Updated 15 May: According to the Independent, one in five (20 percent) of NHS trusts, or ‘dozens’, have been hit by the WannaCry malware, with six still down 24 hours later. NHS is not citing numbers itself, but here is its updated bulletin, and if you are an NHS organization, yesterday’s guidance is a mandatory read. If you have been following this, over the weekend a British specialist known by the handle MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button designed into the malware, with the help of Proofpoint’s Darien Huss.
It looks as if the Pac-Man march is over. Over the weekend, a British specialist known as MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware, with the help of Proofpoint’s Darien Huss. It was a kill switch designed into the program: the malware checked whether that domain resolved before running, so registering it halted the spread. The Guardian tagged MalwareTech as a “22-year-old from southwest England who works for Kryptos Logic, an LA-based threat intelligence company.”
Political fallout: The Home Secretary Amber Rudd is being criticised for an apparent cluelessness and ‘wild complacency’ over cybersecurity. There are no reported statements from Health Secretary Jeremy Hunt. From the Independent: “Patrick French, a consultant physician and chairman of the Holborn and St Pancras Constituency Labour Party in London, tweeted: ‘Amber Rudd is wildly complacent and there’s silence from Jeremy Hunt. Perhaps an NHS with no money can’t prioritise cyber security!’” Pass the Panadol!
Previously: NHS Digital reported on its website (12 May) that 16 NHS organizations had been attacked by ransomware. Preliminary investigation indicates that it is Wanna Decryptor, a/k/a WannaCry. In its statement, ‘NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.’ Healthcare IT News
According to cybersecurity site Krebs on Security, “It remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so quickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft.” Reports from Spain’s national computer emergency response team (CCN-CERT) and Czech Republic-based Avast suggest that Wanna exploits the MS17-010 vulnerability in the Windows Server Message Block (SMB) service, which is why unpatched machines on the same network can be infected without any user clicking anything. Other UK and Spanish organizations in and out of healthcare are reporting attacks, with Telefónica urgently asking staff to shut down VPNs and computers to limit damage. According to Krebs, the ransom is $300 in bitcoin. For practical help, another option is to consult the BleepingComputer ransomware forum.
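Since the spread runs over the SMB service the MS17-010 bulletin patches, the first thing an administrator wants to know is whether a host still exposes SMBv1 and whether anything has been patched since March. The following PowerShell audit is an added example written for this post, not code from NHS Digital, Krebs or any vendor named above. It assumes an elevated session; `Get-SmbServerConfiguration` and `Get-NetTCPConnection` exist on Windows 8 / Server 2012 and later, and the `LanmanServer\Parameters\SMB1` registry value is the fallback for Windows 7 / Server 2008 R2. The specific KB numbers for MS17-010 vary by OS and are not reproduced here; compare the printed hotfix list against the bulletin for your version.

```powershell
# Added example (not from the original post): audit a Windows host for the SMBv1
# exposure WannaCry used, and provide a function to disable SMBv1 on the server side.
# Assumes an elevated PowerShell session.

function Get-Smb1Status {
    # Windows 8 / Server 2012 and later expose the setting through the SMB module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: the SMB1 DWORD under LanmanServer\Parameters.
    # If the value is absent, SMBv1 is enabled (the default).
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $true }
    return [bool]$p.SMB1
}

function Disable-Smb1Server {
    # Turn off the SMBv1 server protocol; older hosts need a restart for the registry change.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

# Report: SMBv1 state, whether TCP 445 (SMB) is listening, and hotfixes installed since
# Microsoft shipped MS17-010 in March 2017. Check the HotFixID column against the bulletin.
$smb1 = Get-Smb1Status
"SMBv1 server protocol enabled: $smb1"
$listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
"TCP 445 listening: $listening"
Get-HotFix |
    Where-Object { $_.InstalledOn -ge (Get-Date '2017-03-01') } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, InstalledOn -AutoSize

if ($smb1) {
    Write-Warning 'SMBv1 is enabled. After confirming nothing on this host depends on it, run Disable-Smb1Server.'
}
```

Disabling SMBv1 does not replace the patch: a host can be fully patched and still serve SMBv1 to legacy printers or scanners, and a host with SMBv1 off but no patch remains vulnerable to anything else MS17-010 covers. Do both, and use the port 445 check to confirm which machines actually listen on the network segment you are trying to contain.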
Updated 13 May: The Intercept tracks Wanna back to a hacker group dubbed the ‘Shadow Brokers’, which stole and then leaked NSA software tools code-named ‘EternalBlue’. While Microsoft released the patch in March, many computers may not have been updated. The infection moves on its own through networks, with no user action required. The ‘digital weapon’ has crippled tens of thousands of computers in 99 countries. Russia has reportedly led in the number of attacked computers, including the Russian Interior Ministry and its second largest mobile phone provider, Megafon. Spain’s Gas Natural, Portugal Telecom, the Deutsche Bahn long-distance rail system, a Swedish local authority and FedEx also reported system infections (Deutsche Bahn’s major disruptions pictured at left, courtesy Zero Hedge). The ransom escalates over time: $300, then after two hours to $400, $500 and then $600. BBC News, Wall Street Journal