Extensive Ransomware Cyberattack Reported on 16 Healthcare Institutions

May 12, 2017

There has been an extensive cyberattack today aimed towards Britain’s National Health Service, in which websites of 16 health institutions were targeted concurrently by cyber criminals. As a result, doctors were blocked from accessing patient files, causing hospitals to "divert ambulances and cancel appointments".

Unlike DDoS attacks, a ransomware attack encrypts all the data on the affected computers and blocks users from accessing any files unless a ransom is paid.  

Unfortunately, the healthcare industry is heavily targeted by cyber criminals due to the treasure trove of identity-related patient data.

It is suspected that the attack against NHS systems is known as WanaCryptor, a variant of WannaCry. In fact, more than 45,000 attacks in over 74 countries have been credited to the WanaCryptor ransomware, with Russia, Ukraine, and Taiwan as the most targeted countries.  US-CERT reports that the WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware.

Here are some additional tips on how best to mitigate the risk associated with ransomware to protect your organization:

1. Train your staff on how to spot potential cyber threats, especially considering ransomware is often spread through online phishing campaigns. 
2. Have a strong risk management protocol in place in case of infection.
3. Ensure that all data is backed up at regular intervals and is kept off the internal network.
4. Check to see if there is a decryption key to the ransomware variant affecting your network computers.
5. Ensure that all software applications are patched regularly — 44% of attacks are often due to unpatched code that’s 2-4 years old.
6. Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
7. Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
8. Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.

Herjavec Group highly advises against paying the ransom if a ransomware attack occurs, a recommendation supported by the FBI. In fact, last year, the FBI published a PSA on how to deal with ransomware infections, with information on what to report to law enforcement as well as outlining preventative measures enterprises can use. 

To request more information about our Cybersecurity Product and Service Offerings, including Remediation and Incident Response, please connect with a security specialist here.