NHS ransomware attack

We wrote about ransomware attacks almost a year ago, warning they would become more prevalent.

Now, the United Kingdom's National Health Service (NHS) has suffered massive disruptions as a result of a ransomware attack. Apparently numerous countries have been hit by the malware, known as WannaCrypt, which was first spotted on 12 May.

Ransomware is usually spread via infected emails. Once an attachment is clicked on, the program executes and encrypts the contents of the computer's hard drive. Due to the nature of the encryption, it is virtually impossible to decrypt the data without the key.

There are only two solutions - restore from an off-line backup, or pay the ransom demanded. Paying the ransom may be the only option if the data is not backed up and is important. But there are no guarantees that the data will be restored, and of course it means you are financing cybercrime.

This attack was far worse than typical ransomware attacks, though. It was coupled with a program that exploits a security hole in the Windows operating system, allowing it to replicate across networks from machine to machine. So only one user in the NHS needed to install the virus! Once on NHS networks, the virus spread rapidly. Given most of the NHS runs on obsolete Windows XP machines, there was no possibility of them being patched to prevent the replication.

Are there any lessons to be learned from this incident?

Firstly, users need to learn not to click on unknown attachments. Good virus-checking software will help prevent infection if they do. The nature of this virus meant that eventually some user would get infected, though.

Secondly, computers need to run the latest operating system software, and system administrators need to keep them patched with the latest security fixes. This would have prevented the rapid spread of the virus in the NHS.

Finally, off-line backups of all important data are critical! Data needs to be backed up daily in most organizations.