Massive Ransomware Attack Hits NHS and ISPs

A major ransomware attack has been reported, with banks and NHS Trusts among the targets hit.

According to Russia Today, a number of NHS employees have been reported as being hit by the ransomware, while one user posted on Twitter a screenshot of the ransomware which asks for "$300 worth of Bitcoin".

Patients have now been urged to avoid them all 'unless absolutely necessary', and should instead call 111 for triage and medical advice.

A statement by East and North Hertfordshire NHS read: “Today, the Trust has experienced a major IT problem, believed to be caused by a cyber-attack.

“Immediately on discovery of the problem, the Trust acted to protect its IT systems by shutting them down; it also meant that the Trust’s telephone system is not able to accept incoming calls.”

Jamie Moles, Principal Security Consultant at Lastline said: “Interestingly, the NHS takes a very strict and sanitary approach to dealing with these attacks, shutting down almost all of its IT capabilities while it triages and treats the problem. Why would we expect any different from a medical organization?

“Moving forward if we are to prevent these attacks causing delays to treatment and potentially deaths, NHS trusts are going to have to invest in technology to deal with cyber-threats. There are plenty of good technologies available to assist in this issue and they can be scaled effectively and cost efficiently to cope with massive organizations like the NHS."

The infections follow discovery of a ‘massive ransomware campaign’ named WannaCry, with infections spotted in 11 countries. The notification by G Data said: “In the early morning hours (CET) of Friday, May 12, a sizeable wave of infections with the latest iteration of the WCry / WannaCry ransomware was spotted. Researchers are not sure where the sudden onslaught came from, but suspicions currently include bot nets, exploit kits, infected emails or malicious advertising (also called malvertizing).”

The notification also claimed that ISP Telefónica was hit with an infection on one of its internal servers, and that staff were asked to cut any VPN connections in order to stop the ransomware from hitting more parts of the company's network.

A statement by Telefónica claimed: “In the middle of today's morning an incident of cybersecurity has been detected that has affected the PCs of some employees of the company's internal corporate network. Immediately, the security protocol for this type of incidents has been activated with the intention that the affected computers operate normally as soon as possible.”

The National Cyber Security Centre said in a tweet that it was aware of a "cyber incident" and was working with the National Crime Agency and NHS Digital to investigate.

Javvad Malik, security advocate at AlienVault, said: "The attack seems to show that there is no segregation between front-end, back-end, and critical NHS systems. While it is not always possible to defend against all attacks, having critical systems segmented, to prevent being impacted by such a breach could have allowed core capabilities to remain online.

“By having security designed into system architecture, it can make services harder to compromise, or reduce the impact of a compromise.”

Dr Malcolm Murphy, technology director, Western Europe at Infoblox, said that attacks such as this demonstrate the risk to public services. "The ransomware trend is only set to increase, however. The last Infoblox DNS Threat Index reported a 3,500 per cent increase in domains that either hosted or communicated with malicious ransomware downloads in the first quarter of last year, and its commoditization through cyber-crime toolkits means that even the most novice criminal can deploy it.

“All organizations must ensure that their security measures are up to scratch: from having all software patched and up to date and making sure users observe best practice, to deploying DNS effectively as an enforcement point to block ransomware.”

Source: Information Security Magazine