How to beat ransomware

Cyber criminals are finding ever more devious ways to lock your files. We explain how to protect your devices from the latest threats

2017 WannaCry campaign

May 2017 saw the execution of a ransomware attack of unprecedented scale, which hit over 100 countries simultaneously. In the UK, the NHS was worst hit, with 40 NHS trusts and 11 health boards across England and Scotland affected. Scheduled operations were cancelled, with most health organisations hit by the ransomware accepting emergency patients only, or even diverting to other nearby hospitals that were unaffected.

Which ransomware hit the NHS?

There are many different types of ransomware that can target your IT systems. In the case of the May 2017 attack, affected organisations were hit by WannaCry, also known as WannaCrypt, WannaCrypt0r, WCRY and various other names.

WannaCry used an exploit believed to have been developed by the NSA as a "cyber weapon", known as EternalBlue, which was stolen and publicly released by the hacking group Shadow Brokers. Once a computer is infected and the ransomware executes, all the files on that machine are encrypted and a demand for a ransom in Bitcoin appears on the screen. The ransom demand also shows two countdown timers. The first shows how long the victim has to pay the ransom before the price doubles, while the second shows how long it is until the malware deletes all their files.


How did it spread?

It was initially thought that the ransomware would first have been downloaded onto a vulnerable system by a phishing attack, a malicious website that carried out a "drive by" attack, or something similar. However, later investigations pointed instead to a vulnerable SMB (Server Message Block) port being the actual vector of attack.

Microsoft had issued a patch in March 2017, covering Windows 7 to 8.1, for the vulnerability that EternalBlue (and, thus, WannaCry) used. Windows 10 wasn't affected. Windows XP and Windows Server 2003 were also vulnerable; however, as they were both out of support by three years, no patch had been issued for them.

What actually happened?

On the morning of 12 May 2017, reports began to surface of a ransomware attack on the Spanish telco Telefonica, which were fairly quickly confirmed. A few hours later, new reports began to surface in the UK, initially stating that a handful of NHS Trusts in England were also affected. This number quickly rose to over 10, then over 20 and finally passed 40 by the end of the day. During this time it became apparent that some hospitals in Scotland were also affected, although the NHS in both Wales and Northern Ireland remained clean.

Around 70,000 devices in the NHS were affected, including MRI machines, refrigerators, and operating theatre equipment.

After the news of the attacks in Spain, England and Scotland broke, reports of similar infections started to filter in from Russia, the USA, Canada and Australia, with the total number of affected devices surpassing 75,000 across 99 countries on the first day.

As the day went on, the scale of the attack, which Europol described as "unprecedented", rapidly became apparent. In an effort to stop it spreading, Microsoft issued an emergency patch for Windows XP and Windows Server 2003, despite them being out of support.

There has been some speculation in the security community that, because the attack appeared to be simultaneous, with disparate organisations across the world all being hit at the same time, the infection had lain dormant in systems for some time, with the attackers activating an "on switch" on 12 May. This hasn't been confirmed, however.

Who was responsible?


Attacks like this are notoriously hard to attribute with absolute certainty. There are some indications that it came from North Korea, with both Kaspersky Lab and Symantec pointing to code similarities between WannaCry and malware previously used by Lazarus Group, the hacking ring thought to have been behind the 2014 attack on Sony Pictures Entertainment. Others, however, have claimed this could be a so-called false flag, and, for its part, North Korea has denied any involvement.

For a day-by-day account of the WannaCry attack, visit our dedicated news page.
