NSA Ransomware Cripples NHS Hospitals, Spreads Globally

A computer ransomware developed by the US National Security Agency has brought havoc to the UK’s NHS.

On Friday, National Health Service hospitals across England were hacked in one of the largest cyberattacks ever.

Patients were told not to attend A&E, with hospitals up and down the country cancelling operations and appointments.

Ransomware demanding $300 (£233) in Bitcoin locked staff out of their computers.

The NHS is believed to be still running the obsolete Windows XP operating system on 90% of its computers.

The ransom note reads: “Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

“You only have three days to submit payment.”

The ransomware has spread to dozens of other countries around the world.

An NHS worker posted an image:

Why would you cyber attack a hospital and hold it for ransom?

The Telegraph reports:

Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments after they were infected with the “ransomware”, which scrambled data on computers and demanded payments of $300 to $600 to restore access. People in affected areas were being advised to seek medical care only in emergencies.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” said the Barts Health group, which manages major London hospitals. Routine appointments had been cancelled and ambulances were being diverted to neighbouring hospitals.

Telecommunications giant Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

Ransomware is malicious software that infects machines, locks them by encrypting data and then extorts money to let users back in. A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

Rich Barger, director of threat research at U.S.-based security research company Splunk, said: “This is one of the largest global ransomware attacks the cyber community has ever seen.”

Officials and experts identified the type of malware as ‘Wanna Cry’, also known as ‘Wanna Decryptor’. It exploits a vulnerability in Microsoft’s Windows operating system that allows it to automatically spread across networks, which gives it the ability to quickly infect large numbers of machines at the same organization.

It is the first piece of self-spreading ransomware, said Adam Meyers, a researcher with cyber security firm CrowdStrike. “Once it gets in and starts moving across the infrastructure, there is no way to stop it.”

The Wanna Cry malware exploits a vulnerability widely believed by security researchers to have been developed by the National Security Agency that was released on the Internet last month by a group known as the Shadow Brokers.

Shadow Brokers said at the time that they obtained it from a secret trove of NSA tools and files that are part of the spy agency’s hacking program.

Microsoft issued a patch on March 14 described as critical to users of Windows to fix that vulnerability, which CrowdStrike and Splunk said should protect users from getting infected by Wanna Cry. Organisations or individual users who failed to apply that patch to Windows machines may remain vulnerable to WannaCry.

The NSA and Microsoft did not immediately respond to requests for comment.

Andrea Zapparoli Manzoni, a senior manager in the Information Risk Management division of KPMG Advisory in Italy, said: “The ransomware attack is happening in a haphazard fashion and is hitting every country in the world, including Italy.

“This particular ransomware contains a vulnerability, called Eternal Blue, which was developed in U.S. intelligence circles and was then stolen. That gives you an idea about why the level of risk is particularly high. The aim isn’t to hit any specific country but to strike as widely as possible to make money.”

Hospitals were a prime target, Manzoni said, because “they are very vulnerable to cyber attacks and ready to pay because they cannot afford any shutdowns.”

Edmondo Burr
