IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

What have we learnt from the NHS ransomware attack?

The malware that made businesses everywhere WannaCry is an important case study for everyone.

In May 2017, a ransomware attack of unprecedented scale was unleashed on the world, with the NHS in England and, to a lesser extent, Scotland being hit the hardest of any organisation in the UK. Around 70,000 devices were infected, leading the attack to be known colloquially as the NHS hack.

How such an attack happened and how it was shut down offers valuable information to IT professionals on how to avoid falling victim to such an incident themselves in the future.

Day Zero: 12 May 2017

In the early morning of 12 May, reports started to emerge of the first computers infected by WannaCry. While some researchers, including those at Sophos concluded the first infections cropped up in Asia, it wasn't until Spanish telecoms giant Telfonica reported its systems had been compromised that it started to come to the attention of those with an interest in technology and security.

Within just a few hours the attack had snowballed, swallowing up an estimated 47 NHS Trusts in England and Scotland. Other high-profile victims included Deutsche Bahn, Renault, FedEx and the Russian Ministry of the interior.

The impact on the NHS was particularly potent, with approximately 70,000 devices including MRI scanners, blood storage refrigerators and operating theatre equipment, as well as computer terminals, being infected.

Some hospitals, including Barts in London, had to cancel routine planned operations, while others told patients only to come to A&E if it was a "life-threatening emergency".

In the end, it's thought that around 200,000 devices running Microsoft Windows were infected across 150 countries. 

Aftermath and investigation

Somewhat miraculously, WannCry was stopped in its tracks the same day it started by a 22-year-old British cyber security researcher, Marcus Hutchins, who discovered a kill-switch' embedded in the ransomware's code. 

This was a considerable stroke of luck for the world's IT systems, but for those that had already been affected, there was a lot of cleanup to be done, including disinfecting and restoring systems, patching (more on that in a minute) and so on.

For the NHS, this also included rescheduling all the routine appointments that had to be cancelled, leading to disruption that continued over the following few weeks.

It was also in the wake of the attack's subsidence that questions began to be raised about how such an infection was able to run rampant in the first place, given Microsoft had already issued a patch for the vulnerability exploited by WannaCry.

While the ransomware wasn't targeted, as the wide range of organisations affected demonstrates, it unwittingly took advantage of a critical weakness in many business systems "just patch" isn't always an option.

In large organisations in particular, there are often valid reasons systems can't be patched or updated. The most common among those is dependance on critical applications or hardware that aren't compatible with newer operating systems or some patches.

In this scenario, IT administrators face a choice: update the system, but potentially risk rendering inoperable a very expensive piece of hardware or the patient database software, or don't update it in order to keep the organisation running, but risk a crippling attack, as happened in May. Most take the potential risk of being hit by ransomware or another infection in the future over the certainty of breaking existing infrastructure.

Mitigation is better than a cure

Here's the obvious advice: patch your systems.

"WannaCry only hit organisation running older versions of Windows, so the obvious advice is to update those, which of course has a cost," says Bob Tarzey, analyst and director at Quocirca.

But, as stated above, that's not always possible.

"Another option is to better isolate older systems," Tarzey continues. 

Jeff Pollard, principal analyst at Forrester, agrees: "We recommend a zero trust' approach to security strategy. Zero trust means trusting nothing people or systems until they prove they are trustworthy. Make sure environments are segmented so an automated worm [like WannaCry] can't infect every system."

This has the primary benefit of isolating the infection, which means not needing to throw the switches on all systems in order to stop it from spreading an approach that had to be taken by some NHS trusts, despite being disruptive in itself. 

Pollard further advises organisations "understand the identity of users, systems, and workloads, and make sure that least privilege is in place". 

There's also the question of having an educated and aware workforce. Although WannaCry wasn't spread via phishing emails, many ransomware infections and other malware attacks are, so drilling into users that they mustn't open links and attachments, particularly if they're unexpected, is vital. Other basic steps include having an enterprise-grade firewall in place, as well as business-focused anti-malware software running wherever it can (although, once again, in some embedded systems this might not be possible).

WannaCry was unusual in the way it attacked systems and the speed with which the infection spread, with the high-profile nature of the victims also being notable. What was surprising in May, however, may become par for the course in the future and this is an eventuality organisations must prepare for.

"Breaches and malware infections are inevitable. What matters is the ability to continue to operate, contain the issue, and bounce back from the problem and get back to business as usual," Pollard concludes.

Make sure your organisation is resiliant enough to bounce back from an attack like this...

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download


Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
RATDispenser evades nine in ten anti-virus engines

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021
Secretary of State retires NHS Digital and NHSX
public sector

Secretary of State retires NHS Digital and NHSX

23 Nov 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022