
WanaCryptOr 2.0 Ransomware and the NHS attack

Ransomware continues to escalate globally, targeting essential services. The NHS attack has been particularly devastating for the UK, knocking out patient records and leaving hospitals at its mercy, forcing a diversion of patients and ambulance routes across the UK. With hospitals unable to access patient records and essential data, patients are being turned away on a large scale. Hospitals have become an increasingly large target in recent times due to the large number of vulnerable systems in these institutions. They also pay the ransom, as in the case of Hollywood Presbyterian Medical Center last year.

What is particularly interesting about this attack is that it exploited a vulnerability that was discovered and developed by the National Security Agency and recently leaked by a group called the Shadow Brokers. They leaked a number of important techniques and methods used by the NSA to take over or eavesdrop on a computer or mobile device. The weaker security protocols and systems in place at many of these hospitals allowed the ransomware to spread quickly, in this case via an encrypted email attachment.

How does it actually work?

Once the ransomware has been installed on a computer, it executes on the local machine and then contacts a third-party server to download other payloads (applications) and activate the application. It then starts encrypting all the files on your drive. After it has completed, it will pop up a paywall requesting payment to have your files decrypted. If you don’t pay the ransom, the files can be deleted by the hackers.

WanaCryptOr 2.0

The NHS attack has been particularly severe and rapid: it took only 4 hours to spread to the NHS after originally infecting systems at Telefonica in Spain. The ransomware itself is known as WanaCryptOr 2.0 and is a variant of WeCry, which was discovered in February 2017 and infects any Windows-based operating system (no known Mac variants have been found yet). It appears from several reports that the initial infection came via email and that the software then spread through the internal NHS network using SMB shared drives across the organization. Microsoft has been aware of the vulnerability since March of 2017 and has posted a security update to address it.
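One way a defender could spot the internal SMB spread described above in network flow logs, as an added example that is not from the original post: it flags any internal host that contacts many distinct internal hosts on TCP/445 (SMB) within a short window. The log format, sample records, threshold and window are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records (not real data): ISO time, source, destination, dest port
SAMPLE_FLOWS = """
2017-05-12T10:00:00 10.0.1.20 10.0.1.5 445
2017-05-12T10:00:05 10.0.1.20 10.0.1.5 445
2017-05-12T10:00:10 10.0.1.77 10.0.2.1 445
2017-05-12T10:00:11 10.0.1.77 10.0.2.2 445
2017-05-12T10:00:12 10.0.1.77 10.0.2.3 445
2017-05-12T10:00:12 10.0.1.77 10.0.9.9 443
2017-05-12T10:00:13 10.0.1.77 10.0.2.4 445
2017-05-12T10:00:14 10.0.1.77 10.0.2.5 445
2017-05-12T10:00:20 10.0.1.30 10.0.3.1 445
2017-05-12T10:05:20 10.0.1.30 10.0.3.2 445
2017-05-12T10:10:20 10.0.1.30 10.0.3.3 445
2017-05-12T10:15:20 10.0.1.30 10.0.3.4 445
2017-05-12T10:20:20 10.0.1.30 10.0.3.5 445
""".strip().splitlines()

# Assumption: "internal" means the RFC 1918 private ranges
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def smb_fanout(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each internal source to the peak number of distinct internal hosts
    it contacted on TCP/445 within `window`; keep sources at or above threshold."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    peak = defaultdict(int)
    # ISO timestamps sort lexicographically, so sorting the fields orders by time
    records = sorted(f for f in (l.split() for l in lines) if len(f) == 4)
    for ts, src, dst, port in records:
        if port != "445" or not (is_internal(src) and is_internal(dst)):
            continue
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, dst))
        while now - q[0][0] > window:  # drop contacts older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(smb_fanout(SAMPLE_FLOWS))
```

A client that repeatedly talks to one file server, or that reaches several servers over many minutes, stays below the threshold; only the host that sweeps five peers in a few seconds is reported.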

Early indicators seem to point to the attack originating in China, but more evidence is needed.

We have confirmed that this ransomware has affected Windows computers on shared networks in at least 74 countries worldwide, with 57,000 reported individual cases being affected as of May 12, 11:55am US Pacific Time.

Can BlackFog Help?

BlackFog has been designed to target a range of ransomware just like this and to prevent its activation and spread across your internal network by blocking outbound traffic to foreign networks and through execution prevention on your local machine. We will continue to update the details of this attack as the facts become clear.

The post WanaCryptOr 2.0 Ransomware and the NHS attack appeared first on BlackFog.



This post first appeared on Cyber Privacy.
