EternalBlue is the software hole that lay behind the well-known, world-spanning cyber attacks known as NotPetya, NonPetya, and WannaCry. It is a vulnerability in unpatched Microsoft’s Windows operating systems, exploited through a bit of malware that techies call the EternalBlue ‘exploit’. According to the Washington Post, the hole was discovered and the exploit developed by the U.S. National Security Agency, but the knowledge leaked. It has been published around the world on the dark web for anyone to adopt, adapt, and use to wreak cyber havoc. 

A great deal of the massive uptick in cyber crime has been effected through the distribution of variations of the EternalBlue exploit. The most damaging attacks (the Petya variations and WannaCry) have involved ransomware, which locks down computers until a ransom is paid, usually in a cryptocurrency.

The good news is that Microsoft has provided patches that eliminate the EternalBlue vulnerability. The bad news is that many organisations hadn’t bothered to install them, even after the high-profile attacks that occurred since EternalBlue was leaked and patched in 2017. 

Microsoft: ‘shared responsibility’

Days after WannaCry, Microsoft President Brad Smith blogged that the attack “demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect.”

Because of this, insurance claims arising from cyber crimes are largely the result of ransomware ‘infections’. They can be acquired through careless clicking of email attachments or downloading spoof software updates. More commonly of late, malware is sometimes ‘pushed’ onto victims’ computers through compromised IT service providers. Infection has now reached epidemic proportions. 

For cyber insurers, brokers, and corporate risk managers, getting to grips with such vulnerabilities is a critical step in any cyber risk management strategy. Some variants can be cracked, allowing computers to be decrypted and clients’ operations to continue, but others cannot. 

To pay, or not to pay?

In the latter case, ransom payment may be the best option. Knowing crackability in advance is extremely useful – if equally challenging – since losses almost always multiply as system interruptions are extended. However, outcomes are rarely clear cut. When NorskHydro refused to pay the ransom demanded during a 2019 attack arising from a variant of the malware LockerGoga (which exploits a different vulnerability involving PsExec tools), it enjoyed a share-price uplift – but such end results are rare. 

In any case, ransom may be only a small part of the cost. Data from the cybersecurity practice at Blake, Cassels & Graydon LLP shows that business interruption losses are often three to five times that of the cost of vendors such as lawyers, forensics, and PR. Cleaning infected systems is one of the most costly items.

At the very least, everyone involved in cyber risk should be aware of vector-specific types of attacks, the variants of each form of attack, and what they could mean for individual businesses. New types of ransomware are being introduced regularly, some of which gain ‘market share’ quickly. For example, Ryuk ransomware was first released in August 2018, to target large network organisations. Over roughly one year, the exploit and its many variants are now used in more than a quarter of all ransomware attacks. 

Meanwhile the modes of delivery are increasing according to Imran Ahmed, Partner at Blake, Cassels & Graydon LLP. “Phishing campaigns were once the norm, but today hackers are more likely to use legitimate tools like Remote Desktop Protocols to get inside systems, or to spoof the actions of third parties. In an example of the latter, the Sodinokibi ransomware was distributed by compromising Managed Service Providers to get to end customers.”

Take care

Avoidance is often easy: immediately installing all security patches issued is the most simple, and can be automated (in most cases, auto-patching must actively be disabled). Other steps include upgrading to new software releases, and backing up daily to allow timely and current restoration of compromised systems. However, dodging the ransomware bullet can also be very difficult. If your service provider is compromised, infection may be extremely difficult to avoid.

When attacks are successful, it is critical to have expert advice on tap. High quality cyber insurance and the advice of an informed intermediary will help to ensure that businesses at risk of cyber crime – which today is every business reliant on IT systems and software – are taking risk management measures seriously, and have specialists and adequate insurance coverage just a phone call away.