May 12, 2017

At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware, a type of malicious software that encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.

It remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so quickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft.

The ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer.

The ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer.

In a statement, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks.

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said. “At this stage we do not have any evidence that patient data has been accessed.”

According to Reuters, hospitals across England are diverting patients requiring emergency treatment away from the affected hospitals, and the public is being advised to seek medical care only for acute medical conditions.

NHS said the investigation is at an early stage but the ransomware that hit at least 16 NHS facilities is a variant of Wana Decryptor (a.k.a. “WannaCry“), a ransomware strain that surfaced roughly two weeks ago.

Lawrence Abrams, owner of the tech-help forum BleepingComputer, said Wana Decryptor wasn’t a big player in the ransomware space until the past 24 hours, when something caused it to be spread far and wide very quickly.

“It’s been out for almost two weeks now, and until very recently it’s just been sitting there,” Abrams said. “Today, it just went nuts. This is by far the biggest outbreak we have seen to date.”

For example, the same ransomware strain apparently today also hit Telefonica, one of Spain’s largest telecommunications companies. According to an article on BleepingComputer, Telefonica has responded by “desperately telling employees to shut down computers and VPN connections in order to limit the ransomware’s reach.”

An alert published by Spain’s national computer emergency response team (CCN-CERT) suggested that the reason for the rapid spread of Wana Decryptor is that it is leveraging a software vulnerability in Windows computers that Microsoft patched in March.

According to CCN-CERT, that flaw is MS17-010, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another.

That SMB flaw has enabled Wana Decryptor to spread to more than 36,000 Windows computers so far, according to Jakub Kroustek, a malware researcher with Avast, a security firm based in the Czech Republic.

“So far, Russia, Ukraine, and Taiwan leading,” the world in new infections, Kroustek wrote in a tweet. “This is huge.”

Abrams said Wana Decryptor — like many ransomware strains — encrypts victim computer files with extremely strong encryption, but the malware itself is not hard to remove from infected computers. Unfortunately, removing the infection does nothing to restore one’s files to their original, unencrypted state.

“It’s not difficult to remove, but it also doesn’t seem to be decryptable,” Abrams said. “It also seems to be very persistent. Every time you make a new file [on an infected PC], it encrypts that new file too.”

Experts may yet find a weakness in Wana that allows them to way to decode the ransomware strain without paying the ransom. For now, however, victims who don’t have backups of their files have one option: Pay the $300 Bitcoin ransom being demanded by the program.

Wana Decryptor is one of hundreds of strains of ransomware. Victims who are struggling with ransomware should pay a visit to BleepingComputer’s ransomware help forum, which often has tutorials on how to remove the malware and in some cases unlock encrypted files without paying the ransom. In addition, the No More Ransom Project also includes an online tool that enables ransomware victims to learn if a free decryptor is available by uploading a single encrypted file.

Update, May 13, 9:33 a.m.: Microsoft today took the unusual step of releasing security updates to fix the SMB flaw in unsupported versions of Windows, including Windows XP, Windows 8, and Windows Server 2003. See this post for more details.


100 thoughts on “U.K. Hospitals Hit in Widespread Ransomware Attack

  1. JOHNEIL IRVIN

    Since everyone has screenshots of the ransomware request for payment page with the bitcoin addresses in it…..can we inspect network traffic coming in from perimeter for those texts (those bitcoin addresses)….just trying to throw something out there.

  2. Wiliam

    Reuters disclosed that hackers used NSA exploits to launch the attack. Why NSA is not charged for the exploits to commit crime ? Or the law is not same for everybody ?

    1. Joe

      Definitely not the same for everyone, Ask Snowden…

    2. 9

      It wasn’t the NSA who committed the crime. Yes, the leaked exploits were (almost certainly) made by them, but breaking into computer networks to obtain information is part of their duties.

      1. columbus_viaLA

        Oh, now I get it. Just like it was the duty of Eric Holder’s DOJ to provide guns to Mexican drug cartel members, so that they could kill US Border Patrol agents.

        Just doin’ their jobs: all in a day’s work.

      2. Mahhn

        Yeah but, once they knew their exploits were in the wild they should have told MS so they could patch then. The NSA left us all to be slaughtered for just a few more days to use the same hack. Where would we be without them.

        1. Sean McVeigh

          Right. Spy agencies are tasked with finding exploits not to use against their enemies but helping organizations stay patched.

          1. Mahhn

            they are tasked with the Security of the US.

  3. columbus_viaLA

    OMG! Did Krebs on Security totally miss the memo?

    This attack was made possible–if not actually brought to you–by the NSA.

    Even the MSM is so reporting.

  4. Daniel

    The NSA was simply the first organisation to come across this zero day and start making using of it (that we are aware of). If anyone is to be blamed for the recent spike in infections of this malware, it would be the shadow brokers for releasing the cache of tools the NSA used. However as with most of the exploits released, chances are the NSA hasn’t used them too much in recent times as the majority of content appeared to be quite outdated.
    This is a patched vulnerability. Only recently patched yes, but one that was well and truly patched before this outbreak. If organisations or individuals were blamed for the zero days they discovered whenever a piece of malware was made that took advantage of them, Brian could dedicate to this blog purely to that topic as it would be that frequent.
    I am not attempting to defend what the NSA does, however pointing the finger at them in this situation isn’t realistic.
    Large organisations need to invest in updating legacy systems so they can run modern operating systems and apply these fixes. Simplified view obviously, I know the reality is far from simple, but resources should be focused on improvements.

    1. epistemology

      No, the product maker, Microsoft, made a flawed product. If a car maker sold a car, later to be found to have an accident causing flaw, they would be responsible for fixing it. Why can Microsoft just declare that they no longer patch older versions of their products as they did here?

      1. Beeker25

        They do. They have told people many times that their XP system will not be subject to the update as the system has run its course in support.
        The biggest problem is that people refused to believe it until it is too late. That’s why MS has offered a Windows 10 upgrade for free for a year. Anyone not doing so is the ones should have their head banged for it.

      2. Ron G

        “If a car maker sold a car, later to be found to have an accident causing flaw, they would be responsible for fixing it.”

        Ah yes… MS Windows… The “Ford Pinto” of Operating Systems. anybody who uses -any- version of Windows without either routine and regular patching and/or routine and regular backups gets what they deserve.

        “Why can Microsoft just declare that they no longer patch older versions of their products as they did here?”

        I am actually sympathetic to MS here. MS *did* offer a free patch to all users of , for example, Windows XP, and some folks just refused to install that.

        The patch was called “Windows 10”.

    2. Dave

      What if you can’t patch your system, because something in Microsoft’s now mega-update-with-everything causes your PC to go into a blue-screen/reboot loop? Is there a way to mitigate this without being able to apply software updates?

  5. Kevin Richards

    It’s not the first time for NHS to be targeted for ransomware attack. Last year, it was attacked by an unknown ransomware and the staff had to shut down their servers in order to prevent it from spreading and sent outpatients to other facilities, read by this article:
    https://www.beencrypted.com/malware-shuts-down-national-health-service-operations/

    It seems that NHS just avoided the situation and did not update their systems for such vulnerabilities.

    1. Ron G

      “It seems that NHS just avoided the situation and did not update their systems for such vulnerabilities.”

      Yes, and it would appear that they -also- left a bunch of totally open SMB shares lying around on their network.

      There’s no excuse for this. This is just faith-based network security.

  6. tom

    So uk and world hospitals should buy now bitcoins.
    then when attack comes then they are ready and it will save many lifes. Goverments now should prepare their bitcoins reserves.

  7. Jean

    As there’s no depth to which they will not stoop, my money is on GCHQ orchestrating this to get bitcoin ruled illegal.

  8. Jolhan

    We should ban bitcoin.
    Money is traceable, bitcoin is not.

    1. sergey

      Ban bitcoin? No !! Some people make daily living of bitcoins.
      not fair to punish honest btc users !!

    2. patti

      Try calculating the carbon footprint of a bitcoin. That alone should declare it a tech travesty.

  9. Tyler

    Don’t blame the NSA or CIA for this exploit reaching this level. It is well known exploits become public as soon as they are patched. Finding the exploit a patch fixes is an art that has been around for years.

    This exploit was probably known by both the NSA and CIA. I may be wrong, but was it not the CIA that had the leak a couple weeks ago?

    These hospitals should only have sensitive systems on internal networks. Why they are reaching public web space from systems critical for operations is an error.

  10. cardao

    Best thing to do is if the goverments all round the world will buy bitcoins right now. Btc price is 1600$ right now…its high price
    So hospitals and goverment should buy bitcoins now and stack up enough the bitcoins in case your are under attack,you have bitcoins to pay asap. Hospitals should have wallets ready with bitcoins. This way they can faster make btc transfer and it can save many lives.

  11. Rich

    What ever happened to Production Systems and Admin Systems that don’t talk to each other? Anything other than that is unaccceptable. BTW, production doesn’t talk to the internet. Harder to implement, but worth it.

  12. Mike

    Has the kill switch that was found effectively stopped it in its tracks?

    1. Cog

      This version, but even the researcher that found the killswitch said it will only stop this variant. So it would be easy to change the killswitch URL and re-launch it.

    2. Daniel

      Yes, this variant. Currently it checks for a particular domain and if the domain didn’t exist, it would set to work encrypting files. Thanks to a security researcher who register the domain, not knowing the result it would have, when the malware checks for the domain and realizes it exists, it does not encrypt any files.
      That being said, its very easy for the malware authors to change the checking process and send out a new wave of emails quickly.

      1. Jon snow

        from the article, self taught researcher, lives with his parents, accidentally stumbled on this,… remain anonymous…a bit fishy.

  13. Roshan

    Is there one common key for all users or does the malware generate new keys for every user and sends either the symmetric key or the private key back to the author?

  14. MowGreen

    All money transfers will be made transparent and that includes ‘crimecoin’, excuse me, bitcoin.

  15. Bob Stromberg

    I spent some time in frustration trying to determine if my Windows 8.1 system, on which Microsoft’s “check for updates” showed now new updates, was infected.

    Why did I keep looking? Because the reports mention “Windows 8,” not “Windows 8.0.”

    I take “Windows 8” to mean either “Windows 8.0” or “Windows 8.0 and 8.1.”

    I sure wish that Microsoft, and other reports, would make this clear.

    In the end I went into “Programs and Features” and disabled SMB Version 1.

    I *think* my Windows 8.1 system is no longer subject to this particular form of ransomware.

      1. Bob Stromberg

        Thanks for the link. I had already read it when I posted my complaint.

        I don’t think the info at the link is at all clear:

        — The table has 4 rows for Windows 8.1

        — OK, I have a 64-bit system. That narrows it down to two rows.

        — The first 64-bit row (“Windows 8.1 for x64-based Systems
        (4012213) Security Only[1]”) looks like a hit. OK, what do I do? Reading across, I get to the 7th column and it says “None.” Huh? This column’s heading says “Updates Replaced.” Wait, what?

        I’ve gotten nowhere.

        This kind of information should be in “plain technical English.” Something like:

        “On your Windows 8.1 computer, do ABC to check that the required update is installed. In addition, if your computer communicates with other computers on a network (other than the Internet), for example, if you use Windows Homegroup or otherwise stream content to or from this computer, then do XYZ.”

        These are instructions that ordinary home users who read attentively and can click (or right-click) on icons, and reboot the computer as needed, can do. O’ course, the “ABC” and “XYZ” in the above sample paragraph need to be ready to understand without abstruse terminology or missing steps.

        Just my 2¢.

  16. patti

    Windows is *obviously* not going to get significantly less vulnerable in the foreseeable future. It’s totally a gamble to stick with that OS.

  17. Mahhn

    I’ll bet there was a Shodan report pulled just before this started by the perpetrators to compile the main list of targets. (systems accepting incoming :443 request)

    1. Ron G

      “I’ll bet there was a Shodan report pulled just before this started by the perpetrators to compile the main list of targets. (systems accepting incoming :443 request)”

      That’s a crock. Whenever stuff like this happens, people who couldn’t find their own routers with both hands and a flashlight inevitably flail around searching for somebody to blame OTHER THAN the dumbass victims who were too dumb to patch, or to close down all unnecessary ports, or to make backups. Some people inevitably scream that it’s all the fault of MS, or Bitcoin, or Shodan. But the sad truth is that it is highly likely that a lot of the systems that got encrypted this time… just like that last 10 or 20 times… were *internal* networked systems that didn’t even have public-facing internet IP addresses, and which are thus machines that Shodan would never even see. And also, who the hell needs Shodan? If you’ve already managed to break into a couple of thousand or so machines, then you can… and if you are smart, you probably will… leverage those machines and get them to do a big scan for you… one that will probably end up being bigger and better and more complete than whatever Shodan might give you.

      The problem is that the Great Unwashed Masses respond to incidents like this in a kneejerk fashion… just like we all did after 9/11, and we know how well THAT went. After incidents like this people want to make Shodan or Bitcoin or MS Windows illegal, which is dumb, and won’t actually address the problem that some people don’t patch *and* don’t make routine backups.

      Until we can make common, garden variety stupidity illegal, outlawing Shodan or Bitcoin or Windows isn’t going to help and won’t actually solve the real problem.

      1. Mahhn

        wow, very touchy about Shodan. Clearly you didn’t get that I was indicating that if one could review who pulled shodan reports, and see if there was a good match, it may be an avenue to find the culprit.
        Our infrastructure is in great shape and we’re always diligent, so sorry, not a knee jerk reaction from me, like your response was.

    2. MaxSecurity

      Doubtful they used Shodan. You can use MassScan or similar free tool to scan the entire internet IP space on a single port in under 3 minutes. Shodan is for tech plunkers, there are many free tools and other tools that provide this info. Most hackers will run their own target list

  18. TomTrottier

    The only way to make a safe backup would be to boot from a different OS disk. This could also serve as the backup disk. Ideally, it would check for signs of malware encryption as it incrementally backed up and halt the process with a message.

  19. Michel

    Huge mistake by Microsoft. This will just keep companies running XP longer. Support for the OS ended, companies need to upgrade.

Comments are closed.