NHS Cyberattack: An Expert View on How, Why & What Next


Whilst there is no evidence that any Daisy customers were affected by the WannaCry cyberattack, our IT and security teams are taking several steps to provide the best possible protection.

A huge server patching operation is now underway, which will update and improve security for all of our customers and end users.

Nick Burrows, Security Practice Director at Daisy Group reflects on last week’s attack. 

It was quite a day last Friday.

Sixteen NHS trusts in the UK, and countless other organisations (including Telefonica) from at least 100 other countries saw their volumes encrypted before being offered the option to pay $300 in bitcoins for the safe return of data.

Beyond the cost (whether the ransom is paid or remediation teams bought in to sort things out) many of the affected hospitals were forced to shut down completely, placing the welfare of thousands of patients at risk.

Unfortunately, this was the worst-case scenario we encourage our customers to plan for, but make no mistake, this wasn’t a coordinated attack designed to simply upset the health of us Brits.

The perpetrators want to make money. They don’t care about the ethical questions.

Ransomware depends on people clicking on stuff in emails, or on websites.

And that is why large organisations, with thousands of users in each domain, are so attractive to the ransomware data-hijackers.

So just what has happened?

Firstly – if you don’t have a reasonable working knowledge of ransomware, welcome back from wherever you have been for the last two years.

Ransomware is the one security vendors were waiting for: where, rather than being stolen, organisational data is locked away and rendered inaccessible until someone pays for it to be released. The attackers don’t end up with a shed-load of data they have to sell on. Instead, they rely on making $300 a time from users and organisations desperate to get their stuff back because they don’t hold good backups.

In last Friday’s case, WannaCry, (which also goes by the name of WanaCrypt0r 2.0 and Wcry) appears to be a pretty everyday piece of ransomware. It certainly doesn’t do much more than CryptoLocker or Locky ever did.

But what seems to have caught everyone out was the way it spread.

The vehicle facilitating that was an exploit of Windows SMBv1 vulnerability patched on 14 March this year. If left un-patched, this allows remote code execution on Microsoft Server Message Block 1.0 (SMBv1) servers via an exploit named ‘EternalBlue’.

Further insight here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Unfortunately, three things are obvious – firstly not enough people are on top of their patch management.

Secondly, users still exhibit extreme promiscuity when it comes to clicking links in emails.

Finally, whatever defences most organisations have don’t do much in the way of stopping lateral movement inside the network.

So the response is easy then?

Find a sacrificial lamb; have a meeting about patch management; drop in a ‘Zero Trust’ solution; train everyone (again); and get back on top of things.

Well, not really.

You see it is easy to sit and judge from our ivory towers about what should have been done. There were plenty of vendor postings in the hours after the attack claiming: ‘We would have stopped that’.

When you have a technology to sell that you believe stops all known nastiness, it is easy to lose sight of the fact that the ‘EternalBlue’ exploit that allowed the infection to spread so successfully isn’t the result of a spotty script-kiddy in his mum’s basement getting lucky.

It is actually part of a suite of exploits leaked from the NSA which were ‘made available’ via an outfit calling themselves Shadowbrokers.

So, not only are you trying to patch Microsoft servers in a timely fashion AND win the hearts and minds of Human 1.0 when it comes to not clicking everything in an email that makes the cursor turn to a pointy finger, but you are also up against an exploit that the NSA developed…..great!

Now, I just had a pop at the vendor ‘I told you so’ mentality, but to be fair they have been banging the drum about stopping precisely this type of threat (both the ransomware and the delivery exploit) for a while.

Clearly, investment in next-generation ‘this and that’ isn’t always forthcoming (although it might be now so I’d recommend booking a meeting with the CFO), but the last few years have seen development of easy-to-use technologies that can actually stop this stuff, so was last Friday such a mind-blowing success for the bad guys?

I think the problem has been two-fold – firstly many people have been riding the crest of the ‘it hasn’t happened yet’ wave, so investing in an insurance policy loses out to other more exciting IT projects.

Secondly, there is scepticism in the face of any vendor telling a UK hospital that it should be looking at security in the same way the boffins at the Pentagon do.

I get it. I share the same loathing of American PowerPoint marketing tripe that tells me the Chinese are coming to steal my data, but what is unfolding now is indicative of the type of risks increasingly faced by everyone – NSA weapon-grade exploits being used in a cheap-shot ransomware campaign.

The good news is that all organisations now have the ability to cost-effectively bolster their defences to the point where things like this either won’t happen or, if it does, the impact can be dramatically reduced.

If you haven’t already, now is the time to talk with your provider about how. Alternatively just call us, at Daisy.

It might seem like the horse has bolted, but you could also check out a blog I wrote ages ago on stopping ransomware, which still holds and can be found here: