Ransomware attack hits NHS and multiple targets around world

Cyber-security is not often top of the headlines, but there was an exception last week as a massive ransomware attack infected thousands of machines across the world, affecting many big companies and, perhaps most notably, the National Health Service (NHS) in the UK.

The incident, which began to spread rapidly on Friday, saw more than 57,000 attacks in more than 99 countries across the globe, according to anti-virus and cyber-security firm Avast.

The NHS and beyond in lockdown

The NHS said that at least 40 different health service organisations were infected by the attack, which locked doctors and nurses out of vital patient notes and other online information. Many others were forced to shut down their online systems in an attempt to prevent infection.

It left thousands stuck in A&E and GP surgeries, whilst NHS Trusts were urging new patients not to come to hospitals and GP surgeries unless it was an emergency.

The NHS Blackpool Clinical Commissioning Group was just one which posted a message to patients, saying, “Please avoid contacting your GP practice unless absolutely necessary. Should you wish to obtain non-urgent medical advice, please call 111. Please also only attend the Walk-In Centre and A&E department if absolutely necessary.”

An investigation is taking place into how the attack was able to take hold, but the NHS said in a statement, “This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors… At this stage, we do not have any evidence that patient data has been accessed.”

In Spain, the country’s largest telecoms company, Telefonica, was affected, whilst French car manufacturer Renault was forced to shut down its factories, and railway ticket machines in Germany stopped working.

According to Avast, most victims appear to have been individual users in Taiwan, whilst Russia and the Ukraine were also badly hit.

WannaCry

The malware responsible was called “WanaCrypt0r 2.0” or WannaCry and actually first appeared on April 14th. It exploits a vulnerability in Windows and encrypts data on a device before demanding a payment of $300 in Bitcoin for the data to be decrypted.

The attackers warn that if payment is not received within a certain period of time, the amount will rise. Understandably, many people and firms appear to have started paying up already.

The malware was actually released by a group called Shadow Brokers, which last year claimed to have stolen a huge cache of ‘cyber-weapons’ from the NSA. On its release, Microsoft did quickly release a security update which dealt with the problem. But it seems that this particular piece of ransomware is exploiting devices which have not yet downloaded that patch.

The flaw was also present on versions of Microsoft Windows which are no longer supported, and it was apparent that this was a big factor in the rapid spread of the malware. Remarkably, even though Microsoft stopped providing security updates for Windows XP back in 2014, many NHS machines still run on it.

Indeed, such was the concern that Microsoft themselves took what they called the “highly unusual step” of providing a security patch for Windows XP, Windows 8, and Windows Server 2003 to protect users against this vulnerability.

Kill Switch discovered

The story so far has all the makings of a Hollywood movie (if not perhaps a blockbuster) but the story gets even better. It soon emerged that a British security researcher, who tweets @malwaretechblog and is 22 years old from the southwest of the country, managed to identify and activate a kill switch on the malware.

He looked at a sample of the malware and found that it was connecting out to a specific domain which was not registered. So, he registered the domain for a cost of $10.69. It later emerged that as soon as that domain became live, the malware would stop spreading. And with that, the problem was, at least for now, resolved.

As the security researcher himself noted, “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”

That is indeed exactly what users should do. If your system does not download such security updates automatically, you can do so manually by going to Control Panel > System and Security > Windows Updates and ensuring you have downloaded update MS17-010. More information for all operating systems is directly available from Microsoft here.

And as always, users should ensure their anti-virus, spam filters, and firewalls are functioning and properly updated, and ignore any emails which look suspicious. Lastly, try to back up all of your data, just in case the worst happens.
