Cyber-lawyer explains ransomware attacks, what businesses can do to avoid them

Anjalee Khemlani//May 15, 2017

The threat of WannaCry, the ransomware that was slated to wreak havoc over the past weekend, seems to have subsided. It would have been worse if not for a 22-year-old in the U.K. who accidentally found the “kill switch” Friday.

But companies remain vigilant and more alert than ever before about the realities of cyberthreats, especially ones that can sneak into a system without the accidental clicking of a dirty link.

Peter Fu, an associate in Atlantic City-based Cooper Levenson’s cyber risk management practice group, spoke with NJBIZ about the steps taken since last week as well as what companies can do moving forward to protect themselves.

NJBIZ: What should companies know about the way this malware spread?

Peter Fu: Because of the way this malware works, people working from home were more likely the source of infecting the professional server. Even though the security construct of an enterprise server may not be fully upgraded and updated, they usually have strong firewalls. The tech side of this malware is interesting. It almost passes off like an electronic cough. Normally, when you get malware on your device, you have to actively download it through clicking a link or in an email. (WannaCry) spreads through your system simply by being hooked up to the network.

NJBIZ: Why was this so successful in targeting major corporations and government entities?

PF: It had to be written by someone who came from the tech services or customer support services or something like that, because they leveraged against knowledge that most people don’t know. When you are dealing with an enterprise (business) structure, there is a gap between when a critical update is rolled out and when it reaches devices (on the network). It takes a couple of days or a week or maybe even a month for your huge organization or health care system to have all its devices updated or upgraded or patched. This bug … targeted enterprise organizations knowing it takes that time to upgrade.

NJBIZ: Who is most at risk for something like this?

PF: In order for something like this to succeed, you would have to know that the organizations you are targeting aren’t patched up with regards to security. Unfortunately, those organizations are usually the biggest ones. The bigger you get, the more complicated it is to push that update to everyone’s devices.

NJBIZ: What makes it complicated?

PF: If the infrastructure is set up so that the IT department can’t automatically update or upgrade the system for users, they are relying on users to do it upon notification (or through an email). If those individuals keep hitting ignore … it might be too late.

NJBIZ: What is the legal world doing in light of the threat of WannaCry?

PF: We are going to have to walk people through the regulatory disclosure process. Under New Jersey law, anytime personally identifiable information is released, you’re supposed to make a disclosure to the state police. Realistically, it is going to be hard for the state police to track down whoever did this, because they are already inundated with volume, and adding more complexity with cases like this can make the process even longer. Also (we advise) putting your insurance carrier on notice to see if the company can be reimbursed if it pays for the release of the data. But there should be a cost-benefit analysis (of paying versus using a forensics specialist). We don’t ever recommend customers pay the ransom, because there is no guarantee the information will be released after payment. Insurance companies don’t always hold the companies harmless, so that is a battle affected companies may face. Getting an independent panel, if you can afford it, is the way to go. For cybersecurity firms, local is better, because you will have a face and a name.

NJBIZ: Reports show the situation is dying down. Should companies still stay alert?

PF: There is some evidence that there are already offshoots of WannaCry. The evolutions of malware come from copycats or could even be (part of the) plan of the attack. Unless you identify which version you were attacked by, you can’t determine if you need to make the disclosure (to officials) or not. The reason why this whole thing is slowly developing is there may not be a release of the information. What is happening is (for WannaCry, not an offshoot) they are encrypting the data so you can’t access it until you pay the ransom … there is no transfer of the data.

NJBIZ: What lesson can be learned here for companies with in-house IT?

PF: In the fallout of people who get infected by this malware, there is going to be a trigger reaction to blame your tech guys for not ensuring the enterprise security was up to date. That reaction is not wholly inappropriate, but it’s not helpful. Everyone who you hire in your tech support team, they are hired to make sure your systems are operating on a day-to-day basis. They are the equivalent of hiring front door security for your building, who makes sure people coming in and out are legit, but in the event your company gets held up, your phone call isn’t to the front doorman, it’s to the police. If people do want to prevent these attacks in the future, they really are going to have to fund their tech shops.