Patch Early, Patch Often: If You Hit "Remind Me Later", It May Be Too Late
June 28, 2017
CSG Privacy & Data Security Law Alert
Yesterday the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) reported on the latest ransomware attack. "No Petya" or "NotPetya" (depending on which headline you read) can be purchased online as Ransomware-as-a-Service (RaaS) for less than $30. The purchasers of this ransomware launched it on June 27, 2017, crippling multinational companies across at least two continents in less than 12 hours. It appears that NotPetya, which is related to Petya (another ransomware variant), could have been prevented had an available patch been installed in time. According to NJCCIC, this latest variant works by
overwriting the target computer's Master Boot Record (MBR), which prevents the operating system from loading. It then reboots the infected system, appears to run CHKDSK, and encrypts the Master File Table (MFT). Finally, it displays a ransom note in text on the screen. Previous versions of this variant could be decrypted using a publicly available decryption tool, but researchers suggest that recently developed versions cannot.
NJCCIC further explains that access to stricken systems has been gained by exploiting a critical Windows Server Message Block (SMB) vulnerability. Microsoft released a patch for this vulnerability on March 14, 2017, more than three months before the attack. NJCCIC also cautioned that NotPetya may be "spreading via Microsoft Office email attachments using the CVE-2017-0199 vulnerability."
Three critical steps will immediately reduce your exposure to these threats:
- Apply patches as soon as they become available. Verify from the vendor that the patches are "real", and then apply them to all of your systems as soon as possible! Remember that a single unpatched device or service that stores or accesses your data can be used to reach the rest, so patching must cover every device and service, not just the primary servers.
- Promptly train personnel: in many cases these attacks are launched and spread when someone clicks a link in, or opens an attachment to, a suspect email.
- Regularly back up data to a remote location that is secured and not continuously reachable from the systems being backed up, so that ransomware cannot encrypt the backups along with the originals.
Note: At the end of this alert is specific information about the patches and other resources available specific to NotPetya.
Failure to implement processes and procedures mandated by law, or to otherwise act "reasonably" to protect data, may expose your business to liability.
If you are in a regulated industry (healthcare provider, financial services, publicly traded, or insurance), you are bound by statutes and regulations to have security measures in place to protect data.
Regardless of whether you are in a regulated industry, if your systems maintain personally identifiable information[i], and that data is compromised, under applicable states' laws[ii] you have a duty to notify law enforcement and impacted individuals.
Contractually, many confidentiality undertakings mandate that a company take "reasonable measures" (if not best efforts) to protect the other party's data. Failure to do so will likely expose your company to liability (typically uncapped).
Finally, failure to take reasonable measures may result in denial of coverage from your insurance carrier.
Please contact us to understand your statutory, regulatory and contractual obligations. We are here to help you prepare and plan for, respond to and recover from cyber-attacks.
Patches and "Vaccines" for NotPetya:
The SMB patch (Microsoft Security Bulletin MS17-010) is available online and should be deployed as soon as possible. Microsoft has also released patches for older, otherwise no longer supported versions of Windows, including Windows XP, Windows Server 2003 and Windows Vista; these are available on the Microsoft website. Finally, NJCCIC "recommends organizations close ports 22, 23, 3389, and TCP 139 & 445/UDP 137 & 138, unless they are necessary for a particular business need or IT function."
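As an added example, not part of the CSG alert or of NJCCIC's guidance, the following PowerShell script applies the host-level measures above on a single Windows machine: it checks whether an MS17-010 update is listed, disables SMBv1 (the protocol the patched vulnerability is reached over), and adds inbound block rules for the ports NJCCIC names. The KB numbers, the rule names and the port list are assumptions: the KBs are the ones I know to have shipped under MS17-010 and must be confirmed against the Microsoft bulletin for each OS build, and the port list should be trimmed to what each host actually needs.

```powershell
# Added example (not from the CSG alert or from NJCCIC): check-and-harden script for
# the MS17-010 / SMB exposure discussed above. PowerShell 5.1, run elevated on each host.
# Labelled assumptions:
#   * $Ms17010Kbs lists the KB numbers published under MS17-010 as I know them; confirm
#     them against the Microsoft bulletin for your exact OS build before trusting the check.
#   * $BlockInboundPorts mirrors the NJCCIC port list; drop any port a host really needs
#     (a file server must keep TCP 445, a jump host may need TCP 3389).
#Requires -RunAsAdministrator

$Ms17010Kbs = @(
    'KB4012598',                            # XP, Server 2003, Vista, Server 2008, Windows 8
    'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

$BlockInboundPorts = @(
    @{ Protocol = 'TCP'; Ports = @('22', '23', '139', '445', '3389') },
    @{ Protocol = 'UDP'; Ports = @('137', '138') }
)

function Test-Ms17010Installed {
    # $true if one of the MS17-010 KBs is listed. Caveat: later cumulative updates supersede
    # these KBs and may not show them, so $false means "verify by hand", not "vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module;
    # older hosts keep it in the LanmanServer registry key (an absent value means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    # MS17-010 fixes flaws reached over SMBv1, so turning SMBv1 off removes the attack
    # surface even on hosts whose patch status cannot be confirmed. The registry path
    # takes effect after a reboot.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundPorts {
    # Idempotent: skips a rule that already exists. Falls back to netsh on hosts
    # without the NetSecurity module (Windows 7 / Server 2008 R2).
    foreach ($entry in $BlockInboundPorts) {
        $portList = $entry.Ports -join ','
        $name = "NotPetya mitigation: block inbound $($entry.Protocol) $portList"
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                    -Protocol $entry.Protocol -LocalPort $entry.Ports -Profile Any | Out-Null
            }
        } else {
            netsh advfirewall firewall add rule name="$name" dir=in action=block `
                protocol=$($entry.Protocol) localport=$portList | Out-Null
        }
    }
}

# Record state, apply the two compensating controls, then report before/after.
$patched = Test-Ms17010Installed
$smb1Before = Get-Smb1State
if (-not $patched) {
    Write-Warning "$($env:COMPUTERNAME): no MS17-010 KB listed; treat as unpatched until Windows Update history confirms otherwise."
}
Disable-Smb1
Block-InboundPorts
[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    Ms17010Present  = $patched
    Smb1Before      = $smb1Before
    Smb1After       = Get-Smb1State
    PortsBlocked    = ($BlockInboundPorts | ForEach-Object { "$($_.Protocol) $($_.Ports -join ',')" }) -join '; '
}
```

Run it elevated on each host, or push it through your existing management tooling. Because later cumulative updates supersede the March KBs, a host reporting Ms17010Present = False is a host to investigate, not necessarily an unpatched one; disabling SMBv1 and blocking TCP 445 inbound protect it either way, at the cost of file sharing on that host, which is exactly the "unless necessary for a particular business need" judgement NJCCIC leaves to you.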
Note that according to another source, there is a "vaccine" that can be applied[iii] to prevent "exposure" to NotPetya. The drawback of this solution is that it must be applied to every device individually (unlike the one-time "kill switch" that stopped the WannaCry worm in its tracks).
[i] 48 states have adopted state specific definitions of "personally identifiable information".
[ii] Those 48 states each have separate reporting requirements - to designated law enforcement officials and to individuals. Failure to properly and timely notify will result in fines and penalties imposed under each statute, and several of these statutes include private causes of action for impacted individuals.
For more information, please contact your CSG attorney or the authors listed below.
Michelle A. Schaap | Member of the Firm | firstname.lastname@example.org | (973) 530-2026
Frank Peretore | Member of the Firm | email@example.com | (973) 530-2058
Rhonda Carniol | Member of the Firm | firstname.lastname@example.org | (973) 530-2101
Robert L. Hornby | Member of the Firm | email@example.com | (973) 530-2032