Wannacry, Ransomware, and the Emerging Threat to Corporations

58 Pages Posted: 4 Sep 2018 Last revised: 14 Dec 2018

See all articles by Lawrence J. Trautman

Lawrence J. Trautman

Western Carolina University - College of Business

Peter Ormerod

Western Carolina University

Date Written: August 24, 2018


The WannaCry ransomware attack began on May 12, 2017, and is unprecedented in scale—quickly impacting nearly a quarter-million computers in over 150 countries. The WannaCry virus exploits a vulnerability to Microsoft Windows that was originally developed by the U.S. National Security Agency and operates by encrypting a victim’s data and demanding payment of a ransom in exchange for data recovery. Security experts have indicated that a North Korea-linked group of hackers—who have also been implicated in cyberattacks against Sony Pictures in 2014, the Bangladeshi Central Bank in 2016, and Polish banks in February 2017—is behind the attack.

Ransomware threatens institutions worldwide, but the risks for businesses are all the starker—potentially catastrophic. This article provides corporate executives with much of what they need to know about the evolving threats of malware and ransomware like Cryptolocker, Kelihos Botnet, Locky, Nymain, Petya, NotPetya, and WannaCry. First, we provide a brief definition and history of ransomware. Second, we look at the history of hospitals as ransomware targets. Third, we offer a description of the WannaCry virus, what is known about its development, method of action, and those who are believed to have deployed it; in this section, we also discuss methods to defend against this particular virus. Fourth, we discuss the Petya and NotPetya attacks. Fifth, is a discussion of municipal ransomware attacks. Sixth, we review the myriad and unique risks that ransomware poses for corporations—including expected refinements of the technique, such as to effect corporate sabotage. Seventh, we discuss the duties and responsibilities of corporate directors and the Ormerod-Trautman data security economic model. Eighth and finally, we review the current cybersecurity legal landscape with a particular focus on corporate best practices and how business executives protect themselves against cybersecurity-related liability. We believe this Article contributes to the sparse existing literature about ransomware and related cyber threats posed to corporate boards and management.

Keywords: AIDs virus, Ashley Madison, Bad Rabbit, bitcoin, Cryptolocker, cybercrime, Dark Web, data breach, duty of care, duty of loyalty, encryption, Gameover Zeus, Kelihos Botnet, Locky, malware, NotPetya, Nymain, Ormerod-Trautman, ransomware, cyber risk management, SamSam, SONY Breach, WannaCry virus

JEL Classification: H56, K10, K13, K14, K22, O31, O32, O33, K00, M38, L88, L9, L5

Suggested Citation

Trautman, Lawrence J. and Ormerod, Peter, Wannacry, Ransomware, and the Emerging Threat to Corporations (August 24, 2018). Tennessee Law Review, Forthcoming. Available at SSRN: https://ssrn.com/abstract=3238293 or http://dx.doi.org/10.2139/ssrn.3238293

Lawrence J. Trautman (Contact Author)

Western Carolina University - College of Business ( email )

204 Forsyth
Cullowhee, NC 28723
United States
828-227-2642 (Phone)

Peter Ormerod

Western Carolina University ( email )

United States

Register to save articles to
your library


Paper statistics

Abstract Views
PlumX Metrics

Under construction: SSRN citations will be offline until July when we will launch a brand new and improved citations service, check here for more details.

For more information