Ransomware Wanna Decryptor causing IT failures across NHS

[walibe]

Interesting to see it's made relatively little money. Targeting large organisations does not seem to bear fruit - likely because of backups and other mitigating factors. Home users not so much.

[Rubarb]

I had to laugh at this,
I'm sure we've all had this kind of thing in the past, ...format/ 1 min turn off (incase it has a monkey virus that copys to ram) and re-install cures it and it's not network bound or depenat because not all NHS computers where infected.
Simply scaremongering from people that have no clue.

The NHS has been ripped off for years by Dell and also HP, I had a friend that worked for Dell and he loved selling to companys or orgs like that simply becasue he could jack up the price hugly with no questions asked, the Idiots hold the cheque book.

[peterb]

Interesting to see it's made relatively little money. Targeting large organisations does not seem to bear fruit - likely because of backups and other mitigating factors. Home users not so much.

I was just thinking that there hasn't been any mention of home users being affected, either because it isn't newsworthy compared with the corporate systems, or few home users have been affected.

[chj]

Not looking forward to seeing what kind of mess it'll be in tomorrow.

[Gh0sty]

I'm sorry but I did have to lol a little bit. I've heard how bad the IT departments are and this kinda confirms it

I've heard the goverment have invested loads of money in Britains space program. Just because you've heard something doesn't make it true! Try backing up your sweeping generic statements with facts. As someone who spent the whole weekend dealing with this, it wasn't down to the IT departments. All of our servers and pcs were patched, the weak point was 3rd party servers and pc's that are left on for remote access and not rebooted so didn't take the patch. As ever it was user error that caused the problem and we are now having to try and recover from that. Hope you don't need a dr's appoinment this week and all your records are being held on a 3rd party server, bet you won't find it so funny then.

[Spud1]

I was just thinking that there hasn't been any mention of home users being affected, either because it isn't newsworthy compared with the corporate systems, or few home users have been affected.

Thousands of home users are affected by various bits "randomware" every day - but you are right it doesn't make for a good news story compared to sensationalised claims of "cyber attacks on the NHS". This was very likely nothing of the sort - everything we know so far points towards a phishing/vishing attempt via email, which a number of users have fallen victim to whilst using NHS machines. The ransomware then spread through the vulnerability as we know through N3 and internal hospital networks..and the rest is history.

We don't know whether the source was from a personal email or NHS.net email, and the odds are this wasn't a targeted "attack" - but it sounds better in the news to call it so.

[themandark_uk]

I could of sworn that only a couple of months ago the virus companays where reporting that the nhs where in a bad state and this could happen at any min. And did the nhs listen.

[Dashers]

I expect the NHS do listen, and I expect it's sat fairly prominently on their risk logs.

Unfortunately, Enterprise IT is slightly different from your home computer or a small business. I would hazard a guess that the bulk of the machines running unsupported OS are due to dependencies on specialised kit that has never been updated and will not run on different OS. You can't stop say, blood screening, just because support has lapsed.

You could cry air-gap, but there is the scale of managing these estates and having any hope of updating them at all. Plus often, with Enterprise IT, data needs to be shifted, and having people wonder around with sensitive on USB drives is even worse.

The real test is how well they can recover these systems.

[walibe]

I believe decryption keys have now been generated so anyone affected can reverse the encryption.

[satrow]

The decryption method will only work if the machines haven't been rebooted.

The infection was almost entirely limited to W7/Server 2003 and there is zero evidence that it was transmitted via an email attachment.

Unpatched W7 machines connected directly to the Internet were the most likely infection route.

[walibe]

The decryption method will only work if the machines haven't been rebooted.

The infection was almost entirely limited to W7/Server 2003 and there is zero evidence that it was transmitted via an email attachment.

Unpatched W7 machines connected directly to the Internet were the most likely infection route.

Are you on about the hunt for patient zero? Yes it's still unknown although there are some good guesses at the moment. Its obviously spread via SMB internally but thanks to VPNs its easy to escape the network and a contractors laptop would be a perfect example.

Shame about the decryption but it's an interesting retrieval none the less and as it's businesses affected I suspect many of the machines won't have been rebooted if they haven't already been recovered, unless that part of memory is over written I guess.

[Dashers]

I guess it would have to be a laptop on 3G. Nobody connects to the Internet directly these days, even the most basic home broadband solution uses NAT which would block any inbound SMB sessions.

[walibe]

I guess it would have to be a laptop on 3G. Nobody connects to the Internet directly these days, even the most basic home broadband solution uses NAT which would block any inbound SMB sessions.

VPN as stated above.

[Dashers]

I doubt any NHS computers would be connecting to external VPNs.

[walibe]

I doubt any NHS computers would be connecting to external VPNs.

Regardless the scenario above was a contracter using a VPN for one reason or another then connecting laptop to same NHS network afterwards. A very likely and realistic scenario.