1) A global ransomware attack called WannaCry spread to over 150 countries using hacking tools stolen from the NSA. It exploited a Windows vulnerability that Microsoft had already released a patch for. 2) The attack was well-coordinated and planned to spread quickly by searching for vulnerable systems within networks. Once it infected one system, it could spread laterally across the network. 3) Future attacks are expected to be even more sophisticated as hackers adapt their techniques. Companies need to ensure timely patching of systems and careful management of supply chain security to avoid falling victim.

1. GLOBAL RANSOMWARE ATTACKS - WANNACRY
McGRIFF, SEIBELS & WILLIAMS, INC.
URGENT CLIENT ALERT!
TherecentglobalcyberattackusingWannaCryransomwarereminds
usthatproperinformationsecurityhygieneandappropriateback-up
management and software patching protocols are critical to attack
prevention and loss minimization. To refresh, a ransomware attack
spread throughout the world over the weekend, infecting systems
in over 150 countries. The attack used software code stolen from
the National Security Agency that was posted online.
WHAT DOES THIS ATTACK MEAN?
What is interesting about this is how different it is and the
precedent it is setting. This is the second known usage of a hacking
toolset leaked from the NSA in 2017. It is the first time it was used
to execute this type of large scale extortion en masse. The hacking
toolset was tweaked just slightly and relatively quickly. Attackers
had to strike blitzkrieg-style – all at once and against many locations
-sincetheywerefullyawarethatafixwouldberelativelysimple.So,
itisclearthatthiswasacoordinatedandplannedevent,designedto
take advantage of a hunting technique within the attack itself that is
constantly looking for additional targets. That is why it propagated
so quickly and why, eventually, it will reach every part of the globe.
As already reported, this attack is primarily affecting Russia, Eastern
Europe, UK and Taiwan, which is an incredibly interesting mix - the
outliers in this initial attack were clearly Taiwan and the UK. While
we cannot know for sure, this could have just been opportunistic, or
possibly,agameofmisdirectionintendedtoobfuscateanyattemptat
attribution. The attack itself is new and unique, but not sophisticated.
Microsoft, for the most part, released a patch for this exploit
one month ago. Bottom line: the attackers behind this operation
developed an attack based upon new techniques disclosed in the
NSA leak and they preyed upon companies and their machines that
remained unpatched. In a sense, it was very avoidable.
MORE ON THE “HUNTER MODULE”
This is an exploitive feature that scans for any vulnerable systems
within a target organization’s ecosystem. Companies that have
adhered to the best patching protocols could still be accessed
through connections with their supply chain and external vendors
who have vulnerable devices. All the attackers need is one hook
(one weak machine) and then they can swim laterally within the
networktocausemaximumdamage.Asthesayinggoes,“anetwork
is only as secure as the least secure network connected to it.”
WHAT’S NEXT?
This is just the beginning. We can assume that the attackers used
this as a pilot project and that they will adapt based on what they
learned with this effort. The NSA toolset that was leaked was vast
and there are people analyzing these tools and working on ways to
alter them slightly for their own nefarious purposes. The key will be
knowledgeofthetechniquesandpersistentpatchingandupgrading
worldwide. But, keep in mind, not all of the tools the NSA used
involved unpatched computers - far from it. This hack was built to
exploit the blind spots in traditional security.
Even though responders were able to identify and activate a kill
switch (safety valve) that was embedded by the attackers, this
is no panacea and will be bypassed soon. Hackers have adapted
based on what they learned from this past attack and we can
expect the next wave within 24 hours. Plus, you should note that
corporations do not benefit from the kill switch since it takes
advantage of a network protocol that most large corporations
do not use. In other words, private citizens are currently safer
but companies must be hyper-vigilant.

2. In collaboration with our external cyber security advisors,
please review the following tips carefully with your Incident
Response Team (IRT)
One Premier Plaza, Suite 500 | 5605 Glenridge Drive | Atlanta, GA 30342
(800) 476-2541 | (404) 497-7500 | www.mcgriff.com
©2017 McGriff, Seibels & Williams, Inc.
McGRIFF, SEIBELS & WILLIAMS, INC.
Timely patching is a must. Do not leave it up to a third
partyanddonotputitonadelayedschedule.Malicious
actors conducting pre-attack surveillance can very
easily determine patch state of hardware and software
as well as exposed TCP/IP protocols such as Port 445.
Back-ups will be critical to your survival – prioritize data
and systems that must be redundant for your business
needs and for compliance with legal and regulatory
duties around the protection of the data of your clients,
patients, customers and employees.
Ensure that legacy preventative controls such as
anti-virus and firewalls are deployed and properly
configured.
Audit and reduce privileged account holders to only
those necessary.
Sunset (retire) outdated equipment and software – if
you do not maintain it, get rid of it. And, if the vendor
no longer supports it, upgrade to a higher version
immediately.
Take out of use equipment offline – disconnect and/or
shutdown machines that are no longer in use.
Conduct targeted susceptibility training with your
employees (i.e. spear phishing tests) and incorporate
awareness methodologies into the training
curriculum so that employees are kept updated on
current and emerging threats.
Manage your supply chain, hold them to the highest
informationsecuritystandardsandauditthemregularly.
Be diligent in your threat awareness and continually
update your Incident Response Team.
1 6
7
8
9
2
3
4
5
KNOW YOUR INSURANCE POLICY
• Check your K&R policy for possible coverage; note deductibles (maybe none?) and policy limits available for ransomware events
(sub-limits?); review and advise internal resources what the event notice obligations are and whether you will have access to
cyber security specialists provided by your insurer;
• Check your cyber policy for reporting obligations, policy limit and retention; verify whether you must have insurer consent prior
to engaging any cyber security resources; discuss with your internal resources whether you want to use insurer pre-approved
vendors or if you would retain your own specialists; seek and obtain insurer consent to use your own vendors prior to any event;
make certain your IRT fully understands insurance policy requirements and seeks Risk Management advice immediately upon
detection of any suspected or actual cyber incident.
• Many cyber policies contain exclusions or coverage limitations for losses arising out of the “failure to maintain minimum security
standards” or “failure to patch or remediate software errors or vulnerabilities”. Talk to your broker and check your policy
wording; ideally, it’s best to not have these exclusions or to secure a carve-back for otherwise covered loss (i.e. limit exclusion to
the costs to patch or remediate).
THE THREAT CONTINUES
According to our threat monitoring experts, current sensors are showing more than 1.5 million machines worldwide that are still
vulnerable to this attack (unless they have been patched properly in the last 24-48 hours). Beware that once the hackers relaunch
and remove the kill switch, all 1.5 million (or the remaining machines that have not been patched) could, in theory, become infected.