NHS hospitals hit in global ransomware attack

Major disruption

England’s largest NHS trust, Barts, which was hit by a cyber attack in January 2017, said it is experiencing a major IT disruption.

Although the January attack was initially thought to be a ransomware attack, in March the trust said the attack was not caused by ransomware, but exploited a zero-day vulnerability, which had since been patched by the software supplier concerned.

The trust, which runs the Royal London, St Bartholomew’s, Whipps Cross, Mile End and Newham hospitals, said the IT disruption is causing delays at all its hospitals.

“We have activated our major incident plan to make sure we can maintain the safety and welfare of patients. We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible,” a spokesperson said.

Ambulances are being diverted to neighbouring hospitals. The problem is also affecting the switchboard at Newham hospital, but direct line phones are working.

“All our staff are working hard to minimise the impact and we will post regular updates on the website,” a spokesperson said.

East and North Hertfordshire NHS trust has also reported a major IT problem, which is said was believed to be caused by a cyber attack.

The trust said it is postponing all non-urgent activity and asked people not to go to A&E departments, but instead call NHS 111 for urgent medical advice or 999 if it is a life-threatening emergency.

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need,” the trust said in a statement.

NHS Digital, which is the national information and technology provider for the health and care system, said that by 15h30, 16 NHS organisations had reported that they have been affected by a ransomware attack.

“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” NHS Digital said in a statement.

“At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations, ensure patient safety is protected and to recommend appropriate mitigations.”

Not only NHS affected

However, NHS Digital said the attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

According to security firm Check Point, the malware involved is known by several names, including WCry,  WannaCry, and WanaCrypt0r.

The first version of the this ransomware was discovered in February 2017 and was used in a limited way.  Version 2.0 was detected for the first time on 12 May 2017, suddenly emerging and spreading very rapidly globally. 

As well as the UK NHS organisations, it has hit victims all over the world, in countries such as Russia, Turkey, Indonesia, Vietnam, Japan, Spain and Germany.  Telefonica in Spain has also been hit in this attack, as well as companies like Santander. 

Aatish Pattni, head of threat prevention, Northern Europe for Check Point, said:  "The ransomware used in this attack is relatively new, and it’s spreading fast, with organisations across Europe and Asia being hit. It shows just how damaging ransomware can be – and how quickly it can cause disruption to vital services.

“Organisations need to be able to prevent infections taking hold in the first place, by scanning for, blocking and filtering out suspicious file content before it reaches their networks.  It’s also essential that staff are educated about the potential risks of incoming emails from unknown parties, or suspicious-looking emails that appear to come from known contacts,” he said. 

Marco Cova, senior security researcher at Lastline said the malware exploits the US National Security Agency (NSA) “EternalBlue” vulnerability that was released recently in the Shadow Brokers data dump.

“The NSA has known about this vulnerability in Windows for quite some time now. This incident will certainly refuel the discussion on whether security agencies should responsibly inform vendors about vulnerabilities they find. The leak of the exploit enabled today's hack

According to Cova, the ransomware is an example of a worm, malware that can automatically spread from one machine to another without user intervention.

“The attackers can compromise one victim and the infected computer will automatically attempt to take over vulnerable machines reachable from the infected one. Of course, this is very efficient for the attackers,” he said.

Microsoft released the patch to address the EternalBlue vulnerability on 14 March, a month before the Shadow Brokers release.

“In other words, in this case there actually was time for people to patch. It's easy to blame people who don't upgrade, but in practice things are often more complicated.  An operations team may not touch legacy systems for a number of reasons. In some cases they may even be unaware that such legacy systems are running in their infrastructure,” said Cova.

Sensitive data targeted

Robert Edwards, a barrister and cyber crime specialist at St John’s Buildings barrister’s chambers, said criminals are now able to anonymously access huge banks of high-value information by exploiting access through one vulnerable unsecured device.

“It is of little surprise that organisations harbouring the most sensitive data are targeted. The NHS is a key example of this, and an increasing number of offences contrary to the Computer Misuse Act in recent years will be of significant concern to a service in possession of the medical and personal records for millions of people,” he said.

“Recent trends in cyber crime point to an increase in the value placed on personal information. Medical data can be used for ransom, while the data garnered through personal information such as email addresses and date of birth can be used to scam individuals.

“The ability of the NHS to guard against malicious activity relies on the enforcement of robust security countermeasures combined with education within the workforce. While a number of major companies are looking to secure their data through private contractors and complex firewalls, it is often the simplest procedures that are most effective.

“This can be as straightforward as installing general virus protection and anti-malware software, ensuring staff have strong passwords for their devices, and undertaking regular audits of who is privy to information and how they access it,” he added.

Brian Lord, former deputy director of GCHQ Cyber and Intelligence, now managing director of PGI Cyber, said the attacks appear to be wide ranging and well coordinated. 

“It was well thought out, well-timed, but fundamentally there is nothing unusual about its delivery. Something like this was always inevitable. While organisations are distracted by high profile dramatised threats, such as Russian election hacking, they are neglecting basic cyber hygiene measures which can prevent the mass effectiveness of mass ransomware attacks like this,” he said.

“Until basic cyber hygiene is taken seriously, these attacks will continue to happen at this scale with an impact disproportionate to the nature of the attack.”