Centre for Risk Studies (CCRS) ran a scenario stress test that envisages malicious interference with updates to a popular brand of database software. The total predicted losses to global GDP output over a five-year period ranged from USD 4.5 trillion to USD 15 trillion.
Other potential catastrophic cyber scenarios include an attack against a major internet infrastructure service provider, cloud service provider or a key payment processing company. In one scenario developed by CCRS and Lloyd’s, a cyber attack on the US electric grid was estimated to cause USD 1 trillion in economic damage and USD 70 billion in insurance claims.
Security experts have also warned that the WannaCry attack may not yet be over. Cyber criminals may yet adapt the malware or use the vulnerability in new attacks.
The ransomware uses a vulnerability called EternalBlue, which was stolen from the US National Security Agency (NSA) by a cyber crime group known as the “Shadow Brokers”. That group threatened to release other vulnerabilities from the NSA on a regular basis.
Cyber security firms have already identified another attack using vulnerabilities released by the Shadow Brokers. The cryptocurrency miner Adylkuzz also uses EternalBlue and is potentially larger than the WannaCry attack, although so far less disruptive.
Cyber insurance policies will respond to ransomware attacks, and depending on policy wordings will pay ransoms, as well as the cost of the breach response, data loss and business interruption. However, many cyber policies require companies to maintain regular updates.
It is still too early to count the cost of the WannaCry attack, and the true cost will probably never be known. Though insurance claims are not expected to be catastrophic, the attack will be seen as a test for this relatively young market.
The impact on the insurance industry is also likely to be limited by the global nature of the attack. Cyber insurance uptake is highest in the US, which accounts for as much as 90% of policies.
Most businesses outside the US do not yet purchase cyber insurance, and Europe has been slow to catch on. But this is changing. Tougher data protection laws, such as the EU’s General Data Protection Regulation and Australia’s mandatory breach notification laws, are expected to drive demand.
WannaCry is also likely to raise awareness and drive increased demand for cyber insurance outside the US, and not just from companies holding large amounts of personal data.
WannaCry showed just how vulnerable all companies are to a widespread cyber event. The attack saw manufacturers in Europe shut down production lines as they sought to fight off the attack, while a coal port in New Zealand temporarily closed to upgrade its systems.
WannaCry is a salient reminder of the consequences of not taking cyber security seriously. According to Verizon, despite the prevalence of ransomware, many organizations still rely on out-of-date security solutions and aren’t investing in security precautions.
The chief of Europol, Rob Wainwright, noted that companies with robust cyber security, such as banks, appear to have been largely unaffected. He said that other sectors, such as healthcare, should “sit up and take notice” and follow the example of the banking sector, which has learned from painful experiences how costly cyber incidents can be.
Yet saying that companies should “just patch” and avoid this sort of incident is perhaps overly simplistic. There are myriad reasons, particularly in industries reliant on legacy systems and internally developed software, why simply applying a patch isn’t feasible. However, this underlines the importance of taking mitigating steps when a patch can’t be applied; in this case, disabling the feature where the vulnerability lies. As cyber criminals become more sophisticated, organizations must protect themselves against threats and update their systems.
For further information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services on ClientFirst@jltcanada.com