Did unpatched Microsoft exploit lead to massive NHS ransomware attack?

Security reseller claims initial theories show hackers used a vulnerability that Microsoft fixed with a patch in March - but that the NHS may not have finished updating its systems

An unpatched vulnerability in the NHS's systems, one that Microsoft released a patch for in March, may have been used to launch today's nationwide ransomware attack, a security VAR has told CRN.

The NHS confirmed this afternoon that 16 of its organisations had been hit by a ransomware attack, after numerous trusts had confirmed they were experiencing "significant problems" with IT and telephone networks. One suspected hospital worker shared an image of what appears to be a ransom demand.

The screenshot, posted on Twitter, shows a message stating "oops, your files have been encrypted" and demands a payment of $300 in bitcoins.

It also claims that the ransom will be increased in three days, before the machine is wiped clean in seven days.

The attackers claim they "guarantee" that all data will be restored safely if the ransom is paid.

Speaking to CRN, David Lannin, director of technology at security VAR Sapphire, said initial indications are that hackers exploited a vulnerability that Microsoft released a patch for in March.

"I've been speaking to some of our team back in the office and they've heard it's something called the Wanna Decryptor which is yet another variant of ransomware out there," he said.

"There are a couple of things that we advise customers if they want to protect themselves against ransomware - the obvious one is backups so you can restore your data - but obviously patching is really important, but the problem with the way that this particular exploit got into the system, as we understand it, is through something that Microsoft patched recently - on 16 March.

"You can imagine that an organisation like the NHS would take potentially weeks and weeks to update their systems to protect against this vulnerability.

"It's not going to happen overnight and indeed an organisation like the NHS is going to be running systems that are out of date and may not even be able to be patched."

Since CRN spoke to Lannin, the NHS has confirmed the attack to be the Wanna Decryptor variant of ransomware.

CRN contacted the NHS Digital press office, which said there would be no further comment beyond the press release on its website.

The release confirms that, as of 3.30pm today, 16 NHS organisations had been hit by a ransomware attack.

The statement said: "A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack.

"The investigation is at an early stage but we believe the malware variant is Wanna Decryptor.

"This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

"At this stage we do not have any evidence that patient data has been accessed.

"NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.

"Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available."

Research conducted by CRN earlier this year found that the NHS is running more machines on the 16-year-old Windows XP than on the two newest Windows variants, Windows 8 and Windows 10, combined. Microsoft ended support for Windows XP in 2014.

In a recent CRN article Ignition's Paul Risk demonstrated how a person with little or no technical ability could create a piece of ransomware in under an hour that could completely encrypt a computer.