Is the world ready for the next big ransomware attack?

WannaCry and NotPetya brought major companies to their knees and cost billions to remediate. A new report from Lloyds of London warns another similar ransomware attack would still be devastating.

The WannaCry and NotPetya ransomware attacks were massive incidents that impacted companies both large and small across large geographic areas. Both propagated quickly and brought massive organizations such as the UK’s National Health Service (NHS) and shipping giant Maersk to a standstill.

While the threat from those two individual attacks has been mostly mitigated, variants of both still continue to propagate in the wild. A new report suggests that another global attack in the same style, if coordinated and executed properly, could cause even more damage and cost companies billions of dollars.

The cost of massive global attacks

WannaCry is estimated to have infected 200,000 computers across 150 countries, spreading through unpatched versions of Microsoft Windows. NotPetya propagated through a compromised update of a popular Ukrainian tax application and affected companies in Ukraine and in other parts of Europe, with Russia accused of orchestrating the attack. Both used the EternalBlue exploit – developed by the NSA and leaked by the Shadow Brokers hacker group – which took advantage of vulnerabilities in the Windows Server Message Block (SMB) protocol.

WannaCry cost the UK’s NHS an estimated £91.5 million [$118 million], according to government calculations; £19 million for the attack itself and another £72.5 million in IT support to remediate and upgrade systems in the wake of the attack. Despite actual profits from the attack barely reaching $100,000, cyber risk modeling firm Cyence estimated the total global cost of the attack could be as high as $4 billion.

NotPetya was also widespread and costly. Shipping company Maersk and logistics company FedEx lost approximately $300 million each. Speech and imaging technology company Nuance says its own losses were around $90 million, while law firm DLA Piper paid 15,000 hours of IT overtime to remediate its impact. CyberReason’s study of quarterly earnings and investor statements from affected companies puts the global cost of the NotPetya attacks at around $1.2 billion.

To complicate matters, having cyber insurance might not cover everyone’s losses. Zurich American Insurance Company refused to pay out a $100 million claim from Mondelez, saying that since the U.S. and other governments labeled the NotPetya attack as an action by the Russian military their claim was excluded under the “hostile or warlike action in time of peace or war” exemption.

According to the Lloyds of London report, Bashe attack: Global infection by contagious malware, another global attack in the same vein as WannaCry and NotPetya could affect more than 600,000 businesses worldwide and cost $193 billion in lost revenue and remediation.

How the next WannaCry could cripple organizations across the world

The report aims to show how “the reliance of the global economy on connectivity significantly increases the scope of the damage caused by malware.” In the proposed scenarios, created in conjunction with the Cyber Risk Management (CyRiM) project and Cambridge Centre for Risk Studies (CCRS), a ransomware attack – known as Bashe – enters a network through a malicious email, propagates and encrypts any devices connected to the network, and further spreads itself by automatically forwarding the malicious email to all contacts. In the most severe version of the event, even the backups are erased.

The methodology draws on CCRS’s historical datasets around malware and security incidents, including infection rates, replication rates and damage costs. It predicts it would take six programmers to carry out a malware attack on a global scale within a year and assumes the poorly executed parts of previous large-scale attacks – such as the web-based kill switch within WannaCry or the poor decryption and payment processes of NotPetya – are done properly.

“Corporations regardless of size and sector find themselves in a panic,” reads the report, “as they are no longer able to process hard payments, communicate between sites via email, or run essential programs. Traders, police officers and healthcare professionals alike find themselves forced to revert to pen and paper to complete their daily duties. In 24 hours, the ransomware encrypts the data on nearly 30 million devices worldwide.”

While the proposed ransom would be relatively low at around $700 per infection (or $350 per device to clean up or replace without paying the ransom), the calculated costs include cyber-incident response, damage control and mitigation, business interruption, lost revenue, and reduced productivity, and vary from $85 billion to $193 billion depending on the severity of the attack. The criminal organization that developed Bashe would bring in $1.14 to $2.78 billion in extortion revenues.

Healthcare, manufacturing and retail are the three most affected industries in each of the different scenarios, losing between $9 billion and $25 billion per sector. Retail’s reliance on payment systems, healthcare’s abundance of legacy systems and equipment, and manufacturing’s need to constantly be in production were cited as the main reasons for their vulnerability.

The U.S. is the most heavily affected region in terms of costs due to its large number of what the report describes as “premier-sized” companies. Europe is close behind in terms of impact due to its high number of small- to medium-sized enterprises (SMEs), which traditionally have less in terms of security budget and resources.
