
5 Ws about WannaCry: From a Hong Kong perspective

16/05/2017

1. What is WannaCry?

WannaCry is ransomware that attacks computers running outdated versions of Microsoft Windows and encrypts most of the files on them with virtually unbreakable encryption. The screen of an infected computer displays a message informing the user of the infection and demanding a ransom, to be paid in Bitcoin. The message contains two countdown clocks: one showing how much time remains before the ransom is doubled, and the other showing how much time remains before the encrypted files are deleted.

Further, WannaCry tends to target the computer networks of business corporations or organisations. Once it is inside a computer network, it spreads to nearly all of the connected outdated Microsoft Windows PCs and encrypts most of the files on them.

2. What is the latest status so far in Hong Kong?

According to the Hong Kong government, there were 25 reported cases of the WannaCry ransomware in Hong Kong as of Tuesday morning (16 May 2017), two of which involved commercial computers; the rest were personal computers. The government confirmed that none of its own computers had been infected so far.

Most of the infected computers ran the Windows 7 operating system, while one of the infected commercial servers ran Windows Server 2008.

3. Who’s in most danger?

As Mr. Leung Siu-Cheong, cybersecurity expert at the Hong Kong Computer Emergency Response Team (HKCERT), explained, WannaCry “is different from previous ones where users got hacked only if they downloaded a file in an email or clicked on a link”; this malware “required no active action at all”. He further elaborated that this malware actively scans the internet for users who do not have the latest security updates to block malicious internet traffic, which makes industries or users that commonly use outdated Windows operating systems for basic tasks, for example the retail sector, highly vulnerable targets.

4. What should be done?

As the WannaCry ransomware mainly targets outdated Windows systems, HKCERT has recommended that all computer users take the following remedial measures:

  • Update the Windows system and install the security patch provided in the Microsoft Security Bulletin MS17-010;
  • Use a firewall to protect the network and do not expose the SMB service to the open network (i.e. close public access to TCP ports 139 and 445); and
  • Regularly back up data and keep an offline copy.
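The three HKCERT measures above can be checked from an elevated PowerShell prompt on the affected host. The script below is an added example written for this page, not HKCERT's or the authors' own material. It assumes an English-locale Windows 7 / Server 2008-era host running PowerShell 2.0 (hence netstat, netsh and .NET hashing rather than the newer NetTCPIP and Get-FileHash cmdlets), a firewall rule name and backup paths chosen for illustration, and a list of MS17-010 KB identifiers that must be confirmed against the bulletin for the exact OS build.

```powershell
# Added example (not from the article or HKCERT): check the three HKCERT
# measures on a Windows host from an elevated PowerShell prompt. Written to
# run on PowerShell 2.0 (Windows 7 / Server 2008 era), so it uses netstat,
# netsh and .NET hashing rather than cmdlets introduced later.

# KB identifiers I understand MS17-010 lists for Windows 7 SP1 / Server 2008 R2
# (security-only update and monthly rollup) and for Windows Server 2008 SP2.
# Assumption: confirm these against the bulletin for the host's OS build.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

# Measure 1: which MS17-010 update(s) does the host record as installed?
# A later monthly rollup supersedes the March 2017 one, in which case the March
# KB is absent from Get-HotFix; treat an empty result as 'verify', not 'unpatched'.
function Get-Ms17010Installed {
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    return @($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

# Measure 2a: on which addresses is the SMB service listening?
function Get-SmbListeners {
    netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(139|445)\s+\S+\s+LISTENING') {
            "$($Matches[1]):$($Matches[2])"   # 0.0.0.0:445 means every interface
        }
    }
}

# Measure 2b: block inbound 139/445 on networks the host classes as 'public';
# domain and private LANs keep file sharing. The rule name is an assumption.
$SmbBlockRuleName = 'Block inbound SMB (public profile)'

function Test-SmbPublicBlockRule {
    $out = netsh advfirewall firewall show rule name="$SmbBlockRuleName"
    # 'Rule Name:' appears only when a rule matched (English locale assumed).
    return (($out -join "`n") -match 'Rule Name:')
}

function Add-SmbPublicBlockRule {
    if (Test-SmbPublicBlockRule) { return }
    netsh advfirewall firewall add rule name="$SmbBlockRuleName" `
        dir=in action=block protocol=TCP localport=139,445 profile=public | Out-Null
}

# Measure 3: does the offline copy still match the live data?
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Clear() }
}

function Compare-BackupCopy([string]$Source, [string]$OfflineCopy) {
    $problems = @()
    $files = Get-ChildItem -Path $Source -Recurse | Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        $relative = $file.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $copy = Join-Path $OfflineCopy $relative
        if (-not (Test-Path -LiteralPath $copy)) { $problems += "missing in backup: $relative"; continue }
        if ((Get-Sha256Hex $file.FullName) -ne (Get-Sha256Hex $copy)) { $problems += "content differs: $relative" }
    }
    return $problems
}

# Usage (the backup paths are illustrative assumptions):
$found = Get-Ms17010Installed
if ($found.Count -gt 0) { Write-Output "MS17-010: installed ($($found -join ', '))" }
else { Write-Output "MS17-010: none of $($Ms17010Kbs -join ', ') found; verify patch level" }

$listeners = @(Get-SmbListeners)
if ($listeners.Count -gt 0) { Write-Output "SMB listening on: $($listeners -join ', ')" }
Add-SmbPublicBlockRule
Write-Output "Public-profile SMB block rule present: $(Test-SmbPublicBlockRule)"

$issues = @(Compare-BackupCopy -Source 'D:\CompanyData' -OfflineCopy 'E:\OfflineBackup\CompanyData')
if ($issues.Count -eq 0) { Write-Output 'Offline backup matches live data' } else { $issues }
```

The hash comparison only proves that the offline copy matched the live data at the moment it was taken, so run it immediately after each backup and before the media is disconnected; an offline copy is only useful against ransomware if it is genuinely disconnected afterwards. The firewall rule addresses the public profile only; a host on a domain or private network that is reachable from the internet through port forwarding still needs the SMB ports closed at the perimeter, as the HKCERT advice says.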

If your computer is infected and you need assistance, you can call the Hong Kong Computer Emergency Response Team on 8105 6060 to report the case. There is practically no way of decrypting the encrypted files, and paying the ransom is not a wise move, as there is no sign that the persons behind the attack will unlock the files even if you pay.

5. What about the law?

The ransomware attackers’ legal liabilities in Hong Kong

The Hong Kong police have so far treated the reported cases as blackmail, which is an offence contrary to Section 23 of the Theft Ordinance, Cap. 210. The legislation specifically prohibits any person from making any unwarranted demand with threats with a view to gain or with intent to cause loss to another person.

Such a ransomware attack may also be caught by one of the following criminal offences:

(i) Unauthorized access to a computer by telecommunications (Section 27A of the Telecommunications Ordinance, Cap. 106) – it is an offence for a person to access a computer where that person is not the person entitled to control access to the computer, has no authorization to access the computer, and does not believe either that he or she has that authority or that the authority would have been given had it been applied for. The offence is punishable by a fine of HK$20,000. This is the typical “hacking” offence in Hong Kong.

(ii) Criminal damage (Sections 59(1A) and 60(1) of the Crimes Ordinance, Cap. 200) – it is an offence for a person, without lawful excuse, to misuse a computer by interfering with its functioning, altering or erasing any programme or data stored in it, or adding any programme or data to its contents. The offence is punishable by up to 10 years’ imprisonment.

(iii) Access to a computer with criminal or dishonest intent (Section 161 of the Crimes Ordinance, Cap. 200) – it is an offence if any person obtains access to a computer with: (a) intent to commit an offence; (b) a dishonest intent to deceive; (c) a view to dishonest gain for himself or another; or (d) a dishonest intent to cause loss to another. The offence is punishable by up to 5 years’ imprisonment.

(iv) Burglary (Section 11 of the Theft Ordinance, Cap. 210) – the offence is extended to include unlawfully causing a computer to function other than as it has been established to function, and altering, erasing or adding any computer program or data (e.g. malware or a virus). The offence is punishable by up to 14 years’ imprisonment.

Apart from criminal liability, the victims of ransomware are in theory also entitled to bring civil proceedings against the wrongdoers, mainly in tort, and seek to recover damages. Yet it is technically difficult to track down the wrongdoers; and even if they can be located, most of the time they reside overseas, so that pursuing them in court is impracticable or not commercially viable.

Your duty to safeguard proprietary data

The WannaCry ransomware attack also highlights the importance for all Hong Kong businesses and organisations of taking reasonable steps to update their computer systems and anti-virus software from time to time, in order to safeguard their own confidential information, trade secrets, intellectual property and staff personal data, as well as similar data of others stored on their systems and networks.

Under the Personal Data (Privacy) Ordinance, Cap. 486 (“PDPO”), any party in possession or control of another’s personal data shall take all practicable steps to ensure that such personal data is protected against unauthorized or accidental access, processing, erasure or other use. Business proprietors are expected to apply regular updates to their Windows and other software to protect others’ personal data, and a failure to do so that results in the loss or compromise of personal data will likely constitute a breach of Data Protection Principle 4 under Schedule 1 of the PDPO.

Businesses which hold others’ confidential information, trade secrets or intellectual property, e.g. banks, accountants, law firms, tax consultants, design companies and software houses, owe by the nature of their services a fiduciary and/or contractual duty to implement reasonable security measures to safeguard all such important data against unauthorized access, copying or impairment. Failing to meet that reasonable standard will likely amount to a breach of the duty. Professional advisers may also contravene the codes of conduct applicable to their respective industries.

No doubt, there are significant adverse legal implications in not regularly updating Microsoft Windows or the other operating systems and software on your computer. Why not avoid the risk and hassle with a click of the mouse, giving yourself a coffee break while Windows’ latest patches install to shield you from WannaCry 2.0, 3.0 and other variants of malware and viruses?

Authors: Alan Chiu, Managing Partner
         James Choi, Associate

Date: 16 May 2017