UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

UK hospitals have effectively shut down and are turning away non-emergency patients after ransomware ransacked their networks. Some 16 NHS organizations across Blighty – including several hospital trusts such as NHS Mid-Essex CCG and East and North Hertfordshire – have had their files scrambled by a variant of the WannaCrypt, …

Silver badge

Re: It doesn't have to be connected to t'internet

I take it that you've either been on a different planet or asleep under a rock whilst the variety of USB VID/PID control products hit the market then?

It's trivially simple to control USB device insertion to only approved device types / types & serial numbers and/or to specific users

3
1
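As an added example (not the commenter's code, nor any vendor's product), this is the kind of check those VID/PID control products perform: enumerate the USB devices currently present, parse the vendor ID, product ID and serial out of each device's instance ID, and compare them with an allow-list. It assumes Windows 8 or later for the Get-PnpDevice / Disable-PnpDevice cmdlets; the allow-list entries are constructed placeholders, not real approved devices.

```powershell
# Added example (not from the comment thread): audit connected USB devices against a
# VID/PID/serial allow-list, the same identifiers commercial "USB control" products key on.
# Assumptions: Windows 8 or later (Get-PnpDevice / Disable-PnpDevice); run elevated if the
# -Enforce switch is to actually disable unapproved devices. The allow-list entries below
# are constructed placeholders, not real approved devices.

$Approved = @(
    # VID/PID only: any serial of this model is accepted
    [pscustomobject]@{ VID = '0781'; PID = '5581'; Serial = $null }
    # VID/PID plus serial: exactly one physical device is accepted
    [pscustomobject]@{ VID = '0951'; PID = '1666'; Serial = '0019E06B6E5F' }
)

# USB instance IDs look like USB\VID_XXXX&PID_XXXX[&MI_XX]\<serial-or-generated-instance>.
# A serial is vendor-assigned; Windows substitutes an '&'-containing number when the device has none.
$UsbIdPattern = '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]*)?\\([^\\]+)$'

function Get-UsbDeviceIdentity {
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -match $UsbIdPattern } |
        ForEach-Object {
            $null = $_.InstanceId -match $UsbIdPattern
            [pscustomobject]@{
                Name       = $_.FriendlyName
                InstanceId = $_.InstanceId
                VID        = $Matches[1]
                PID        = $Matches[2]
                Serial     = $Matches[3]
                HasSerial  = ($Matches[3] -notmatch '&')
            }
        }
}

function Test-UsbDeviceApproved {
    param([Parameter(Mandatory)] $Device)
    foreach ($entry in $Approved) {
        if ($entry.VID -ne $Device.VID -or $entry.PID -ne $Device.PID) { continue }
        if ($null -eq $entry.Serial) { return $true }                       # model-level approval
        if ($Device.HasSerial -and $entry.Serial -eq $Device.Serial) { return $true }
    }
    return $false
}

function Invoke-UsbAllowListAudit {
    param([switch] $Enforce)
    foreach ($dev in Get-UsbDeviceIdentity) {
        $ok = Test-UsbDeviceApproved -Device $dev
        $dev | Add-Member -NotePropertyName Approved -NotePropertyValue $ok -PassThru
        if (-not $ok -and $Enforce) {
            # Disabling leaves the device enumerated but non-functional, which is the
            # behaviour wanted for a detected-but-unapproved stick.
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Continue
        }
    }
}

# Report first; add -Enforce only once the allow-list has been validated against real inventory.
Invoke-UsbAllowListAudit | Format-Table Name, VID, PID, Serial, Approved -AutoSize
```

Serial-level matching only works for devices that actually carry a vendor serial; models without one get a Windows-generated instance number, so for those only a model-level (VID/PID) entry can ever match.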

Re: It doesn't have to be connected to t'internet

One of the simplest things to do on machines is to disable autoruns on all drives, a primary access method for malware. Teach users to delete any emails that they don't recognise, disable script and stick to plain text emails only.

The stupidity and cluelessness of this amazes me. All critical infrastructure should be on private networks with no direct access to the internet. Where access is needed, it should be via a single point, with firewalls and mail and attachment scanners that actually work. Those responsible for all this must be asleep at the wheel, unbelievable...

1
1
Silver badge

Re: It doesn't have to be connected to t'internet

@Tridac - "Teach users to delete any emails that they don't recognise"

So do you open the email with the subject, "Please change my appointment"? Anyone whose job is to interact with the public can be targeted by a suitable email. Sure, dumping any email client with scripting support is good (if you disable it, do you trust that the next update doesn't turn it back on silently, for whatever reason), but how do you force the public to only send plain text?

5
0

Re: It doesn't have to be connected to t'internet

Opening an email doesn't run anything if scripting is disabled and if you click on an attachment without being sure who it's from then it's your own fault :-). For infrastructure and large organisations, secure setup can be handled via initial machine provisioning and automated, with application software settings locked down. The OS config should be bare bones, with all but needed services disabled by default. Perimeter firewalls should have all but needed ports blocked by default, ideally with separate hardware firewalls between each internal subnet. Wouldn't surprise me to hear that they have SMB shares across the global internet with no VPN, but that's a worst case scenario.

Even Win XP is fine in a properly configured and protected environment, but the whole system must be configured to design out the vulnerabilities. Assume that any network can be broken, given enough resources. Think systems engineering...

0
1
WTF?

"The wards in Colchester General have free WiFi."

And? Nearly all hospitals have patient wi-fi, either free (such as at St. Thomas') or paid (such as at King's College Hospital), but unless the IT staff are not just clueless but total freakin' idiots (read: none of them), the patient wi-fi doesn't come anywhere near being connected to the hospital's wireless network(s).

0
0
Anonymous Coward

That doesn't make any sense.

0
0

Appears to just be a very good (at spreading) ransomware, not a particularly dedicated attack.

6
0
Silver badge
Childcatcher

@tin 2

I just saw such dramatics on the beeb news intro... It's an all out attack on the NHS! Hospitals shutting down sending patients home...

How is some user clicking on an attachment in such an environment an attack? Attacked! I say! Targeted with surgical precision, just like the systems they were running...

2
1
TRT
Silver badge

It's using an exploit leaked by the CIA whistleblower. Cheers, pal.

Very effective against NHS systems because they've left older SMB protocol versions running in order to service XP-based clients, and there's a lot of digital real-estate not updated to 7 or above, for very good reasons.

So, this highlights the danger of running un-supported Operating Systems, does it? Perhaps it highlights the disadvantage of continuously changing operating systems in this rapid release format that Microsoft have switched to. Will there be a version of Windows 10 in, say, 10 years time that is deemed 'unsupported'? We heard a while back that Windows 10 was the last version of Windows you'll ever get, because they're ditching that idea of releasing versions. Yet within 2 years we are onto 'Creators edition', potentially back to how it was. Good or bad? We've yet to see.

Will this be a lesson for developers to produce something that is "buy once"?

4
1
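The older SMB protocol version left running for XP clients is SMBv1, and that is what this worm's exploit needs on the target. As an added example (not the commenter's code and not anything the NHS or Microsoft published on this page), the script below reports whether SMBv1 is still enabled on a Windows host, disables it, and blocks inbound TCP 445 on Public-profile networks as the kind of port blocking the earlier comment about firewalls describes. It assumes Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets, falling back to the registry value Microsoft documents for Windows 7 / Server 2008 R2; which legacy clients still genuinely need SMBv1 is assumed to have been inventoried beforehand.

```powershell
# Added example (not from the comment thread): audit and remediate SMBv1 on a Windows host.
# Run in an elevated PowerShell session. Assumptions: Windows 8.1 / Server 2012 R2 or later
# for the Smb* cmdlets and the optional-feature path; Windows 7 / Server 2008 R2 fall back to
# the LanmanServer\Parameters\SMB1 registry value. Legacy clients that genuinely still need
# SMBv1 must be inventoried before this is run fleet-wide.

$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg     = Get-SmbServerConfiguration
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Smb1Server   = $cfg.EnableSMB1Protocol
            Smb1Feature  = if ($feature) { [string]$feature.State } else { 'n/a' }
            Smb2Server   = $cfg.EnableSMB2Protocol
        }
    } else {
        # Pre-Windows 8: absence of the SMB1 value means the protocol is enabled (the default).
        $v = (Get-ItemProperty -Path $LanmanServer -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Smb1Server   = ($null -eq $v -or $v -ne 0)
            Smb1Feature  = 'n/a'
            Smb2Server   = $true
        }
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Server side first: TCP 445 with SMBv1 negotiated is what the worm's exploit reaches.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the component entirely (client side included); takes effect after a reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    } else {
        Set-ItemProperty -Path $LanmanServer -Name SMB1 -Value 0 -Type DWord -Force
    }
}

function Block-SmbOnPublicNetworks {
    # Defence in depth: nothing on a Public-profile network should reach 445 whatever the SMB version.
    # Widen -Profile only after confirming the host does not serve files on that profile.
    $ruleName = 'Block inbound SMB 445 (Public)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

$before = Get-Smb1Status
$before | Format-List
if ($before.Smb1Server) {
    Disable-Smb1
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) { Block-SmbOnPublicNetworks }
    Get-Smb1Status | Format-List
}
```

Run the status function on its own across the estate first: the report tells you how many hosts still negotiate SMBv1 and therefore how many XP-era dependencies the remediation will break.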
Silver badge

"How is some user clicking on an attachment in such an environment an attack?"

Well, it's obviously an attack. Just because the defence wasn't great (assuming that) doesn't mean it isn't an attack.

0
0
Anonymous Coward

I was just about to post that it was to do with Telefonica, a friend in IT at NHS said that it's initially been spread from Telefonica who provide networking over the N3 connections the hospitals use.

I hope they put more effort into tracking and prosecuting the people behind these things as hitting hospitals, if anyone dies, it's manslaughter in my eyes!

15
0

Manslaughter? If someone dies it should be first degree.

6
1

This is the UK. We don't have the construct of first degree murder. I feel it might be quite challenging to prove that $whatever was released specifically to kill, which is what you'd need for a pre-meditated murder conviction (UK's equivalent of first degree) but causing death by being a silly bugger (AKA manslaughter) would be more likely to succeed.

Nope, I'm not a lawyer nor do I work for the police. I just work in IT so take an interest for...ummm...idle curiosity. Yes, that's it. Definitely that.

Rosie

25
0
Silver badge

First degree?

So the only way to get decent qualifications these days is to kill people for them?

3
0
Silver badge

I would imagine they would go for Terrorism, with Computer Misuse Act and Blackmail charges as an alternative lesser charge.

4
0
Silver badge

It'll be The Computer Misuse Act 1990, Section 3ZA - 'Unauthorised acts causing, or creating risk of, serious damage.'

Punishments are up to 14 years in prison, or a fine, or both. Offenders can be sentenced to life imprisonment where their actions endanger human welfare or national security.

But first you have to catch the buggers.

3
0

you forgot the catchall "Money Laundering" as they are asking for Bitcoin.

0
0
Silver badge

"This is the UK. We don't have the construct of first degree murder. I feel it might be quite challenging to prove that $whatever was released specifically to kill, which is what you'd need for a pre-meditated murder conviction (UK's equivalent of first degree) but causing death by being a silly bugger (AKA manslaughter) would be more likely to succeed."

Don't need the whole murder, manslaughter thing. If anyone gets caught for this, it's committing a terrorist act they'll be done for. Attacking national infrastructure tends to get treated in that way.

1
0
Anonymous Coward

Notwithstanding ..

that is behooved of internal and external IT providers to have effective measures against such attacks - at what point does the government get off its collective hairy arse and decide to send SF to kill or castrate the perpetrators? This is costing money better spent on bullets - we are too nice for our own good.

4
3

Who would have thought that NHS systems would have been vulnerable to a ransomware attack?

How's that XP migration project going by the way?

53
1
Silver badge

That's the migration project from Win2k, I assume?

8
0
Silver badge
Windows

Yes, they are migrating from Win2K TO Windows XP :)

4
0
Bronze badge

This week's Windows vulnerability affects ALL versions of Windows. Let's not pretend something newer would have been immune. It might have been safer, but by how much? Windows is still horrendously insecure ... Also the screenshot clearly shows Windows 7... Nothing to do with XP or Win2k..

The widespread nature suggests worm and self replication and self execution..

3
2
Anonymous Coward

I believe the way this works is that it will turn out to be the fault of one of the many private companies being paid huge amounts of money by the NHS, and the consequence will be that the NHS will take the blame & pay any legal liabilities (using our money) while there will be no comeback against the private company which will however have its NHS contract(s) extended.

37
2

Come on GCHQ, this is your time to shine. Get in there and sort this out.

25
0
Anonymous Coward

> Come on GCHQ, this is your time to shine. Get in there and sort this out.

Preferably with cricket bats.

17
0
Silver badge

Oh they already played a blinder there!

https://mobile.twitter.com/GazTheJourno/status/863039598984908800

They removed their tweet shortly after the news broke...

4
0
MJI
Silver badge

Sod cricket bats

Send the SAS.

With cricket bats!

6
0
Silver badge

Let me guess...

"Come on GCHQ, this is your time to shine"

Every year:

GCHQ: They're going to get pwned unless you fix this list of things *unrolls*

HEALTH MINISTER: That looks expensive, and will cause disruption that will make me look bad because nobody can see the benefit. They'll be fine! You'll just pull out a magic wand and fix it. I won't blame you if you can't, I promise!

GCHQ: *sigh*

17
0
Silver badge

Re: Sod cricket bats

Send them where? Crapita, Fujitsu, Cap Gemini?

3
0

"> Come on GCHQ, this is your time to shine. Get in there and sort this out.

Preferably with cricket bats."

Preferably with one of the green-coloured units that have a dotted sideways line to you on the org chart.

1
0
Anonymous Coward

Be careful what you wish for...

https://pbs.twimg.com/media/C_XQpj0XcAEg7Hu.jpg

https://pbs.twimg.com/media/C_XP1MqXsAENwH3.jpg

#Deadbeats

0
3
Anonymous Coward

Damn right, it's high time that only GCHQ be allowed to install malware on her majesty's subjects' computers.

Oh, wait...

0
0

Having been a supplier to the NHS in the past, the reason none of us greedy bastard, no good, only out for ourselves, shoddy outfits provide the right high quality solution is this:

NHS: Can I have a good thing to update / fix / provide (delete as needed) this service

Supplier: We would recommend X which costs £Y

NHS: We can't afford Y because we are not able to negotiate the budget we need to update / fix / provide (delete as needed). What can you do for £Z?

Supplier: How about this 2003 PC running XP?

10
0
N2
Pint

Come on GCHQ, this is your time to shine

- Get in there and sort this out.

That made me smile, pint cos it's Friday, just

1
0

Sorry but GCHQ aren't going to reveal they've got working probes into the blockchain that reveal where the ransom recipients are.

1
1
Anonymous Coward

Preferably with cricket bats..

How did you know we go to Lords for the annual GCHQ day out?

1
0
MJI
Silver badge

GCHQ Cricket Bats

Used to know people who worked there.

A very competent group.

0
0
MJI
Silver badge

Just SAS them then.

0
0

Here is a screenshot of the claimed ransomware: https://twitter.com/LawrenceDunhill/status/863032679595421696/photo/1

Looking up that bitcoin address it appears that someone has paid the ransom 0.15 BTC ($267, a bit short of the $300 requested).

0
0

that discrepancy could easily be down to volatile intra-day exchange rates, which BTC certainly has.

0
0
Anonymous Coward

Is it possible to blacklist bitcoin addresses or is this a "sub-address" not traceable to wherever the money is accumulating?

There will always be a crook to ignore a blacklist but if it's possible, why make it easy for anyone?

1
1

Another wallet address shown in a screenshot on BBC News was also paid, 0.16321544 BTC to https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

0
0
Anonymous Coward

> Is it possible to blacklist bitcoin addresses or is this a "sub-address" not traceable to wherever the money is accumulating?

I'm sure the authorities will be extremely interested in any transactions that subsequently move the bitcoins onwards from that address. If whoever does so isn't behind 7 proxies, or knows what a mixing service is, they'll discover how unanonymous bitcoin is.

1
0
Anonymous Coward

they'll discover how unanonymous bitcoin is.

This is where we discover just how competent (or not) GCHQ is.

6
0
Holmes

Not just the NHS

Looks like some of the biggest companies in Spain have been hit too with the same bug

1
0
Anonymous Coward

Merseyside NHS

merseycare.nhs.uk has Server Error in '/' Application.

Exception Details: System.ComponentModel.Win32Exception: The network path was not found.

then a screen full of sql exceptions.

0
0
Unhappy

My heart goes out to the IT grunts dealing with this on a Friday

28
0
Bronze badge

Yep, and me. I'm on call this weekend and we run some services over the N3 network.. here's to hoping our firewalls and patching are up to date.

3
0
Silver badge

I'm on call too. But we have Sophos Intercept X. I'm tempted to fire up a quarantined VM and try running the ransomware.

2
0
