An attack that hit the NHS brought to light a global ransomware infection that struck 75,000 computers in 99 countries and demanded ransom payments in 20 languages.
Ransomware is malware that installs covertly on a victim’s device and then either mounts a cryptoviral extortion attack (from cryptovirology) that holds the victim’s data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim’s data, until a ransom is paid.
Yesterday, NHS services across the UK were hit by a large-scale cyber-attack. Hospitals across the country have reported being hit by the attack and in some instances in England, patients are being turned away from A&E and operations are being cancelled.
East and North Hertfordshire NHS trust said in a statement:
“The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency. To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”
NHS Digital said:
“We’re aware that a number of trusts have reported potential issues to the CareCERT team. We believe it to be ransomware.”
Hospitals have been told to pay $300 (£233) to regain their files, and the hackers are demanding that this be paid in Bitcoin, an unregulated currency that authorities find difficult to track.
The attack affected Telefónica and several other large companies in Spain, as well as FedEx and Deutsche Bahn. Other targets in at least 99 countries were also reported to have been attacked around the same time. Over 1,000 computers at the Russian Interior Ministry, the Russian Emergency Ministry and the Russian telecommunications company MegaFon have been reported as infected.
WannaCry is believed to use the EternalBlue exploit, which was allegedly developed by the US National Security Agency, to attack computers running Microsoft Windows operating systems. EternalBlue exploits vulnerability MS17-010 in Microsoft’s implementation of the SMB protocol.
Although a patch to remove that vulnerability had been issued on March 14, 2017, delays in applying security updates left some users and organisations vulnerable.
A “kill switch” hardcoded into the malware has allowed the initial infection to be halted, but variants are expected to be created.