
Thread: Ransomware Wanna Decryptor causing IT failures across NHS

  1. #17
    Banhammer in peace PeterB kalniel's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Quote Originally Posted by Corky34 View Post
    And it's not really the moron end user's fault that they have an outdated system, didn't this only work because many NHS trusts are still running XP?
    No, it has affected all versions of Windows - if you didn't patch in the last two months then you're vulnerable. It's just that there's no patch for XP.

    Also, it's a worm, so no need for user error.

    The dilemma for the NHS is they have hugely complicated inter-connected systems, presumably on very custom software. Upgrading OS, or even sometimes just running the latest update, is fraught with danger. Catch 22 is so is not upgrading.

    This wasn't targeted at NHS either. It's spread worldwide with speed of transmission related to how many computers were active - it looks like Russia/Asia were affected early, along with Europe. Then it hit UK, proliferated in NHS due to size. It also hit the US, but a lucky UK chap found the kill switch before it spread too far that way so vastly limited the damage.

  2. Received thanks from:

    Pleiades (13-05-2017)

  3. #18
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Quote Originally Posted by Corky34 View Post
    Yeah, I heard something about that, IDK if it was released before or after the event but either way the cause of this is more complicated than moron end user, bad IT, evil Microsoft, or any other single point of failure, it's a series of failures.

    Having said that I'd personally attribute it mostly to a lack of money, throwing money at problems while perhaps not very cost effective tends to get them solved.
    Yes I'd agree with that, broadly. More perhaps a case of a lack of a coherent IT strategy - and one not just confined to the NHS. The attitude seems to be that while it is working, leave it alone, why spend money on it. And then when it goes wrong, it fails spectacularly.

    Interesting thought on the biological analogy of a virus. In the biological world, viruses exploit species and so biodiversity acts as a slowing down mechanism (in very simplistic terms).

    In corporate IT, where Microsoft products are prevalent, one malicious virus can infect large numbers of the system where 'immunity' doesn't exist.

    I wonder how mixed operating systems would fare, a mix of Microsoft, *nix and Apple (which are *nix based anyway) across an organisation? One subset might be affected, but the likelihood of all would be lessened.

    The downside would be the support and training, but for mission critical systems, that might be a price worth paying.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  4. Received thanks from:

    Pleiades (13-05-2017),Saracen (15-05-2017)

  5. #19
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Quote Originally Posted by kalniel View Post
    No, it has affected all versions of Windows - if you didn't patch in the last two months then you're vulnerable. It's just that there's no patch for XP.

    Also, it's a worm, so no need for user error.

    The dilemma for the NHS is they have hugely complicated inter-connected systems, presumably on very custom software. Upgrading OS, or even sometimes just running the latest update, is fraught with danger. Catch 22 is so is not upgrading.

    This wasn't targeted at NHS either. It's spread worldwide with speed of transmission related to how many computers were active - it looks like Russia/Asia were affected early, along with Europe. Then it hit UK, proliferated in NHS due to size. It also hit the US, but a lucky UK chap found the kill switch before it spread too far that way so vastly limited the damage.
    Well-intentioned but ignorant users can be dangerous too. I remember a case where an organisation had two networks, one isolated from the net and moderately well locked down, and another computer that was used only for internet access. All was well until the machine connected to the network failed. 'Fortunately' the internet-connected machine was the same make and OS, so the user 'helpfully' swapped them over.

    You can guess the rest, the internet machine was infected but could do little damage - until it was connected to the closed system where it went rampant.

    This was some years ago so I would hope lessons were learned.....

  6. #20
    Senior Member

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Quote Originally Posted by kalniel View Post
    No, it has affected all versions of Windows - if you didn't patch in the last two months then you're vulnerable. It's just that there's no patch for XP.

    Also, it's a worm, so no need for user error.

    The dilemma for the NHS is they have hugely complicated inter-connected systems, presumably on very custom software. Upgrading OS, or even sometimes just running the latest update, is fraught with danger. Catch 22 is so is not upgrading.

    This wasn't targeted at NHS either. It's spread worldwide with speed of transmission related to how many computers were active - it looks like Russia/Asia were affected early, along with Europe. Then it hit UK, proliferated in NHS due to size. It also hit the US, but a lucky UK chap found the kill switch before it spread too far that way so vastly limited the damage.
    Sorry, I should have been clearer, it only worked to the extent it has because many NHS trusts are still running XP that didn't receive any patches for MS17-010 in March.

    Also every worm needs user error to get started.

    Yes patches need testing and it's complicated however that's not helped by Microsoft changing to a monolithic patching system.

    Lastly, as this vulnerability originated, or so it seems, from the leak of NSA exploits a few months ago, ultimately they're to blame as they didn't practice responsible disclosure, something that's probably against their own best practice guidelines.

  7. Received thanks from:

    Pleiades (13-05-2017)

  8. #21
    Senior Member

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Quote Originally Posted by Corky34 View Post
    Lastly, as this vulnerability originated, or so it seems, from the leak of NSA exploits a few months ago, ultimately they're to blame as they didn't practice responsible disclosure, something that's probably against their own best practice guidelines.
    That was Snowden's response:
    "If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened"

    But then as this and the large hole in Intel AMT and vPro show, disclosing holes, backdoors, and flaws is not in their interest. When the Snowden stuff came out I thought him mentioning backdoors over wireless was surely a joke or only where they could compromise a target's hardware and add some wireless hardware but now I am no longer so sure. Certainly, it seems Intel are either idiots or some of their stuff is being done at the behest of three-letter agencies. The only mystery would be, where would they sneak in an aerial without it being noticed. Maybe a certain track length between the CPU and the chipset but then how would it pass FCC emission unless it is off (but catch 22 how can you remotely turn it on then?). I guess it is still very unlikely but just no longer in the category of 'impossible tin-foil hat stuff'.

  9. Received thanks from:

    Pleiades (13-05-2017)

  10. #22
    Senior Member

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    For anyone concerned Microsoft have released an emergency patch today for all versions of Windows from XP onwards.

  11. #23
    Senior Member

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    A Microsoft TechNet blog post is available providing guidance to those affected.
    Customer Guidance for WannaCrypt attacks

  12. #24
    mush-mushroom b0redom's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Quote Originally Posted by OilSheikh View Post
    DBAN all the PCs and servers
    Image them using SCCM
    Restore data from backup

    About a week's job, Could be done over the weekend with a lot of manpower.
    Well that's fine and all assuming that you don't have any compromised data. I worked recently at a place who until recently allowed remote access using BYOD until someone VPNd in using a laptop which had been compromised with ransomware. As soon as they connected to a network share it encrypted the lot. Fortunately they had a weekly backup strategy with daily incrementals so they only lost a day or so of work. Even if all of the NHS data is stored on a SAN, there must be systems which update it.

    Having worked fairly extensively in the public sector as well as the private sector, much of the reason not to move to modern OSs etc is due to risk avoidance and cover your ass by civil servants over technical reasons.

  13. #25
    Not a good person scaryjim's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Quote Originally Posted by kalniel View Post
    ... they have hugely complicated inter-connected systems, presumably on very custom software. ...
    The bigger issue for the NHS is that a lot of their IT managers made some dubious (but cheap) decisions in the early 2000s, contracting freelancers to build (but not support) custom systems for mission critical functions. Many of those systems used the rather dubious OS hooks in Win XP or IE6/7 that MS stripped out of later versions, so those trusts ended up, 5 - 10 years later, facing a choice of upgrade all their PCs and rewrite a lot of their critical systems from the ground up (expensive), or to leave everyone on XP and hope that everything would turn out OK (cheap). The less money they spend on IT the more money can get ploughed into patient care, so no surprise which option they took...

  14. #26
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    I would suspect that the digital criminal underworld are concerned at the moment.

    Last thing cyber criminals want is publicity, and the extent that this has spread, and the countries and systems affected means that there will be a lot of collaborative work by some very clever people, not only looking for a solution to the encryption, but shining a light into some dark places - and when you shine lights into dark places, it may reveal lots of interesting things.

  15. Received thanks from:

    Biscuit (14-05-2017),walibe (13-05-2017)

  16. #27
    Senior Member walibe's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    This is true to an extent. In my experience and from speaking to others in this world and in the 'dark side' of the web these are very organised criminals which operate like businesses in a pyramid scheme.

    They will have people who compete and carry out the phishing activities and work on the basis of if we get paid $300 to remove the ransomware you get $50 of it. They even hold daily, weekly and monthly competitions where the top performers are awarded iPads and in one case they gave away a brand spanking new Lexus. I'm not even kidding.

    They also have some of the best customer care that the likes of even Apple can only dream of. Say you are the victim and decide to pay the fee, they even provide phone support and in some cases help you patch yourself because you are now their customer.

    It's crazy. These gangs do go down frequently and are almost always multinational. This one has become too successful for its own good in a very short space of time and will now be very much in the spotlight like peterb says.

    I could write a couple of articles about this in the next few weeks if anyone wants to know more and recommend further reading etc.
    Laptop - Macbook Pro Retina 13" (Early 2015) i5/8GB/256GB
    Desktop 1 - iMac 27" (late 2012) i7/32GB/1TB Fusion Drive
    Desktop 2 - i7 2600K/32GB/1TB/GTX 760
    Server - HP DL160 G6 2 x Hex Core Xenon x5650/64GB/8TB
    NAS - ASUSTOR 604T ATOM Dual Core/3GB/16TB

  17. Received thanks from:

    Biscuit (14-05-2017),peterb (13-05-2017),Xlucine (13-05-2017)

  18. #28
    Senior Member Xlucine's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    A couple of years ago the NHS agreed a deal with Microsoft to extend support for Windows XP for a year, so they had time to finish switching from XP to more modern systems
    https://www.theguardian.com/technolo...-public-sector
    The extended support deal comes with a requirement that PCs be migrated from Windows XP, Office 2003 or Exchange 2003 within a year. The government expects the majority of machines to be upgraded from Windows XP by April 2015.
    If systems were still on XP and not airgapped, that's gross incompetence.

    Quote Originally Posted by peterb View Post
    I would suspect that the digital criminal underworld are concerned at the moment.

    Last thing cyber criminals want is publicity, and the extent that this has spread, and the countries and systems affected means that there will be a lot of collaborative work by some very clever people, not only looking for a solution to the encryption, but shining a light into some dark places - and when you shine lights into dark places, it may reveal lots of interesting things.
    I'd give it a couple of months before we get research identifying a statistically significant uptick in mortality during the outage

  19. Received thanks from:

    walibe (13-05-2017)

  20. #29
    Yay a custom user title! =assassin='s Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    I'm at Blackpool Victoria Hospital, and we have Windows 7 on every machine, not XP.

  21. #30
    Senior Member walibe's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Quote Originally Posted by =assassin= View Post
    I'm at Blackpool Victoria Hospital, and we have Windows 7 on every machine, not XP.
    But as you all operate as different trusts, not every trust has upgraded their IT systems yet. Plus if Windows 7 talks SMBv1, which by default it won't, but if it's set to in group policy or was installed as an upgrade (in which case it automatically enables SMBv1), you can still be vulnerable and will continue to be so. The key thing here is that everyone should be on version 3 and at least 2 with SMBv1 completely disabled.

    Plus I'd put money on a vast amount of your medical equipment still being XP embedded. Even the cash machines mostly run XP embedded still.
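
An added example, not part of the original posts: a PowerShell audit of the SMBv1 state that post #30 says should be disabled, covering both newer Windows (cmdlet) and Windows 7 / Server 2008 R2 (registry). The function name `Get-Smb1Status` is hypothetical; the cmdlet, registry paths and values are the ones Microsoft documents for detecting SMBv1. Run it from an elevated prompt.

```powershell
# Added example: report whether SMBv1 is enabled on the local host.
function Get-Smb1Status {
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        ServerSMB1   = 'Unknown'
        ServerSMB2   = 'Unknown'
        ClientSMB1   = 'Unknown'
        Source       = ''
    }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: the SMB server settings are
        # exposed directly by the SmbShare module.
        $cfg = Get-SmbServerConfiguration
        $result.ServerSMB1 = if ($cfg.EnableSMB1Protocol) { 'Enabled' } else { 'Disabled' }
        $result.ServerSMB2 = if ($cfg.EnableSMB2Protocol) { 'Enabled' } else { 'Disabled' }
        $result.Source     = 'Get-SmbServerConfiguration'
    }
    else {
        # Windows 7 / Server 2008 R2: the server reads DWORD values SMB1 and
        # SMB2 under LanmanServer\Parameters. Microsoft documents a missing
        # value as "enabled", so only an explicit 0 counts as disabled.
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $smb1  = $props.SMB1
        $smb2  = $props.SMB2
        $result.ServerSMB1 = if ($null -ne $smb1 -and $smb1 -eq 0) { 'Disabled' } else { 'Enabled' }
        $result.ServerSMB2 = if ($null -ne $smb2 -and $smb2 -eq 0) { 'Disabled' } else { 'Enabled' }
        $result.Source     = 'Registry'
    }

    # Client side: SMBv1 is implemented by the mrxsmb10 driver.
    # Start = 4 means the driver is disabled; no key means it is not installed.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                            -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $drv) {
        $result.ClientSMB1 = 'NotInstalled'
    }
    elseif ($drv.Start -eq 4) {
        $result.ClientSMB1 = 'Disabled'
    }
    else {
        $result.ClientSMB1 = 'Enabled'
    }

    [pscustomobject]$result
}

# Flag the host if either side can still speak SMBv1.
$status = Get-Smb1Status
$status | Format-List
if ($status.ServerSMB1 -eq 'Enabled' -or $status.ClientSMB1 -eq 'Enabled') {
    Write-Warning "SMBv1 is still enabled on $($status.ComputerName)."
}
```

On hosts that have the cmdlet, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` turns the server side off; on Windows 7 the equivalent is setting the `SMB1` registry value to 0 and rebooting.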

  22. #31
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Very interesting read here about how the infection was halted

    https://www.forbes.com/sites/thomasb.../#63eadc5274fc

  23. Received thanks from:

    walibe (13-05-2017)

  24. #32
    Senior Member walibe's Avatar

    Re: Ransomware Wanna Decryptor causing IT failures across NHS

    Oops
