NHS England hit by 'cyber attack'

Incidentally, all mainstream anti-malware and anti-ransomware software packages have been able to detect and stop the WannaCry ransomware since March, so the affected PCs and servers either did not have suitable anti-malware software installed, or it was out of date.

(Anti-malware / anti-ransomware is not the same as anti-virus.)

Regarding the NHS: software licences for not-for-profit organisations, registered charities, educational institutes, government and the public sector are usually heavily discounted, though there would be labour costs in planning, installing and maintaining any system.
 
In my view this attack was done in error.

It makes little sense:

The larger organisations will never pay anyway. They will apply their standard procedures, restore from backups etc., but they won't pay. In the last 5 years I have only heard of one case where someone agreed to pay; it was a home user who lost all his family photos, and in the event the payment website did not work, so the data was lost for good. This is not to say that no one pays - this 'industry' is estimated to rake in some $1bn a year - but the success rate is actually very low and depends on sending out millions and millions of copies of the malware, and the victims comprise mostly home users and small businesses. The 'revenue' is then distributed over many criminal organisations and individuals rather than going to a single 'Mr Big'.

The perpetrators have now 'spent' their secret weapon. Instead of continuing to milk ransoms over a period of time from home users and small businesses - the typical victims who are slow to update their IT systems, have no backups, and who would actually pay up - the cat is now out of the bag, as every computer on the planet will now be protected and this particular vulnerability can no longer be exploited by them. So after what must have been for them a good two months, they have now in one stroke finally slaughtered the goose that lays the golden eggs...

Cyber criminals mostly get away with it because there are so very many of them and police forces around the world just don't have the resources to trace and prosecute, especially given the need for expensive international investigations. In other words, cyber crime has largely gone unpunished so far because - just like theft from cars and other petty crimes - police forces just can't deal with it, not because the perpetrators are untraceable. But this particular criminal organisation has managed to get itself in the sights of what will now be a coordinated international effort to find them - with cooperation from the law enforcement and security agencies of some countries that don't bother too much with privacy, data protection, court orders, and human rights in general - and I have no doubt that the perpetrators will be traced, and quite quickly, in spite of all the proxy VPNs and the payloads they may have dropped in unprotected computers and online appliances etc. They will be found... soon.

So in summary.... in all likelihood this was a nice and steady little earner that got badly out of hand and spiralled out of control into a worldwide attack that its originators did not intend nor want and now may not be able to survive.

A big mistake that they are probably already regretting - I can see them cashing in on what they can and folding up their operation, hoping to disappear before the proverbial hits the fan.
 
The company I work for is owned by Iberdrola.

We all got told to log off our computers yesterday afternoon. After about half an hour they told us just to go home, but make sure every computer was logged off.

We don't use XP, so it must have got into our systems via Spain, as we are linked to their systems.

The electricity supply to our Spanish house is with Iberdrola, so no doubt a price increase is on its way.
 
Another interesting point is that, given the scale and the simultaneous nature of the attack, the most likely scenario is that the affected computers were infected with the ransomware some time ago, i.e. the infections occurred over a period of time and were triggered on Friday, either in real time or based on an internal scheduler.

This is significant because, given that neither the Windows vulnerability nor the worm was new, it is likely that regular virus scanning of the PCs (e.g. daily or weekly) with up-to-date anti-virus/anti-malware/anti-ransomware would have identified and quarantined it long before it was 'awakened'.

So again this seems like a 'low-tech' attack (in the sense that it was relying on known tools that were out there for a while now), that managed to hit hard because of poor systems admin on the clients' side.
 
That is my understanding of it all.

Whoever is responsible for patching and system updates is in for a severe roasting on Monday morning.

I can pretty much guarantee that all of the IT organisations attempt to run a regular patching regime. For some it will be monthly, for others quarterly.

However, by far the biggest hindrance to this is the business. They have to test these patch releases against all of the applications they run and will often block the release of patches until they are ready. Often this can take months, as they do not release the resources to perform the testing. And if that testing fails, they often accept the risk rather than pay to remediate the application, leaving those devices vulnerable going forwards.

So don't go knocking the IT guy if you have no understanding of how that particular business operates and the state it was in.

There are of course other measures that can be put in place, both from a tiered architecture and a secure workplace. For example, your workloads should be firewalled from your workspace, your workspace should have anti-virus and anti-malware (and many didn't get updates for this until Friday, contrary to what some have claimed), and then you should be blocking the running of non-approved executables.

Now all of this is an ideal scenario - multi-tiered protection, regular patching etc. - but they all bring disruption to a business, and some for that reason do not run all of these.

There are also the odd under-trained IT departments or CIOs who really don't understand the risks, but more often than not it is the business just trying to run a business.
 
This wasn't a targeted attack. It was not aimed at stealing information. It was aimed at having as wide a vector as possible to get as much ransom as possible.

This particular version has also not been around for months and just activated. It was just released, and most AVs and anti-malwares had no protection for it at the time.

So whilst there may have been a patch from Microsoft for some OSs for a while (two monthly roll-ups), there was little protection other than for organisations which block the running of non-approved executables.

It was propagated by users who were clicking on attachments in emails. Once in an environment it could then move from machine to machine that was not protected, meaning it could encrypt multiple data sources, making the problem far worse than if just an individual machine was infected.
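The machine-to-machine movement described in the post above leaves a distinctive trace in host firewall logs: one source IP opening TCP 445 to many different neighbours within a short window. The function below is an added example, not code from the thread; it parses Windows Firewall log lines (the W3C-style pfirewall.log format) and flags any source that contacts more than a threshold of distinct destinations on port 445 inside a fixed time bucket. It assumes that logging of allowed and dropped connections has been turned on and that the logs of several hosts are concatenated before analysis; the sample lines, the hosts and the addresses are constructed for the example.

```powershell
<#
  Added example (not from the thread): flag hosts that fan out over
  TCP 445 to many distinct neighbours in a short window, the footprint
  of the machine-to-machine spread described above.
  Input: Windows Firewall log lines (pfirewall.log, W3C format).
  Assumes connection logging is enabled and that several hosts' logs are
  concatenated. Sample lines below are constructed.
#>
function Find-Smb445FanOut {
    param(
        [Parameter(Mandatory)] [string[]]$Lines,
        [int]$WindowSeconds = 60,   # fixed bucket size
        [int]$Threshold = 10        # distinct destinations per bucket
    )
    $epoch = [datetime]'2000-01-01'
    $seen  = @{}   # key "<src-ip>|<bucket>" -> set of dst-ip

    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # fields: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }

        $ts = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
        $bucket = [math]::Floor(($ts - $epoch).TotalSeconds / $WindowSeconds)
        $key = "$($f[4])|$bucket"
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$seen[$key].Add($f[5])
    }

    foreach ($key in $seen.Keys) {
        if ($seen[$key].Count -ge $Threshold) {
            $src, $bucket = $key -split '\|'
            [pscustomobject]@{
                Source       = $src
                WindowStart  = $epoch.AddSeconds([double]$bucket * $WindowSeconds)
                Destinations = $seen[$key].Count
            }
        }
    }
}

# Constructed sample: one client talking to a file server (benign) and one
# host sweeping twelve neighbours on 445 within thirty seconds (suspicious).
$sample = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$sample += '2017-05-12 13:00:05 ALLOW TCP 10.0.0.40 10.0.0.2 50112 445 0 - 0 0 0 - - - SEND'
$sample += '2017-05-12 13:03:10 ALLOW TCP 10.0.0.40 10.0.0.2 50113 445 0 - 0 0 0 - - - SEND'
foreach ($i in 1..12) {
    $sample += ('2017-05-12 13:02:{0:D2} ALLOW TCP 10.0.0.15 10.0.0.{1} {2} 445 0 - 0 0 0 - - - SEND' -f (10 + $i), (20 + $i), (49000 + $i))
}

# Expected: a single row for 10.0.0.15 with 12 destinations; 10.0.0.40 is not reported.
Find-Smb445FanOut -Lines $sample | Format-Table -AutoSize
```

Fixed buckets keep the code short but can split a burst that straddles a bucket boundary; a sliding window over sorted timestamps avoids that at the cost of a sort. A file server legitimately receives many inbound 445 connections, so the count is keyed on the source address, not the destination, and the threshold should be set above the normal client-to-server pattern of the estate.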
 
Chap on the radio today ('security expert') said that "90% of NHS PCs still run Windows XP".

I saw NHS Digital did release some figures on what the level of XP still running within the NHS is.

4.9%, so somewhat less than the ridiculous 90% given by the so called security expert.

That is lower than I expected, based on experience in the NHS, but glad it is lower.
 
Given that the criminals behind this have only earned $26k from it, that sounds plausible.
 
The spread and attacks were stopped by a security analyst investigating and seeing it was connecting out to a particular URL. When they tried to go to that URL they found it was unregistered.

To try to see what it was looking for, they registered the domain it was going to. This subsequently turned out to be a kill switch: if the malware found that URL was active, it stopped executing.

It was purely by chance that this was muted so quickly, and the global problem could have been so much worse than it has been.

There will no doubt be new variants released in the next few days targeting those not in a position to patch.

Users on Windows 10 are fine as that was not vulnerable, but any other Microsoft version is, so best to patch. This isn't an enterprise-only issue, so best all members make sure they are patched. If you are running XP or 2003, which no longer get pushed updates, then you can get the patches from Microsoft.

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 has all of the patches for the various OS versions.

Also ensure your AV is up to date as many pushed new definitions late Friday afternoon.
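A quick way to check a Windows host against the advice in the post above, as an added example that is not from the thread: it looks for the MS17-010 update, reports whether the SMBv1 server protocol is still enabled, and checks for an inbound firewall rule covering TCP 445, optionally applying the last two. KB4012598 is the only identifier the thread gives, so the KB list is a parameter; take the numbers for other Windows versions from the Microsoft catalog page linked above. It assumes PowerShell 3 or later with the NetSecurity and SmbShare modules (Windows 8 / Server 2012 or later); the function name and the -Remediate switch are my own. One caveat that follows from the kill-switch description in the same post: the check only works if the host can actually reach the domain, so a proxy that blocks or fails to resolve it would let the malware carry on.

```powershell
<#
  Added example (not from the thread): check a Windows host for the
  MS17-010 / WannaCry mitigations discussed above and, optionally, apply
  the two that do not need a reboot.
  Assumptions: PowerShell 3+ with the NetSecurity and SmbShare modules
  (Windows 8 / Server 2012 or later). KB4012598 is the only KB the thread
  names; pass the KB IDs that apply to your OS version via -KbIds.
#>
function Test-Ms17010Mitigations {
    [CmdletBinding()]
    param(
        [string[]]$KbIds = @('KB4012598'),
        [switch]$Remediate
    )

    # 1. Patch: Get-HotFix reads the same installed-update data as "wmic qfe".
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID }
    $patched = [bool]$installed

    # 2. SMBv1: the worm spreads over SMBv1, so turning the protocol off
    #    removes the transport even on a host that cannot be patched yet.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $smb1Enabled = if ($null -ne $smb) { [bool]$smb.EnableSMB1Protocol } else { $null }
    if ($Remediate -and $smb1Enabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb1Enabled = $false
    }

    # 3. Host firewall: is there an enabled inbound Block rule covering TCP 445?
    $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains '445')
        } | Select-Object -First 1
    if ($Remediate -and -not $blockRule) {
        $blockRule = New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Ms17010Installed = $patched
        InstalledKbs     = ($installed.HotFixID -join ', ')
        Smb1Enabled      = $smb1Enabled
        Port445Blocked   = [bool]$blockRule
        BlockRuleName    = if ($blockRule) { $blockRule.DisplayName } else { '' }
    }
}

# Report only; add -Remediate to disable SMBv1 and add the 445 block rule.
Test-Ms17010Mitigations | Format-List
```

Blocking inbound 445 on a file server breaks its shares, and disabling SMBv1 cuts off any remaining XP or 2003 clients, which is exactly the estate the thread says is still around; neither step replaces the patch, they only buy time until it can be tested and deployed.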
 
I think we can all agree that patching the OS is the last line of defence, not first.

First and foremost there's user training (do not click on links, do not open attachment you are not expecting... etc).

Then there are spam filters that should stop malicious email messages.

Then there are firewalls with gateway antivirus and built in spam filters, and website filtering to prevent access to rogue sites via email links. And blocking access to private email accounts such as Gmail or Yahoo.

Then there's endpoint security i.e. anti-virus and anti-malware and desktop firewalls etc. And daily or weekly automated virus scans.

And of course users should have very limited permissions to their own workstations.

And there are organisation-level measures such as segmenting and segregating networks and using reverse proxy firewalls for applications etc.

Given that both the vulnerability and WannaCrypt were known for a while... there had to be more than just one or two things wrong with the security of those sites that were affected.
 
Yep, agree; people are bashing IT when the constraints on those layers being effective are at the business level.

Not always, but often.

This is where people say digitisation is a bad thing, when actually it is a good thing, as it drives modernisation of systems and focuses the importance of all of those layers, from organisational to technical. The difference it will make to care pathways, personalised medicine and wellness is the way in which the NHS stops itself going bankrupt. Changing demographics and ways of living will cripple it otherwise.
 
Apologies for the spelling mistakes in previous post... :( the perils of typing with one hand while walking the dog :D
 