Deconstructing the largest NHS hack ever

The largest ransomware outbreak in history ripped through the UK’s National Health Service. How did it happen and could it happen again? 

On May 12 2017, the largest ransomware attack ever struck the NHS, knocking 40 hospitals offline and leaving 24 trusts without access to their computers. In an effort to regain access to these critical machines, NHS engineers continue to work tirelessly, days after the infection.   

The Wanna Decryptor ransomware also struck organisations across the world, with Russia, India, Ukraine and Taiwan amongst the worst-affected countries. The situation escalates daily, and the latest reports link North Korea to the massive ransomware attack. 

The UK’s public health service was amongst the most high profile targets and the attack has engendered heated debates in the run up to a divisive General Election. As the situation unfolds, what happened and what can be done to prevent the NHS being attacked in the future? 

How ransomware infected the NHS 

The backstory reads like science fiction. A secret Microsoft exploit affecting , known as ETERNALBLUE, believed to have been developed by the NSA, was leaked by a hacking collective known as the ShadowBrokers (TSB). 

On discovery of the ETERNALBLUE exploit, Microsoft released a security patch, but many organisations failed to update their computers accordingly. Plus, Windows XP and other unsupported operating systems did not receive this update. 

The ransomware used to attack the NHS, known as Wanna Decryptor or Wannacry, was developed to combine the ETERNALBLUE exploit with a self-replicating worm component, spreading the contagious ransomware across connected machines without any user interaction. 

It’s still unclear how the ransomware infected NHS networks. Most ransomware uses phishing emails to convince users to open and download malicious email attachments. However, recent evidence suggests that phishing emails are not entirely to blame. 

The NHS has been denounced for using the outdated Windows XP operating system within its trusts, despite Microsoft discontinuing critical security patches in 2014 – including the patch needed to defend against Wanna Decryptor.  

Continued use of the outdated XP operating system was highlighted as one of the factors that enabled the ransomware attack to spread so easily across the NHS. Experts also cited a lack of discipline in patching newer versions of Windows as a larger contributing factor. 

The ETERNALBLUE exploit was well known. NHS Digital issued a patch capable of preventing the Wannacry ransomware through its cyber portal two months prior to the attack. It is understood that if this patch had been applied across every NHS trust, it would have prevented the Wannacry ransomware attack.   

However, the real controversy centres on a lack of cyber security investment within the NHS. Phishing could have provided the ransomware with its vector of infection, but a lack of cyber security awareness and investment gave Wannacry free rein inside the NHS. 

IT standards, including security, vary hugely across the organisation and some trusts do not have a single person responsible for IT sitting on their board. In 2013, when secretary of state for health Jeremy Hunt was briefed on security risks engendered by a lack of NHS IT standards, “Hunt never grasped the problem.”   

“Where bits and bytes meet flesh and blood” 

NHS staff watched in horror as their computers were locked ‘one by one’ as the Wannacry ransomware took hold. 

The ransomware locked down critical NHS computers, displaying nothing but a message from Wannacry’s criminal architects. The ransom message contained detailed instructions on how NHS staff could pay to remove the ransomware, even recommending that victims check the current value of Bitcoin before paying. Thoughtfully, a dropdown menu for language selection was also included. 

Once the ransomware had infected a machine, it travelled across the NHS network, spreading from computer to computer, trust to trust and hospital to hospital. At this point, any computer that had not received Microsoft’s security patch for ETERNALBLUE was quickly compromised.   
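The two conditions this article describes, a missing security update and an operating system too old to receive one, can be checked from a defender's side on each Windows host. The script below is an added example, not code from the article or from NHS Digital; it assumes a Windows build that provides the Get-HotFix and Get-SmbServerConfiguration cmdlets, and the update identifier it looks for is a placeholder that the operator must set to the correct Microsoft update for that build. It also checks whether the legacy SMBv1 server is still enabled, because ETERNALBLUE targets SMBv1 (a detail not stated in the article), so disabling it is a mitigation independent of patch state.

```powershell
# Added example: posture check for the conditions WannaCry relied on.
# $RequiredKb is a PLACEHOLDER; set it to the Microsoft update id for this OS build.
param(
    [string]$RequiredKb = 'KB<placeholder: ETERNALBLUE security update id for this build>'
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$result = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    OsCaption    = $os.Caption
    OsVersion    = $os.Version
    PatchPresent = $false
    Smb1Enabled  = $null
    Findings     = @()
}

# Windows XP / Server 2003 (NT 5.x) reached end of support in 2014 and cannot be patched.
if ([version]$os.Version -lt [version]'6.0') {
    $result.Findings += 'Unsupported OS: no security update available; isolate or replace.'
}

# 1. Is the required security update installed?
$hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $RequiredKb }
if ($hotfix) {
    $result.PatchPresent = $true
} else {
    $result.Findings += "Required update $RequiredKb not found."
}

# 2. Is the legacy SMBv1 server protocol still enabled?
try {
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    $result.Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
    if ($cfg.EnableSMB1Protocol) {
        $result.Findings += 'SMBv1 is enabled; disable with: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
    }
} catch {
    # Older builds lack this cmdlet; SMBv1 state must then be checked another way.
    $result.Findings += 'Get-SmbServerConfiguration unavailable on this build; check SMBv1 state manually.'
}

# Emit one object per host so results can be collected across an estate.
[pscustomobject]$result
```

Run it on each host (or via a remoting session) and collect the objects; any host with a non-empty Findings list is one WannaCry could have reached.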

The ransomware attack left almost 40 hospitals without proper access to their computers, leading to cancelled appointments, diverted A&E services, doctors unable to work, and cancellations of time-sensitive and life-changing operations. 

“Where bits and bytes meet flesh and blood” is a term coined by cyber security experts to signify a cyber attack in which physical harm is caused. Whilst no fatalities were reported as a result of the hack, a shutdown in critical NHS services has the power to devastate some of society’s most vulnerable. Without proper security safeguards it is just a matter of time until bits and bytes meet flesh and blood. 

Is it over? 

Thanks to one accidental hero, the spread of the ransomware has been halted for now, but reports suggest the malware is spawning new, more aggressive versions. 

Despite causing low financial and operational damage, the Wannacry attack remains a wakeup call, drawing attention to a critical lack of cyber security investment and awareness in the NHS.   

Cyber security remains a shared responsibility; the recent WannaCry attack makes this clear. That the NHS was so susceptible to the attack, despite warnings from Microsoft and NHS Digital, shows that top-level employees either don’t understand the risk or simply don’t care. 

Microsoft is now pointing the finger at governments for stockpiling vulnerabilities, like ETERNALBLUE. Instead of being responsibly disclosed, the exploit was leaked, giving Microsoft no warning and businesses even less. 

This isn’t the first time a government organisation has lost control of a stockpiled cyber exploit, either: vulnerabilities stored by the CIA were recently revealed on WikiLeaks.   

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," wrote Microsoft's Brad Smith. "An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen." 

Blocking future ransomware attacks will require an investment in cyber security education, through industry recognised qualifications like GIAC’s GCIH certification. Cyber security personnel, new computers and a better standard of networking security are also crucial.   

This isn’t something that can be fixed quickly, but until the UK’s health service vastly improves its cyber security, these attacks will continue. This is not the end of Wanna Decryptor, it’s an intermission. 

Alex Bennett, Technical Writer, Firebrand Training 
