Ransomware Rundown

By on May 15, 2017 in Technology

Though some experts predicted the final payoff would hit one billion dollars, Friday’s ransomware attack – believed to be one of the largest ever perpetrated – ended with a fizzle over the weekend, with the hackers barely pulling in $26,000 before being temporarily stopped in their tracks by an anonymous cyber security expert.

Summarizing the situation Monday morning, Jan Op Gen Oorth, senior spokesman for Europol, told the AFP, “The number of victims appears not to have gone up and so far the situation seems stable in Europe, which is a success.”

“It seems that a lot of internet security guys over the weekend did their homework and ran the security software updates.”

A Simple Fix

According to Gizmodo, the damage was mitigated, in part, by the quick action of an “anonymous 26-year-old security researcher” known as MalwareTech, who managed to temporarily slow the spread of the ransomware late Friday. After discovering that the domain name associated with the ransomware, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, was available for purchase for just $10.69, MalwareTech bought the domain and halted the attack.

“Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freak out until I realized it was actually the other way around and we had stopped it,” MalwareTech told The Guardian.

According to Matthieu Suiche, founder of cybersecurity firm Comae Technologies, MalwareTech’s registration of the domain stopped the malware from spreading throughout the US.

“The kill switch is why the U.S. hasn’t been touched so far,” he told the New York Times on Saturday. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”
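The kill switch works because the malware checks whether that domain resolves and stops if it does, so every lookup of the domain in resolver logs marks a host on which the sample ran, whatever the answer was. The following is an added example, not code from the article or from MalwareTech: a small Python triage script over a constructed, simplified resolver log (timestamp, client IP, query name, response code). It separates hosts whose lookup failed (before registration, NXDOMAIN meant the worm carried on) from hosts whose lookup resolved (the kill switch fired, but the host still executed the dropper). As Suiche notes above, a variant using a different domain would not be caught by this indicator.

```python
"""Flag hosts that looked up the WannaCry kill-switch domain in DNS logs.

Added example, not from the article. The log format is a constructed,
simplified resolver log: "<ISO timestamp> <client ip> <query name> <rcode>".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Kill-switch domain named in the article (registered by MalwareTech).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log lines (not real data). The first three are from
# before the domain was registered (NXDOMAIN), the rest from after.
SAMPLE_LOG = """\
2017-05-12T13:01:05Z 10.20.5.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T13:01:06Z 10.20.5.17 update.microsoft.com NOERROR
2017-05-12T13:04:41Z 10.20.7.3 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NXDOMAIN
2017-05-12T14:30:00Z 10.20.9.8 www.nhs.uk NOERROR
2017-05-12T16:22:10Z 10.20.5.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12T16:25:33Z 10.20.11.2 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    qname: str
    rcode: str


def normalise_name(name: str) -> str:
    """Strip the trailing root dot and lower-case, so case/FQDN variants match."""
    return name.rstrip(".").lower()


def parse_dns_log(text: str) -> list[DnsRecord]:
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append(DnsRecord(ts, client, normalise_name(qname), rcode.upper()))
    return records


def find_kill_switch_lookups(records: list[DnsRecord],
                             domain: str = KILL_SWITCH_DOMAIN) -> dict[str, dict]:
    """Return {client: {first_seen, nxdomain, resolved}} for hosts that queried the domain."""
    target = normalise_name(domain)
    hits: dict[str, dict] = {}
    for r in records:
        if r.qname != target:
            continue
        entry = hits.setdefault(r.client, {"first_seen": r.ts, "nxdomain": 0, "resolved": 0})
        if r.rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        else:
            entry["resolved"] += 1
    return hits


def classify(entry: dict) -> str:
    """Turn the lookup history of one host into a triage verdict."""
    # A failed lookup means the sample did not stop: treat the host as compromised.
    if entry["nxdomain"]:
        return "lookup failed at least once: worm likely proceeded; isolate and rebuild"
    # A resolved lookup means the kill switch fired, but the dropper still ran on this host.
    return "lookup resolved: kill switch fired, but host executed the dropper; isolate and patch"


def report(text: str) -> list[str]:
    """One line per affected host, oldest first."""
    hits = find_kill_switch_lookups(parse_dns_log(text))
    return [f"{h} first seen {e['first_seen']}: {classify(e)}"
            for h, e in sorted(hits.items(), key=lambda kv: kv[1]["first_seen"])]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Hosts that never appear in these logs are not cleared by this check: a machine that resolved through a proxy or a different resolver leaves no trace here, so the DNS indicator complements, rather than replaces, the patch-status check.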

A Global Attack

The flurry of ransomware attacks shut down several UK hospitals and spread to multinational companies and governments in 150 countries. While England’s National Healthcare System (NHS) received most of the initial attention, Russia, Taiwan and Spain appeared to have been hit the hardest while the U.S. remained relatively unscathed.

According to the New York Times, the tool used to unleash the ransomware was leaked by the group Shadow Brokers as part of its online release of NSA hacking tools last month.

Operating under a variation on the name “WannaCry,” the malware exploits a Windows vulnerability known as EternalBlue, allegedly discovered by the NSA. The attacks were most successful on computers running unpatched versions of Microsoft Windows up through version 10. Though Microsoft had released a patch (MS17-010) for the particular vulnerability exploited by the malware back in March, the hackers won on the gamble that most users had failed to update their systems, highlighting the need for organizations to stay on top of all the latest security protocols.

“This highlights the importance of regular patching of Windows OS (operating system) of servers and workstations,” noted Jay Shobe, Vice President, Technology at Yardi. “Microsoft released a patch in March to fix this particular vulnerability, so servers that are up to date with patches are not affected. In addition, keeping on current Windows versions is essential as well. For example, Microsoft stopped patching Windows XP in 2014, so there is no protection for workstations running on that version of Windows.”

“Cyber security constantly evolves,” he added. “It’s important to maintain constant network security that’s able to adapt as the threat changes.”
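The two points made above, that MS17-010 must actually be installed and that out-of-support versions such as Windows XP get no fix at all, translate directly into an inventory check. The script below is an added example, not code from the article, from Yardi, or from Microsoft: it reads a constructed patch-management export (hostname, OS, installed KB numbers) and ranks each host. The KB-to-OS mapping is illustrative and is an assumption to confirm against the MS17-010 bulletin for each build in use; the unrelated KB numbers in the sample data are placeholders.

```python
"""Triage a host inventory for exposure to the MS17-010 vulnerability.

Added example, not from the article. The CSV export is constructed, and the
KB mapping below is illustrative: confirm it against the MS17-010 bulletin.
"""
from __future__ import annotations

import csv
import io
from datetime import date

# OS families whose security support had ended before the attack
# (the article notes Microsoft stopped patching Windows XP in 2014).
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
}

# Updates that deliver the MS17-010 fix for a given OS family.
# Illustrative mapping (assumption): security-only and monthly rollup for Windows 7 /
# Server 2008 R2. Windows 10 builds are deliberately absent so they fall to "review".
MS17_010_KBS = {
    "windows 7": {"KB4012212", "KB4012215"},
    "windows server 2008 r2": {"KB4012212", "KB4012215"},
}

# Constructed export; KB0000001 / KB0000002 are placeholders for unrelated updates.
SAMPLE_EXPORT = """\
hostname,os,installed_kbs
ward-pc-01,Windows 7,KB4012215;KB0000001
ward-pc-02,Windows 7,KB0000002
xray-srv-01,Windows XP,
file-srv-02,Windows Server 2008 R2,KB4012212
lab-pc-07,Windows 10,KB0000001
"""

# Severity order used for sorting the final report.
SEVERITY = {"critical": 0, "high": 1, "review": 2, "ok": 3}


def os_family(os_name: str) -> str:
    return os_name.strip().lower()


def parse_kbs(field: str) -> set[str]:
    """Split a ';'-separated KB list, ignoring blanks and case."""
    return {k.strip().upper() for k in field.split(";") if k.strip()}


def assess_host(row: dict, today: date) -> tuple[str, str]:
    """Return (severity, reason) for one inventory row."""
    fam = os_family(row["os"])
    installed = parse_kbs(row.get("installed_kbs", ""))

    # Out-of-support OS: no fix exists, so patch status is irrelevant.
    eol = END_OF_SUPPORT.get(fam)
    if eol is not None and eol <= today:
        return "critical", f"{row['os']} out of support since {eol}; isolate from SMB and replace"

    needed = MS17_010_KBS.get(fam)
    if needed is None:
        return "review", f"no MS17-010 mapping for {row['os']}; verify patch level manually"
    if installed & needed:
        return "ok", "MS17-010 present"
    return "high", "MS17-010 missing; patch before reconnecting to the network"


def triage(csv_text: str, today: date = date(2017, 5, 15)) -> dict[str, tuple[str, str]]:
    """Assess every row of the export; defaults to the article's date."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: assess_host(row, today) for row in rows}


def ordered_report(csv_text: str, today: date = date(2017, 5, 15)) -> list[str]:
    """Report lines, most severe first."""
    results = triage(csv_text, today)
    return [f"{sev.upper():8} {host}: {reason}"
            for host, (sev, reason) in sorted(results.items(),
                                               key=lambda kv: (SEVERITY[kv[1][0]], kv[0]))]


if __name__ == "__main__":
    for line in ordered_report(SAMPLE_EXPORT):
        print(line)
```

The end-of-support check runs before the KB check on purpose: an XP host is flagged critical even if some update is listed, because, as Shobe says, no protection exists for that version.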

Old OS at Fault

Unfortunately, the NHS was particularly susceptible to this type of incursion because the organization relies on Windows XP. As reported in December, the UK government’s security agreement with Microsoft, which cost the country £5.5 million per year, came to an end on May 15, 2016. The government chose to discontinue Microsoft security support, relying instead on government organizations and departments to make the switch to Windows 10, but that massive migration never took place.

In fact, at the beginning of the year, a Freedom of Information request filed by Motherboard revealed thousands of NHS computers were still running on the outdated OS. Those systems included tens of thousands of machines either left unpatched or running an older version of Windows.

As Sam Pudwell noted in an article for Silicon UK, “By running Windows XP, NHS Hospitals risk breaching data protection regulations, which are set to become even more stringent through the new General Data Protection Regulation (GDPR) coming into force in 2018. Legal experts have confirmed that the guilty hospitals may be in breach of current regulations.”

Jon Baines, Chair of the National Association of Data Protection and Freedom of Information Officers (NADPO) told Pudwell, “If hospitals are knowingly using insecure XP machines and devices to hold and otherwise process patient data they may well be in serious contravention of their obligations.”

Hospitals on High Alert

As reported by the New York Times and other media outlets, the ransomware attack appeared to be a variant of the familiar Wanna decryptor malware. Users attempting to log into the network were greeted with a pop-up message saying “Ooops, your files have been encrypted!” with a demand of $300 worth of online currency Bitcoin to release the system.

A message from the ransomware attackers demanded a bitcoin payment in order to release the system. In all, 61 NHS operations throughout Britain were affected, causing ambulances to be diverted as well as cancellation of scheduled operations and nonemergency procedures. According to a report from the Health Service Journal, X-ray machines, patient administration systems and pathology tests had all been affected. Phone lines and email were also inaccessible. Blood work and other diagnostics services had to be put on hold.

“Just about to start a night shift,” said Reddit user Tildah, “No computers, no electronic prescribing. X-rays are being printed and have to be viewed in [the] radiology department.”

While the NHS stated the attack did not seem to be “specifically targeted at NHS,” officials were working with the government’s National Cyber Security Centre to craft a solution. In the meantime, several hospitals in the country posted notifications online alerting patients and their families of possible delays due to “a major IT disruption.”

“Our focus is on supporting organisations to manage the incident swiftly and decisively,” the NHS statement continued, “but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”

According to Wired, hospitals and private practitioners were both hit by the cyber attack, resulting in an advisory asking citizens to avoid seeking medical attention unless facing a life-threatening emergency. The attack began in the north and southwest regions of the country but was said to be “creeping” across the nation, with the southern part of England reporting another attack Friday afternoon targeting general practitioners.

“I’m a doctor in one of the affected hospitals, a major trauma center in London,” wrote user purplepatch on Reddit late Friday afternoon. “Everything has gone down. No blood results, no radiology images, there’s no group specific blood available. They’ve declared a major internal incident, the hospital is diverting major trauma and stroke patients. All elective surgery was canceled from about 1 pm. We’re not doing anything in the theatre that’s not life or limb threatening. There will almost certainly be deaths as a result of this.”

Cutting the Cord

As reports of the ransomware attack spread, some organizations acted quickly to disconnect their networks. In a message to a Guardian reporter, one NHS IT worker from an Essex hospital explained the disconnect notice came through around 2 pm Friday afternoon.

“We were told to shut down, take out network cables and unplug the phones,” she said. “A message came up for just one of our team about the fact that all the files would be wiped in two hours unless we gave $300 in bitcoins.”

She confirmed the demand for $300 in Bitcoin, noting that the ransom message warned, “Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files but do not waste your time. Nobody can recover your files without our decryption service.”

“You only have three days to submit the payment,” the ransom note cautioned. “After that, the price will be doubled. Also if you don’t pay in seven days, you won’t be able to recover your files forever.”

Derbyshire Community Health Services, which operates as part of the NHS Foundation Trust, reassured patients in a statement that they had not been hit by a cyber-attack, but had “switched off the IT systems that pose the biggest risk.”

Returning to paper records and handwritten notes, Derbyshire explained they’d “gone ‘back to basics’ for some tasks – so you might find things take a little longer than they would normally.”

Health and Safety at Risk

Sky News posted a video interview with Dr. George Farrelly deploring, “amoral people interfering with vulnerable people.” Dr. Farrelly explained to Sky News that his office took the precaution of printing the day’s appointments after receiving a warning a neighboring practice had been hit. At 1 pm, the office’s computers were locked, and the familiar ransomware notice appeared.

When asked if his office was prepared for an attack of this nature, Dr. Farrelly replied, “We were told we were operating within a very secure system with the NHS.”

Highlighting just how unprepared many healthcare providers are when it comes to network security, Farrelly added, “We are aware of cyber security, but our practice doesn’t have any kind of contingency plan when we have a shutdown of our system.”

“You have to understand that those of us who have gone paperless – which includes an increasing number of practices – rely wholly on our web-based system to operate. All our information is based on the computer.”

Officials stated that though operations had been disrupted, no patient records appeared compromised. According to the Guardian, law enforcement personnel indicated the attack seemed to be criminal rather than an action perpetrated by a foreign power, making the threat serious but so far, not an incident with “national security implications.”

“At this stage, we do not have any evidence that patient data has been accessed,” NHS Digital declared in a statement. “We will continue to work with affected organisations to confirm this.”

Global Concern

As England struggled to regain control of its healthcare network, the Spanish government announced that several large companies, including telecom giant Telefonica, had also been compromised. Spain’s natural gas company Gas Natural and electric company Iberdrola were also victims. According to Wired, the incidents appeared “to be part of a global cyber security incident with malware spreading to multiple organisations around the world.” In fact, by the end of the day on Friday, several more countries had reported attacks and compromised systems.

“Security firm Check Point said it has seen instances in multiple countries,” reported Wired. “Telefonica in Spain has been the biggest confirmed incident outside of the UK, but it also reports issues in Russia, Turkey, Indonesia, Vietnam, Japan, and Germany.”

“A live map tracking the malware has plotted thousands of incidents around the world. Although, it is not confirmed these are all the latest version of the malware.”

As night fell over London, malware infections had been reported in 99 countries, though that number would rise to 150 over the weekend. Updates and public comment on the NHS attack continued on Twitter under the #nhscyberattack hashtag.

Echoing sentiments expressed by many in the Twittersphere, Kanayo Onyeka wrote, “Organisations need to take cyber security seriously. This isn’t funny. The vulnerability has been there for a while…”