Feb 10, 2018

Written By Jack J Collins, Editor of AllAboutLaw.co.uk

AAL Insight: WannaCry and the NHS


In May, a devastating cyber attack infected computers in 150 countries around the world, leaving many without access to basic cyber functions. In the UK, the worst affected organisation was the NHS, who were left stranded whilst treating patients. But what was the software, how does it work and who was behind the attack?

What was it?

The attack was based around a ransomware service called WannaCry, which was delivered via spam emails that attempt to get the user to open attachments – thus releasing the malware onto the system. This technique for spreading viruses is known as ‘phishing’.

Once the malware gets into the system, it shuts down what the machine is doing, encrypting files in such a way that the user is thus unable to open or use them in any way. The service then attempts to charge the user, via Bitcoin, stating that only once people have paid will they regain access to their files.

The issue with that, aside from the obvious financial inconvenience of the entire situation, is that there is no guarantee that the files will be returned when the ransom is paid – and, as it’s exceptionally hard to trace these things, there is nowhere to turn to in regards to poor customer service.

WannaCry was developed to exploit a weakness in Microsoft’s operating system – a weakness which Microsoft released a patch to fix in March. People, however, don’t always install the updates that they should, leaving holes that hackers can try to use as an opening. In this case, they succeeded, to devastating effect.

What happened to the NHS?

The NHS was the worst hit organisation in the UK, with a number of local systems completely going down, and numerous other services brought down to an exceptionally minimal level.

Hospitals around the UK took hits, as well as GP surgeries and NHS Trusts, meaning that many doctors and nurses had to revert to the old pen and paper systems of patient notes which have become largely defunct since the dawn of across-the-board computer systems.

On top of that, patients with non-emergency conditions were turned away from surgeries, with a spike in appointment cancellations. In the worst hit areas of the country, residents were told to seek medical help only in extreme emergency circumstances.

Who else did WannaCry hit?

Russia suffered from the ransomware attack as well, with the Kremlin’s Interior Ministry taken out of service. The other countries that were majorly affected included Ukraine, India and Taiwan.

FedEx, the delivery giant, was another major organisation that fell foul of the WannaCry software, and telecommunication services across the Iberian Peninsula were also hit. Spanish and Portuguese networks Telefonica and Telecom were amongst those affected.

In Germany, the most prominent damage was done to the railway operator Deutsche Bahn, with screens at stations across the country showing the malware’s ransom message rather than the schedule for operation.

Whilst the majority of the first wave of attacks affected Europe, an aftershock rang out across Asia on Monday when their working week began. China and Japan both reported systems being affected, across the geographical spread of both countries.

Do we know who did it?

A mysterious cyber-gang, known only as the Shadow Brokers, are supposedly responsible for the WannaCry attack. They announced in April that they had taken control of a so-called ‘cyber weapon’ from the National Surveillance Agency (NSA) – America’s foremost military intelligence service.

The weapon in question is known by the codename ‘Eternal Blue’. It is supposed to be able to unlock all Microsoft operating systems, and was supposed to be used to target the computers of known terrorists and therefore allow their files to be read.

When the system fell into the wrong hands, Microsoft sent out a patch which would have blocked its access – but as mentioned above, not everyone is quite as hot at upgrading their system as they perhaps should be.

What happened next is the subject of debate, and thus there is some conjecture in the assumptions, but the most common line of argument is that Shadow Brokers dumped Eternal Blue on a separate website, where it was seized upon by another criminal gang, who used it to open up computers around the world and deposit the WannaCry bug on those systems through the back door.

The bug encrypted the systems and demanded payment for the safe release of the files on the computer, and the rest is now history. Talking to the Telegraph, a computer expert described Eternal Blue as a ‘crowbar’ tool, which allowed computers to be opened up to those wishing to cause chaos and defraud individuals.

How do we combat it in future?

A British researcher working for an American tech firm has discovered a ‘kill switch’ which is able to disable the software and stop it spreading. However, he has warned that this is only a temporary fix and all the hackers need to do is change the code to be able to try again.

As such, Malware Tech Blog has reminded users that they need to update the software on their systems as soon as possible, in order to prevent a second wave of the attack being launched.

Microsoft seem to agree. On top of their pre-existing patch, they made a point of noting that those with the free Microsoft anti-virus software installed on their computers will have been able to combat the attack.

"The governments of the world should treat this attack as a wake up call," was the message on the blog of Microsoft's president and chief legal officer, Brad Smith. "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem."

Pete Turner, of Czech cyber security firm Avast, told the Telegraph that "It's critical that organisations and employees, particularly those in our most critical sectors like healthcare, start to think pro-actively about how to protect themselves from 
