Wannacry, Ransomware, and the Emerging Threat to Corporations

54 Pages. Posted: 4 Sep 2018. Last revised: 28 Jul 2019.

Lawrence J. Trautman

Prairie View A&M University - College of Business; Texas A&M University School of Law (By Courtesy)

Peter Ormerod

Northern Illinois University College of Law

Date Written: August 24, 2018


The WannaCry ransomware attack began on May 12, 2017, and is unprecedented in scale—quickly impacting nearly a quarter-million computers in over 150 countries. The WannaCry virus exploits a vulnerability in Microsoft Windows, using an exploit that was originally developed by the U.S. National Security Agency, and operates by encrypting a victim’s data and demanding payment of a ransom in exchange for data recovery. Security experts have indicated that a North Korea-linked group of hackers—who have also been implicated in cyberattacks against Sony Pictures in 2014, the Bangladeshi Central Bank in 2016, and Polish banks in February 2017—is behind the attack.

Ransomware threatens institutions worldwide, but the risks for businesses are all the starker—potentially catastrophic. This article provides corporate executives with much of what they need to know about the evolving threats of malware and ransomware like Cryptolocker, Kelihos Botnet, Locky, Nymain, Petya, NotPetya, and WannaCry. First, we provide a brief definition and history of ransomware. Second, we look at the history of hospitals as ransomware targets. Third, we offer a description of the WannaCry virus, what is known about its development, method of action, and those who are believed to have deployed it; in this section, we also discuss methods to defend against this particular virus. Fourth, we discuss the Petya and NotPetya attacks. Fifth, we discuss municipal ransomware attacks. Sixth, we review the myriad and unique risks that ransomware poses for corporations—including expected refinements of the technique, such as to effect corporate sabotage. Seventh, we discuss the duties and responsibilities of corporate directors and the Ormerod-Trautman data security economic model. Eighth and finally, we review the current cybersecurity legal landscape with a particular focus on corporate best practices and how business executives can protect themselves against cybersecurity-related liability. We believe this Article contributes to the sparse existing literature about ransomware and related cyber threats posed to corporate boards and management.

Keywords: AIDS virus, Ashley Madison, Bad Rabbit, bitcoin, Cryptolocker, cybercrime, Dark Web, data breach, duty of care, duty of loyalty, encryption, Gameover Zeus, Kelihos Botnet, Locky, malware, NotPetya, Nymain, Ormerod-Trautman, ransomware, cyber risk management, SamSam, SONY Breach, WannaCry virus

JEL Classification: H56, K10, K13, K14, K22, O31, O32, O33, K00, M38, L88, L9, L5

Suggested Citation

Trautman, Lawrence J. and Ormerod, Peter, Wannacry, Ransomware, and the Emerging Threat to Corporations (August 24, 2018). 86 Tennessee Law Review 503 (2019), Available at SSRN: https://ssrn.com/abstract=3238293 or http://dx.doi.org/10.2139/ssrn.3238293

Lawrence J. Trautman (Contact Author)

Prairie View A&M University - College of Business

Prairie View, TX
United States

Texas A&M University School of Law (By Courtesy)

1515 Commerce St.
Fort Worth, TX Tarrant County 76102
United States

Peter Ormerod

Northern Illinois University College of Law

Swen Parson Hall
DeKalb, IL 60115
United States
