You don’t need me to tell you that large swathes of the NHS have been hit by a ransomware attack. You might be forgiven for thinking that it was a targeted attack against the NHS, if you have been watching the TV news or reading the newspapers.

Actually, it was nothing of the sort, and those surgeries and trusts impacted by this were victims of a global attack. Organisations in around 190 countries, and ranging from universities to telecoms providers, postal services to the railways, have all been hit.

NHS not targeted, or attackers would have set sights higher

That this wasn’t targeted at the NHS was pretty obvious from the get-go, not least as the ransomware involved (WannaCrypt0r to be precise) is a known threat and the ransom demanded, of between £230 and £460, is equally generic. If the attack was truly targeting an organisation the size of the NHS, even at a more local Trust level, you might imagine the actors involved would have set their sights a little higher, especially given the huge risk they are taking. Attacks on this scale do not go without in-depth investigation, and the chances are the attackers will be caught, tried and likely jailed.

This was not an attack that was unexpected either, at least not by anyone with half a clue when it comes to IT security. Obviously, I don’t include the NHS Trust c-suites with control over budgets, or government, in this description.

Warnings had been coming thick and fast

The warnings have been coming thick and fast for years and not just from us here at Digital Health either. That said, I did warn about precisely such an event just days before the attack hit…

I’ll come on to how vulnerable the NHS was (and still is) as a whole to this kind of threat in a moment, but first let’s take a look at the threat itself.

The malware involved is a ransomware variant known as WannaCrypt0r (aka WannaCrypt and Wcry). There is nothing particularly virulent or special about WannaCrypt0r, truth be told; it’s bog standard ransomware when all is said and done. Once installed it encrypts every file that it comes across and demands a ransom for the decryption key.

That ransom is initially $300 (£230) in Bitcoin but if you haven’t paid by the time the countdown reaches zero in 72 hours it doubles to $600 (£460) – again, all familiar territory in the ransomware world. As is the threat to delete the files after a week, although that’s something of a pointless threat if they are encrypted and unusable anyway.

Virulent ransomware delivered by worm

Less familiar territory for ransomware is the distribution mechanism used to spread the malware payload. Rather than go in through the usual social engineering route of a phishing email, or spear-phishing in a truly targeted attack, this WannaCrypt0r threat employed something far more virulent and successful: it adopted the worm approach. How it turned itself into a ransomware worm is interesting and frightening in equal measure. WannaCrypt0r exploited a vulnerability that enabled it to spread from network to network, LAN to WAN, and pretty much with impunity.

Usually when such a vulnerability is discovered, one of two things happens: it either gets disclosed to the vendor concerned and fixed by way of a patch, or becomes a 0day that is sold on the underground ‘dark market’ for criminal or state-sponsored usage. In the case of EternalBlue, as the vulnerability is known, it’s a mixture of the two.

NSA developed the original exploit code NHS was hit by on Friday

For a start, it was developed for, and presumably used by, the NSA (National Security Agency) in the US. Unfortunately, the NSA couldn’t keep the exploit code secure, and it was released in April as part of the Shadow Brokers hacking group’s exposure of such things.

The vulnerability was in the Server Message Block protocol, specifically as found in the Microsoft Server Message Block 1.0 (SMBv1) server. A specially crafted message sent to that service exploited how Windows machines communicated with the file system over the network, allowing remote code execution. Once one machine is infected, the malware rapidly propagates to any others that are connected and vulnerable. This is how a worm works, and it worked well in the case of WannaCrypt0r.

NHS would have been protected by applying 14 March Microsoft MS-17-010 security update

But it didn’t have to be that way as Microsoft had already patched the vulnerability long before Shadow Brokers released the exploit code. The 14 March Microsoft MS-17-010 security update for SMB Server fixed the problem, but you had to have installed the patch of course. And that’s where the NHS amongst others fell short.

NHS legacy machines should have been behind a firewall

You’d think that a couple of months would be plenty for even the most risk-averse (in the sense of risk from a patch causing problems) organisation to roll out a critical security update. But no, apparently not. But patching isn’t the only problem here. Systems that had not been or could not be patched, and in the case of the NHS that means legacy machines, should have been behind a firewall at the very least.

Yet the spread of this thing suggests that those firewalls were not properly configured, with ports 139 and 445 being open and the hosts behind them accepting inbound connections, including the malicious SMB message WannaCrypt0r sends. Of course, all it takes is a single, solitary firewall to be incorrectly configured for such a worm to quickly propagate post-infection to other machines.

Get set for variant strains of WannaCrypt0r

So what happens now? Well, you’ll have probably read that a young security researcher, from his bedroom, spotted a killswitch in the malware code and, with the help of the professionals, it was activated. This certainly reduced the overall impact of the attack. It will not, however, have stopped it dead. Things are set to get worse as there are already variant strains of WannaCrypt0r (with that killswitch removed and other tweaks to make it harder to spot and stop) out in the wild. This is not over by a long chalk.

The answer remains: do the basics of security well

And just how *do* you stop this happening again? The simple answer is by doing the basics of security well: replacing legacy systems where practical; ensuring network separation where not, so that threats cannot leapfrog the whole shebang; getting on top of patch management; and, yes, I’m going to keep on saying it until I’m blue in the face, making the proper investment in data security. If you want a ‘strong and stable’ NHS from the IT security perspective then it comes at a cost, and that has to be provided by central government.

Look, I understand that patching for a large enterprise (and that’s what NHS Trusts are) is not a trivial thing. I get that software compatibility is rather important when we are talking patient care. I also get that by delaying patching, or not patching at all, the risk increases to the point where something like this can happen. That cannot be the better option, and will never be the better option. I also get that money isn’t on tap in the NHS, and that a scanner costing upwards of a few hundred thousand quid that has an embedded legacy OS cannot easily be replaced. However, it can easily be isolated from danger by correctly configured firewalls; in other words, by appropriate controls.

These controls do not need to be a costly exercise to implement, but they do need to be addressed as a matter of urgency. At the very least, blocking SMB traffic (on ports 139 and/or 445) to any legacy and unpatched system is essential.
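The two points above, that an incorrectly configured firewall leaves hosts accepting inbound SMB on ports 139 and 445, and that legacy or unpatched systems must not receive any SMB traffic at all, can be turned into a check that runs over the firewall's own logs. The script below is an added example, not code from the original article or from the NHS; it assumes the Windows Firewall text log format (date, time, action, protocol, source IP, destination IP, ports, and a trailing RECEIVE/SEND path field) and uses a constructed policy and constructed log lines. Hosts with an empty allow list are treated as legacy systems that should see no inbound SMB; every other host may only be reached on SMB from the named networks.

```python
"""Audit Windows Firewall log lines for inbound SMB that the policy says should be blocked.

Added example (not from the original article). Log format assumed: the text
pfirewall.log layout with 17 space-separated fields ending in RECEIVE or SEND.
"""
import ipaddress
from dataclasses import dataclass

# SMB over NetBIOS (139) and direct-hosted SMB (445), the two ports named in the article.
SMB_PORTS = {139, 445}

# Constructed policy for this example. Keys are destination hosts; values are the
# source networks allowed to reach SMB on them. An empty list marks a legacy or
# unpatched host that must not accept inbound SMB from anywhere.
SMB_POLICY = {
    "10.20.30.40": [ipaddress.ip_network("10.20.0.0/16")],  # patched file server, LAN only
    "10.20.30.99": [],                                      # legacy scanner workstation, isolate
}


@dataclass(frozen=True)
class Finding:
    dst: str
    src: str
    port: int
    reason: str


def parse_line(line):
    """Parse one log record; return None for comments, blank or malformed lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 17:
        return None
    try:
        return {
            "action": fields[2], "proto": fields[3],
            "src": fields[4], "dst": fields[5],
            "sport": int(fields[6]), "dport": int(fields[7]),
            "path": fields[16],
        }
    except ValueError:
        return None


def audit(lines, policy=SMB_POLICY):
    """Return a Finding for every allowed inbound SMB connection the policy forbids."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in SMB_PORTS:
            continue
        if rec["action"] != "ALLOW" or rec["path"] != "RECEIVE":
            continue  # dropped, or outbound from this host: not an exposure
        dst, src_text, port = rec["dst"], rec["src"], rec["dport"]
        if dst not in policy:
            findings.append(Finding(dst, src_text, port, "host not in SMB policy"))
            continue
        allowed = policy[dst]
        if not allowed:
            findings.append(Finding(dst, src_text, port, "legacy host must not accept inbound SMB"))
            continue
        src = ipaddress.ip_address(src_text)
        if not any(src in net for net in allowed):
            findings.append(Finding(dst, src_text, port, "source outside allowed networks"))
    return findings


# Constructed sample log: a LAN client, an Internet-facing source, a blocked probe,
# a legacy host accepting SMB, an outbound connection and an unlisted host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 13:05:02 ALLOW TCP 10.20.31.5 10.20.30.40 51234 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 13:05:07 ALLOW TCP 198.51.100.23 10.20.30.40 40112 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 13:05:09 DROP TCP 198.51.100.23 10.20.30.99 40113 139 0 - 0 0 0 - - - RECEIVE
2017-05-12 13:05:11 ALLOW TCP 10.20.31.5 10.20.30.99 51240 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 13:05:12 ALLOW TCP 10.20.30.40 10.20.30.7 51300 445 0 - 0 0 0 - - - SEND
2017-05-12 13:05:15 ALLOW TCP 10.20.31.5 10.20.30.77 51301 445 0 - 0 0 0 - - - RECEIVE
""".splitlines()


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.dst}:{f.port} <- {f.src}: {f.reason}")
```

Run against the real log (typically %systemroot%\system32\LogFiles\Firewall\pfirewall.log, with logging of allowed connections turned on) by reading the file's lines into `audit()`. Any finding against a legacy host means the isolation the article calls for has not actually been applied, whatever the intended design says; an unlisted host is a gap in the policy itself.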

Cyber security is not just about systems, it’s about process and understanding

Cyber security is not just about systems, it’s about process and understanding. This isn’t a case of data being lost; NHS backups will be in place. The problem is more one of restoring that data in a secure manner, protected from reinfection. That means isolating individual machines and restoring them manually, all things that take time and therefore cost money. A lot of money when the knock-on effect of departmental closures and rescheduling appointments is taken into consideration.

Proper risk management in the NHS has been exposed as severely lacking these last few days. That has to change. It’s all very well for government spokespeople to roll out the ‘NHS Information Governance Toolkit’ message, but that was, and remains, just a mishmash of legal requirements that doesn’t speak to the technical requirements needed. Direction is essential, and government is only providing soundbites.

That direction needs to come before the paperless NHS becomes a complete reality, or it will also be a completely insecure mess.