This post was updated Monday 15/05/17 at 15:00
NHS Trusts and hospitals across England were hit by a severe cyber attack on Friday. This attack then proceeded to spread across the world. A ransomware strain called WannaCry was behind the attack and infiltrated 150 countries.
It is now, however, slowing down. Since 06.00 UTC/GMT on Monday 15th May, Kaspersky Lab has noted about 500 new attempted WannaCry attacks across its customer base – by comparison, on Friday 12th there were six times as many attempts during the first hour alone. This suggests the infection may be coming under control. The hunt for the perpetrator continues.
In the UK, the attack brought down IT/computer and phone systems for 61 NHS Trusts, which was confirmed by the East and North Hertfordshire NHS Trust on Friday. As a result, the Trust has postponed all non-urgent activity.
In England, 48 National Health Service (NHS) trusts reported problems at hospitals, doctor surgeries or pharmacies, and 13 NHS organisations in Scotland were affected. Reportedly three in Ireland were also infected.
Some GP surgeries had to shut down phone and IT systems, while A&Es have told people not to come unless it is a real emergency. Blackpool Hospitals NHS Trust also asked people not to attend A&E unless it was an emergency, because of computer issues.
Health Secretary Jeremy Hunt said: “We’ve not seen a second wave of attacks and the level of criminal activity is at the lower end of the range that we had anticipated.” Hunt is expected to attend a Cobra committee meeting on cyber-security, chaired by Home Secretary Amber Rudd later.
Dr Jamie Graves, CEO, ZoneFox said that this “large-scale cyber attack on our NHS today is a huge wake-up call. The effects of this data breach include hospitals having to divert emergency patients, with doctors reporting messages from hackers demanding money, a clear signal of ransomware activity. It also highlights the ever-increasing importance of having a 360-degree visibility of activities and behaviour around business-critical data – particularly for large organisations like hospitals.”
“The underlying issue with cybercrime,” said Nik Whitfield, CEO, Panaseer, “is that the relationship between cybercriminals and organisations is asymmetric – the criminals only need to succeed once, whereas defenders have to get it right every single time. It is becoming increasingly impossible for organisations to be 100% secure – the key is ensuring that they are ‘secure enough’. In a complex technology environment, like the NHS, cyber hygiene can be a huge challenge but the risk of neglecting it means that it was only a matter of time before an attack was successful.”
Elsewhere in the world, Australian officials said that three small-to-medium sized businesses had been locked out of their systems, while New Zealand’s ministry of business said a small number of unconfirmed incidents were being investigated.
FedEx was affected in America, and in Japan both Nissan and Hitachi reported some units had been affected. In China, energy giant PetroChina said that at some petrol stations customers had been unable to use its payment system. If the issue of cyber security was not on any government’s or business’s radar before this weekend, it certainly will be now.
Microsoft has said this attack should, indeed, be a wake-up call to organisations. It has blamed the attack on governments storing data on software vulnerabilities, which were easily accessible to hackers.
The WannaCry ransomware, according to Microsoft, exposes a flaw in Microsoft Windows that was identified and stolen by US intelligence.
Andrew Clarke, EMEA director for One Identity, said that “this is an unusual move by Microsoft and serves to demonstrate the seriousness of this type of attack. In an update blog Microsoft declared, ‘Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003.’ IT teams with these types of platforms need to act quickly and implement the update to enable them to operate safely next week.”
“With hindsight, this incident stresses the importance of continual risk assessments of an organisation’s business operations; from fundamental patch management to wider issues that consider access. It re-enforces the significance of getting Identity and Access Management right, as it was only a matter of time before an attack happened on this large of a scale to take advantage of those organisations who haven’t taken this critical step.”
Ransomware strikes again. This strain of malware has erupted in the last five years, plaguing both public and private organisations. It is, in many experts’ opinion, the greatest threat facing businesses.
Europol’s chief told the BBC the ransomware was designed to allow “infection of one computer to quickly spread across the networks…That’s why we’re seeing these numbers increasing all the time.”
Just the beginning
MalwareTech, who helped limit the rate of infection, said that an attack on Monday was likely: “another one coming… quite likely on Monday”.
Becky Pinkard, from Digital Shadows, a UK-based cyber-security firm, told AFP news agency that it would be easy for the initial attackers or “copy-cat authors” to change the virus code so it is difficult to guard against.
“Even if a fresh attack does not materialise on Monday, we should expect it soon afterwards,” she said.
Gavin Millard, EMEA Technical Director of Tenable Network Security said, “With the success of the initial infection of WannaCry, it wouldn’t be at all surprising to see the next iteration released soon. Although there has been a significant amount of interest in the media and inescapable coverage of the outbreak, many systems will still be lacking the MS17-010 patch required to mitigate the threat.”
In order to protect organisations from such attacks, Kaspersky Lab security experts advise the following:
- Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
- Use a security solution with behaviour-based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system, making it possible to detect fresh and as yet unknown samples of ransomware.
- Visit the “No More Ransom” website, a joint initiative with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
- Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
- Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third-party security policies in case they have direct access to the control network.
- Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.
- Educate your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
- Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.