Britain’s National Health Service is under sustained attack from years of underfunding. Now, inaction by Theresa May’s Government of Chaos has seen the NHS come under further attack by a ransomware virus, so delaying treatment for thousands of patients. And now there is a warning that a second version of the ransomware is about to be launched. But the impact of these attacks could have been limited.
One day before the attack, Dr Krishna Chinthapalli warned in a British Medical Journal article that some hospitals “will almost certainly be shut down by ransomware this year”. And Britain’s spy agency GCHQ and its offshoot the National Cyber Security Centre would also have been aware of the dangers.
British journalists should be asking if GCHQ knew of the vulnerability being used to attack NHS but kept it secret so they could use it.
— WikiLeaks (@wikileaks) May 12, 2017
How the attack unfolded
The ransomware used in Friday’s attack on the NHS and other targets around the world is known variously as Wanna, WannaCry, or Wcry. It is estimated that the malware has seen 200,000 victims in at least 150 countries. Those behind the attack demand a ransom of $300 to $600 in Bitcoin, to be paid by 15 May.
It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!
There are many reasons why the NHS was targeted. The main one is that the NHS still runs thousands of computers on Windows XP. Indeed, as many as 90% of NHS Trusts rely on Windows XP. But the government was warned of the potential risks of using outdated IT systems as far back as 2015.
Immediately after the attack, the Victoria Hospital in Blackpool requested that patients seek treatment only for life-threatening emergencies. And Barts Health Hospital in London redirected ambulances to other facilities. Close to 50 NHS Trust hospitals were infected.
How a system is infected
Targets are sent an encrypted, compressed file that, once loaded, allows the ransomware to infiltrate the machine. The malware then scans for hosts listening on TCP port 445 (Server Message Block/SMB) and spreads as a worm, compromising those hosts and encrypting the files stored on them. It then demands a ransom payment in Bitcoin.
Here is a step-by-step analysis:
- An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked.
- Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet.
- When the malware successfully connects to a machine, a connection is initiated and data is transferred.
- The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc.
- The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.
- While the files are being encrypted, the malware creates a new file directory ‘Tor/’ into which it drops tor.exe and nine dll files used by tor.exe.
- Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @WanaDecryptor@.exe to display the ransom note on the desktop to the end user.
- The @WanaDecryptor@.exe file is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.
- The tor.exe file is executed by @WanaDecryptor@.exe. This newly executed process initiates network connections to Tor nodes. This allows WannaCry to attempt to preserve anonymity by proxying its traffic through the Tor network.
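The behaviours listed above (the mssecsvc2.0 service, the dropped executables, the Tor/ directory and the fan-out of connection attempts to port 445 across the local subnet) are all things a defender can look for in endpoint telemetry. The following is an added example, not code from the original article or from any vendor: it runs simple detection logic over a handful of constructed Sysmon-style events. The event layout (one dict per record with host, event type and a few fields) and the fan-out threshold are assumptions standing in for whatever a real EDR or SIEM exports.

```python
"""Detection logic for the WannaCry host behaviours described in the article,
run over constructed sample telemetry. Added example; the event format and the
FANOUT_THRESHOLD value are assumptions, not any product's real schema."""
from collections import defaultdict
import ipaddress

# Indicators taken from the article's step-by-step analysis.
SUSPECT_SERVICE = "mssecsvc2.0"
SUSPECT_FILES = {"mssecsvc.exe", "tasksche.exe", "taskdl.exe", "taskse.exe", "tor.exe"}
SMB_PORT = 445
FANOUT_THRESHOLD = 20  # distinct same-subnet peers on 445 before we call it worm scanning

# Constructed sample telemetry (not real logs). One host shows the full
# infection chain; a second host shows ordinary file-server traffic.
SAMPLE_EVENTS = [
    {"host": "ward-pc-07", "event": "service_create", "name": "mssecsvc2.0",
     "image": "C:\\Windows\\mssecsvc.exe"},
    {"host": "ward-pc-07", "event": "process_create", "image": "C:\\Windows\\tasksche.exe"},
    {"host": "ward-pc-07", "event": "file_create", "path": "C:\\Windows\\Tor\\tor.exe"},
    # 25 connection attempts to port 445 across the host's own /24
    *[{"host": "ward-pc-07", "event": "net_connect", "src": "10.20.30.7",
       "dst": f"10.20.30.{i}", "dport": 445} for i in range(10, 35)],
    # benign: one workstation talking to one file server
    {"host": "admin-pc-02", "event": "net_connect", "src": "10.20.30.50",
     "dst": "10.20.30.5", "dport": 445},
    {"host": "admin-pc-02", "event": "process_create",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]


def analyse(events, subnet_prefix=24, fanout_threshold=FANOUT_THRESHOLD):
    """Return {host: [finding, ...]} for hosts showing the described behaviours."""
    findings = defaultdict(list)
    smb_peers = defaultdict(set)  # host -> distinct same-subnet targets on 445
    for ev in events:
        host, kind = ev["host"], ev["event"]
        if kind == "service_create" and ev.get("name", "").lower() == SUSPECT_SERVICE:
            findings[host].append(f"service {SUSPECT_SERVICE} created")
        elif kind in ("process_create", "file_create"):
            # Take the basename of the image/path, Windows or POSIX separators.
            raw = ev.get("image", ev.get("path", "")).replace("/", "\\")
            name = raw.rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_FILES:
                findings[host].append(f"dropped/executed {name}")
        elif kind == "net_connect" and ev.get("dport") == SMB_PORT:
            src = ipaddress.ip_address(ev["src"])
            dst = ipaddress.ip_address(ev["dst"])
            local_net = ipaddress.ip_network(f"{src}/{subnet_prefix}", strict=False)
            if dst in local_net and dst != src:
                smb_peers[host].add(dst)
    # A single host reaching many neighbours on 445 is the worm-spread signature.
    for host, peers in smb_peers.items():
        if len(peers) >= fanout_threshold:
            findings[host].append(
                f"SMB fan-out to {len(peers)} same-subnet hosts on port 445")
    return dict(findings)


if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_EVENTS).items():
        print(host)
        for hit in hits:
            print("  -", hit)
```

The file-name and service-name matches are cheap but brittle (a renamed dropper evades them); the port-445 fan-out rule is the durable signal, because any SMB worm has to touch many neighbours in a short time, which is why it is kept separate from the indicator matches rather than folded into them.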
What should NHS Trusts do?
In the short term, it is recommended that:
- They ensure that devices running Windows are fully patched and deployed in accordance with best practice.
- SMB ports (139, 445) should be immediately blocked from externally accessible hosts.
- They block connections to TOR nodes and TOR traffic on the network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices.
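The second recommendation above, blocking SMB from externally reachable hosts, is easy to get wrong by rule ordering. What follows is an added example, not the article's or any firewall vendor's code: a small first-match rule evaluator with a constructed weak policy beside a corrected one, and a check that asks whether any internal host is still reachable on 139 or 445 from an outside address. The rule tuple format and the address ranges are assumptions; 203.0.113.0/24 is a documentation range used here to stand in for "the Internet".

```python
"""Audit a simplified perimeter rule set for externally reachable SMB.
Added example; the rule format is an assumption, not any product's syntax."""
import ipaddress

SMB_PORTS = {139, 445}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule sets, evaluated first-match like most firewalls.
# Each rule: (action, src_cidr, dst_cidr, dst_port or "any")
WEAK_POLICY = [
    ("allow", "0.0.0.0/0", "10.20.0.0/16", "any"),   # "let everything reach the trust network"
]
HARDENED_POLICY = [
    ("allow", "10.0.0.0/8", "10.20.0.0/16", "any"),  # internal hosts still need file servers
    ("deny", "0.0.0.0/0", "0.0.0.0/0", 139),         # no SMB from anywhere else
    ("deny", "0.0.0.0/0", "0.0.0.0/0", 445),
    ("allow", "0.0.0.0/0", "10.20.0.0/16", 443),     # public web front end
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),       # explicit default drop
]


def decide(policy, src, dst, port):
    """First matching rule wins; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in policy:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (rule_port == "any" or rule_port == port)):
            return action
    return "deny"


def smb_exposures(policy, internal_hosts, probe_src="203.0.113.9"):
    """Return [(host, port)] for internal hosts an external source can reach on SMB."""
    assert not any(ipaddress.ip_address(probe_src) in n for n in RFC1918), \
        "probe address must be external"
    return [(h, p) for h in internal_hosts for p in sorted(SMB_PORTS)
            if decide(policy, probe_src, h, p) == "allow"]


if __name__ == "__main__":
    hosts = ["10.20.30.5", "10.20.30.7"]
    print("weak policy exposes:", smb_exposures(WEAK_POLICY, hosts))
    print("hardened policy exposes:", smb_exposures(HARDENED_POLICY, hosts))
    print("internal SMB under hardened policy:",
          decide(HARDENED_POLICY, "10.20.30.7", "10.20.30.5", 445))
```

The internal allow sits above the two SMB denies on purpose: put the denies first and they match internal sources too, which breaks the file servers the trust actually depends on and invites someone to "fix" it by removing the denies altogether.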
WannaCry’s spy agency origins
WannaCry makes use of Doublepulsar, a persistent backdoor used to execute code on previously compromised systems. The backdoor is installed following successful exploitation of the SMB vulnerabilities patched in Microsoft Security Bulletin MS17-010.
WannaCry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. It was one of several exploits published in the most recent Shadow Brokers release. The WannaCry developers combined Eternalblue with a self-replicating payload that allows the ransomware to spread from machine to machine, without requiring operators to open emails, click on links, or take any other action.
After the attack, Microsoft announced it was:
taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack.
Britain’s National Cyber Security Centre (part of GCHQ) has also published instructions to businesses and homes on how to deal with the ransomware threat. Kaspersky Labs has also issued advice on how to avoid infection. And Hacker News lists basic security practices (section 7) everyone should follow.
Meanwhile, former NHS manager Jan Filochowski commented:
To give the NHS the modern IT system it so desperately needs would cost hundreds of millions, and probably billions, and it would take years to do, given the complexity involved.
Indeed, massive investment will be needed to improve IT systems across the entire NHS. Further delays will only put more patients’ lives at risk.
– Ensure a government that will fully fund the NHS against such attacks is in power.
– Register to vote in the 8 June general election.
– Discuss the key policy issues with family members, colleagues and neighbours. And organise! Join (and participate in the activities of) a union, an activist group, and/or a political party.