NHS Digital stopped short of advising against paying off WannaCrypt

NHS Digital stopped short of advising health organisations in England not to cough up for the WannaCrypt ransom attack because it couldn't be certain that all hospitals had backed up patient records. Dan Taylor, head of security at NHS Digital, told thousands of NHS organisations everything about the attack – except explicitly …

  1. Pete 2 Silver badge

    Survival of the fittest

    > organisations within the NHS that were running unpatched versions of Windows XP but did not get a single infection because their machines were safe behind their network

    Overall it seems that about 20% of NHS Trusts were affected by this attack. It would seem reasonable that those were the ones with the least well run IT systems. While there would be some "good" trusts in that number that were just unlucky - and some badly managed ones that lucked-through, generally poor security is a sign of bad management.

    So while there will undoubtedly be platitudes and "lessons have been learned" press releases, there will just as certainly be more attacks in the future and more badly run trusts will find their systems get breached again.

    The only real solution would be to have an outside body review the incidents and decide which ones were due to bad luck and which (i.e. the rest) were due to incompetence. And then to take severe action - given the number of guidelines, warnings, alerts and processes that are supposed to stop this sort of thing happening in the first place. Severe action, that recognises those incompetent trusts simply don't have a senior management: both IT and general management, that is up to the job of running their IT systems.

    1. Anonymous Coward

      Re: Survival of the fittest

      Get someone external to review and all you get is recommended commercial products to keep existing stuff up and running.

      What you need is peer-review, get "good trusts/boards" to review ones not up to scratch and make real recommendations to bolster defense whilst removing aging kit and software.

      People keep bringing up XP - the problem was actually Windows 7 not being patched in most places, usually due to a combination of late 2016 decision by MS to roll up updates into monthly sets, which makes it hard to apply when you need to test them and secondly due to aging clinical systems which may still work OK with XP but still haven't been updated to run on Windows 7 - and I hate to point it out but in many cases that's a decision outside of IT's hands. IT cannot say to clinicians "replace your system or we'll cut you off" that's simply not going to work.

      1. Sir Sham Cad

        Re: clinical systems which may still work OK with XP

        And not just Clinical Systems. Also systems which broke once these patches had been applied, mostly because of lazy suppliers not updating their product because they don't have to because their customers aren't patching because the suppliers aren't updating their product so the customers don't patch so...

        Then, when you patch and things break: You (IT) need to roll back the patch! You (IT) broke it so you fix it!

      2. Pete 2 Silver badge

        Re: Survival of the fittest

        > What you need is peer-review, get "good trusts/boards" to review ones not up to scratch and make real recommendations to bolster defense whilst removing aging kit and software.

        Actually what I had in mind was a review board that didn't so much look at the technical aspects, but at the trusts' management competence to manage. The "severe" measures would be to decide which senior managers should be held personally responsible (for failing to keep their systems secure, for failing to abide by all the advisories, policies, warnings and instructions) and summarily dismissed for gross incompetence.

        For that, a peer-review would not work as it's all a bit of a "boys club" (and girls, too). This would need outside, independent, counsel that might even decide there was scope for criminal prosecution. That would shake up the dumb fat and happy senior management. Especially if their pensions were forfeit!

        Harsh? Yes! but that is nature's way.

    2. John Brown (no body) Silver badge

      Re: Survival of the fittest

      "lessons have been learned" press releases

      Lessons ARE learned every time, but the people who learn them move on before the learned lessons are implemented into ongoing processes and procedures. So they have to be learned all over again the next time.

      This is a systems failure across most organisations and businesses, quite possibly caused by budgetary constraints on the relevant departments for whatever reasons, eg government austerity savings or commercial profit margins. If the cost of an economy size box of elastoplasts is less than proper medical treatment, then guess which gets chosen by the bean counters (who will be long gone when it all goes septic)

    3. IanTP

      Re: Survival of the fittest

      And let's not forget it was central government decision NOT to pay Microsoft for extended support on those XP machines, which would have probably protected them.

      1. jrd

        Re: Survival of the fittest

        It seems plenty of Windows 7 machines were affected because they hadn't been patched. This suggests that having the XP patches available would not necessarily have helped much.

        If an organization has poor security practices and unreliable backups, it's going to be vulnerable no matter what.

      2. Anonymous Coward

        Re: Survival of the fittest

        Central government paid for one extra year support and made it clear to the NHS Trusts that they needed to sort things out ... at the end of the year they told the Trusts that if they still needed patch support for MS then they could pay for it from their budgets. I suspect the problem with big public sector organisations like the NHS is that if someone else (i.e. central government) pays for something then there's no incentive for anyone to sort things out for themselves because they know that at the end of the day everyone will say "it's our wonderful NHS ... give them as much money as they can spend".

        In any case, it seems that XP wasn't actually affected and it was failure to roll out Windows 7 patches that caused the problems.

    4. Anonymous Coward

      Re: Survival of the fittest

      Bedroom experts everywhere, on here, and in the NHS it seems.

      Ultimately, Dan Taylor, head of security at NHS Digital, is responsible, slow deployment of updates to Windows 7 machines was the cause here, not a few XP machines. Slow deployment of updates, that's because they don't trust Microsoft to test them properly I guess.

      However some possible fubar systems because of poor Microsoft QA, is that worse than having all your systems vulnerable to whatever Windows nasties there are this week?

      Sounds like it's time to ditch Windows. Munich had the right idea, until the brown envelopes started arriving in the mail.

  2. This post has been deleted by its author

    1. Alister

      Re: Virtualisation Of OS

      You can implement any version of OS as a guest, on say a Linux base build, take an image regularly, only operate the PC using the guest OS, such that any issues means that you can immediately restore good known image.

      Any zero day, or unpatched exploit should be less of an issue as you just restore the good known image. So any old OS can be supported indefinitely, running the proprietary software.

      The problem may be that whilst you can emulate software in a virtual environment, it is not so easy to emulate custom hardware in a VM. This is not the case for all of NHS's problems by any means, but may be a reason for sticking with real hardware in some cases.

    2. Doctor Syntax Silver badge

      Re: Virtualisation Of OS

      The problem isn't so much restoring a known good image as restoring data. In any case there'd be no point in restoring an OS image while a worm was working its way round the network as it would promptly get reinfected.

    3. Anonymous Coward

      Re: Virtualisation Of OS

      Wouldn't work, remote sites, lack of storage and linux frankly isn't even supported by most clinical system developers, we're talking years for them to even start supporting it. Less of a problem as we move to browser based systems, but still years.

      Bottom line is that this attack would have been avoided through proper patch management and/or stronger perimeter controls and monitoring. Throwing money sorting end points - money which arguably has already been thrown and somehow ended up elsewhere won't help.

    4. Just Enough

      Re: Virtualisation Of OS

      "I have not been in the support environment for many years, but will virtualisation of the target OS be of benefit here ?."

      Not at all. If the NHS had the money to run computers that can host VMs, and the staff to support two operating systems to do the job of one, then they wouldn't be running ancient Win XP boxes to begin with. Would they?

      Having your data stored remotely also does not prevent an infected client computer encrypting/infecting the remote data. And what happens if the hosting OS gets an infection?

      And if you are constantly just restoring unpatched VM images then you are not solving the problem. All you are doing is ensuring that you'll be back tomorrow fixing a repeat infection in a constant round of whack-a-mole.

      1. Anonymous Coward

        Re: they wouldn't be running ancient Win XP boxes to begin with.

        No downvote, but a second to the comment above about virtualisation not always being possible due to attached hardware.

        In one job I had, there was a virtualisation drive that virtualised everything except one, Win2000 PC. It was needed to manage a piece of hardware (a telemetry relay) that was no longer supported (as the vendor had gone bust). The hardware itself was available, and supported, but the required drivers were 2000 only.

        Given the amount of proprietary kit you can see in a 5 minute walk around the front of your local hospital (plus God only knows what they have out back) I would guess a lot of XPness is because of similar issues.

        And that's *before* we consider how many suppliers think moving from XP->Win7 is a reason to charge the cost price all over again.

      2. John Brown (no body) Silver badge

        Re: Virtualisation Of OS

        "restoring unpatched VM images"

        Even the most underfunded or incompetent admin is unlikely to keep restoring the same unpatched image, especially once the infection vector is known.

        1. This post has been deleted by its author

    5. DMSlicer

      Re: Virtualisation Of OS

      > I have not been in the support environment for many years, but will virtualisation of the target OS be of benefit here ?

      Actually it might, for a reason that might not be readily apparent:

      A lot of modern nastyware will try and detect if it's running in a Virtual Environment and either alter its behaviour or terminate itself entirely. The idea behind this is to stop itself from being detected by sacrificial "honeypot" VMs used by Security Researchers. As a byproduct to this, production virtual servers can actually be slightly safer than non-virtual: they can still get infected, but often the payload actually refuses to run.

      As an aside: I actually work in the NHS in an IT Support capacity, albeit not on Mainland Britain. Our trust didn't get infected by WCry for several reasons, but the attack has provoked a bit of a shakeup upstairs and a fresh round of "Potential Scenario Planning", so there may be some good that comes out of all this. (Most of the machinery out in the Hospitals works off relatively-uninfectable firmware, so one ideal would be to have a redundant network backbone using both Windows and Linux-based OSs so that any Malicious infection could only ever take out one set of servers... but (at least for now) that still remains a pipedream...) :/

  3. Doctor Syntax Silver badge

    "you will need to make a risk-based decision of whether to pay or not."

    As a matter of interest do we know if any of those who did pay actually got their data back?

    1. Lee D Silver badge

      Unlikely, given that nobody has spent the Bitcoin ransoms that were collected.

      Yeah, that "anonymous" network? You can trace every payment from every wallet out to every endpoint, by just visiting one of the thousands of blockchain info websites.

      Sure, if you break it down into enough pieces and "launder" it through enough genuine transactions, people will lose track. But at the moment, a lot of money is sitting in a BitCoin account that nobody has dared touch.

      Because the second you touch it, every Bitcoin exchange is going to be tracking it and refusing to deal with its products, most likely.

      And if you're not being paid, or being paid a pittance (nothing compared to 20 years in the slammer, for instance), or being paid into an account you daren't touch.... why would you send out anything so incriminating as a release code?

      1. gnasher729 Silver badge

        It's also been said that the software used had no ability to distinguish _who_ had paid. So even if you paid, the bastards at best knew that a payment was made, but not by whom.

  4. hplasm
    Thumb Down

    Anyone-

    Who starts off with "We support organisations in cyber..."

    Is certainly worth listening to.

    1. 0laf
      Facepalm

      Re: Anyone-

      That's the language demanded by the politicians and the decision makers. If you don't mention 'cyber', if you happen to talk about its older wiser less exciting brother 'Information Security', you just get ignored.

      So we all sound like fuds talking cyber this and cyber that and secretly hating ourselves for doing it.

      1. EnviableOne

        Re: Anyone-

        Thumbs up for that!

        Say Cyber Security and everyone pays attention - say Information Security and they all fall asleep.

        Boards tend to speak buzzwords and are more likely to fund a cyber security initiative

      2. This post has been deleted by its author

      3. Anonymous Coward

        Re: Anyone-

        "if you happen to talk about its older wiser less exciting brother 'Information Security', you just get ignored"

        Indeed. It's no use talking to "policymakers" and "stakeholders" in proper English - they need to be talked to in infant-IT and words of less than 3 syllables.

        "So we all sound like fuds talking cyber this and cyber that and secretly hating ourselves for doing it."

        Speak for yourself matey. The only time the word "cyber" crosses my lips is in connection to the word "punk".

        1. This post has been deleted by its author

      4. 404

        Re: Anyone-

        Infosec sounds much sexier than 'Information Security'... try it.

        I feel that anyone using the word 'cyber', needs a bicycle helmet for safety's sake, water wings, and receive an instant 75% discount on the veracity of any subject they expound on (maxing the bullshit meter...).

        1. Anonymous Coward Silver badge
          Trollface

          Re: Anyone-

          Personally I'd go with "Cyber cloud AI BI devops", just to be sure.

  5. Anonymous Coward

    Actually...

    The headline isn't strictly true, they did warn against paying the ransom, advising that, even if you paid, there's no guarantee you'll get your files back.

    They didn't actually explicitly say not to, though.

  6. Yet Another Anonymous coward Silver badge

    we can't mandate what organisations do

    The government can't mandate what organisations do with citizens' medical information?

    They can't mandate paying/not paying a ransom to potentially terrorists/banned nation's security services?

    Then why do we have a government dept ?

    1. Dan 55 Silver badge

      Re: we can't mandate what organisations do

      Something's wrong with a government if it can mandate backdoors in all large messaging services giving itself the right to snoop on practically everybody, but can't mandate best practice in IT for the NHS.

      1. tedleaf

        Re: we can't mandate what organisations do

        You're expecting real joined up government thinking and practice and the same from the gits who really matter, the moronic "civil servants"?

        You want miracles...

  7. Anonymous Coward

    Cyberfraudsters cyberattacking our cybersystems ohno

    "We support organisations in cyber"

    Wot.

  8. adam payne

    "NHS Digital stopped short of advising health organisations in England not to cough up for the WannaCrypt ransom attack because it couldn't be certain that all hospitals had backed up patient records."

    If you can't be certain that the hospitals have backed up patient records then alarm bells should be ringing here.

    "They are all individual businesses and if I am being honest there may be some organisations that have corrupted backups... or don't have backups."

    It is completely unacceptable for any organisation to not have backups.

    "He said: "Actually it wasn't the worst thing that could have happened to us... the lessons learned from it will make us better in the future."

    Lessons keep being taught but never learned it seems.

    There certainly needs to be an investigation by an external company to find out how it happened and depending on the findings severe action needs to be taken.

  9. Anonymous Coward

    However, a total of

    "However, a total of just $120,055 (£92,442) $50,000 (£38,000) was paid on 25th of May"

    go google 'actual ransom' on twitter.

    1. EnviableOne

      Re: However, a total of

      and all three Bitcoin wallets are being watched, so they can't access any of it without fear of being caught, so effectively they made nothing
