Ransomware Attack on the NHS
Across the UK, hospitals and GPs are experiencing widespread IT failures due to a form of ransomware that has affected the National Health Service (NHS).
Tweets by NHS employees and other health officials show screenshots of them locked out of their systems, presented instead with a “ransom note” demanding $300 in Bitcoins within 3 days to decrypt their files. If the ransom is not paid within the 3 days, the amount will double; if it is still not paid after 7 days, all files will be deleted forever.
The ransomware is forcing many hospitals to divert emergency patients and advise citizens not to go to the A&E unless it is a genuine emergency, as they have no access to record systems or results.
There is not much available at the moment about how the NHS became infected, but it is known that they had experienced a problem with their email servers crashing, which was quickly followed by their clinical systems and patient systems going down.
Ransomware attacks like the one the NHS is currently experiencing tend to be activated by a user clicking on a phishing email designed to get the user to download the ransomware file so that the scammers can gain access to their systems.
One of the NHS organizations affected, East and North Hertfordshire NHS trust, has released a statement saying, “Today (Friday, 12 May 2017), the trust has experienced a major IT problem, believed to be caused by a cyber attack.
“Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.”
The life-threatening cyber-attack highlights the importance of proper cyber and email security protocols as well as the dangers that uneducated users can pose to any organization.
As more organizations are reported to be affected by this attack, the NHS has released the following statement:
“A number of NHS organizations have reported to NHS Digital that they have been affected by a ransomware attack.
The investigation is at an early stage but we believe the malware variant is WannaCryptor.
At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.
NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations, ensure patient safety is protected and to recommend appropriate mitigations.
The attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.
Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”
It is reported that the version of WannaCryptor that has taken down 16 NHS organizations has also affected Telefonica, a Spanish telecommunications giant.
The Telefonica attack has hit computers at the company’s headquarters in Madrid, and prompted the company to send out an internal email stating, “Urgent: turn off your computer now. Shut down the computer and do not restart it until further notice.”
Movistar, O2, and Vivo are just a few of the popular brands owned by Telefonica, though it appears that they have not been impacted.
Along with Telefonica and the NHS, the Spanish firms Iberdrola and Gas Natural have also been victims.
Spain’s National Cryptology Centre has released the following statement:
“There has been an alert relating to a massive ransomware attack on various organizations, which is affecting their Windows systems.
The ransomware, a version of WannaCry, infects the machine by encrypting all its files and is distributed to other Windows machines on the same network.”
The attack exploits a critical vulnerability (MS17-010). A patch to fix the vulnerability had been sent out on March 14th, with Microsoft warning,
“The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages.”
The affected systems are:
- Microsoft Windows Vista SP2
- Windows Server 2008 R2 and R2 SP1
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012 and R2
- Windows 10
- Windows Server 2016
It is reported that most of the NHS organizations affected by this attack were using the outdated Windows XP and Windows Vista operating systems.
Users on Twitter have been tweeting photos of infected computers, with user @dodicin tweeting a picture of the ransomware spreading to multiple university computers within their computer lab.
An NSA tool called EternalBlue, an exploit for Microsoft Windows, may be in use by WannaCry as a method of spreading the ransomware across the world.
The outbreak has hit systems in at least 11 other nations, with Russia the hardest hit and Spain under serious attack as well.
Over 11,200 have been affected in Russia, 6,500 in China, and 1,600 in America.
As of 10PM GMT, over 45,000 organizations in 74 countries have been hit by the WannaCry ransomware attack, bringing ransomware into the public eye.
Major companies such as FedEx have been compromised by the attack, which was first reported by Telefonica as early as midday on May 12th, 2017. Once infected, computer screens would turn blue and accessing files became impossible.
FedEx has since released a statement:
“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible.”
The WannaCry ransomware has been found in organizations around the world, with the ransom notes appearing in English, Spanish, and Romanian so far, though none appear to be written by native speakers.
Both the Russian and Romanian governments have come forward and announced that their government institutions were targeted by the attack, but luckily the attacks were thwarted before any damage could be done.
The British Prime Minister, Theresa May, also took a break from the election campaign trail to respond to the attack, where she highlighted the fact that the NHS was not targeted and that patient information remained safe. She also went on to explain that attacks like these show just how important addressing cyber security issues is in today’s world.
This statement comes as more NHS trusts come forward as victims of the WannaCry ransomware attack. Adding to the list, there are now more than 23 NHS trusts affected by the attack. The lack of access to lab results and patient history has led to doctors and nurses around the UK tweeting about using pen and paper to treat patients that they have no prior knowledge of.
Here is a current list of some of the affected NHS organizations:
- Aintree Hospital
- Northumbria Healthcare
- North Cumbria Hospitals
- Morecambe Bay Hospitals
- Blackpool Hospitals
- Southport Hospital
- East Lancashire Trust
- Barts Health
- East and North Hertfordshire
- Derbyshire Community Health
- University Hospitals North Midlands
- North Essex Partnership University FT
- London North West Healthcare Trust
- York Hospitals
- East Cheshire Trust
- Aintree University Hospitals
- The Royal Liverpool and Broadgreen Hospitals Trust
- Liverpool Community Trust
- United Lincolnshire Hospitals
Chris Hopson, a representative of the heads of the NHS, has released the following statement:
“The scale and scope of what looks to be an extensive malware attack on the NHS is not yet clear.
Given the potential impact, NHS trusts take this type of attack very seriously. They have detailed and well rehearsed contingency plans in place to deal with incidents of this type and these plans have worked effectively when they have been triggered on an individual trust basis in the past.
Trusts will rally round to support each other to cope with the disruption and early feedback suggests that this is already happening in this case. However, it is likely that some services will be affected, at least in the short term.
The trusts affected will now be doing all they can to minimize the impact on patients, and to get their services back to normal as quickly as possible.”
Twitter user @MalwareTechBlog has posted a map of organizations affected by the attack, noting the prominence of attacks in Russia and Europe.
In one of the first indicators of how the WannaCry ransomware infected computers, East Kent hospital tweeted that it was infiltrated by an email with “Clinical Results” in the subject line.
Trust staff: we are aware of the national cyber attack – DO NOT open any emails that have “Clinical Results” in the title or similar.
— East Kent Hospitals (@EKHUFT) May 12, 2017
There have also been reports of the infected email having subject lines relating to fake invoices and job adverts.
The seriousness of this attack has brought to light the importance of software patches and backups, as the ransomware can only affect those who haven’t updated their OS and those who don’t have backups of their data.
Backups are very important, as they are the only sure-fire way to ensure that your data is recoverable; even users that pay the ransom on time may continue to find themselves locked out of their data. Paying the ransom in attacks like these does not mean you can recover your information; instead, it funds and inspires other criminals to make attacks like the one seen today.