HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

WannaCrypt Ransomware Attacks Stopped, But Only Briefly

The global WannaCrypt ransomware attacks that hit NHS Trusts in the UK hard on Friday have spread to the United States, affecting some U.S. organizations including FedEx. Figures this morning indicate there were more than 200,000 successful attacks spread across 150 countries over the weekend.

Fortunately, the variant of the ransomware used in the weekend attacks has been neutralized. On Saturday afternoon, a blogger and security researcher in the UK identified a kill switch and was able to prevent the ransomware from claiming more victims.

While investigating the worm element of the ransomware campaign, the researcher ‘Malware Tech’ found a reference to a domain in the code. That domain had not been registered, so Malware Tech purchased and registered the domain. Doing so stopped the ransomware from encrypting files.

The ransomware performs a domain check prior to encrypting files. If the ransomware is able to connect with the domain in the code, the ransomware exists and does not encrypt any files. If the connection fails, the ransomware continues and starts encrypting files. The purpose of this check is believed to be an attempt to avoid analysis by security researchers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The good news is that by registering the domain the ransomware attacks have been thwarted. The bad news is that while the version of the ransomware used in Friday’s attacks has been neutralized, a new version of the ransomware – without the kill switch – has reportedly been released already. Heimdal Security said a new version – a Uiwix strain – does not feature the kill switch.

Other security researchers have yet to confirm whether the new variant exists, but even if no new version has been released, it is only a matter of time before that happens.

WannaCrypt Ransomware Attacks Spread Like WildFire

The WannaCrypt ransomware attacks started in Europe with the NHS hit particularly hard. 61 NHS Trusts experienced ransomware infections, which spread rapidly through their networks encrypting all vulnerable devices. The attacks resulted in data being encrypted and computer and telephone systems being taken out of action. Hospitals were forced to cancel operations while IT teams worked around the clock to restore encrypted data. The NHS is still experiencing major disruptions to services.

The attacks took advantage of a vulnerability that was patched by Microsoft on March 13, 2017. Many organizations failed to install the update, even though the vulnerability was categorized as critical and an exploit for the vulnerability was released online last month.

Unfortunately for many organizations, the NHS included, the patch could not be applied to unsupported Windows versions such as Windows XP. Many hospitals still have computers running on the outdated Windows version, even though Microsoft stopped issuing patches on April 8, 2014. Many of the attacks affected older versions of Windows that could not be patched. Microsoft said in a recent blog post that the attacks were not performed on computers running Windows 10.

Microsoft Takes Unusual Step of Issuing a Patch for Unsupported Windows Versions

In response to the WannaCrypt ransomware attacks, Microsoft has taken a highly unusual step of issuing a patch for Windows XP, even though the operating system has not been supported for more than 3 years. The patch also addresses the vulnerability in Windows 8 and Windows Server 2003. Microsoft said in a blog post on the WannaCrypt ransomware attacks that “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.” Healthcare organizations should ensure the patch is applied promptly to prevent future attacks using the exploit.

Microsoft may have issued an emergency patch for unsupported Windows versions, although other vulnerabilities remain unpatched and could potentially be exploited. Any healthcare organization still using Windows XP or other unsupported software is therefore taking a big risk. Continued use of unsupported software is a recipe for disaster as well as a potential HIPAA violation.

Useful Links on the WannaCrypt Ransomware Attacks

US-CERT Ransomware Alert

FBI Indicators Associated With WannaCrypt Ransomware

HHS Update: International Cyber Threat to Healthcare Organizations

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.