In-brief: Hospitals across England were forced to divert patients from emergency departments after suffering what has been described as a cyber attack involving ransomware, according to published reports and a statement from the UK’s National Health Service. (Editor’s Note: Updated to include information on the Wana ransomware. PFR May 12, 2017)
Hospitals across England were forced to divert patients from emergency departments after suffering what has been described as a “cyber attack,” according to published reports and a statement from the UK’s National Health Service.
The incident is part of a massive cyber attack comprising some 45,000 incidents in 74 different countries according to the SANS Internet Storm Center. Cyber criminals are using a known vulnerability in Microsoft’s Windows operating system to spread rapidly within organizations, hitting unpatched computers and infecting them with a variant of ransomware dubbed “Wana” or “Wanna.”
Spain’s Computer Emergency Response Team (CN-CERT) said on Friday that the ransomware was exploiting a vulnerability dubbed “EternalBlue” or “DoublePulsar.” That was part of a trove of previously unknown vulnerabilities linked to hacking tools released by the group Shadow Brokers in April. Cyber criminal and nation state groups have made short work of the released tools, reverse engineering them to mine previously unknown and exploitable software holes in common products like Windows and Microsoft Office.
The latest attacks appear to exploit a hole Microsoft patched in March with the release of the MS17-010 bulletin. That hole, in Microsoft Server Message Block 1.0 (SMBv1) server, if exploited, gives malicious actors the ability to execute code on the target server. Microsoft released a critical software patch for the hole in March, but many organizations still have not gotten around to patching it.
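As an added example (not from the article, the NHS, or Microsoft), the check a Windows administrator would run to see whether a host still has the SMBv1 server component that MS17-010 concerns switched on, with an option to turn it off; it assumes Windows 8 / Server 2012 or later for the `Smb*` and `Net*` cmdlets and falls back to Microsoft's documented `LanmanServer` registry setting elsewhere.

```powershell
# Added example (not from the article): report whether this Windows host still
# exposes the SMBv1 server component that MS17-010 addresses, and optionally
# disable it. Assumes Windows 8 / Server 2012 or later for the Smb* cmdlets;
# the registry fallback follows Microsoft's documented LanmanServer setting.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # When set, turn the SMBv1 server off (a reboot is needed to fully apply).
        [switch]$Disable
    )

    $result = [ordered]@{
        Host              = $env:COMPUTERNAME
        Smb1ServerEnabled = $null
        Smb1FeatureState  = $null
        Port445Listening  = $null
    }

    # Preferred check: the SMB server's own configuration.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) {
        $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
    } else {
        # Fallback for hosts without the Smb cmdlets: the LanmanServer 'SMB1'
        # value; an absent value means SMBv1 is enabled by default.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.Smb1ServerEnabled = ($null -eq $val) -or ($val -ne 0)
    }

    # Optional-feature view (Windows 8.1 / Server 2012 R2 and later).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.Smb1FeatureState = [string]$feat.State }

    # Is the SMB service reachable at all? Patched hosts still listen on 445,
    # so this only says whether the service surface is exposed, not if it is vulnerable.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listener

    if ($Disable -and $result.Smb1ServerEnabled) {
        if ($cfg) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        else { Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force }
        $result.Smb1ServerEnabled = $false   # takes full effect after a reboot
    }

    [pscustomobject]$result
}

Test-Smb1Exposure
```

Run it from an elevated prompt; with `-Disable` it turns the SMBv1 server off, which is a mitigation alongside, not instead of, installing the MS17-010 update.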
Windows systems ranging from the discontinued Windows Vista up to Windows 10 and Windows Server 2016 are vulnerable to attack, CN-CERT warned.
Healthcare organizations in the UK have been heavily affected by the attack.
Barts Health group, which manages major central London hospitals including The Royal London and St Bartholomew’s, said: “We are experiencing a major IT disruption and there are delays at all of our hospitals.”

“We have activated our major incident plan to make sure we can maintain the safety and welfare of patients. Ambulances are being diverted to neighboring hospitals.”

Patients requiring emergency treatment across England were diverted away from the hospitals affected, and the public was advised to seek medical care only for acute medical conditions.
The BBC reported that facilities including hospitals and surgical centers in London, Blackburn, Nottingham, Cumbria and Hertfordshire were affected. “Staff cannot access patient data, which has been encrypted by ransomware that hit NHS networks. There is no evidence patient data has been compromised.” So far 16 NHS organizations were reported to have been affected by the attack, the BBC said in its report, which attributed the attack to the Wanna Cryptor.
In a statement on the UK National Health Service website, NHS Digital said that it is in the early stages of an investigation into the incident, but that it does not appear to have been targeted at NHS.
“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations (sp) and ensure patient safety is protected.
“Our focus is on supporting organisations (sp) to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”
Other organizations throughout the EU also reported attacks. The Spanish telecommunications firm Telefonica released a statement Friday that said a cybersecurity incident “has affected the PCs of some employees of the company’s internal corporate network,” and that the company was following a security protocol to return the computers to normal operation. Reports in Spanish media allege that up to 85% of the company’s computers may have been affected in the attack. Reports say the source of the attack is in China.
Allan Liska, a Senior Solutions Architect at the firm Recorded Future, said the ransomware used in the latest attacks, dubbed “Wana,” has been around since March but was not especially unusual or widespread. “There was nothing big or unusual about it,” he said. Like other ransomware, the Wana family is typically installed when a user opens a malicious attachment in an email message or clicks on a link to a malicious “drive by download” website.
However, the latest round of attacks is unique in that it couples ransomware with a Windows worm, which spreads rapidly by locating and compromising vulnerable systems running the Redmond, Washington firm’s software. Other ransomware will quickly search a compromised computer for any linked file shares or network drives and encrypt their contents as well, but ransomware has not traditionally tried to compromise and take over adjacent systems. This attack, by contrast, is capable of quickly identifying and attacking any vulnerable system on the same network, multiplying the harm.
“We haven’t seen a worm infection aside from, maybe, the Mirai botnet since 2007 or 2008,” he said. “This is the first time I’ve seen ransomware coupled with wormlike activity.”
Liska said that organizations have to apply the latest Microsoft patches immediately on all affected systems. “At this point, if you haven’t patched yet – given the severity of this issue – that’s a problem.”