The WannaCry attack on the NHS and the continuing threat of Ransomware
For cyber-security specialists, May 12th, 2017 was (and still is) an extremely significant day. Why? Because cybercrime dominated the headlines. There had been plenty of stories about hackers and digital scams before, but a seemingly catastrophic attack on the UK's treasured National Health Service brought the threat into sharp, and very human, relief.
The story was huge. TV news reports led with it. Newspapers catastrophised. And various experts were thrust in front of cameras and microphones to define concepts like ‘ransomware’ and ‘zero-day vulnerabilities’ in brief soundbites.
It was a BIG story. Potentially, every UK citizen could be affected. GP surgeries, hospitals, clinics, even research labs, lost access to their data, couldn’t make appointments (7,000 were cancelled, and up to 19,000 affected), and the NHS lost track of patients and their records for a worryingly long period of time.
It was quickly revealed that WannaCry was a global phenomenon. The NHS wasn't a primary target; any organisation running unpatched Windows machines was. WannaCry spread using 'EternalBlue', an exploit for a serious flaw in the SMBv1 file-sharing protocol built into Microsoft's operating system. It is often described as a 'zero-day', but strictly it wasn't one by May 2017: Microsoft had released a fix (MS17-010) two months earlier, in March, and the worm only succeeded against machines that hadn't applied it. The exploit was later reported to have been developed by the American National Security Agency (NSA), which kept the underlying flaw secret from Microsoft because it thought it could use it as a tool in its secret statecraft. The NSA still won't confirm that story.
WannaCry itself has been attributed by the UK and US governments to Lazarus, a North Korean hacking group, who got their hands on EternalBlue after it had been stolen from the NSA and published by another shadowy group called, very appropriately, the Shadow Brokers. Yes, it does sound like the plot of a Netflix series. But it gets better.
The most famous geek in the world
Enter Marcus Hutchins, a talented malware researcher (naturally dubbed a 'geek' by the Press) who, from his bedroom in South West England, analysed the WannaCry code and found an unregistered domain name that the program repeatedly tried to contact. He registered it (for just £10.60) to see what would happen, and in doing so tripped the 'kill switch': before encrypting anything, the ransomware checked whether that domain was reachable and quietly exited if it was. Once the domain was live, new infections stopped in their tracks and the outbreak stalled. The movie credits rolled. Two caveats matter in practice, though: registering the domain did nothing for machines that were already encrypted, and because the worm made its check without using the system's proxy settings, hosts on corporate networks that could only reach the internet through a proxy never 'saw' the domain and were encrypted anyway.
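The kill-switch logic described above, as an added example that is not code from the original article or from the malware itself: the first half models the worm's decision (a direct, proxy-unaware HTTP GET; proceed on any failure) against three constructed network situations, and the second half shows the defender's side, picking out of resolver logs which internal hosts looked up the kill-switch name. The domain name, the `Network` model and the DNS log lines are all assumptions constructed for the example; the real kill-switch domain is not used.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Stand-in name for the kill-switch domain. This is an assumption for the
# example; the real domain found in the WannaCry code is not used here.
KILL_SWITCH_DOMAIN = "killswitch.example"


@dataclass
class Network:
    """Constructed model of one victim machine's path to the internet."""
    registered_domains: Set[str]  # names that public DNS will resolve
    direct_internet: bool         # True: hosts can open outbound connections themselves
                                  # False: outbound web traffic only works via a proxy


def direct_http_get(domain: str, net: Network) -> bool:
    """Emulates the worm's check: a plain HTTP GET that ignores proxy settings.
    It only 'succeeds' if the name resolves AND a direct connection is possible."""
    return domain in net.registered_domains and net.direct_internet


def worm_should_proceed(net: Network) -> bool:
    """Kill-switch decision as documented for WannaCry: if the GET succeeds the
    worm exits before encrypting; on ANY failure (NXDOMAIN, timeout, blocked
    egress, proxy-only network) it carries on."""
    return not direct_http_get(KILL_SWITCH_DOMAIN, net)


# Constructed resolver log (not real data) in a simple key=value format.
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:13Z client=10.0.0.12 query=killswitch.example type=A rcode=NXDOMAIN
2017-05-12T11:02:14Z client=10.0.0.12 query=update.example.net type=A rcode=NOERROR
2017-05-12T11:03:41Z client=10.0.0.57 query=killswitch.example type=A rcode=NXDOMAIN
2017-05-12T11:05:02Z client=10.0.0.88 query=intranet.corp.example type=A rcode=NOERROR
2017-05-12T15:20:09Z client=10.0.0.57 query=killswitch.example type=A rcode=NOERROR
"""

LOG_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) type=\S+ rcode=(?P<rcode>\S+)")


def hosts_querying(log_text: str, domain: str) -> Dict[str, List[str]]:
    """Defender's view: which internal clients looked up the kill-switch name,
    and what answers they got, in log order. Any lookup at all is a sign the
    worm is running on that host; the rcode tells you whether the name had
    been registered yet when that host checked."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("query").lower() == domain.lower():
            hits.setdefault(m.group("client"), []).append(m.group("rcode"))
    return hits


if __name__ == "__main__":
    before = Network(registered_domains=set(), direct_internet=True)
    after_direct = Network(registered_domains={KILL_SWITCH_DOMAIN}, direct_internet=True)
    after_proxied = Network(registered_domains={KILL_SWITCH_DOMAIN}, direct_internet=False)
    print("before registration, direct internet :", worm_should_proceed(before))        # True
    print("after registration, direct internet  :", worm_should_proceed(after_direct))  # False
    print("after registration, proxy-only LAN   :", worm_should_proceed(after_proxied)) # True
    print("hosts that queried the kill switch   :", hosts_querying(SAMPLE_DNS_LOG, KILL_SWITCH_DOMAIN))
```

The third scenario is the one that caught out many organisations: the domain was registered, yet the worm still ran because its check never left the proxied network. On the detection side, the point of keying on the lookup rather than the answer is that an infected host queries the name whether or not it resolves, so resolver logs identify infected machines in both the NXDOMAIN and the NOERROR phases.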
But the whole episode revealed just how prevalent and dangerous the threat of ransomware was, and still is. And, as in any good drama, there was a coda. WannaCry didn't just endanger the NHS: around 200,000 computers were compromised across 150 countries, with victims including big corporate names like Spain's Telefonica, FedEx in the US, the German rail operator Deutsche Bahn, and LATAM Airlines. It even brought car production lines at both Nissan and Renault to a halt. The worldwide financial fallout has been estimated at £6 billion. In the UK, the NHS lost £92 million, and has since spent over £50 million improving its defences, with a further £150 million earmarked for IT security.
And, yes, the story gets even better. Hutchins might have saved the day and become an instant celebrity, but he was subsequently arrested by the FBI and charged with writing banking malware while still a teenager, charges he later admitted. That twist to the story only served to underline the threat of ransomware, which has, in the four years since the attack, become even more prevalent and sophisticated. Bitdefender's Mid-Year Threat Landscape Report 2020 showed that in the first half of 2020 alone, reports of ransomware attacks jumped by 715% year on year.
The pandemic, with its sudden transformation of work into something we all did at home, only made the potential ‘attack surface’ of every organisation broader. Hackers have attacked more businesses via people working at home, and they’ve even targeted medical research labs, hospitals, and other public bodies seeking to mitigate the effects of Covid-19. As one commentator put it, “Covid reshaped the ransomware landscape. Cybercriminals stepped up their game.”
It helped us crack the cybersecurity bubble
WannaCry's notoriety is useful because it lets us focus on how and why ransomware can be so catastrophic: a lack of good defences, software that goes unpatched for too long (the fix for the flaw WannaCry exploited had been available for two months), legacy services like SMBv1 left reachable from networks that don't need them, and the constant threat from social engineering. That last one deserves a caveat: WannaCry itself needed no social engineering at all. It was a worm that spread from machine to machine over the network without anyone opening an attachment or clicking a link, which is exactly why patching and network segmentation matter as much as user awareness.
Back in 2017, our team at Reliance responded quickly to the attack. We researched some of the key compromise signatures involved, and members of our team spent that weekend (the attack hit on a Friday) helping the world-renowned hospital St. Barts, which is close to our offices in London, update their computers and restore systems. It meant that they could get their essential business operations back swiftly so they could focus on treating patients.
It was a sobering experience and underlined the need to focus on what the key people in the organisations we serve need to know and understand, in layman's terms. WannaCry dramatically revealed just how easily attackers can exploit vulnerabilities hidden deep in software or operating systems, as well as the more obvious entry points like malicious email attachments or links to bad websites.
Ransomware is a bigger threat now than ever
As I mentioned, ransomware is now a major part of the threat landscape. It has matured into serious, organised crime run by global criminal gangs as well as lone hackers in basements. In fact, on the dark web you can pay for each element of a ransomware 'project' and launch your own attack. 'Initial access brokers' sell ready-made footholds in specific companies, organisations or sectors, alongside bulk dumps of individuals' credentials and machine details. The ransomware itself is rented from an operator who maintains the malware, the payment portal and the negotiation; 'affiliates' break in and deploy it in return for a cut of the proceeds; and yet another party launders the bitcoin (the ransom is usually demanded in some kind of cryptocurrency) into real money. It's called 'Ransomware-as-a-Service'.
Lazarus (believed to have a base in Sinuiju, North Korea, and strongly associated with its government) has been highly active during the Covid-19 pandemic. They have continued to try to steal ordinary fiat currencies as well as cryptocurrencies, and have been increasing their use of ransomware. Some reports claim that they have been trying to penetrate medical research facilities across the West and might have been 'Zoom bombing' corporate meetings to disrupt them. Commentators believe that the fact that so many executives and even politicians are working (and conferencing) from home presents a great opportunity for socially engineered attacks on domestic IT and Wi-Fi equipment, which rarely gets the patching and monitoring an office network does.
Do you pay the ransom?
As one study put it, "A criminal's ability to make money from ransomware critically depends on victims' believing that the criminal will honour ransom payment." It's actually a kind of game theory. So, the reason the police advise you not to pay the ransom is to undermine the criminals' business model.
The oil magnate John Paul Getty had a point (though a cold-hearted one) when he initially refused to pay a ransom after his grandson was kidnapped in Italy in the early 1970s (the 2017 film All the Money in the World tells the story very well). He is reputed to have said, "I have 14 grandchildren, and if I pay a penny of ransom, I'll have 14 kidnapped grandchildren."
It makes sense: if ransoms are paid, more attacks will follow. Law enforcement usually advises against payment. The reality is that, at best, around 50% of victims who pay get their data back; some put that figure as low as 19%. And it's all about reputation. If the criminals want to keep profiting from ransomware, they need to hand the data back when paid. CryptoLocker, for instance, built a 'good' reputation for reliably decrypting files once the ransom was paid, whereas WannaCry, which used a handful of shared bitcoin addresses and so had no reliable way to tell who had paid, had an extremely bad one. So, more people paid the ransom when attacked by the former.
Others believe that organisations have a social responsibility not to pay (again, law enforcement uses that argument in other ransom situations). Economists and social scientists call it a positive 'externality': not paying deters future attacks, which helps protect others. But that means taking positive steps to avoid attacks is vital too; it is a social as well as a corporate responsibility. The more resilient and secure your organisation is, the better for you and for all of us.
Right now, there are moves in the United States to deter ransom payments. In October 2020 the Treasury's Office of Foreign Assets Control (OFAC) and its Financial Crimes Enforcement Network (FinCEN) issued advisories warning that any company which makes a ransomware payment, or uses a third party (an insurer, negotiator or incident-response firm) to facilitate one, could face enforcement action if the criminals involved turn out to be subject to U.S. sanctions. Sanctions liability is strict, so not knowing who was behind the attack is no defence.
That's a big threat. Given that a large number of ransomware criminals work closely with state-sponsored groups (like Lazarus), it's actually quite likely that a company, and its directors, who pay up could find themselves in breach of sanctions regulations (especially if they're a foreign branch of a U.S. entity). Seen through that lens, the Getty approach seems eminently sensible.
Ransomware can be stopped
It's no surprise that ransomware has been on the rise. As I've mentioned, cyber criminals have actively sought to take advantage of an intense global reliance on all things digital. The sudden dispersal of people and systems meant that the 'attack surface' broadened considerably. Inherent weaknesses in organisations' ability to protect their systems were exposed, and the bad guys have attacked and, far too often, run off with the money.
It's important to understand that the threat of ransomware had been rising for years. We shouldn't be surprised that both underworld and state actors are trying to make the most of the pandemic. They will do the same with its aftermath. The vital point is to understand that ever-present threat, be prepared for it, and know how to protect your vital data, files, and operations. The key is recognising that it is possible to defend your organisation, your data, and your people. There are practical ways to limit the impact of an attack and sidestep the hackers' demands: patch promptly, keep offline backups that you have actually tested restoring from, segment networks so that a worm can't reach everything, and rehearse your response before you need it.
That takes leadership from the board and vigilance at all levels of your organisation. People are the first line of defence: equip them, train them, enable them to stay vigilant, and your data will be far safer. And that's just how Reliance acsn can help, through knowledge, insight, advice and, of course, the right technology to augment your defences.
Contact us to talk about your needs.
i. The New York Times, May 16th, 2017
ii. The Times, April 7th, 2018
iii. Bitdefender Mid-Year Threat Landscape Report 2020
iv. The Sunday Times, Misha Glenny, May 24th, 2020
v. Cartwright, A. & Cartwright, E. (2019) 'Ransomware and Reputation', Games 10, 26