UK's NHS badly affected by WannaCry

Organisations around the world are currently reeling from what is being called the worst ransomware outbreak to date, with the UK’s National Health Service (NHS) having been particularly badly hit by the attack.

The WannaCry — also known as WannaCrypt — ransomware attack over the weekend hit around 200,000 victims across 150 countries. As of early this morning there had only been three Australian companies confirmed as being affected, according to the Prime Minister’s top cybersecurity advisor, Alastair MacGibbon.

The UK’s NHS was not so lucky, with at least 16 hospitals being forced to divert emergency patients due to their computer systems being infected with ransomware. An estimated 90% of care facilities in the NHS are still using Windows XP, leaving them vulnerable to the attack.

“When a cyber attack literally puts people’s lives at stake, and not just their data, it indicates just how serious and vindictive hackers have become,” LogRhythm ANZ Regional Sales Manager Simon Howe said.

“Attacks on critical national infrastructure are becoming increasingly common, so it’s no surprise that hospitals are a prime target yet again. Health care is such a lucrative target for ransomware because there is a direct correlation between downtime and lasting damage, and as a result, most will surrender to the hacker’s demands immediately.”

Other notable victims include Spanish telecoms operator Telefonica, FedEx in the USA, German railway company Deutsche Bahn and South America’s LATAM Airlines.

How it happened

The attack used the high-profile Windows Exploit EternalBlue, a component of the suite of NSA hacking tools leaked by suspected Russian hacking group The Shadow Brokers in April. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol that had been patched in a security update issued two months earlier.

Once infected, impacted systems’ files are encrypted, and a decryptor is run with a message demanding $300 worth of Bitcoins per infected machine. The program offers to decrypt some files for free as a demonstration, and demands payment within a three-day time limit. After this time, the price is doubled, and after seven days files will be lost forever.

The attack was able to spread so rapidly because it acts as a worm and self-propagates. Analysis from Malwarebytes shows that the attack uses an initial infection vector of a malicious PDF to download and infect a single system. Once there it uses the SMB exploit to spread to all other endpoints on the internal network, making it the first massive worm discovered in around 15 years.

“This is a fast propagating ransomware that is crippling critical infrastructure. There are strong indications it could be using a known vulnerability to penetrate networks and then spread laterally,” Malwarebytes Regional Director for ANZ Jim Cook commented.

“Our research shows the encryption is done with RSA-2048 encryption, which means that it is near impossible to decrypt unless the coders have made an error somewhere.”

As widespread as the attack was, it could have been even worse if a pair of young security researchers hadn’t accidentally discovered a way to issue a “kill switch” stopping the propagation of the worm.

A security researcher known online as MalwareTech discovered the WannaCry code pointed to an unregistered domain, and promptly registered it. Another security researcher, Proofpoint’s Darien Huss, meanwhile discovered a kill switch within the malware. By linking the kill switch with the domain, MalwareTech was able to halt the spread of the attack.

But this reprieve will be short lived, with MalwareTech warning that it will be trivial for attackers to create a new version removing this domain check.

This means that Australian organisations could still be vulnerable to a second wave of attack, warned Geek founder and Chairman John Paior. “It’s very likely that someone will reverse engineer this ransomware worm to generate an updated version which you can guarantee will not contain a ‘kill switch’,” he said.

In the wake of the attack, Microsoft has taken the highly unusual step of issuing patches for the vulnerability for unsupported versions of Windows, including Windows XP and Windows 8 and Windows Server 2003, despite these operating systems being past their support cycles. The company has put together a page to help you if you think your PC could be at risk, with links to download the latest patches at the bottom of the page.

Image credit: ©lollo/Dollar Photo Club

Follow us on Twitter and Facebook