NHS hospitals hit in global ransomware attack

National Health Service hospital trusts in the United Kingdom were forced to divert ambulances and reschedule surgeries on Friday, May 12 after their IT networks were swept up in an apparent global cyber attack. We’re following the latest in the liveblog at the end of this story. NHS Digital said in a statement that it was working with NHS England, the Department of Health and the National Cyber Security Centre to support the affected organizations.

A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack. The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors. At this stage we do not have any evidence that patient data has been accessed. NHS Digital statement

See more

Screenshot of apparent ransomware attack message sent to NHS England trusts https://t.co/jODkWomGPA pic.twitter.com/uc2HlGH9yM

— BBC Breaking News (@BBCBreaking) May 12, 2017

Screenshots of NHS computers showed that the malware encrypts a computer’s files and demands a $300 (£233) Bitcoin “ransom” to unlock the files.

[If] if want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don’t pay in 7 days, you won’t be able to recover your files forever. We will have free events for users who are so poor that they couldn’t pay in 6 months. Ransomware message seen on NHS computers

At least 16 NHS organizations in England were known to be affected by the large-scale attack, although media reports indicate many more are impacted. Trusts have been affected in London, Blackburn, Nottingham, Cumbria, Debyshire, Northumbria, Blackpool and Hertfordshire, according to the BBC. The Scottish government said it was working with NHS after four surgeries were reportedly affected by the malware. As many as 11 NHS boards in Scotland and the ambulance service were impacted, according to The Guardian. See more

.@scotgov working with NHS boards to minimise the impact of potential cyber incidents, confirms @ShonaRobison https://t.co/XxWvr0WOke

— Scottish Government (@scotgov) May 12, 2017

NHS declared a major incident, and some emergency centers have had to turn away patients and divert ambulances. Others are reportedly registering patents by hand. There is no indication patient data has been compromised. The NHS is organised into a large number of trusts, consisting of either individual hospitals or a small number of medical centers grouped together.

WannaCry ransomware

The Guardian explained that the malware affecting NHS computers took down other systems, including the telecom Telefonica in Spain. The software identified by NHS Digital as Wanna Decryptor is also called WanaCrypt0r 2.0, WCry 2 and WannaCry 2. It targets a vulnerability in Windows operating systems. Security researchers MalwareHunterTeam detected the software at 9:45 a.m. on May 12, and it had spread to NHS computers four hours later. See more

There is a new version of WCry/WannaCry ransomware: "WanaCrypt0r 2.0".
Extension: .WNCRY
Note: @Please_Read_Me@.txt@BleepinComputer pic.twitter.com/tdq0OBScz4

— MalwareHunterTeam (@malwrhunterteam) May 12, 2017

See more

36,000 detections of #WannaCry (aka #WanaCypt0r aka #WCry) #ransomware so far. Russia, Ukraine, and Taiwan leading. This is huge. pic.twitter.com/EaZcaxPta4

— Jakub Kroustek (@JakubKroustek) May 12, 2017

WannaCry was soon reported in other countries, including Italy, Poland, Russia, Taiwan, Spain and Ukraine. American delivery company FedEx told NBC News it was also experiencing “interference with some of our Windows-based systems caused by malware.” On Saturday morning, French auto manufacturer Renault said it halted production at its facilities after being swept up in the attack. See more

#WannaCry Full Spectrum Cyber Pew Pew Live map showing realtime botnet check-ins around the world. https://t.co/RB4E4MSa0Z pic.twitter.com/HpqSr0YaDN

— 乇ﾒoｲﾉc ｱﾑﾘﾚoﾑd丂 (@0c0d_) May 12, 2017

Kaspersky Lab’s Global Research & Analysis Team (GReAT) said on Friday that it had detected more than 45,000 attacks of the WannaCry software in 74 countries, mostly in Russia. Russia’s RIA news agency said the country’s central bank and state-owned rail system detected and thwarted a “massive” cyber attack. The Russian Interior Ministry said on Friday that around 1,000 of its Windows-operated computers were affected. Security software company Avast said on Friday (1915 GMT) that it detected 75,000 instances of WannaCry in 99 countries.

Obsolete systems

CNBC reported the malware was first leaked by a group called Shadow Brokers, which released a number of hacking tools purportedly stolen from the US National Security Agency. Microsoft patched the vulnerability in March, but many of the computers affected by WannaCry had not been updated or used operating systems that were no longer supported by the company, including the 15-year old Windows XP. See more

Microsoft releases #WannaCrypt protection for out-of-support products Windows XP, Windows 8, & Windows Server 2003: https://t.co/ZgINDXAdCj

— Microsoft (@Microsoft) May 13, 2017

Microsoft released an update to protect outdated products – including Windows XP – from WannaCry. Windows XP support ended on April 8, 2014, but some governments and companies still rely on the stable operating system. In December, a Freedom of Information request revealed that 90 percent of NHS trusts still use Windows XP, which no longer receives security updates. The Register reported that the UK government decided in April 2015 to discontinue a deal with Microsoft to get specialized Windows XP security updates. In June 2015, the US Navy Space and Naval Warfare Systems Command renewed a $9.1 million contract for Windows XP support. Ars Technica reported that the US Army and Internal Revenue Service also paid Microsoft for Windows XP support until they could upgrade to Windows 7, which is now also obsolete. Just three weeks ago, Daryl Haegley, the program manager for the Assistant Secretary of Defense for Energy, Installations and Environment admitted that about 75 percent of the Pentagon’s control system devices use Windows XP or other nonsupported operating systems, and some even use Windows 95 or 98.