Wannacry, Ransomware, and the Emerging Threat to Corporations
54 Pages Posted: 4 Sep 2018 Last revised: 28 Jul 2019
Date Written: August 24, 2018
The WannaCry ransomware attack began on May 12, 2017, and is unprecedented in scale—quickly impacting nearly a quarter-million computers in over 150 countries. The WannaCry virus exploits a vulnerability to Microsoft Windows that was originally developed by the U.S. National Security Agency and operates by encrypting a victim’s data and demanding payment of a ransom in exchange for data recovery. Security experts have indicated that a North Korea-linked group of hackers—who have also been implicated in cyberattacks against Sony Pictures in 2014, the Bangladeshi Central Bank in 2016, and Polish banks in February 2017—is behind the attack.
Ransomware threatens institutions worldwide, but the risks for businesses are all the starker—potentially catastrophic. This article provides corporate executives with much of what they need to know about the evolving threats of malware and ransomware like Cryptolocker, Kelihos Botnet, Locky, Nymain, Petya, NotPetya, and WannaCry. First, we provide a brief definition and history of ransomware. Second, we look at the history of hospitals as ransomware targets. Third, we offer a description of the WannaCry virus, what is known about its development, method of action, and those who are believed to have deployed it; in this section, we also discuss methods to defend against this particular virus. Fourth, we discuss the Petya and NotPetya attacks. Fifth, is a discussion of municipal ransomware attacks. Sixth, we review the myriad and unique risks that ransomware poses for corporations—including expected refinements of the technique, such as to effect corporate sabotage. Seventh, we discuss the duties and responsibilities of corporate directors and the Ormerod-Trautman data security economic model. Eighth and finally, we review the current cybersecurity legal landscape with a particular focus on corporate best practices and how business executives protect themselves against cybersecurity-related liability. We believe this Article contributes to the sparse existing literature about ransomware and related cyber threats posed to corporate boards and management.
Keywords: AIDs virus, Ashley Madison, Bad Rabbit, bitcoin, Cryptolocker, cybercrime, Dark Web, data breach, duty of care, duty of loyalty, encryption, Gameover Zeus, Kelihos Botnet, Locky, malware, NotPetya, Nymain, Ormerod-Trautman, ransomware, cyber risk management, SamSam, SONY Breach, WannaCry virus
JEL Classification: H56, K10, K13, K14, K22, O31, O32, O33, K00, M38, L88, L9, L5
Suggested Citation: Suggested Citation