Aon Risk Solutions
Professional Risk Solutions | Financial Services Group
Client Alert: More Cyber Ransomware
We’re here to empower results
Kevin Kalinich, Global Practice Leader, 312.281.4203, Kevin.Kalinich@aon.com
Christian Hoffman, National Practice Leader, 212.441.2263, Christian.Hoffman@aon.com
Stephanie Snyder, National Sales Leader, 312.381.5078, Stephanie.Snyder@aon.com
Rocco Grillo, Cyber Resilience Leader, Stroz Friedberg, 347.466.0832, rgrillo@strozfriedberg.com
Simon Viney, Vice President, Stroz Friedberg, 44 20.7061.2286
www.aon.com
Worldwide WannaCry GoldenEye / Petya Variant Attack Requires Continued Enterprise Vigilance
What Happened?
On June 27, 2017, a widespread ransomware outbreak, referred to by a number of names including GoldenEye, Petya, NotPetya, and ExPetr, began impacting computer systems around the world. As in the May 2017 WannaCry attack, it spreads over the EternalBlue SMB vulnerability, and victims are asked to pay a ransom of $300 in bitcoin.
According to new research from Lloyd’s, released June 28, 2017, organizations could face a much higher bill than they expect, or are prepared for, after falling victim to a cyber-attack like this, especially if aggregated losses impact reinsurance coverage and pricing. Inga Beale, CEO of Lloyd’s, said:
“The reputational fallout from a cyber breach is what kills modern businesses. And in a world where the threat from cyber-crime is when, not if, the idea of simply hoping it won’t happen to you isn’t tenable. To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimize reputational harm and arrange cyber insurance to ensure that the risks are adequately covered. By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimize the immediate costs and their exposure to subsequent slow burn costs.”
The Lloyd’s report is apt considering that some of the world’s largest companies, including WPP, Rosneft, Merck and AP Moller-Maersk, were hit by this latest attack, which also took critical government and bank infrastructure in Ukraine offline, according to the Financial Times.
What Is this Ransomware?
The malware used in this campaign is derived from a family of ransomware whose primary function is not to encrypt individual files; instead it installs a bespoke bootloader that encrypts the Master File Table (MFT). Once the MFT is encrypted, the machine can no longer boot into the Windows operating system when the victim restarts it. Later members of the family add a module called Mischa that encrypts files when the MFT encryption cannot be carried out.
The latest research on the ransomware used in yesterday’s campaign shows that, although it shares some code with prior iterations, there are also significant differences. In particular, prior iterations use a different code base for the initial dropper and lack the Mischa-style component that encrypts files.
This variant is designed to spread very quickly through an organization’s network once the initial infection has taken place; your organization’s files can be permanently encrypted if safeguards are not put in place immediately.
For Risk Managers - From an Insurance Standpoint:
• Aon is assisting clients with the May 2017 WannaCry incident and can assist you with the June 27, 2017 incident with policy coverage/gap analysis, insurance collection, remediation and preparation for the next incident.
• Cyber ransom coverage, in this case to address ransom demands of $300 (to be paid in Bitcoin), can be included in many cyber insurance policies, subject to the following:
– Most policies have a self-insured retention or deductible greater than $300, so the payment itself would likely NOT be covered.
– If the cyber ransom payment is covered by the cyber policy, most policies require that the insurer be notified PRIOR to the ransom payment (“Notice Clause”) or the ransom may be excluded from coverage.
– If the cyber ransom payment is below the deductible, the insured likely must still engage the cyber insurer to comply with the “Notice” and/or “Cooperation” clauses.
– As a general matter, a Cooperation Clause requires the insured to involve the insurer in certain decisions that could impact insurance coverage. Failure to comply could result in a subsequent multi-million dollar business interruption, forensics or liability claim being DENIED because notice was not given, or the Cooperation Clause was not followed, for the ransomware payment (in this case, $300).
– Aside from the ransom itself, the larger financial statement issues are business interruption, forensics costs, lost productivity and potential third party liability, which could include wrongful death actions in the Healthcare, Utility / Energy / Power, and Transportation industries where systems are connected to the Internet of Things.
– Coverage for cyber extortion may not include coverage for business interruption or forensics, as these may be separate coverages with separate coverage grants.
– Many insurers have “failure to patch” exclusions, which potentially exclude coverage for certain damages where the vulnerability had been previously identified and not patched.
– A majority of insurers exclude coverage for pirated software implementations. One likely reason for the disproportionate impact on computer systems in Russia, former Soviet republics, China, and other Asian countries is the purported high incidence of pirated software, which is not supported by the software vendor.
– Some cyber policies exclude cyber terrorism and cyber war, depending upon the specific policy wording.
– Some cyber policies require the insured to contact law enforcement to obtain approval to pay the cyber ransom.
– Coverage could potentially be afforded via third party liability coverage under Professional Liability and/or General Liability policies.
– There could be potential business interruption and forensics coverage under Property policies.
– There could be potential cyber ransom coverage under Kidnap and Ransom policies, which may include a $0 deductible feature.
– Affected organizations should immediately review each of the policies mentioned above, as well as their Directors and Officers, Terrorism, and Crime policies.
For CISOs and Technical Leaders - From a Technical Standpoint:
• Coordinate efforts between the Risk Management and Technical teams before taking any action. Understanding whether your organization has a cyber liability policy and, if so, what the requirements are for coverage is critical. Mitigating efforts (however well meaning) taken by the technical team in particular could impact the Risk Manager’s ability to recover financial loss through insurance.
• It is highly unlikely that files can be recovered by paying the ransom, as the email address victims are told to contact has been blocked by its email provider.
• Blocking the attack vector (the EternalBlue SMB vulnerability) should be a top priority. Steps to mitigate include:
– Ensure your organization has applied all current patches addressing the SMB server vulnerabilities. Both physical patching and virtual patching (blocking the exploit traffic at the network layer) are readily available.
– If patching is not possible, segregate machines that cannot be patched or block access to the SMB ports on those machines (TCP/445 and TCP/139 in particular). These ports should also be blocked at the perimeter firewall and on any device that accepts inbound network traffic.
– After the initial infection, this ransomware variant waits approximately one hour before rebooting to start the MFT encryption. Shutting down infected machines before that reboot may prevent the boot-time encryption from running; the disk can then be examined from a LiveCD or another machine to attempt to recover files.
– Disable the Windows Management Instrumentation Command-line utility (WMIC), which this variant uses to run itself on other hosts.
– Ensure local end points do not have administrative privileges, and restrict non-critical administrative access until additional mitigating steps have been taken.
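The checks above are quick to script. The following is an added example, not code from Aon or Stroz Friedberg: a report-first PowerShell script that tells you whether a host carries an MS17-010 patch, whether the SMBv1 server is still enabled, whether a scheduled task will run shutdown.exe (the delayed reboot described above), who sits in the local Administrators group, and whether an inbound block for TCP 139/445 exists. It only changes anything when run with -Remediate, so the technical team can gather facts before the Risk Manager is consulted. Assumptions not taken from this alert: the KB list (security-only and rollup updates carrying the MS17-010 fix; later Windows 10 cumulative updates supersede the ones listed), the firewall rule name, and that the reboot is driven by a scheduled task. It needs an elevated PowerShell 5.1 session on Windows 8.1/Server 2012 R2 or later, where the NetSecurity and ScheduledTasks cmdlets exist.

```powershell
<#
  Added example (not part of the Aon/Stroz Friedberg alert).
  Usage:  .\Check-Ms17010Host.ps1             # report only
          .\Check-Ms17010Host.ps1 -Remediate  # also block inbound TCP 139/445 and abort a pending reboot
#>
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Assumed (not from the alert): KBs that ship the MS17-010 SMBv1 fix. Windows 10 cumulative
# updates supersede the ones listed, so "none" there means "check the build", not "unpatched".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # XP / Server 2003 / Vista / Server 2008 (out-of-band)
)
$RuleName = 'Block inbound SMB (TCP 139/445) - ransomware response'   # assumed rule name

function Test-Ms17010Installed {
    # Returns the listed KBs that are present on this host (empty array if none).
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    @($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Get-Smb1Status {
    # $true if the SMBv1 server is enabled. EternalBlue targets the SMBv1 code path,
    # so disabling it removes the attack vector even on an unpatched host.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Fallback when the SmbShare module is absent: LanmanServer\Parameters\SMB1 (missing = enabled).
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    return ($null -eq $p.SMB1 -or $p.SMB1 -ne 0)
}

function Get-PendingShutdownTasks {
    # Scheduled tasks whose action runs shutdown.exe. The ~1 hour delay before reboot in the
    # alert is what such a task would produce (the task mechanism itself is an assumption here).
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'shutdown(\.exe)?"?$' }
    }
}

function Get-LocalAdmins {
    # Members of the local Administrators group; ordinary user accounts here contradict the advice above.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

# ---- Report ----
$kbs   = Test-Ms17010Installed
$tasks = @(Get-PendingShutdownTasks)
Write-Host ("MS17-010 KBs found        : " + $(if ($kbs.Count)   { $kbs -join ', ' }            else { 'none' }))
Write-Host ("SMBv1 server enabled      : " + (Get-Smb1Status))
Write-Host ("Scheduled shutdown tasks  : " + $(if ($tasks.Count) { $tasks.TaskName -join ', ' } else { 'none' }))
Write-Host ("Local Administrators      : " + ((Get-LocalAdmins) -join ', '))
Write-Host ("Inbound SMB block present : " + [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue))

# ---- Optional remediation (coordinate with Risk Management first, as the alert advises) ----
if ($Remediate) {
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
        Write-Host "Added inbound block for TCP 139/445."
    }
    if ($tasks.Count) {
        # Disable the task(s) and cancel a shutdown that is already counting down.
        $tasks | Disable-ScheduledTask | Out-Null
        shutdown.exe /a 2>$null
        Write-Host "Disabled shutdown task(s) and aborted any pending shutdown."
    }
}
```

The firewall rule is a stopgap for hosts that cannot be patched; it does not replace applying MS17-010, and blocking 445 on a file server will cut off legitimate SMB clients, which is why the script reports first and only acts on request.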
Despite the need to move swiftly in response to this crisis, we recommend that policyholders understand and comply with the Cooperation Clause and Notice provisions of their policies to help preserve their rights to coverage.
Aon is ready to assist you in order to Identify, Quantify, Assess, Test, Mitigate, Respond to, and Transfer cyber incident exposures.