The WannaCry attack and the NHS

Perhaps the most infamous cybersecurity incident of the past decade was the WannaCry ransomware attack on hospitals and NHS Trusts in England and Wales in the spring of 2017.

The exploit would simultaneously cause national panic and expose the shocking fragility at the heart of Britain’s public sector IT.

Since the 1990s, with the invention and proliferation of the internet and networked computing, state-backed hackers have attempted intrusions into critical national infrastructure.

But this was the first time that cyber warfare truly hit the mainstream in the UK.

It all began on Friday 12 May when an apparently co-ordinated malware attack hit 47 hospitals and primary care organisations.

Staff came in to work that day to find themselves locked out of their own PCs, with their normal desktop displays replaced with messages that claimed to have encrypted all the files on the network.

Pop-ups flashed across their screens, reading: “What happened to my computer? Your important files are encrypted. Many of your documents, photos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.”

Hackers demanded cash ransoms of between $300 and $600 to be paid in the Bitcoin cryptocurrency, promising to unlock the encryption by sending each payer a special decryption key.

As the day wore on, fear spread as it became clear that the worm had infected all computers sharing the same network inside hospital trusts and Accident and Emergency triage centers.


What happened next?

As staff could not access patient records, ambulances had to be turned away from the affected hospitals.

East and North Hertfordshire NHS was one of the first to make a public statement: “The Trust has experienced a major IT problem, believed to have been caused by a cyber attack. Immediately on discovery of the problem, the Trust acted to protect its IT systems by shutting them down. It also meant that the Trust’s telephone system is not able to accept incoming calls.”

Thousands of critical and emergency operations were canceled, along with thousands of routine appointments across NHS organisations.


Who was responsible and how did it happen?

A joint investigation by GCHQ and the National Cyber Security Centre concluded that hackers from North Korea most likely led the attack.

Security experts at anti-virus company Kaspersky noted in a blog post how the invasion spread, and how the ransomware was developed from software stolen from the NSA, America’s spy agency, and sold on the dark web.

They wrote: “In these attacks, data is encrypted with the extension .WCRY added to the filenames. Our analysis indicates the attack is initiated through an SMBv2 remote code extension in Microsoft Windows. This exploit, codenamed ‘Eternal Blue’, has been made available on the internet through the Shadowbrokers dump on April 14 2017, and patched by Microsoft on March 14.”

Kaspersky researchers noted how “many organisations have not yet installed the patch”, suggesting that the ransomware exploited a known vulnerability in Microsoft’s aging XP operating system.

Freedom of Information requests in March 2017 had revealed that XP was still being used in more than 5% of all NHS computing. Over half of the UK’s NHS Trusts still used the outdated XP, despite Microsoft ending support for it in 2014. In some Trusts, the number was as high as 76%.


Why is this a problem?

It will not necessarily surprise anyone in England to find out that the IT systems in the NHS are outdated from years of underfunding. While this may have caused no greater problem than it taking a long time to open computer programs or still having the paperclip assistant in Microsoft Word, outdated or unpatched software presents a very real threat.

The problem here is that vulnerabilities multiply the older a software package becomes.

Microsoft XP was released in 2001; by 2017 any large organisation still using it would find their computers not just out of date but dangerously leaky.

Patching is what it sounds like. It’s an update to a piece of code which basically patches or papers over a hole or deficiency, which if left alone could allow unscrupulous people to hack their way into a computer system. Patching is very common in IT, as it’s not often clear how certain programmes will interact with others out in the real world.

Microsoft did not already have a patch to correct the flaw in XP that the WannaCry ransomware exposed, and so took the highly unusual step of hurriedly developing and releasing a patch for all those people and organisations still using XP.  


Five lessons we learned from WannaCry

In total, one-third of all of England’s NHS Trusts were affected by WannaCry along with 8% of GP surgeries.

A report by the government’s Department for Health and Social Care found that the malware attack was contained within 48 hours. However, the monetary fallout from WannaCry was vast.

It cost the service £19m as a result of cancelled operations and appointments, along with a further £73m in additional IT costs to recover data and restore systems hit in the attack.

A lessons learned document released by NHS England in February 2018 stressed the importance of greater use of managed security services providers across the organisation, upskilling IT workers in the latest threats, along with making sure staff know their responsibilities in the post-incident period.


Lesson 1: Stay up to date

Keep your computers up to date and install patches as soon as they become available.

Any managed security services provider worth their salt should take control of patching. If your IT team does not already do this, or you don’t have an IT team (if your IT team consists of just you), then this is something to give serious thought to.

You don’t have to buy your staff the latest MacBook Air or i7 PC, but at the very least you should be running operating systems that are still supported by the manufacturer and preferably fairly current (Windows 7, 8 or 10).


Lesson 2: Train staff and train them again

Ask yourself this question: if my receptionist got a ransomware message on his computer, would he know what to do? (By the way, the answer is to touch nothing and immediately alert your managed security service provider.) Might he try to negotiate on his own, and would he know who to call?


Lesson 3: You’re not paranoid if they really are after you

While it may not be a pleasant task to prepare for a cyber attack, security should be an extremely high priority for any business owner. Ransomware, in particular, is relatively simple to deploy and can be very lucrative so there is little stopping a determined criminal from attacking you.

The amount of lost custom and lost productivity from ransomware or another kind of cyberattack can be extremely painful. Prevention is always better than cure.


Lesson 4: Have a plan in place and be prepared to deploy it

Ensure there are clearly laid-out standards and procedures to follow during and in the aftermath of a cyber attack. This time can be extremely stressful for all concerned and so definitive planning can bypass much of the heart-stopping anxiety associated with cyber security issues.

Who are your emergency contacts in the minutes after discovery? What steps are in place for the first two hours? Do you have real-time protection and reporting planned? Who should have administrator access to your systems in the event of an attack?


Lesson 5: Research your managed security services provider thoroughly

IT is an acutely skilled profession but not every team is the same. Questions you will want to ask when outsourcing your security are: do they have a Security Operations Centre for real-time support? What specialisms does your incident response team have? What experience do they have with companies of your size?