How to beat ransomware

2017 WannaCry campaign

May 2017 saw the execution of a ransomware attack of unprecedented scale, which hit over 100 countries simultaneously. In the UK, the NHS was among the worst hit, with 40 NHS trusts and 11 health boards across England and Scotland affected. Scheduled operations were cancelled, with most health organisations hit by the ransomware accepting emergency patients only, or even diverting patients to other nearby hospitals that were unaffected.

Which ransomware hit the NHS?

There are many different types of ransomware that can target your IT systems. In the case of the May 2017 attack, affected organisations were hit by WannaCry, also known as WannaCrypt, WannaCrypt0r, WCRY and various other names.

WannaCry used an exploit believed to have been developed by the NSA as a "cyber weapon", known as EternalBlue, which was stolen and publicly released by the hacking group Shadow Brokers. Once a computer is infected and the ransomware executes, all the files on that machine are encrypted and a demand for a ransom in Bitcoin appears on the screen. The ransom demand also shows two countdown timers. The first shows how long the victim has to pay the ransom before the price doubles, while the second shows how long it is until the malware deletes all their files.

How did it spread?

It was initially thought that the ransomware would first have been downloaded onto a vulnerable system by a phishing attack, a malicious website that carried out a "drive-by" attack, or something similar. However, later investigations pointed instead to a vulnerable SMB (Server Message Block) port being the actual vector of attack.

Microsoft had issued a patch in March 2017 for Windows 7 to 8.1 covering the vulnerability that EternalBlue (and, thus, WannaCry) used. Windows 10 wasn't affected. Windows XP and Windows Server 2003 were also vulnerable; however, as both had been out of support for three years, no patch had been issued for them.
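Given that the attack spread through an exposed, unpatched SMB service rather than through phishing, the question a defender wants answered per host is whether the legacy SMBv1 protocol is still enabled, whether TCP port 445 is listening, and how stale the machine's patch level is. The following audit script is an added example, not code from the article or from Microsoft; it assumes Windows 8.1/Server 2012 R2 or later (where the SmbShare and NetTCPIP cmdlets exist) and an elevated PowerShell session. The `-Remediate` switch and the `Get-SmbExposureReport` function name are this example's own.

```powershell
# Added example (not from the article): audit a Windows host for the exposure
# WannaCry relied on (SMBv1 enabled, port 445 listening, stale patching) and
# optionally disable SMBv1. Assumes Windows 8.1/Server 2012 R2+ and an
# elevated prompt. Function and switch names are this example's own.

function Get-SmbExposureReport {
    param(
        [switch]$Remediate   # when set, turn off SMBv1 after reporting
    )

    $report = [ordered]@{}

    # Server side: is the SMB1 protocol still enabled?
    $server = Get-SmbServerConfiguration
    $report['SMB1ServerEnabled'] = [bool]$server.EnableSMB1Protocol

    # Optional feature state (present on client SKUs; absent elsewhere)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
               -ErrorAction SilentlyContinue
    $report['SMB1FeatureState'] = if ($feature) { $feature.State.ToString() } `
                                  else { 'NotApplicable' }

    # Is anything listening on TCP 445, the port the worm spread through?
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen `
              -ErrorAction SilentlyContinue
    $report['Port445Listening'] = [bool]$listen

    # Patch currency: date of the most recently installed hotfix, if any
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $report['MostRecentHotfixDate'] = if ($latest) { $latest.InstalledOn } `
                                      else { 'Unknown' }

    # A host with SMB1 on and 445 exposed matches the WannaCry precondition
    $report['AtRisk'] = $report['SMB1ServerEnabled'] -and $report['Port445Listening']

    if ($Remediate -and $report['SMB1ServerEnabled']) {
        # Disable the legacy protocol; modern clients negotiate SMB2/3 instead
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        }
        $report['Remediated'] = $true
    }

    return [pscustomobject]$report
}

# Usage: report only, then (if wanted) remediate
Get-SmbExposureReport | Format-List
# Get-SmbExposureReport -Remediate | Format-List
```

Disabling SMBv1 breaks connectivity to very old devices (the kind of embedded equipment the article mentions), so run the report across the estate first and treat `AtRisk = True` hosts as the patch and isolation priority.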

What actually happened?

On the morning of 12 May 2017, reports began to surface of a ransomware attack on the Spanish telco Telefonica, which were fairly quickly confirmed. A few hours later, new reports began to surface in the UK, initially stating that a handful of NHS Trusts in England were also affected. This number quickly rose to over 10, then over 20 and finally passed 40 by the end of the day. During this time it also became apparent that some hospitals in Scotland were affected, although the NHS in both Wales and Northern Ireland remained clean.

Around 70,000 devices in the NHS were affected, including MRI machines, refrigerators, and operating theatre equipment.

After the news of the attacks in Spain, England and Scotland broke, reports of similar infections started to filter in from Russia, the USA, Canada and Australia, with the total number of affected devices surpassing 75,000 across 99 countries on the first day.

As the day went on, the scale of the attack, which Europol described as "unprecedented", rapidly became apparent. In an effort to stop it spreading, Microsoft issued an emergency patch for Windows XP and Windows Server 2003, despite them being out of support.

There has been some speculation in the security community that, given the apparently simultaneous nature of the attack, with disparate organisations across the world all being hit at the same time, the infection had lain dormant in systems for some time, with the attackers activating an "on switch" on 12 May. This hasn't been confirmed, however.

Who was responsible?

Attacks like this are notoriously hard to attribute with absolute certainty. There are some indications that it came from North Korea, with both Kaspersky Lab and Symantec pointing to code similarities between WannaCry and malware previously used by Lazarus Group, the hacking ring thought to have been behind the 2014 attack on Sony Pictures Entertainment. Others, however, have claimed this could be a so-called false flag, and for its part, North Korea has denied any involvement.

For a day-by-day account of the WannaCry attack, visit our dedicated news page.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.