The NHS takes center stage as the latest victim of a ransomware cyber-attack, with services across England and Scotland experiencing locked computers and inaccessible patient data. Despite the limelight falling on the NHS, the attack is believed to be widespread with multiple organisations around the globe being demanded a ransom payment of £230m in bitcoin per device.
It is understood that the ransomware came from an embedded file within a word document, sent via email to NHS staff. From there the malware first encrypts large portions of the user’s data, rendering it inaccessible, but recoverable after the ransom had been paid. The second aim of the ransomware is simple, to spread as far as possible, it does this by scanning both the local network, and attempting to scan random points on the internet, exploiting any device it deems as vulnerable along the way.
The exploit used is recently released, originally developed by the US government, and since released by hackers after finding the exploit amongst other data on a server used by the developers. Since then, Microsoft has released an update to protect the affected services, services that are found on most Windows devices. In addition to this, it has been reported that the malware is spreading via authenticated sessions on other machines, meaning that patching the hosts will only go so far to prevent the spread of the malware.
The use of this exploit to create ransomware is not surprising, the ease with which criminals could acquire and use the vulnerability from its release is almost unheard of, and its inclusion in malware should have been expected as a result. The NHS, and other organisations failure to react to the threat is unsurprising, the size of the bureaucracy in these organisations, and the reliance on legacy software preclude the possibility of patching all systems.
It appears then that the failure of the NHS to patch their devices, and educate their staff on potential attack methods is the reason for this attack, it should be noted that it is not uncommon for organisations with hundreds of devices on hundreds of sites to take significant lengths of time to patch their devices. In addition, well thought out phishing emails can be effective against even the most educated users, especially when there are so many points of failure, and only requiring a few to fail in order to have a significant effect on business functionality.
What Can Be Done?
The NHS would have to invest in a significant amount of time and money in order to get their cyber estate to a level high enough to protect against this kind of attack. The areas within the NHS where extra resources had been invested in cyber security, saw a reduced rate in infections and in some cases no instances of WannaCrypt, this was down to the use of up to date software and ensuring that well maintained patching policies were in place.
Organisations that fall victim to these attacks need to ensure that where security companies are employed to test for issues, an action plan is put in place to fix any findings. Where possible, staff training should be given to improve cyber awareness and prevent attack vectors such as phishing and malware infested websites. Finally, ensuring when critical patches are released, a business plan is in place to deploy these patches within a timely manner, if this can’t be done mitigations are put in place.
IRM’s CEO, Charles White has said the following about the attack “If this global attack highlights anything it shows us why cyber security cannot be solved with a clever piece of hardware or software, but must become embedded into the culture and operation of the organisation if it has any chance of mitigating the risk.”
How Cyber Aware Are You?