By Richard D. Lutkus

Synopsis: Today we explore details regarding a worldwide ransomware outbreak, including some information about the attack campaign, how to avoid becoming a victim, and what to do if you already are one.

Recently, a widespread global ransomware attack has struck hospitals, communication, and other types of companies and government offices around the world, seizing control of affected computers until the victims pay a ransom.  This widespread ransomware campaign has affected various organizations with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.  The software can run in as many as 27 different languages.  The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly.

The risk posed by this ransomware is that it enumerates any and all of your “user data” files like Word, Excel, PDF, PowerPoint, loose email, pictures, movies, music, and other similar files.  Once it finds those files, it encrypts that data on your computer, making it impossible to recover the underlying user data without the decryption key. Also, the ransomware is persistent, meaning that if you create new files on the computer while it’s infected, those will be discovered by the ransomware and encrypted immediately as well.  To get the decryption key, you must pay a ransom in the form of Bitcoin, which provides the threat actors some minor level of anonymity.  In this case, the attackers are demanding roughly $300 USD.  The threat actors are known to choose amounts that they feel the victim would be able to pay in order to increase their “return on investment.”

The ransomware works by exploiting a vulnerability in Microsoft Windows.  The working theory right now is that this ransomware was based on the “EternalBlue” exploit, which was developed by the U.S. National Security Agency and leaked by the Shadowbrokers on April 14, 2017.  Despite the fact that this particular vulnerability had been patched since March 2017 by Microsoft, many Windows users had still not installed this security patch, and all Windows versions preceding Windows 10 are subject to infection.

The spread of the malware was stemmed on Saturday, when a “kill switch” was activated by a researcher who registered a previously unregistered domain to which the malware was making requests.  However, multiple sources have reported that a new version of the malware had been deployed, with the kill switch removed.  At this time, global malware analysts have not observed any evidence to substantiate those claims.

You should remain diligent and do the following:

  • Be aware and have a security-minded approach when using any computer. Never click on unsolicited links or open unsolicited attachments in emails, especially from sources you do not already know or trust.
  • Ensure that your antivirus and anti-malware are up-to-date.
  • Apply Security Updates! Enable automatic updates and reboot weekly.  Systems that are receiving automatic updates should already be protected against this malware.  If you aren’t sure, visit https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update
  • Back up your data! The real risk of malware is losing your data.  If you perform regular backups, you won’t have to worry about ransomware. Make sure you utilize a backup system that is robust enough to have versioning so that unencrypted versions of your files are available to restore. Make sure your backup system isn’t overwriting your unencrypted backups with the encrypted ones!
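As an added example (not code from the post), a small Python model of the versioning check the last bullet calls for, applied to the “user data” file types listed above: every backup run keeps the earlier versions, and a restore picks, per file, the newest version that does not look encrypted. A byte-entropy test stands in for real ransomware detection; all file names and contents are constructed.

```python
import math
from collections import Counter, defaultdict
# File types the post names as the ransomware's "user data" targets (our own shortlist)
USER_DATA_EXTS = (".docx", ".xlsx", ".pdf", ".pptx", ".eml", ".jpg", ".mp4", ".mp3")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, ordinary documents much lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Crude heuristic: near-maximal entropy is treated as 'already encrypted'."""
    return shannon_entropy(data) >= threshold

class VersionedBackup:
    """Minimal versioned store: each run appends a version instead of overwriting."""
    def __init__(self):
        self.versions = defaultdict(list)  # path -> [(run_id, content), ...], oldest first
    def backup(self, run_id: int, files: dict) -> None:
        for path, data in files.items():
            self.versions[path].append((run_id, data))
    def latest_clean_version(self, path: str):
        """Newest version that does not look encrypted, or None if every version does."""
        for run_id, data in reversed(self.versions[path]):
            if not looks_encrypted(data):
                return run_id, data
        return None

def restore_user_data(store: VersionedBackup) -> dict:
    """Restore each user-data file from its newest clean version; skip files with none."""
    restored = {}
    for path in store.versions:
        if path.lower().endswith(USER_DATA_EXTS):
            clean = store.latest_clean_version(path)
            if clean is not None:
                restored[path] = clean
    return restored

# Constructed sample: backup run 1 captured clean files, run 2 ran after infection
CLEAN_DOC = b"Quarterly report: revenue up 4%, headcount flat. " * 40
ENCRYPTED_BLOB = bytes(range(256)) * 8  # stands in for ciphertext: exactly 8 bits/byte

def demo() -> dict:
    store = VersionedBackup()
    store.backup(1, {"report.docx": CLEAN_DOC, "budget.pdf": CLEAN_DOC, "notes.txt": b"todo"})
    # Run 2: report.docx is now encrypted, budget.pdf not yet; photo.jpg was created after
    # infection so (per the post's "persistent" behaviour) no clean version ever existed
    store.backup(2, {"report.docx": ENCRYPTED_BLOB, "budget.pdf": CLEAN_DOC,
                     "notes.txt": b"todo", "photo.jpg": ENCRYPTED_BLOB})
    return restore_user_data(store)
```

`demo()` returns report.docx from run 1 and budget.pdf from run 2, while photo.jpg is not restorable: a file that only ever existed encrypted is exactly what versioning cannot save, which is why backups must run before, not after, an infection.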

If your organization is the victim of a ransomware attack, please contact law enforcement immediately.

  1. Contact your FBI Field Office Cyber Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
  2. Report cyber incidents to US-CERT and the FBI’s Internet Crime Complaint Center.

For more information on this or any related topic please contact the authors, your Seyfarth attorney, or any member of the Global Privacy & Security (GPS) Team or the eDiscovery and Information Governance Team.

By Parnian Vafaeenia and Karla Grossenbacher

Seyfarth Synopsis: Pokémon GO’s popularity is at a fever pitch. However, the game poses several risks for employers including software security, privacy and workplace safety concerns.

Your employees may be on a quest to catch ‘em all. Over 15 million people have downloaded the Pokémon GO game since its release two weeks ago.  In this augmented reality game, players use their mobile devices to catch Pokémon characters in real-life locations captured by the camera in a user’s cellular phone.  Though the game is very popular with Pokémon GO players, employers may not like the game quite so much.

Data And Security Concerns

There are data security concerns that arise from use of the Pokémon GO app.

First, users that want to play Pokémon GO must sign in to the app. There are two ways to do so—through an existing Google account, or through an existing Pokémon Trainer Club Account.  Up until very recently, the Pokémon website did not allow users to sign up for Pokémon Trainer Club Accounts due to overwhelming demand.  Thus, for most people, the only way to play Pokémon GO was by signing in to the app with their Google accounts.  Even though the option to create a Trainer Club Account is now available, doing so requires more time and effort than signing in through an existing Google account.

On Monday July 11, it was discovered that users who signed in through their Google accounts were unwittingly giving Niantic Labs—the developer that created the game—full access to the information in their Google accounts. This included access to email.  The developer insists that it is not actually accessing all of the information in users’ Google accounts and claims that an update that was recently released limited the scope of Niantic’s access.  Nonetheless, for employers who have employees that use Gmail accounts for work purposes, there have been and continue to be risks to information security presented by allowing such employees to play Pokémon GO.

To make matters worse, there is a malicious version of the Pokémon GO program that includes a remote access tool called DroidJack. This tool, which was uploaded to a file sharing service on July 7, can give hackers full control over Android users’ phones.  If a Pokémon GO user is playing the game on the phone they use to send work-related communications or on which they store work-related documents, this means that hackers could conceivably access such communications and documents on infected Android phones of Pokémon GO users.  This poses risk for employers as well.

Workplace Safety

Employers that have Pokémon GO players in their facilities may also face safety issues. Niantic teamed up with Google Maps to put Pokémon characters in real-life places.  When a Pokémon is nearby, the app informs the player of its location.  Additionally, certain locations such as “gyms” and “poké stops” are hotspots for catching Pokémon.  Certain characters in the game are harder to catch and more highly coveted than others, so finding one of these popular characters nearby often excites players, and they will “hunt” them in a wide variety of physical spaces.

As recent headlines have demonstrated, employees who are focused on the game while walking around work property could be putting themselves in danger of tripping, falling or otherwise injuring themselves while playing. Similarly, employees whose job duties include driving or operating heavy machinery, or whose jobs require them to work in the vicinity of heavy machinery, risk injury to themselves or others if they attempt to play the game during work hours.  There may be heightened safety concerns for certain employers in highly regulated environments like healthcare, where patient safety and health could be impacted by a distracted workforce.  Indeed, even employers in the retail industry could suffer if their employees are too distracted to assist customers.

Takeaways

If an employer’s workforce is using company-issued devices, employers can simply disable access to the app on company-owned devices. In fact, some employers have already taken this step.  Though blocking the app on company-owned devices takes care of part of the problem, many employers have BYOD (Bring Your Own Device) programs and will have employees using the same device to perform work and play Pokémon GO. Employers in this situation should consider the following steps:

  • Have employees install encryption software provided by the employer to protect sensitive data and agree to not modify the software;
  • Monitor or prohibit employees’ accessing and downloading of external programs, apps and files, or of specific ones that pose security risks, like Pokémon GO;
  • Review your safety policy to ensure it encompasses activities similar to safety risks associated with Pokémon GO (i.e., limited use of handheld devices in hazardous work areas, etc.);
  • Create guidelines that prohibit employees from playing games such as Pokémon GO during work time (even if it is downtime) and restrict when and where such games can be played on work property during non-work hours.

For more information on this or any related topic please contact the authors, your Seyfarth attorney, or any member of the Workplace Policies and Handbooks Team or OSHA Compliance, Enforcement & Litigation Team.

Data privacy issues keeping you awake at night?  Our colleagues, part of Seyfarth’s Global Privacy and Security Team (GPS), are here to help shed some light on this increasingly complex body of law.  See the blog posted here.  Also, please consider joining us for an upcoming webinar, on September 22, 2015, that will address Information Security Policies and Data Breach Response Plans.