North Lincolnshire and Goole NHS Trust

The National Health Service in the UK has been caught up in a wave of ransomware infections that has infected over 200,000 computers worldwide.

A total of 40 NHS trusts across the UK have confirmed they are dealing with outbreaks of WannaCrypt0r 2.0.

NHS England confirmed that hospitals were hit by a simultaneous cyber-attack which affected units all over the country. The UK Department of Health has called it a ‘major incident'. The prime minister, Theresa May, convened a meeting of COBRA, the government's emergency response committee, to discuss the threat.

Security experts blame the rapid spread of WannaCrypt0r on the attackers having packaged the ransomware with EternalBlue, an exploit developed by the US National Security Agency (NSA) for a vulnerability in Microsoft's SMB implementation. EternalBlue gives the ransomware a worm-like ability to reach other unpatched machines on the same network without any user interaction.

EternalBlue, along with other exploits, was stolen from the NSA last year by a group calling itself the Shadow Brokers. The group tried to auction the exploits and, when that failed, published them via Github on 14 April.

Microsoft had issued a patch for the underlying vulnerability on 14 March, a month before the leak, so in theory no one should have been affected by it. Microsoft rated the vulnerability critical when it released the security update.

However, a lack of patching on the part of users, and the fact that many organisations still run operating systems that Microsoft no longer supports (and which therefore did not receive the March update), mean EternalBlue can still exploit the SMB vulnerability and worm its way around networks.

An NHS Digital statement confirmed that the malware behind the attack is a WannaCrypt0r variant, that it did not specifically target the NHS, and that it has affected a variety of sectors.

The disruption stems not so much from the ransomware encrypting individual computers as from the remedial action network administrators are having to take to stop it spreading, namely shutting down the network.

NHS Digital said that there was no evidence that patient data has been accessed. It said, "NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected."

Computer systems and phones are being shut down with one NHS source telling the Evening Standard that the attack “seems to be growing”.

East and North Hertfordshire NHS released a statement saying that the trust “has experienced a major IT problem, believed to be caused by a cyber-attack.” It added that “immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust's telephone system is not able to accept incoming calls.”

The trust will be suspending non-urgent activity for the day and the statement encouraged people not to come to A&E.

The Twitter account for East Kent Hospitals sent a message to all staff suggesting that the ransomware may have arrived in an email labelled ‘Clinical results'.

A statement from the Patients Association, an independent charity,  reads: “We should be clear that the responsibility for today's apparently extensive attack on NHS IT systems and for any harm that occurs to patients, as a result, lies with the criminals who have perpetrated it.”

However, the statement added, “That something of this sort should happen will surprise few people. It has long been known that the NHS struggles with IT in multiple respects, and that this includes serious security problems.”

The ransom note demands US$300 in bitcoin, suggesting this is a consumer-grade ransomware attack rather than a targeted one.

Costs will be higher than the ransom

With a ransom demand of just US$300, the cost of recovering from this attack will certainly far exceed the ransom itself.

Specialist cyber insurance provider CFC is reporting a “significant spike in claims”.

Graeme Newman, chief innovation officer at CFC Underwriting, said, “WannaCrypt0r is spreading like wildfire and in just a few hours has already affected internet-users in a dozen countries – from Russia and Taiwan to Spain and Turkey. If it continues at its current rate, it's easy to see how this could end up costing UK businesses in excess of £100 million… This particular strain is one of the fastest-spreading and most damaging that we've seen.”

He added that the cost of paying the ransom – or not – is arguably the least of the NHS' worries right now. “Previous attacks on hospitals like this one have racked up bills of well over £1 million [with]  patient diversion, system restoration, and a whole host of other costs.”

NCC Group recently warned about the threat ransomware poses to the UK's health service, given that many trusts continue to run outdated systems and staff awareness of cyber-security is low.

A Freedom of Information request filed by the company in 2016 found that 47 percent of NHS Trusts in England had already been hit with ransomware attacks.  Ben Jepson, director of risk management and governance at NCC Group, told SC via email, “It's clearly something all Trusts are grappling with – as are the vast majority of other organisations, both public and private.

“If a private sector business is held to ransom it can potentially hit its reputation and sales, but the consequences can be more acute when it comes to hospitals. It's not just patient privacy on the line but in some cases it's the hospital's ability to operate, impacting patient care.”

Meanwhile, the ransomware used on Telefonica is purportedly a new variant of the one currently affecting NHS trusts, and both are apparently using the same bitcoin address to collect funds. There are currently four transactions registered to that bitcoin wallet, although neither the recipients nor the senders are identifiable.

Thomas Fischer, threat researcher and security advocate at Digital Guardian, told SC: “This definitely looks like it is a campaign, the attacker looks to have found a new variant that is unknown enough to break through some weak defences. As far as I've seen, the two attacks are not related in terms of the ransomware being used, as the attacks originating in Spain are using a new variant of WCry.”

However, David Emm, principal security researcher at Kaspersky Lab, disagreed: “If the screenshot in reports is accurate showing that attackers are asking for US$300, this suggests it is a random attack rather than a targeted attack; if a cyber criminal can impact so many systems at once, why not ask for lots of money? Further, we've seen cyber attacks on a number of other organisations across Europe today; however it's unclear whether they are connected.”

Of course, added Fischer, “We can't rule out that the same party might be running different ransomware attacks. It does seem that these variants are spreading due to a known vulnerability in Windows SMB. The NHS was probably badly affected because it lacks the resources to properly patch its software.”

Telefonica has apparently shut down much of its operation to prevent further infection. Fraser Kyne, EMEA CTO at Bromium, told SC, "The fear of further infection has caused Telefonica to effectively create a quarantine zone and shut down its operations until further notice. While these measures do illustrate that the company is taking the threat seriously and is making efforts to stop the contagion from spreading, the response is far from ideal and could end up costing Telefonica a lot in lost productivity."

WannaCryptor, or WannaCry, was first discovered earlier this year by a Malwarebytes researcher. Since then it has been detected 36,000 times in the wild and is apparently prolific in Russia, Ukraine and Taiwan. Version 2.0, which spreads far more aggressively, was spotted by MalwareHunter earlier today and has already infected targets in 11 countries.

The exact origin of the campaign is not yet known.

What is EternalBlue?

WannaCrypt0r 2.0 spreads by exploiting the Microsoft Windows vulnerability addressed in security bulletin MS17-010, using the NSA-developed exploit code-named EternalBlue. Microsoft rated the bulletin “critical” when it released the 14 March security update for SMB Server (4013389): https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

The bulletin noted that the most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. The update addressed the vulnerabilities by correcting how SMBv1 handles specially crafted requests. A host that has installed the update, or that has SMBv1 disabled, is therefore not exposed to EternalBlue; an unpatched host with SMBv1 enabled and TCP port 445 reachable is.

Microsoft did not say who reported the vulnerabilities, but they are believed to be the ones targeted by four of the stolen NSA exploits (EternalBlue, EternalChampion, EternalSynergy and EternalRomance) that the Shadow Brokers released a month later. At the time Microsoft said the leaked exploits did not work against supported products that had the patches installed. Not everyone keeps their patching up to date, however, and organisations running versions of Windows that Microsoft no longer supports did not get the update at all.
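The practical question raised by both the patching passage above and this sidebar is which hosts on a network still speak SMBv1 on port 445, since those are the ones EternalBlue can reach. The following is an added example, not code from the article, NHS Digital or Microsoft: it sends a single, legitimate SMB_COM_NEGOTIATE request that offers only SMBv1 dialects and reports whether the server selects one of them. It implements no part of MS17-010 and does not test whether the patch is installed; a patched server with SMBv1 still enabled will answer the same way as an unpatched one. The function names, the 0xC801 Flags2 value and the sample reply (constructed by hand, not captured from a real host) are all mine.

```python
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
SMB1_MAGIC = b"\xffSMB"
NBSS_SESSION_MESSAGE = 0x00

# Only SMB1 dialects are offered, so a server that selects one of them is
# still speaking the SMBv1 protocol that MS17-010 patched.
LEGACY_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def build_negotiate_request(dialects=LEGACY_DIALECTS, mid=1):
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE request advertising only SMBv1 dialects."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,
        0,            # Status
        0x18,         # Flags: canonicalised paths, case-insensitive
        0xC801,       # Flags2: Unicode, NT status codes, extended security, long names (my choice)
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures, unused before signing is established
        0,            # Reserved
        0,            # TID
        0xFEFF,       # PIDLow, arbitrary
        0,            # UID
        mid,          # MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # 0x02-prefixed, NUL-terminated dialects
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount = 0, ByteCount, dialects
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(raw, dialects=LEGACY_DIALECTS):
    """Interpret the server's reply: did it select one of the offered SMBv1 dialects?"""
    if len(raw) < 4 or raw[0] != NBSS_SESSION_MESSAGE:
        return {"smb1": False, "reason": "not a NetBIOS session message"}
    smb = raw[4:4 + int.from_bytes(raw[1:4], "big")]
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return {"smb1": False, "reason": "not an SMBv1 negotiate reply"}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return {"smb1": False, "reason": "negotiate failed, NT status 0x%08x" % status}
    if len(smb) < 33 + 2 * word_count:
        return {"smb1": False, "reason": "truncated negotiate reply"}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return {"smb1": False, "reason": "server rejected every offered dialect"}
    result = {"smb1": True, "dialect": dialects[dialect_index].decode()}
    if word_count == 17:  # NT LM 0.12 reply layout: SecurityMode byte follows DialectIndex
        security_mode = smb[35]
        result["signing_enabled"] = bool(security_mode & 0x04)
        result["signing_required"] = bool(security_mode & 0x08)
    return result


def sample_response():
    """Constructed (not captured) reply from a server choosing NT LM 0.12, signing enabled but not required."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x98, 0xC801, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 1)
    words = struct.pack(
        "<HBHHIIIIqhB",
        2,            # DialectIndex: "NT LM 0.12"
        0x07,         # SecurityMode: user-level, encrypted passwords, signing enabled (0x08 clear)
        50, 1,        # MaxMpxCount, MaxNumberVcs
        16644, 65536, # MaxBufferSize, MaxRawSize
        0,            # SessionKey
        0x8000E3FD,   # Capabilities
        0, 0,         # SystemTime, ServerTimeZone
        8,            # ChallengeLength
    )
    data = b"\x11" * 8  # 8-byte challenge
    smb = header + bytes([17]) + words + struct.pack("<H", len(data)) + data
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to a host you are authorised to test and report whether it negotiates SMBv1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            reply = s.recv(4096)
    except OSError as exc:
        return {"smb1": False, "reason": "no SMBv1 reply (%s): SMBv1 disabled or port filtered" % exc}
    if not reply:
        return {"smb1": False, "reason": "connection closed without reply: SMBv1 likely disabled"}
    return parse_negotiate_response(reply)


if __name__ == "__main__":
    import sys
    print(probe_smb1(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A Windows server with SMBv1 disabled normally closes the connection without replying, which the probe reports as "likely disabled"; a server that answers with a valid DialectIndex is still exposing the SMBv1 code path and should be checked for the MS17-010 update (KB4013389 on the platforms it covers). Run it only against hosts you are authorised to scan.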