Cyber Attack on NHS

https://www.google.co.uk/amp/s/amp.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack

Find more posts tagged with

Comments

Infosec85

From what I gather it's a major ransomeware attack.

JasminLandry

I was just reading about it on Twitter, apprently they got in the machines using the EternalBlue exploit.

Infosec85

Yeah I also hear Spain has been hit, I wonder if it's the same group.

JasminLandry

Ransomware attacks reported in Europe - BBC News

Across Europe now (apparently it hit organizations from 11 different countries in 2 hours).

It has too be the same group.. it would be quite the coincidence if it was done by different groups.

UKIkarus

This isn't the first time either, do they have sufficient backups to recover from this I wonder?

TechGromit

I like how they say "Oops!", like it's a syntax error of a command you typed incorrectly. Can't say I ever been hit with Ransom ware, but if I do, it's a DOD wipe, reformat, reinstall OP system, restore from last backup. NHS stands for National Health Services, I had to look at several websites before one of them spelled out what it stood for.

TheFORCE

This has been escalated to over 100 different countries right now. It uses the 0-d day SMBv1 exploit. Better block those part 445s on your systems.
More info here https://blog.varonis.com/massive-ransomware-outbreak-what-you-need-to-know/

greg9891

UKIkarus wrote: »

This isn't the first time either, do they have sufficient backups to recover from this I wonder?

I agree I'm wondering the same thing. Hope they have some nice daily backups with file level recovery if needed. Their Disaster recovery plan will be tested today.

TheFORCE

England got hit pretty bad, their hospital reportedly have shut down and not accepting patients, and even surgeries have been postponed.

dhay13

We got hit with ransomware at my last job. Our QA Manager clicked on a LinkedIn invite in his email. Luckily he called me right away and I told him to just unplug everything from it and shut it off ASAP. It was contained to that one laptop and he only lost a few things as we had daily backups. I left there and found out he did the same thing again. I heard it shut down that whole side of the building but not sure how that would happen unless it hit all other workstations over there before they reacted. Funny thing is I lectured him after the first time and explained to him what and how it happens. My manager at the time was clueless. We had no A/V on servers. When I questioned this he said 'well we don't surf the internet with servers'. No wonder it hit that whole side of the building that second time.

TechGromit

dhay13 wrote: »

I heard it shut down that whole side of the building but not sure how that would happen unless it hit all other workstations over there before they reacted.

Probably emailed everyone in his address book LinkedIn invites.

I recall this happening at the FAA after I left. Someone received an email with an infected file and they clicked on it and it infected there computer, which it turn emailed everyone in the building. something like 80% of the people clicked on the same email and infected their PC's in turn. They were effectively down for over a week while the IT staff re-imaged computers. Most of the staff is computer savvy, including engineers, so it's not like it was a bunch of clueless office clerks working there.

Santa_

Been tackling this for the last few hours. And by tackling I mean patching all of our servers - around 100 of them. Preventative measures so we do not run into any problems. *knocks on wood*

Backups are key. Best of luck to those who are experiencing this first hand.

If you're running 2008 Servers.
Within Admin Powershell Windows:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force[FONT=&quot]

[/FONT]

https://support.microsoft.com/en-us/help/4013389/title

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

xxxkaliboyxxx

And just like that, an unsung hero registered the kill switch domain and stops WannaCry in it's track. Still good to patch, but I wish I would of known before I spent late hours into this lol.

wd40

I know for a fact that some local hospitals are still using windows XP, probably because there ancient system does not work on newer OS for some reason.

I hope that they are not infected, and that this will make them consider upgrading soon...

Santa_

xxxkaliboyxxx wrote: »

Still good to patch, but I wish I would of known before I spent late hours into this lol.

Agreed. Even though we're wrapping up now, this is a peace of mind for our organization and our IT team.

xxxkaliboyxxx

Santa_ wrote: »

Agreed. Even though we're wrapping up now, this is a peace of mind for our organization and our IT team.

^^^^^ AGREE 100 percent, good time to ask for some additional security controls. Scare the bejesus out of them lol

Mike7

wd40 wrote: »

I know for a fact that some local hospitals are still using windows XP, probably because there ancient system does not work on newer OS for some reason.

I hope that they are not infected, and that this will make them consider upgrading soon...

XP, Server 2003 and Windows 8 has EOL. Credit to Microsoft for releasing a patch.
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

TechGromit

wd40 wrote: »

I know for a fact that some local hospitals are still using windows XP, probably because there ancient system does not work on newer OS for some reason.

Cost money to rewrite software, which is often in short supply. Were I work, we have an XP machine that runs a machine that tests respirators for compliance. Upgraded software to run on Win 7 would cost us 50k, we simply disconnected it from the network, it still works perfectly fine today.

TheFORCE

wd40 wrote: »

I know for a fact that some local hospitals are still using windows XP, probably because there ancient system does not work on newer OS for some reason.

I hope that they are not infected, and that this will make them consider upgrading soon...

I never understood this logic. If your main OS is EOL and you have a critical software on it, start in advance your migration plan. If your vendor is not supporting a new OS version, then drop them, see how they react when you tell them we going to use a competitors software.

UncleB

TheFORCE wrote: »

I never understood this logic. If your main OS is EOL and you have a critical software on it, start in advance your migration plan. If your vendor is not supporting a new OS version, then drop them, see how they react when you tell them we going to use a competitors software.

The reason is that the cost to the company is often perceived as not worth it - or the software is so proprietary that the only solution is to rewrite it ad significant cost which there is no budget for.

I've worked for a lot of companies with this mentality and it often took some fairly creative thinking to come up with a change in the way the company approached the need to get them weaned off the legacy systems.

I don't know if anyone from overseas (the NHS is the health service in the UK) knows much about the finances of the NHS, but it is a free health service for the public for pretty much anything non-elective (ie anything from a nasty cut to cancer, childbirth and mental care is covered but not enhancing plastic surgery or gender reassignment, although these sometimes happen when there are other factors involved). As such it is paid for by the government through taxation and their budgets have been cut annually for about a decade so are having to do more with an awful lot less money.

They also have a history of really badly run IT projects (being government funded this is the norm unfortunately) so they have their funds for IT spent on badly managed projects rather than fixing legacy systems that can be left ticking over.

I know it is a false economy but I'm not the decision maker for them.

I hope that puts in context why they are in the rubbish state they are - as for backups, I wouldn't hold my breath. It does remind me of a recent episode of Chicago Med where a doctor ended up paying the ransom...

Mike7

Sometimes it is almost difficult to migrate. When I once worked, we had HR payroll software that only runs on XP and business owner refused to upgrade. We re-installed the software on XP VM and closed all ports except RDP. If it gets infected, we can restore from VM image backups.

Now the UK government is under pressure. Ransomware is not new, the question is does the NHS have any backups? What is their DRP procedure? What are the RTO or RPO requirements? The vulnerability was patched 2 months ago. Does NHS have a patch management policy?

JockVSJock

https://intel.malwaretech.com/pewpew.html

TechGromit

UncleB wrote: »

I hope that puts in context why they are in the rubbish state they are - as for backups, I wouldn't hold my breath. It does remind me of a recent episode of Chicago Med where a doctor ended up paying the ransom...

Just is just sad, Patching and daily backup is Disaster Recovery 101. If everyone did this, ransomware would be pointless, no one would pay. Sadly far too many pay, and even after they pay once, they do not learn the lesson. and will likely pay again.

UncleB

If they can't sort out upgrading their client OS then you can be sure they have lots of physical servers, different platforms and no cohesive backup solution so a backup solution probably involves differing tape formats, manual changing of tapes and the reliability issues of the software and tape drives running the backups.

The NHS trusts are individually run so there are hundreds of them around the country, each doing their own thing and in desperate need to find a cohesive strategy and investment to get their IT sorted out, but the owners are prioritising what cash they have towards patient care in what is becoming a death choke hold on their IT.

rob42

It looks as if even XP has now been patched

Microsoft Releases XP Patch for WannaCry Ransomware

TechGromit

rob42 wrote: »

It looks as if even XP has now been patched

This is a little surprising, but it's nice to see Microsoft didn't say tough to users, upgrade. I guess it's good PR for no real effort, since I'm sure they developed a patch for companies that continue to pay for extended support.

MrXpert

I work for the NHS unfortunately. Our trust has got hit by ransomware more than once. A lot of money is spent on IT within our Trust and in fact we are over-staffed and usually spend a fair amount of time with "horse play". Many other NHS trusts IT departments operate this way too. Sadly it is normal. When bad things happen though we're slow to respond. Fire fighting rather than prevention

Chivalry1

Unfortunately I am not surprised by the impact of this ransomware. Many companies completely ignore patch management/disaster recovery/backups. The people ignoring the obvious are Senior Level Management CEO, CIO, CISO and Information Security Directors. HIPAA/PCI/SDN environments completely ignored and nor compliant, although being "signed-off" by the CISO as compliant. I am hoping this is a wake up call that companies should take information security serious!

I anticipate a increase in Cyber Security positions soon.

ande0255

I have a feeling that Ransomware thing from Friday is going to make tomorrow morning at my job a f'ing nightmare, I work with SMB customers who like to put backups of their servers on the back burner if its too much money / inconvenient / they don't report its messing up.

Good time to use mass Ransomware attacks though if your a thieving piece of ****, btc has been skyrocketing until it recently seems to have level between $1750-1800 per coin, if you don't go after government servers I bet you could bake millions in a global cyber heist like that.

I'm starting to reconsider my occupation after typing that and reading it a few times.

Mike7

ande0255 wrote: »

Good time to use mass Ransomware attacks though if your a thieving piece of ****, btc has been skyrocketing until it recently seems to have level between $1750-1800 per coin, if you don't go after government servers I bet you could bake millions in a global cyber heist like that.

I'm starting to reconsider my occupation after typing that and reading it a few times.

22 Bitcoins and USD $39K payment so far
How Much Wannacry Paid the hacker