How to beat ransomware

Cyber criminals are finding ever more devious ways to lock your files. We explain how to protect your devices from the latest threats

2017 WannaCry campaign

May 2017 saw the execution of a ransomware attack of unprecedented scale, which hit over 100 countries simultaneously. In the UK, the NHS was worst hit, with 40 NHS trusts and 11 health boards across England and Scotland affected. Scheduled operations were cancelled, with most health organisations hit by the ransomware accepting emergency patients only, or even diverting to other nearby hospitals that were unaffected.

Which ransomware hit the NHS?

There are many different types of ransomware that can target your IT systems. In the case of the May 2017 attack, affected organisations were hit by WannaCry, also known as WannaCrypt, WannaCrypt0r, WCRY and various other names.

WannaCry used an exploit believed to have been developed by the NSA as a "cyber weapon", known as EternalBlue, which was stolen and publicly released by the hacking group Shadow Brokers. Once a computer is infected and the ransomware executes, all the files on that machine are encrypted and a demand for a ransom in Bitcoin appears on the screen. The ransomware demand also shows two countdown timers. The first shows how long the victim has to pay the ransom before the price doubles, while the second shows how long it is until the malware deletes all their files.

How did it spread?

It was initially thought that the ransomware would first have been downloaded onto a vulnerable system by a phishing attack, a malicious website that carried out a "drive by" attack, or something similar. However, later investigations pointed instead to a vulnerable SMB (Server Message Block) port being the actual vector of attack.

In March 2017, Microsoft had issued a patch for Windows 7 to 8.1 covering the vulnerability that EternalBlue (and, thus, WannaCry) used. Windows 10 wasn't affected. Windows XP and Windows Server 2003 were also vulnerable; however, as they were both out of support by three years, no patch had been issued for them.

What actually happened?

On the morning of 12 May 2017, reports began to surface of a ransomware attack on the Spanish telco Telefonica, which were fairly quickly confirmed. A few hours later, new reports began to surface in the UK, initially stating that a handful of NHS Trusts in England were also affected. This number quickly rose to over 10, then over 20 and finally passed 40 by the end of the day. During this time it became apparent that some hospitals in Scotland were also affected, although the NHS in both Wales and Northern Ireland remained clean.

Around 70,000 devices in the NHS were affected, including MRI machines, refrigerators, and operating theatre equipment.

After the news of the attacks in Spain, England and Scotland broke, reports of similar infections started to filter in from Russia, the USA, Canada and Australia, with the total number of affected devices surpassing 75,000 across 99 countries on the first day.

As the day went on, the scale of the attack, which Europol described as "unprecedented", rapidly became apparent. In an effort to stop it spreading, Microsoft issued an emergency patch for Windows XP and Windows Server 2003, despite them being out of support.

There has been some speculation in the security community that, due to the apparent simultaneous nature of the attack, with disparate organisations across the world all being hit at the same time, the infection had lain dormant in systems for some time, with the attackers activating an "on switch" on 12 May. This hasn't been confirmed, however.

Who was responsible?

Attacks like this are notoriously hard to attribute with absolute certainty. There are some indications that it came from North Korea, with both Kaspersky Lab and Symantec pointing to code similarities between WannaCry and malware previously used by Lazarus Group, the hacking ring thought to have been behind the 2014 attack on Sony Pictures Entertainment. Others, however, have claimed this could be a so-called false flag and, for its part, North Korea has denied any involvement.

For a day-by-day account of the WannaCry attack, visit our dedicated news page.
