The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations to the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017.
Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks.
The Windows SMB vulnerability (MS17-010) exploited by the threat actors was addressed by Microsoft in a March 14, 2017 update, with an emergency patch released for unsupported Windows versions shortly after the attacks took place. The patches will prevent the MS17-010 vulnerability from being exploited and thus prevent WannaCry from being downloaded.
The encryption routine used by the WannaCry malware was deactivated quickly following the discovery of a kill switch. While the encryption process has been blocked, that does not stop infection. Vulnerable devices could still be infected if the patch has not been applied.
Further, if a device has already been infected prior to the patch being applied, the malware will still be present on the infected system. The HHS likens the patch to quarantining a patient. While that action will prevent the spread of the infection to other individuals, simply placing a patient in quarantine will not remove the infection in that patient.
While the ransomware component of the malware is not active, the presence of the malware on computer systems will still have some effects, which depend on the Windows version installed.
If the malware is present, it will be capable of scanning the network for other vulnerable devices and spreading to those devices.
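The scanning behaviour described above gives defenders a way to find hosts that were infected before the patch was applied. The following Python code is an added example, not part of the HHS notice or this article: it flags internal hosts that contact an unusual number of distinct peers over SMB (TCP 445) within a short window. The flow-record format, the window and the threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                  # SMB over TCP
WINDOW = timedelta(minutes=1)   # assumed look-back window
THRESHOLD = 4                   # assumed: distinct SMB peers per window before flagging
# Constructed sample flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2017-05-20T10:00:01 10.0.0.12 10.0.0.50 445
2017-05-20T10:00:02 10.0.0.12 10.0.0.51 445
2017-05-20T10:00:03 10.0.0.12 10.0.0.52 445
2017-05-20T10:00:04 10.0.0.12 10.0.0.53 445
2017-05-20T10:00:05 10.0.0.12 10.0.0.54 445
2017-05-20T10:00:07 10.0.0.30 10.0.0.5 445
2017-05-20T10:00:09 10.0.0.30 10.0.0.6 445
2017-05-20T10:00:12 10.0.0.30 10.0.0.7 443
2017-05-20T10:02:00 10.0.0.40 10.0.0.60 445
2017-05-20T10:04:00 10.0.0.40 10.0.0.61 445
2017-05-20T10:06:00 10.0.0.40 10.0.0.62 445
2017-05-20T10:08:00 10.0.0.40 10.0.0.63 445
bad-time 10.0.0.12 10.0.0.99 445
"""

def smb_fanout_hosts(text, window=WINDOW, threshold=THRESHOLD):
    """Map each source at or above threshold to its peak distinct-SMB-peer count."""
    per_src = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != str(SMB_PORT):
            continue                      # malformed record or not SMB traffic
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue                      # unparseable timestamp
        per_src[parts[1]].append((when, parts[2]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = peak = 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:
                start += 1                # slide the window forward
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(smb_fanout_hosts(SAMPLE_FLOWS))
```

A host flagged this way is a candidate for isolation and reimaging; file servers and management tools that legitimately talk SMB to many peers need to be excluded or given a higher threshold.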
The HHS says that if a device has been infected with WannaCry, reimaging and applying the patch will remove the virus and prevent it from being installed again. However, HHS explains that while the patch addresses a vulnerability in the Windows Server Message Block version 1 (SMBv1) protocol, that may not be the only vulnerability that is exploited to download WannaCry. Even patched systems may still be infected if the threat actors exploit a different vulnerability to introduce the malware. Patches must therefore be applied promptly after they have been issued to prevent future WannaCry – and other – malware attacks.
If you have been affected by WannaCry, the HHS recommends contacting your FBI Field Office Cyber Task Force or the US Secret Service Electronic Crimes Task Force to report the incident and request assistance.
The HHS also recommends contacting the FDA’s 24/7 emergency line at 1-866-300-4374 if a suspected cyberattack affects medical devices.
HHS has issued the following advice to healthcare organizations on mitigating the risk of WannaCry infection: