NHS cyber-attack: GPs and hospitals hit by ransomware


greypanther
Posts: 7307
Joined: Wed, 24. Nov 10, 20:54
x3ap

NHS cyber-attack: GPs and hospitals hit by ransomware

Post by greypanther » Fri, 12. May 17, 21:53

I think this needs its own thread, avoid accident and emergency, at the moment. Maybe avoid hospitals altogether?

Link.
NHS services across England and Scotland have been hit by a large-scale cyber-attack, which is being treated as a major incident.

The prime minister said the incident was part of a wider attack affecting organisations around the world.

Some hospitals and GPs cannot access patient data, after their computers were locked by a malicious program demanding a payment worth £230.
Worldwide.
A massive ransomware campaign appears to have infected a number of organisations around the world.

Computers in thousands of locations have apparently been locked by a program that demands $300 (£230) in Bitcoin.

There have been reports of infections in more than 70 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan.

Many security researchers are linking the incidents together.
A seemingly concerted, coordinated attack, but by whom?

At least it has not affected the resource distribution network. How many meals are we away from anarchy again? :roll:

How long will it take to sort this out I wonder...
Pray that there's intelligent life somewhere up in space
'Cause there's bugger all down here on Earth

Dantrithor
Posts: 1752
Joined: Mon, 3. Jul 06, 19:29
x3tc

Post by Dantrithor » Fri, 12. May 17, 22:04

It is worldwide and severe. In my company (Software development, consulting) we are in lockdown. Our VPNs have been disabled, and we are forbidden from working due to risk from infection from outside sources and from clients.

Morkonan
Posts: 10113
Joined: Sun, 25. Sep 11, 04:33
x3tc

Post by Morkonan » Fri, 12. May 17, 22:07

There's a huge influx of ransomware attacks going on right this moment, many derived from NSA leaked documents describing vulnerabilities and strategies used to exploit them. Many are due to networks that have systems which have not been patched and included network snoop additions to these viruses actively hunt out connected, local, networked systems to exploit. (Admins can sometimes be slow to update, often due to legitimate reasons or underfunded/understaffed IT departments and partners charged with keeping this and their other, mission critical, software working together well.)

Consider these recent issues a hand-grenade going off in the network - As soon as one system gets infected, it exposes the entire network to an attack that examines all connected machines for vulnerabilities and then installs the payload on them, no matter if they have permission to connect to the internetz or not. (ie: As long as the machine is networked, it can be held for ransom, even if it, currently, doesn't have access to an internet gateway. It can't hide...)

korio
Moderator (Español)
Posts: 891
Joined: Sat, 29. Sep 07, 18:25
x4

Post by korio » Fri, 12. May 17, 22:23

In Spain the biggest telecom company (Movistar) was hit today with the ransomware.

I have a cousin working there and at 10:00 AM over the company speakers they told people to directly shut down all the computers.

I have other mails that the other big companies are shutting down all their public stuff like helpdesk mail addresses and such.

I am IT staff where I work, and we are only 3 people to cover all the Spain division of the company, around 200 computers, laptops and servers.

All I could do today was to push the latest updates in our WSUS server and hope to find everything fine this Monday, fingers crossed.

Alan Phipps
Moderator (English)
Posts: 30435
Joined: Fri, 16. Apr 04, 19:21
x4

Post by Alan Phipps » Fri, 12. May 17, 22:25

@ greypanther: It cannot be such a coordinated and sophisticated attack after all if it deliberately targets an NHS that is already underfunded. There is no way that government assistance would subsidise or accede to such things and I am sure that the people behind the attacks would know that.

I suspect this is just an opportunist widespread assault that just targets and exploits security weaknesses and poor user practices wherever it can find them.
A dog has a master; a cat has domestic staff.

greypanther
Posts: 7307
Joined: Wed, 24. Nov 10, 20:54
x3ap

Post by greypanther » Fri, 12. May 17, 22:32

You are probably right Alan, I can see your logic, but wonder at the motives anyway. :P

The NHS may have just been collateral damage too and not the actual target. I have read that Australia has not been attacked, so maybe it is some Aussie network attack thing. After all, the rest of Australia is out to kill, so why not their section of the internet? :roll:

As I tried to imply, this should be a heads up as to just how vulnerable our societies' systems really are. How many days will it take to sort this out? It is lucky other systems have not been affected.

Edit: There is also this, from the BBC, which shows how serious things are, intent or not:
An anonymous NHS staffer tells us:

"Absolute carnage in the NHS today. Two Hyperacute stroke centres (the field I work in) in London have closed as of this afternoon. Patients will almost certainly suffer and die because of this.

"Had a patient that needed urgent neurosurgery referred, but unable to look at scans - stroke care is absolutely dependent on IT systems and joined up systems."
Last edited by greypanther on Sat, 13. May 17, 15:21, edited 1 time in total.
Pray that there's intelligent life somewhere up in space
'Cause there's bugger all down here on Earth

Terre
Moderator (English)
Posts: 10492
Joined: Mon, 19. Dec 05, 21:23
x4

Post by Terre » Fri, 12. May 17, 22:49

The UK government is looking to consolidate all of its services and databases, where this kind of breach could cause widespread damage.
Open Rights Group - Is your site being blocked
Electronic Frontier Foundation - Online Censorship
The Linux Foundation - Let’s Encrypt
Check if your Email account has been pwned

pjknibbs
Posts: 41359
Joined: Wed, 6. Nov 02, 20:31
x4

Post by pjknibbs » Sat, 13. May 17, 07:14

greypanther wrote:
An anonymous NHS staffer tells us:

"Absolute carnage in the NHS today. Two Hyperacute stroke centres (the field I work in) in London have closed as of this afternoon. Patients will almost certainly suffer and die because of this.

"Had a patient that needed urgent neurosurgery referred, but unable to look at scans - stroke care is absolutely dependent on IT systems and joined up systems."
Well, maybe they should consider upgrading from Windows XP, which I believe is still used in 70% of hospitals... :roll:

red assassin
Posts: 4613
Joined: Sun, 15. Feb 04, 15:11
x3

Post by red assassin » Sat, 13. May 17, 11:47

pjknibbs wrote:Well, maybe they should consider upgrading from Windows XP, which I believe is still used in 70% of hospitals... :roll:
With what money? That's always been the problem. This has been inevitable for a while, but they're not exactly flush with cash at the moment. Without a kick in the pants like this, the budget was never going to get allocated - management and political bosses never see IT as anything other than a cost to be minimised. When finally confronted with the cost of not paying for IT, the immediate response is generally "well why didn't you tell me this was a problem".
A still more glorious dawn awaits, not a sunrise, but a galaxy rise, a morning filled with 400 billion suns - the rising of the Milky Way

Avis
Posts: 4400
Joined: Wed, 6. Nov 02, 20:31
x2

Post by Avis » Sat, 13. May 17, 16:12

pjknibbs wrote:Well, maybe they should consider upgrading from Windows XP, which I believe is still used in 70% of hospitals... :roll:
The problem really stems from the public sector's (not just NHS) inability to negotiate a discount for bulk buying IT equipment. In fact it's alarming just how much of a markup everything seems to carry because the buyer is using the credit card from the bank of magic money.

Memnoch
Posts: 548
Joined: Wed, 6. Nov 02, 20:31

Post by Memnoch » Sun, 14. May 17, 01:37

I work in HE and we get very good discounts on Dell kit. However with the closure of SBS everything got thrown into the air. It used to be straightforward but it took us months to buy some Apple kit that I could wander in to town and buy immediately. Crown Commercial Services are who we have to go through now and it's proving to be painful to say the least.

philip_hughes
Posts: 7757
Joined: Tue, 29. Aug 06, 16:06
x3tc

Post by philip_hughes » Sun, 14. May 17, 16:12

I have software running pretty much all the time. Got an email from uni saying because of the latest problems my pc was patched and restarted over the weekend. This is a major nuisance.
Split now give me death? Nah. Just give me your ship.

felter
Posts: 6981
Joined: Sat, 9. Nov 02, 18:13
xr

Post by felter » Sun, 14. May 17, 16:34

While this is a bad thing, it is also a good thing though some are still not taking their security seriously. Wannacry is a pretty bad thing that does not work like a conventional virus, as it does not require you to activate it instead it is prowling around the internet looking for vulnerable unpatched and unprotected computers, servers and networks. Once it finds one it infects it and moves on to finding its next victim.

To show just how serious this is being taken, Microsoft have reportedly even released a patch for win xp (can't confirm this) to protect against it, but it is no good if people do not patch their computers, which a lot of people do not do. So if you are running any Windows system other than win 10, you need to patch your computer right now using the update function. Don't know how to do that? Just type update into the run box and it should give you the option to do a Windows update.

I hate to scare monger, but even if you think you are safe as you don't visit any funny websites, or open any links in emails, or whatever makes you feel safe. It doesn't matter, just connecting to the internet can make you unsafe if you are reading this, then you are a potential victim. So make sure you are patched up and are running a good quality av and firewall, that are regularly updated at least once a day.
Florida Man Makes Announcement.
We live in a crazy world where winter heating has become a luxury item.

OmegaKnight
Posts: 517
Joined: Mon, 7. Nov 05, 19:31
x3tc

Post by OmegaKnight » Sun, 14. May 17, 17:19

well windows update isn't going to work on older versions of windows,
so:
link to Microsoft Security Bulletin MS17-010

and the KB4012598 patch

you might also want to:
Filter all SMB (TCP/445), NetBIOS (TCP/139), and RDP (TCP/3389)
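
An added example, not part of the post above or of the thread: a Python check over a constructed firewall log that reports allowed outside-to-inside flows on the three ports named above, plus internal hosts contacting many distinct SMB peers. The log format, the 10.0.0.0/8 internal range and the fan-out threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports named in the post above: SMB, NetBIOS session service, RDP.
FILTERED_PORTS = {445: "SMB", 139: "NetBIOS", 3389: "RDP"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
FANOUT_THRESHOLD = 5  # assumed: distinct SMB peers before a host is flagged

# Constructed sample log, hypothetical format "time action src dst dport".
SAMPLE_LOG = """\
09:00:01 ALLOW 203.0.113.7 10.0.0.20 445
09:00:02 DENY 203.0.113.7 10.0.0.21 3389
09:00:03 ALLOW 10.0.0.5 10.0.0.20 443
09:00:04 ALLOW 10.0.0.9 10.0.0.11 445
09:00:04 ALLOW 10.0.0.9 10.0.0.12 445
09:00:05 ALLOW 10.0.0.9 10.0.0.13 445
09:00:05 ALLOW 10.0.0.9 10.0.0.14 445
09:00:06 ALLOW 10.0.0.9 10.0.0.15 445
09:00:07 ALLOW 10.0.0.5 10.0.0.30 445
"""

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET

def audit(log_text, threshold=FANOUT_THRESHOLD):
    """Return (filter_gaps, smb_fanout) computed from allowed flows only."""
    gaps = []                      # outside -> inside on a filtered port
    smb_peers = defaultdict(set)   # internal source -> distinct SMB targets
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue               # skip malformed lines
        _, action, src, dst, dport = fields
        port = int(dport)
        if action != "ALLOW" or port not in FILTERED_PORTS:
            continue               # denied flows mean the filter worked
        try:
            src_in, dst_in = is_internal(src), is_internal(dst)
        except ValueError:
            continue               # unparseable address
        if not src_in and dst_in:
            gaps.append((src, dst, FILTERED_PORTS[port]))
        elif src_in and port == 445:
            smb_peers[src].add(dst)
    fanout = {s: len(p) for s, p in smb_peers.items() if len(p) >= threshold}
    return gaps, fanout

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A non-empty first result means the perimeter filter is letting one of those ports through; a non-empty second result points at a host worth isolating and checking for the MS17-010 patch.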

Memnoch
Posts: 548
Joined: Wed, 6. Nov 02, 20:31

Post by Memnoch » Sun, 14. May 17, 19:01

philip_hughes wrote:I have software running pretty much all the time. Got an email from uni saying because of the latest problems my pc was patched and restarted over the weekend. This is a major nuisance.
The alternative is worse though. Imagine if you were the one that caused an outbreak at your institution?

Besides, don't you have servers you can run your processes on instead?

Morkonan
Posts: 10113
Joined: Sun, 25. Sep 11, 04:33
x3tc

Post by Morkonan » Sun, 14. May 17, 21:27

Just a note:

I hear that the currently distributed Wannacry ransomware needs to contact an unregistered domain. A young security researcher in the UK figured this bit out and then registered the domain for $11... aaaaand - Problem solved. :) It effectively shut down a large part of this problem, though sleepers may wake up on Monday, causing a short reignition of the issue on unpatched machines.

I wouldn't be surprised if it starts calling backup domains, irc channels or all the other standard bot reporting protocols. But, at least there is a small victory in this particular war.

On legacy systems: Plenty of government agencies, local, state, federal, still run outdated O.Ss and they either don't have the money to make the conversion to newer, more secure, O.S.s or, frankly, do not see a pressing need. Large institutions that see their networks and the services they provide as more of a "burden" on their standard infrastructure also seem to have a tendency to lag behind.

Nobody wants to orphan their favorite (or really expensive)... whatever, due to the "nuisance" of having to keep their systems secure from "chance" attack.

red assassin
Posts: 4613
Joined: Sun, 15. Feb 04, 15:11
x3

Post by red assassin » Mon, 15. May 17, 01:14

There's been samples around for a few days that don't have the callback to that hardcoded domain. Sadly it's not as simple as "register domain, fix problem". This is going to carry on being an issue until people figure out how to patch.
A still more glorious dawn awaits, not a sunrise, but a galaxy rise, a morning filled with 400 billion suns - the rising of the Milky Way

felter
Posts: 6981
Joined: Sat, 9. Nov 02, 18:13
xr

Post by felter » Mon, 15. May 17, 02:18

Morkonan wrote:Just a note:

I hear that the currently distributed Wannacry ransomware needs to contact an unregistered domain. A young security researcher in the UK figured this bit out and then registered the domain for $11... aaaaand - Problem solved. :) It effectively shut down a large part of this problem, though sleepers may wake up on Monday, causing a short reignition of the issue on unpatched machines.
And shortly after he did this, someone released version 2 that did not have that kill switch in it.

I originally thought it had to be a mistake, that someone had released it by accident, because of the amount of damage it was doing and the potential for it to kill people, but when someone releases it again after it was closed down, means it was not done by accident. Something tells me this is a terrorist attack and not some criminal organization that is behind it, either way they will be traced, there will be a massive digital fingerprint pointing right at them. If it is a crook, they will be going to jail over this.
Florida Man Makes Announcement.
We live in a crazy world where winter heating has become a luxury item.

philip_hughes
Posts: 7757
Joined: Tue, 29. Aug 06, 16:06
x3tc

Post by philip_hughes » Mon, 15. May 17, 07:14

Memnoch wrote:
philip_hughes wrote:I have software running pretty much all the time. Got an email from uni saying because of the latest problems my pc was patched and restarted over the weekend. This is a major nuisance.
The alternative is worse though. Imagine if you were the one that caused an outbreak at your institution?

Besides, don't you have servers you can run your processes on instead?
99.9% of the time I don't need internet. I propose just doing stuff on an unconnected pc, periodically connecting it when I need to.

This reply was sent on the machine I propose to disconnect. :P
Split now give me death? Nah. Just give me your ship.

Morkonan
Posts: 10113
Joined: Sun, 25. Sep 11, 04:33
x3tc

Post by Morkonan » Mon, 15. May 17, 07:34

On the subject of the re-release..

I heard the "fix" this morning. And, as several have said, it's back in the wild with a new set of legs... Things like this can change so fast that it's hard to keep up. :) Which is surely the intention. :(

If anyone makes enough noise, they're likely to get caught. The successful ones prey in the shadows or pounce once and then lay low for awhile. Whoever is doing this isn't, in my opinion, too darn smart. A hand-grenade goes off in a field somewhere, nobody cares too much. But, if someone throws a hand-grenade into a nunnery.... for profit...

Stealing data, military secrets, commercial databases, etc, all those things are a little bit "removed" from most common, civilian, users. But, waking up in the morning to "Give me $300 or your computer files get shot in the head" is up-front-and-personal.

Conficker ransomware... :/

Depending upon how deep this hole goes on Monday+, we may start to see some "kneejerk legislation" get started. That sort of thing is almost worse than the darn ransomware. :/