When WannaCry struck in May 2017 it was the first mass global ransomware attack of its kind. It set headline writers into overdrive and organisations scrambling to react. Although the day was saved by a quick-thinking British researcher, who effectively provided a kill switch to stop the worm from spreading, the UK’s National Health Service (NHS) was one of the many organisations badly hit.
The question is, have improvements been made to mitigate the impact of something similar happening in the future? Or has ransomware now evolved into something arguably even more dangerous?
Subsequently attributed as a state-sponsored attempt to monetise mass ransomware infections, WannaCry spread by exploiting a legacy Windows implementation of the Server Message Block (SMB) protocol (SMBv1). The vulnerability was patched in March 2017 by Microsoft, but when the attack struck, many organisations had yet to apply the vital fix. In total, the threat is thought to have infected almost half a million computers worldwide, although it only made its creators an estimated $100,000.
In a post-mortem of the incident, the National Audit Office (NAO) claimed that WannaCry caused disruption at a third (34%) of NHS England trusts and infections at a further 603 primary care and other NHS organisations. An estimated 19,000 appointments and operations were cancelled and in five areas, patients were forced to travel further to visit A&E.
The NAO found the health service’s IT security processes wanting in several areas. It said NHS Digital issued critical alerts in March and April 2017, to patch the flaws which were ultimately exposed by WannaCry. However, the Department of Health at the time had “no formal mechanism” for assessing whether trusts had complied with the advice. In addition, although it developed a cyber incident response plan, this hadn’t been tested at a local level.
In the end, the incident cost the NHS an estimated £92 million, with the vast majority (£72m) of this coming from IT overtime payments.
Amazingly, WannaCry is still prevalent today, four years after it caused global panic. In March, researchers found the malware affected 53% more organisations than at the start of the year. A separate study claimed 67% of organisations are still running the insecure SMBv1 protocol.
However, things appear to be a lot better at the NHS, after it embarked on what NHS Digital CISO, Dan Pearce, described as “one of the most ambitious and aggressive cybersecurity programmes seen in any health and care system in the world.” This included the creation of:
- A Cyber Security Operations Centre, which is said to block around 21 million incidents of malicious activity every month
- A network of “Cyber Associates” who own and advise on cybersecurity within the NHS
- A Data Security and Protection Toolkit (DSPT), which assesses NHS organisations against 10 national data security standards
- Regional leads to support local delivery of cybersecurity
- Licences to enable all NHS Trusts to upgrade to Windows 10, featuring greater in-built anti-malware protection. This provides endpoint security across 1.3 million connected devices, and visibility into threats and vulnerabilities nationally
- An NHS Secure Boundary, consisting of next-gen and web application firewalls designed to protect NHS organisations from the most sophisticated threats
The changing face of ransomware
For all the headlines and damage done, WannaCry was a relatively unsophisticated attack. Healthcare organisations in the UK and globally face an arguably far more determined, professional adversary today. The ransomware-as-a-service (RaaS) model has significantly lowered the bar to entry, so that multiple affiliate groups may be using a single ransomware variant.
Healthcare organisations (HCOs) across Europe and the US have been targeted during the pandemic, in the hope that they had diverted attention away from security during the crisis and would be desperate to get any disrupted services back online. Increasingly these attacks are multi-stage, APT-style campaigns that may start with a phishing email, an RDP compromise via stolen or cracked credentials, or an exploited vulnerability. Legitimate tools and “living off the land” techniques are then used to enable lateral movement without triggering alarms. Data is often stolen to increase the chances of a payout.
The NHS may have learned the lessons of the pandemic, but no healthcare organisation is safe from modern ransomware: there are simply too many financially motivated threat groups around. Among the best practice recommendations are:
- Deploy email protection and anti-phishing training to help staff better spot suspect emails
- Implement application security to protect vulnerable web applications
- Back up according to the best-practice 3-2-1 rule
- Prevent malware with multi-layered defences (email, network, web app, endpoint, server, etc.)
- Enforce multi-factor authentication (MFA) for all accounts, especially RDP
- Segment the network to reduce lateral movement risks
- Restrict access along “least privilege” principles using Zero Trust Access
- Patch high-risk systems promptly (and conduct regular vulnerability scans)
- Use next-gen firewalls and network-layer detection to control lateral movement
- Disable RDP and any other unused ports
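To make the SMBv1 and RDP items concrete, here is an added PowerShell audit script (not from the original article or the NHS programme) that checks a Windows host for the legacy SMBv1 protocol WannaCry exploited and for RDP exposure, and optionally applies the hardened settings. It assumes a Windows 8.1/Server 2012 R2 or later host with the SmbShare module and an elevated session; the `-Remediate` switch and the `$findings` structure are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the article: audit SMBv1 and RDP exposure on one host.
# Run without arguments to report only; add -Remediate to disable SMBv1 and require
# NLA for RDP. RDP itself is only flagged, never disabled, so an admin is not locked out.
param([switch]$Remediate)

$findings = @()

# --- SMBv1 (the protocol WannaCry spread through) ---
$smbServer = Get-SmbServerConfiguration
if ($smbServer.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is ENABLED"
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
# On client SKUs SMBv1 is also an optional feature; on Server editions it is a
# Windows Feature (FS-SMB1) and this check is skipped silently (assumption noted here).
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') {
    $findings += "SMB1Protocol optional feature is installed"
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# --- RDP (a common initial-access path via stolen or cracked credentials) ---
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
if ($rdpEnabled) {
    $findings += "RDP is enabled; disable it if this host does not need remote desktop"
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -ne 1) {
        $findings += "RDP does not require Network Level Authentication"
        if ($Remediate) { Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord }
    }
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Output "OK: no SMBv1 or RDP exposure found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Output "FINDING ($env:COMPUTERNAME): $_" }
}
```

Disabling the SMB1Protocol feature takes effect after a reboot, so a follow-up run after restart confirms the change.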
There may not be another WannaCry. But in the meantime, HCOs must be alert to the evolving nature of the ransomware threat, and proactive in their responses.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.