•  
  •  
 

Tennessee Law Review

Document Type

Article

Abstract

The WannaCry ransomware attack began on May 12, 2017, and is unprecedented in scale-quickly impacting nearly a quarter-million computers in over 150 countries. The WannaCry virus exploits a vulnerability to Microsoft Windows that was originally developed by the U.S. National Security Agency and operates by encrypting a victim's data and demanding payment of a ransom in exchange for data recovery. Security experts have indicated that a North Korea linked group of hackers-who have also been implicated in cyberattacks against Sony Pictures in 2014, the Bangladeshi Central Bank in 2016, and Polish banks in February 2017-is behind the attack.

Ransomware threatens institutions worldwide, but the risks for businesses are starker-potentially catastrophic. This Article provides corporate executives with much of what they need to know about the evolving threats of malware and ransomware like Cryptolocker, Kelihos Botnet, Locky, Nymain, Petya, NotPetya, and WannaCry. First, we provide a brief definition and history of ransom ware. Second, we look at the history of hospitals as ransomware targets. Third, we offer a description of the WannaCry virus, what is known about its development, method of action, and those who are believed to have deployed it; in this section, we also discuss methods to defend against this particular virus. Fourth, we discuss the Petya and NotPetya attacks. Fifth is a discussion of municipal ransomware attacks. Sixth, we review the myriad and unique risks that ransomware poses for corporations-including expected refinements of the technique, such as to effect corporate sabotage. Seventh, we discuss the duties and responsibilities of corporate directors and the Ormerod-Trautman data security economic model. Eighth and finally, we review the current cybersecurity legal landscape with a particular focus on corporate best practices and how business executives protect themselves against cybersecurity-related liability. We believe this Article contributes to the sparse existing literature about ransomware and related cyber threats posed to corporate boards and management.

Publication Date

2019

Share

COinS