Britain’s National Health Service is under sustained attack from years of under funding. Now, inaction by Theresa May’s Government of Chaos has seen the NHS come under further attack by a ransomware virus, so delaying treatment for thousands of patients. And now there is a warning that a second version of the ransomware is about to be launched. But the impact of these attacks could have been limited.
One day before the attack, Dr Krishna Chinthapalli warned in a British Medical Journal article that some hospitals “will almost certainly be shut down by ransomware this year”. And Britain’s spy agency GCHQ and its offshoot the National Cyber Security Centre would also have been aware of the dangers.
British journalists should be asking if GCHQ knew of the vulnerability being used to attack NHS but kept it secret so they could use it.
— WikiLeaks (@wikileaks) May 12, 2017
How the attack unfolded
The ransomware used in Friday’s attack on the NHS and other targets around the world is known variously as Wanna, WannaCry, or Wcry. It is estimated that the malware has seen 200,000 victims in at least 150 countries. Those behind the attack demand a ransom of $300 to $600 in Bitcoin, to be paid by 15 May.
It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!
There are many reasons why the NHS was targeted. The main one is that the NHS still runs thousands of computers on Windows XP. Indeed, as many as 90% of NHS Trusts rely on Windows XP. But the government was warned of the potential risks of using outdated IT systems as far back as 2015.
Immediately after the attack, the Victoria Hospital in Blackpool requested that patients seek treatment only for life-threatening emergencies. And Barts Health Hospital in London redirected ambulances to other facilities. Close to 50 NHS Trust hospitals were infected.
How a system is infected
Targets are sent an encrypted, compressed file that once loaded allows the ransomware to infiltrate its targets. The malware then scans TCP port 445 (Server Message Block/SMB) before spreading to a worm, so compromising hosts and encrypting files stored on them. It then demands a ransom payment by Bitcoin.
Here is a step-by-step analysis:
- An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked.
- Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet.
- When the malware successfully connects to a machine, a connection is initiated and data is transferred.
- The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc.
- The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.
- While the files are being encrypted, the malware creates a new file directory ‘Tor/’ into which it drops tor.exe and nine dll files used by tor.exe.
- Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @[email protected] to display the ransom note on the desktop to the end user.
- The @[email protected] is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.
- The tor.exe file is executed by @[email protected] This newly executed process initiates network connections to Tor nodes. This allows WannaCry to attempt to preserve anonymity by proxying their traffic through the Tor network.
What should NHS Trusts do?
In the short term, it is recommended that:
- They ensure that devices running Windows are fully patched and deployed in accordance with best practice.
- SMB ports (139, 445) should be immediately blocked from externally accessible hosts.
- They block connections to TOR nodes and TOR traffic on the network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices.
WannaCry’s spy agency origins
WannaCry makes use of Doublepulsar, which is a persistent backdoor used to execute code on previously compromised systems. The backdoor is installed following successful exploitation of SMB vulnerabilities, as part of Microsoft Security Bulletin MS17-010.
WannaCry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. It was one of several exploits published in the most recent Shadow Brokers release. The WannaCry developers combined Eternalblue with a self-replicating payload that allows the ransomware to spread from machine to machine, without requiring operators to open emails, click on links, or take any other action.
After the attack, Microsoft announced it was:
taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack.
Britain’s National Cyber Security Centre (part of GCHQ) has also published instructions to businesses and homes on how to deal with the ransomware threat. Kaspersky Labs has also issued advice on how to avoid infection. And Hacker News lists basic security practices (section 7) everyone should follow.
Meanwhile, former NHS manager Jan Filochowski commented:
To give the NHS the modern IT system it so desperately needs would cost hundreds of millions, and probably billions, and it would take years to do, given the complexity involved.
Indeed, massive investment will be needed to improve IT systems across the entire NHS. Further delays will only put more patients’ lives at risk.
– Ensure a government that will fully fund the NHS against such attacks is in power.
– Register to vote in the 8 June general election.
– Discuss the key policy issues with family members, colleagues and neighbours. And organise! Join (and participate in the activities of) a union, an activist group, and/or a political party.
– Also read more Canary articles on the 2017 general election.
Featured image via screengrab on Avast
Do your bit for independent journalism
Did you know that less than 1.5% of our readers contribute financially to The Canary? Imagine what we could do if just a few more people joined our movement to achieve a shared vision of a free and fair society where we nurture people and planet.
We need you to help out, if you can.
When you give a monthly amount to fund our work, you are supporting truly independent journalism. We hold power to account and have weathered many attempts to shut us down and silence the counterpoint to the mainstream.
You can count on us for rigorous journalism and fearless opposition to an increasingly fascist government and right wing mainstream media.
In return you get:
- Advert free reading experience
- Behind the scenes monthly e-newsletter
- 20% discount from our shop