• Disrupting Power Since 2015
  • Donate
  • Login
Monday, May 12, 2025
  • Login
  • Register
Canary
MEDIA THAT DISRUPTS
  • News
    • UK
    • Global
    • Analysis
    • Trending
  • Editorial
  • Features
    • Features
    • Environment
    • Lifestyle
    • Health
    • Money
    • Science
    • Business
    • Tech
    • Travel
    • Sport & Gaming
  • Media
    • Video
    • Cartoons
  • Opinion
No Result
View All Result
MANAGE SUBSCRIPTION
SUPPORT
  • News
    • UK
    • Global
    • Analysis
    • Trending
  • Editorial
  • Features
    • Features
    • Environment
    • Lifestyle
    • Health
    • Money
    • Science
    • Business
    • Tech
    • Travel
    • Sport & Gaming
  • Media
    • Video
    • Cartoons
  • Opinion
No Result
View All Result
Canary
No Result
View All Result

Theresa May’s Government of Chaos holds the nation’s health to ransom; it makes you wanna cry

Tom Coburg by Tom Coburg
16 August 2017
in Health, Other News & Features, Science, UK
Reading Time: 7 mins read
169 3
A A
0
Home Other News & Features Health
320
SHARES
2.5k
VIEWS
Share on FacebookShare on Twitter

Britain’s National Health Service is under sustained attack from years of under funding. Now, inaction by Theresa May’s Government of Chaos has seen the NHS come under further attack by a ransomware virus, so delaying treatment for thousands of patients. And now there is a warning that a second version of the ransomware is about to be launched. But the impact of these attacks could have been limited.

One day before the attack, Dr Krishna Chinthapalli warned in a British Medical Journal article that some hospitals “will almost certainly be shut down by ransomware this year”. And Britain’s spy agency GCHQ and its offshoot the National Cyber Security Centre would also have been aware of the dangers.

British journalists should be asking if GCHQ knew of the vulnerability being used to attack NHS but kept it secret so they could use it.

— WikiLeaks (@wikileaks) May 12, 2017

But no one wants to take the rap. And perhaps the intelligence agencies spend too much of their resources spying on the UK population.

How the attack unfolded

The ransomware used in Friday’s attack on the NHS and other targets around the world is known variously as Wanna, WannaCry, or Wcry. It is estimated that the malware has seen 200,000 victims in at least 150 countries. Those behind the attack demand a ransom of $300 to $600 in Bitcoin, to be paid by 15 May.

But the ransomware was halted after a researcher took control of a domain name that was hard-coded into the self-replicating exploit. However, MalwareTech has warned:

It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!

NHS infection

There are many reasons why the NHS was targeted. The main one is that the NHS still runs thousands of computers on Windows XP. Indeed, as many as 90% of NHS Trusts rely on Windows XP. But the government was warned of the potential risks of using outdated IT systems as far back as 2015.

Immediately after the attack, the Victoria Hospital in Blackpool requested that patients seek treatment only for life-threatening emergencies. And Barts Health Hospital in London redirected ambulances to other facilities. Close to 50 NHS Trust hospitals were infected.

How a system is infected

Targets are sent an encrypted, compressed file that once loaded allows the ransomware to infiltrate its targets. The malware then scans TCP port 445 (Server Message Block/SMB) before spreading to a worm, so compromising hosts and encrypting files stored on them. It then demands a ransom payment by Bitcoin.

Here is a step-by-step analysis:

  1. An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked.
  2. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet.
  3. When the malware successfully connects to a machine, a connection is initiated and data is transferred.
  4. The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc.
  5. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.
  6. While the files are being encrypted, the malware creates a new file directory ‘Tor/’ into which it drops tor.exe and nine dll files used by tor.exe.
  7. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @[email protected] to display the ransom note on the desktop to the end user.
  8. The @[email protected] is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.
  9. The tor.exe file is executed by @[email protected]. This newly executed process initiates network connections to Tor nodes. This allows WannaCry to attempt to preserve anonymity by proxying their traffic through the Tor network.

What should NHS Trusts do?

In the short term, it is recommended that:

  1. They ensure that devices running Windows are fully patched and deployed in accordance with best practice.
  2. SMB ports (139, 445) should be immediately blocked from externally accessible hosts.
  3. They block connections to TOR nodes and TOR traffic on the network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices.

Further advice from Microsoft on MS17-010 can be found here. Advice also available from NHS Digital.

WannaCry’s spy agency origins

WannaCry makes use of Doublepulsar, which is a persistent backdoor used to execute code on previously compromised systems. The backdoor is installed following successful exploitation of SMB vulnerabilities, as part of Microsoft Security Bulletin MS17-010.

WannaCry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. It was one of several exploits published in the most recent Shadow Brokers release. The WannaCry developers combined Eternalblue with a self-replicating payload that allows the ransomware to spread from machine to machine, without requiring operators to open emails, click on links, or take any other action.

Next steps?

After the attack, Microsoft announced it was:

taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack.

Microsoft is recommending downloading the emergency patches.

Britain’s National Cyber Security Centre (part of GCHQ) has also published instructions to businesses and homes on how to deal with the ransomware threat. Kaspersky Labs has also issued advice on how to avoid infection. And Hacker News lists basic security practices (section 7) everyone should follow.

Meanwhile, former NHS manager Jan Filochowski commented:

To give the NHS the modern IT system it so desperately needs would cost hundreds of millions, and probably billions, and it would take years to do, given the complexity involved.

Indeed, massive investment will be needed to improve IT systems across the entire NHS. Further delays will only put more patients’ lives at risk.

Get Involved!

– Ensure a government that will fully fund the NHS against such attacks is in power.

– Register to vote in the 8 June general election.

– Discuss the key policy issues with family members, colleagues and neighbours. And organise! Join (and participate in the activities of) a union, an activist group, and/or a political party.

– Also read more Canary articles on the 2017 general election.

Featured image via screengrab on Avast

Share128Tweet80
Previous Post

The Scottish Tory leader has made an epic balls up in just 23 words [TWEETS]

Next Post

These canaries in the coal mine are being punished for telling the truth

Next Post
These canaries in the coal mine are being punished for telling the truth

These canaries in the coal mine are being punished for telling the truth

Theresa May is offering a new contract to UK workers, but there’s a bombshell buried in the small print [IMAGES]

Theresa May is offering a new contract to UK workers, but there's a bombshell buried in the small print [IMAGES]

Theresa May finally met a real voter and it didn’t go at all well

Theresa May finally met a real voter and it didn’t go at all well

Theresa May ITV Live Lie

Facebook had a nasty surprise for Theresa May when she decided to lie repeatedly live on air [VIDEO]

Theresa May thinks she’s got rid of millions of voters. But there’s a week to send her a massive fuck you

Theresa May thinks she’s got rid of millions of voters. But there’s a week to send her a massive fuck you

Recovery in the Sun: How the Canary Islands are Becoming a Wellness Tourism Hub
Lifestyle

Recovery in the Sun: How the Canary Islands are Becoming a Wellness Tourism Hub

by Nathan Spears
12 May 2025
Steel companies ArcelorMittal and Ternium continue to run roughshod over Global South communities
News

Steel companies ArcelorMittal and Ternium continue to ride roughshod over Global South communities

by The Canary
12 May 2025
Jenu Kuruba families begin their long-awaited re-occupation of their ancestral homes inside the Nagarhole National Park. They carried photos of loved ones who had died after the village was evicted, so they too can return to the forest.
Analysis

An Indigenous community in India just faced down 130 police to return to their ancestral lands

by The Canary
12 May 2025
Nigel Farage waving Reform
Analysis

Reform’s new ‘manifesto’ is just catnip for the fat cats

by The Canary
12 May 2025
UN experts say Israel has 'criminal responsibility' for 'genocidal conduct'
Analysis

UN experts have now accused Israel of ‘genocidal conduct’ in Gaza

by Maryam Jameela
12 May 2025
  • Contact
  • About & FAQ
  • Get our Daily News Email
  • Privacy Policy
  • Cookie Policy

The Canary
PO Box 71199
LONDON
SE20 9EX

Canary Media Ltd – registered in England. Company registration number 09788095.

For guest posting, contact [email protected]

For other enquiries, contact: [email protected]

The Canary is owned and run by independent journalists and volunteers, NOT offshore billionaires.

You can write for us, or support us by making a regular or one-off donation.

© Canary Media Ltd 2024, all rights reserved | Website by Monster | Hosted by Krystal | Privacy Settings

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • News
    • UK
    • Global
    • Analysis
    • Trending
  • Editorial
  • Features
    • Features
    • Environment
    • Lifestyle
    • Health
    • Money
    • Science
    • Business
    • Tech
    • Travel
    • Sport & Gaming
  • Media
    • Video
    • Cartoons
  • Opinion

© 2023 Canary - Worker's co-op.

Before you go, have you seen...?

Lifestyle
Nathan Spears

Recovery in the Sun: How the Canary Islands are Becoming a Wellness Tourism Hub

Steel companies ArcelorMittal and Ternium continue to run roughshod over Global South communities
News
The Canary

Steel companies ArcelorMittal and Ternium continue to ride roughshod over Global South communities

Jenu Kuruba families begin their long-awaited re-occupation of their ancestral homes inside the Nagarhole National Park. They carried photos of loved ones who had died after the village was evicted, so they too can return to the forest.
Analysis
The Canary

An Indigenous community in India just faced down 130 police to return to their ancestral lands

Nigel Farage waving Reform
Analysis
The Canary

Reform’s new ‘manifesto’ is just catnip for the fat cats

ADVERTISEMENT
Lifestyle
Nathan Spears

Recovery in the Sun: How the Canary Islands are Becoming a Wellness Tourism Hub

Lifestyle
Nathan Spears

Why More People Are Seeking Legal Advice When Separating

Travel
Nathan Spears

Hungary Vignette Adventures: Discovering Hidden Gems by Car