Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread
The UK’s National Health Service (NHS) has experienced its worst-ever ransomware attack. The infections spread rapidly to multiple NHS trusts, forcing computer system shutdowns. Affected hospitals cancelled operations, and the disruption to patient services is still continuing.
The attack occurred on Friday and affected 61 NHS hospital trusts, causing chaos for patients. The NHS has been working around the clock to bring its computer systems back online and to recover encrypted data.
The massive ransomware attack involved Wanna Decryptor 2.0 ransomware, also known as WannaCry or WanaCryptor. There is no known decryptor.
The attackers were threatening to delete data if the ransom was not paid within 7 days, with the ransom amount set to double in three days if payment was not made. The ransom demand was reportedly $300 (£230) per infected machine. NHS Trusts saw the ransomware infection rapidly spread to all computers connected to their networks.
While the NHS was one of the early victims, the attack has spread globally, with the Spanish telecoms company Telefonica also hit, along with FedEx, universities in China, the German rail operator and the Russian Interior Ministry. Infections are still spreading globally at an alarming pace.
Avast has reported there have been at least 57,000 worldwide infections in 100 countries. Infections are expected to grow over the next few days. This is already the largest ransomware attack in history, according to Mikko Hyppönen of F-Secure.
The Department of Health and Human Services (HHS) and the Department of Homeland Security have issued alerts about the threat, with the HHS saying yesterday there is evidence of the attack affecting U.S. organizations.
Laura Wolf, Critical Infrastructure Lead at the HHS, advised all healthcare organizations to “exercise cyber security best practices – particularly with respect to email.”
While the ransomware variant has been spread via spam email, the massive global attack is believed to have involved an exploit called ETERNALBLUE. The exploit was released by Shadow Brokers last month, after allegedly being stolen from the NSA. The exploit has been combined with a self-replicating payload that spreads without any user action required.
The exploit is for a vulnerability in Server Message Block 1.0 (SMBv1), which was patched by Microsoft in March 2017 (MS17-010).
Any organization that has not yet installed the patch is advised to do so IMMEDIATELY.
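A payload that spreads itself over SMB has to open connections to many machines' SMB port (TCP 445), so an infected host shows up in flow or firewall logs as one source reaching an unusual number of distinct SMB peers in a short time. The following is an added example, not part of the original article: the log format, the 60-second window and the threshold of five peers are assumptions to tune per network, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                   # TCP port SMB listens on
WINDOW = timedelta(seconds=60)   # assumed window; tune per network
THRESHOLD = 5                    # assumed: distinct SMB peers per window

# Constructed sample flow records: timestamp, source, destination, dest port, action.
SAMPLE_LOG = """\
2017-05-15T10:00:00 10.0.0.40 10.0.0.5 445 ALLOW
2017-05-15T10:00:01 10.0.0.23 10.0.0.11 445 ALLOW
2017-05-15T10:00:02 10.0.0.23 10.0.0.12 445 ALLOW
2017-05-15T10:00:03 10.0.0.23 10.0.0.13 445 DENY
2017-05-15T10:00:04 10.0.0.23 10.0.0.14 445 ALLOW
2017-05-15T10:00:05 10.0.0.23 10.0.0.15 445 DENY
2017-05-15T10:00:06 10.0.0.23 10.0.0.16 445 ALLOW
2017-05-15T10:00:07 10.0.0.40 10.0.0.5 445 ALLOW
2017-05-15T10:00:08 10.0.0.40 192.0.2.10 443 ALLOW
2017-05-15T10:05:00 10.0.0.31 10.0.0.5 445 ALLOW
2017-05-15T10:15:00 10.0.0.31 10.0.0.6 445 ALLOW
2017-05-15T10:25:00 10.0.0.31 10.0.0.7 445 ALLOW
2017-05-15T10:35:00 10.0.0.31 10.0.0.8 445 ALLOW
2017-05-15T10:45:00 10.0.0.31 10.0.0.9 445 ALLOW
"""

def smb_fanout(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each source to its peak count of distinct SMB peers inside one
    window, keeping only sources at or above the threshold."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != str(SMB_PORT):
            continue  # skip malformed lines and non-SMB traffic
        # Denied attempts count too: a blocked probe is still a probe.
        by_src[fields[1]].append((datetime.fromisoformat(fields[0]), fields[2]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for src, peers in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {peers} distinct SMB peers within {WINDOW}")
```

On the sample, only 10.0.0.23 is flagged: a client repeatedly using one file server, and a host touching five servers over forty minutes, both stay under the threshold.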