All around the world organisations have been affected by the WannaCry ransomware attack. The attackers have so far been effective due to the ransomware’s ability to compromise a single machine on a network and then spread to other systems within that network.
In the UK, the BBC reported that 61 NHS organisations have been affected, making the attack seriously impactful for the service.
Hospitals affected by the attack were forced to cancel patient appointments and use pen and paper as computers needed to be shut down.
Digital Health Age reported the story last week. To follow up, we reached out to a number of organisations within the digital health sector to see what they had to say about the incident.
Speaking for health IT consultancy organisation AbedGraham, Dr. Saif Abed said: “We must be careful at this stage not to play the blame game. Clearly, there is a technical vulnerability at the heart of this attack but more importantly cybersecurity must now be seen as a clinical risk and patient safety issue. Health IT investment needs to be protected and cybersecurity must rise to become a board level priority. There will be further attacks in the future and we must ensure that we are investing in people and processes both from IT and clinical backgrounds so that we are prepared for every eventuality.”
Andrew Barratt, managing principal for cyber risk management company Coalfire said: “I’m sure we’ve all seen Windows XP PCs in hospitals around the country. Since the PCs are no longer patched by Microsoft, it’s highly likely these devices are unprotected and potentially littered with vulnerabilities that could be exploited by a cyber criminal. With stretched budgets, the NHS is constantly under scrutiny to maximise their investments and this can often mean a deprioritisation of security protection and IT support, leaving them completely exposed and at the mercy of a large ransomware attack. As someone who has worked with the healthcare industry for more than 10 years – I know that the NHS IT infrastructure has a number of vulnerabilities plagued with legacy applications that could not be patched and were relatively under-governed by the trusts. While the UK government did make steps to improve IT security by issuing the NHS Information Governance toolkit, it mostly consisted of a bundle of high-level legal requirements and lacked clear technical direction or audit management. This meant that NHS trusts have inconsistent security at best, or at worst, are vulnerable to lots of different attacks.”
Telehealth organisation Now Healthcare’s CTO Tim Ng spoke about the challenges the NHS is facing, saying: “NHS are caught between a rock and a hard place – everyone being blamed for outdated systems and misconfigured systems. It isn’t that easy. Imagine a replica model of the Eiffel Tower built with wooden planks and then being told to replace sections of it with metal girders, without tearing the whole thing down. And allow people to still come in and view it, go up it and keep it running as usual. Now you have an idea of the scale and complexity of the systems in the NHS. Governance is key to bring order and process but can also be a millstone that slows innovation meaning that outdated technology is still being used. Many in governance are not from a technology background but have the ability to dictate how things should be done. Technologists have evolved and many are process and business savvy. I feel for the teams that are trying to deal with the hack and fully support them. Embracing new technology is a risk but not doing so can be riskier.”
Israel Barak, CISO at cybersecurity company Cybereason, comments: “We know that ransomware purveyors are often savvy e-marketers that know their targets, and it is not uncommon for a ransomware gang to run multiple campaigns at the same time, with tiered pricing based on a variety of parameters such as vertical industry, region, age, etc. However, the attacks on the NHS trusts across the UK seem to show particularly ruthless calculation even by criminal standards, banking on the trusts having weak defences and being especially desperate to restore access to their systems due to health and even lives being at stake.
While ransoms have surpassed the hundreds of thousands mark, the goal is to set a price that makes it either cheaper or easier for the victims to pay the ransom than to recreate or restore the compromised systems, especially when the victim has a sense of urgency. Today’s ransoms show that this can still be very costly, especially when it comes to lost operational time and data. We’ve seen many examples where companies didn’t have the proper backups in place and decided to pay the ransom so that they could resume normal business operations, and that will obviously be a pressing concern for the affected trusts.”
Allan Liska, senior solutions architect at threat intelligence company Recorded Future states: “The ransomware infection that is spreading throughout the United Kingdom, and the world, is version 2.0 of WanaCrypt0r (aka WCry, WannaCry, and WannaCryptor). Recorded Future saw the first appearance of this ransomware on March 31st, but the version that is rapidly spreading has made some significant changes.
Specifically, the new version takes advantage of the SMB vulnerability outlined in Microsoft Security Bulletin (MS17-010), also known as the EternalBlue exploit. This means that once the ransomware gets into a network it can spread quickly through any computers that do not have that patch applied. The worm-like capabilities are the new feature added to this ransomware.
The attacks that have taken place do not appear to be targeted attacks; instead they appear to be part of a phishing campaign, though that has not been fully confirmed. Infections of the new version of WanaCrypt0r started in Spain earlier today, but have since spread to the United Kingdom, Russia, Japan, Taiwan, the United States and many more.
Given the relative ineffectiveness of the first version of WanaCrypt0r, it is likely the author did not expect this type of success from the new campaign, which could cause problems for any organisation that attempts to pay the ransom. For now, the best advice is to ensure that all Windows systems are fully patched, to ensure that firewalls are blocking access to SMB and RDP ports, and to educate users to watch out for suspicious emails.”