NHS Hospital Ransomware
Ransomware became headline news in 2017 when WannaCry, one of the largest international cyberattacks to date, hit major organizations around the world. One of the most high-profile victims was the NHS (National Health Service) in the UK. This article looks at how the NHS Ransomware attack occurred, the consequences of the attack, and the lessons you can learn to reduce the risk of ransomware attacks on your business.
When did the NHS attack take place?
On May 12th 2017, the NHS in the UK was impacted by a ransomware known as WannaCry. This major ransomware attack left hospitals unable to function, since critical systems went down. Thousands of surgeries had to be cancelled, and staff was unable to access patient records or even use telephone systems.
NHS England has estimated that around one-third of the 236 NHS trusts in England were affected, creating privacy and health concerns for staff and patients, who became victims of the resulting data breach.
What is WannaCry?
In May 2017, WannaCry became the world’s most notorious form of ransomware, hitting around 230,000 computers globally, in just one single day. The WannaCry attack was halted quickly, but variations of the original WannaCry still remain active.
As a worm, WannaCry is particularly difficult to stop, as it can infect devices and move across networks automatically, putting a large number of devices at risk from one single infection. Wanna Cry is just one of many notorious forms of ransomware. Others include Sodinokibi and Ryuk.
What is Eternalblue?
The exploit used to take advantage of the Windows OS vulnerability is known as Eternalblue, but it was not created by hackers. Rather, it was developed by the American National Security Agency (NSA). Unfortunately, Eternalblue was stolen by a hacking group known as The Shadow Brokers and was used to create WannaCry. Microsoft quickly created a patch, but any Windows PC that has not been updated since it was published remains vulnerable.
Eternalblue takes advantage of the SMBv1, an old Microsoft network communication protocol. Simply by sending a malicious packet to the target server, the malware can spread rapidly across the network, creating a significant security threat in moments.
Other types of ransomware that follow a similar approach include Petya (also based on Eternalblue), Cerber, and Locky.
NHS attack - what happened?
The WannaCry attacks were not targeted at specific organizations. Instead, they were speculative, looking for any opportunity to infect networks with known security weaknesses.
While WannaCry did not directly target the NHS, poor security and outdated systems made it easy for the attack to occur. UK hospitals had many computers running unpatched versions of Windows 7, so large sections of the network were vulnerable at the same time that this ransomware virus was rapidly spreading around the world.
As well as infecting local trust networks, the WannaCry malware was able to spread across the N3 network, which connects every NHS site. However, the attack was unable to spread via the NHS email system, preventing even more data from being held for ransom or used for phishing.
How did the NHS respond to the attack?
Did the NHS pay the WannaCry ransom?
NHS England and the National Crime Agency reported that NHS organizations did not pay the hospital ransoms. While the Department of Health does not know how much the disruption to services cost the NHS, some estimates are as high as £92 million (USD $116 million).
The cyberattack was stopped by computer security researcher Marcus Hutchins, who identified an unregistered domain that the ransomware was programmed to automatically check. By registering the domain, he was able to create a kill switch. The UK's National Cyber Security Centre spent the following days protecting against attempts to take the domain down until a decryption method was found.
What were the consequences of the NHS ransomware attack?
At least 80 out of the 236 NHS trusts in the UK were affected by the virus, in addition to 603 primary care and other NHS organizations and 595 GP practices.
The cyberattack was stopped by computer security researcher Marcus Hutchins, who identified an unregistered domain that the ransomware was programmed to automatically check. By registering the domain, he was able to create a kill switch. The UK's National Cyber Security Centre spent the following days protecting against attempts to take the domain down until a decryption method was found.
Other examples of ransomware attacks at major hospitals
The NHS ransomware is not the only high-profile incident involving medical facilities. In July 2019, Springhill Medical Center in Alabama was hit by a ransomware attack, resulting in a network outage that shut down monitoring systems for the labor ward. As a result, one of the mothers, Teiranni Kidd, brought a lawsuit after her child was born with brain damage and later died as a result of the attack, which changed how their health was monitored. This became the first alleged death as a result of ransomware.
Another severely damaging ransomware attack in recent years happened to United Health Services in September 2020. Their IT network was shut down for days by Ryuk ransomware, resulting in cancelled appointments, patients being moved to other facilities, and reliance on paper records. It took almost a month to recover, at an estimated cost of $67 million.
Unfortunately, ransomware attacks on hospitals are increasingly common. One report reveals that 45 million individuals were affected by attacks on healthcare in 2021, a dramatic increase from 34 million in 2020. Another survey found that 81% of healthcare organizations in the UK were the victims of ransomware attacks in 2021.
What lessons can be learned for business owners?
The Department of Health was warned about the risks of cyberattacks on the NHS a year before the WannaCry attack, and although work was underway to make changes, it was too late. The Department was also criticized at the time for allowing the use of Windows systems as old as Windows XP, which Microsoft stopped supporting in 2014.
The main lesson to learn from this high-profile attack is to prioritize cybersecurity best practices and implement patch management. While this can be difficult in a demanding environment, it is essential for preventing vulnerabilities that can be exploited by hackers for access to your business network and server.
Alongside this, cybersecurity best practices should be followed, such as:
- Creating an IT Disaster Recovery Plan
- Implementing ransomware protection tools
- Staff training to avoid phishing/social engineering attacks
- Creating secure data backups so sensitive documents can be recovered
By combining these elements, the risk of experiencing an attack can be reduced, helping minimize downtime and recovery. If your business does become the victim of an attack, be aware that many security and government agencies have created decryption tools to help recover data stolen by certain types of known ransomware.
To find out more about major ransomware attacks, be sure to check out our case studies on the City of Atlanta and Baltimore attacks.
Let Avast protect your business from ransomware attacks
Backups and effective security implementation are essential for protecting your business from ransomware attacks. Avast’s Small Business Cybersecurity Solutions will allow you to choose the level of protection that best suits your business’ size and requirements, helping you protect devices against ransomware and other types of cyberattacks.
© 2024 Gen Digital Inc.