Several hospitals in the United Kingdom were the target of a severe ransomware attack on Friday. Staff were no longer able to access patient records and appointments, according to UK press. The strain of ransomware that caused the chaos was Wanna Decryptor (WanaCrypt0r 2.0, or Wanna Cry). Press reports show that Wanna Decryptor attacks affected over 300,000 computers in over 150 countries.
Wanna Decryptor Attack Affects 16 Hospitals
The National Health Service (NHS) in England has declared this incident a major attack. As of 15:30 on Friday, 16 hospitals had reported an infection. “NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected,” said NHS England, in a statement.
The NHS added that the attack has also affected other industries. British law enforcement believes the attack is criminal in nature but does not have implications for national security.
The Only Way Out is a Restore from Backup
Doctors and nurses reported that they could not access their computer systems, with screens popping up a message with ransom demands. Wanna Decryptor renames files with the extension “.WCRY” and asks for a ransom of 230GBP (around $300) in Bitcoin to regain access to files. According to MalwareHunterTeam, this ransomware strain is relatively new (it emerged in February 2017). There is currently no way to decrypt files without paying the ransom.
According to law enforcement, organizations can restore their systems from backups to resume activity.
Unpatched Windows XP Systems Exploited
One security expert pointed to the old operating systems in hospitals as the cause of the infection. Many NHS hospitals run on old Windows XP systems, which are unable to apply newer patches that could defend them against the infection.
Apparently, Wanna Decryptor spreads using a flaw in the Microsoft SMBv2 network protocol. Microsoft announced a patch for the vulnerability on March 14. This was just a month before a hacker group leaked the ransomware and claimed to have stolen it from the National Security Agency (NSA) in the United States. Older systems like Windows XP, however, cannot benefit from this patch and are still vulnerable.
“It is not just the NHS affected: reports suggest it is a global problem. The virulence is likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems (such as XP) that are no longer supported by Microsoft and hence no patch exists,” said Professor Alan Woodward, a security expert from the University of Surrey, quoted by The Guardian.
Signs of a Worldwide Attack
Other reports also stated that this is a worldwide operation, and systems in several countries have been attacked. Kaspersky Lab released a report on Friday that showed over 45,000 infections taking place all around the world, and added they expect this number to climb.
The Wanna Decryptor attack has also affected several large telecommunications companies and utilities in Spain, as well as businesses worldwide.
Unfortunately, it looks like many organizations activated their disaster recovery plans after the Wanna Decryptor attack. While the ransom demands were small, this massive attack has crippled public and private companies across the globe, in one of the largest cyberattacks we’ve seen so far.
As always, the best defense against ransomware attacks is reliable backup and disaster recovery tools and a well-thought-out business continuity plan.