Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Communications Medicine Security United Kingdom IT Technology

Cyberattack Hits England's National Health Service With Ransom Demands (theguardian.com) 202

Hospitals across England have been hit by a large-scale cyber-attack, the NHS has confirmed, which has locked staff out of their computers and forced many trusts to divert emergency patients. The IT systems of NHS sites across the country appear to have been simultaneously hit, with a pop-up message demanding a ransom in exchange for access to the PCs. NHS Digital said it was aware of the problem and would release more details soon. Details of patient records and appointment schedules, as well as internal phone lines and emails, have all been rendered inaccessible. From a report: "The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this. NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations. "This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors. "Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available." NPR adds: The problem erupted around 12:30 p.m. local time, the IT worker says, with a number of email servers crashing. Other services soon went down -- and then, the unidentified NHS worker says, "A bitcoin virus pop-up message had been introduced on to the network asking users to pay $300 to be able to access their PCs. You cannot get past this screen." The attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors, it appears. The report adds: Images that were posted online of the NHS pop-up look nearly identical to pop-up ransomware windows that hit Spain's Telefonica, a powerful attack that forced the large telecom to order employees to disconnect their computers from its network -- resorting to an intercom system to relay messages. Telefonica, Spain's largest ISP, has told its employees to shut down their computers.

Update
: BBC is reporting that similar attacks are being reported in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan today.
This discussion has been archived. No new comments can be posted.

Cyberattack Hits England's National Health Service With Ransom Demands

Comments Filter:
  • General VLAN... (Score:5, Interesting)

    by __aaclcg7560 ( 824291 ) on Friday May 12, 2017 @11:06AM (#54406137)
    Sounds like the General VLAN got hit. Critical medical systems should be on a separate and restricted VLAN. I'm a bit surprised that VOIP phones weren't isolated from this.
    • Re:General VLAN... (Score:4, Interesting)

      by Major Blud ( 789630 ) on Friday May 12, 2017 @11:15AM (#54406199) Homepage

      Sounds like the General VLAN got hit. Critical medical systems should be on a separate and restricted VLAN. I'm a bit surprised that VOIP phones weren't isolated from this.

      I don't know how things are in the U.K., but I spent a few years working in hospital IT in the U.S. The phones used in patient rooms had to be discarded after ever discharge because of fears of contamination, meaning that it was incredibly expensive to have a rotation of phones coming and going. This made it difficult to transition away from the old analog phone system that was in use.

      I didn't get involved with the telephony side of things, so I'm not sure if this entire process was logical or not. I'm not sure how difficult it is to disinfect a phone.

      • The phones used in patient rooms had to be discarded after ever discharge because of fears of contamination, meaning that it was incredibly expensive to have a rotation of phones coming and going. This made it difficult to transition away from the old analog phone system that was in use.

        Interesting. The few hospitals I've worked in for IT Support had VOIP phones that most workstations plugged into. We discarded old keyboards like the plague since studies have shown that they are dirtier than toilets and a hospital environment was probably a lot worse.

        • Yes you're correct, they had VOIP for IT and admin staff, it was only patient rooms that still had analog.

          • [...] it was only patient rooms that still had analog.

            My employment contracts prohibited me from being in an occupied patient room, which had the mobile workstations that connected to the wireless network. Never paid attention to the phones inside the patient rooms. I don't know if they were analog or VOIP.

      • Umm, why not wrap in disposable plastic bags? Then, once in awhile place old phones in a cabinet lit with UV lighting for 24 hours?

        • You'd have to disassemble the handset so that the UV light could access the microphone and internals, on what could potentially be hundreds of phones in a day.

        • why not give the patient some disposable headphones with a mic, airlines can get them cheaply enough.
        • Re:General VLAN... (Score:4, Interesting)

          by Farmer Tim ( 530755 ) <`roundfile' `at' `mindless.com'> on Friday May 12, 2017 @01:25PM (#54406907) Journal

          I asked a similar question when my dad was in hospital being treated for an MRSA infection from a previous hospital stay. The answer is a typical telephone has speaker and mic holes, seams and moldings in the case, cutouts around the buttons (if it doesn't use membrane switches, though I haven't seen one like that for years)...lots of places for germs to hide where UV light can't get to them. Wiping down with alcohol isn't effective either.

          Plastic bags muffle sound, add handling noise and make dialling and using the phone in general more difficult. It's a reasonable assumption that a patient is in hospital because they're already impaired in some way (or may be impaired by sedatives, pain killers, etc), so if the phone is more difficult to use than normal it may defeat the purpose of having it there at all.

          And ultimately, they can buy basic handsets in bulk for ~$8 each, which works out cheaper than trying to keep them sterile. It also eliminates the risk of human error such as being incorrectly tagged and accidentally cycled back into use without being sterilized first, and that's a big enough problem with surgical instruments which can easily be autoclaved (many cheaper instruments like scalpels and scissors are also single use these days for the same reason).

      • by Stoertebeker ( 1005619 ) on Friday May 12, 2017 @12:33PM (#54406621)

        Isn't that what telephone sanitizers are there for? Maybe we shouldn't have put them all on the first ark?

      • by gweihir ( 88907 )

        Sounds like somebody got himself some steady business bu shady means. Decontaminating phones is not more difficult than doing it for beds, toilets, door-handles, etc. This procedure does not make any medical sense.

    • Even smaller shops tend to have the VoIP stuff on a separate VLAN, just for QoS purposes, to ensure that a doctor calling in a prescription for Prozium or Joy will not get dropped.

      It would be interesting to see how this attack happened. A misconfigured AD forest could have allowed for brute-forcing a DA/EA account. Especially if there is no protection against brute force [1]. A lack of physical security could have allowed someone to boot a DC and crack an admin account.

      In any case, why wasn't AppLocker r

      • Looks to be a ransomware attack based on an update of the classic wcry ransomware, which makes use of the doublepulsar exploit which was patched in the March Microsoft patch deployment.

        Doublepulsar allows remote code execution on windows servers. This allows the ransomware to encrypt entire servers without the need for brute forcing an admin account.
      • Prescriptions get sent to the pharmacy in text/xml format, not by a voice call.

    • Doesn't matter. Can you go forward with a treatment if you're uncertain if the treatment is safe, if the patient is in dire need, and so forth? The patient needs anesthesia; are they going to die like Monty Oum if you use one anesthetic rather than another?

      Everything in a hospital is critical.

    • by gweihir ( 88907 )

      While I agree with you, the reality is that IT security in the medical area sucks even worse than in other fields. That is the only reason they were hit so badly. As law enforcement seems to be completely useless with regards to this threat, it becomes more and more urgent to remove IT security from the back-burner and recognize it as a mission-critical thing that in addition is difficult to get right.

      Caveat: I do earn my living mostly with IT security these days.

  • "Ransomware demanded"???

    So wait. They've demanded that 16 hospitals to give them ransomware?

    Isn't the correct business model to give the hospitals the ransomware instead, and then demand ransom?

    Is this an altruistic cyberattack? The hospitals give them the ransomware, which they install, and then they give the hospitals money so that the hospitals will send the the unlock code, and they can then move onto the next hospital?

    I mean, as an approach to medical billing, it's kind of .. disruptive, but...

    • I am saddened to see my comment market "troll".

      Other than a comment, there is no alternate channel with which to communicate errors in headlines or story summaries. The comment gets made, with humor, the headline gets fixed, and then the comment gets demoted.

      This wouldn't be bad, if there were some way to direct message the editor for the headline and story summary in question, with having to leave a public comment in order to communicate their error.

      At least my comment was made with good humor, rather tha

  • Don't give it to them! If you give them ransomware, they're just going to use it to start attacking people and demanding ransoms from their victims.

    • Don't give it to them! If you give them ransomware, they're just going to use it to start attacking people and demanding ransoms from their victims.

      Hospitals already have their own ransomware. It's call the bill.

  • Not surprised Swiss cheese. NHS malware ransomware terminals not answering back. Ambulance system not reporting incoming patients. Using pen and paper to work out who is in and who is gone home. Unable to answer enquiries about patients. Everything else is working in slow motion not always working. Nationwide.

  • If they were smart the desktops used to access patient are nothing more than "thin" clients with just an OS that can be PXE booted and re-imaged in short order... and the actual applications that matter would be running in VMs accessed from those clients... and the VMs would have have snapshots to roll back to in case something there gets screwed up...

    Then again, if they were smart, they never would have connected systems used for patient care to the internet in the first place... all internet access would

    • If the admins have VM snapshots around available for that then they are using snapshots as backup and are majorly stupid and don't understand how VM snapshots work and their purpose.
    • by ghoul ( 157158 )

      Even with firewalled systems malware can get in. The Iranian centrifuge plants were not connected to the internet but the infection got brought in on USB sticks of scientists who wanted to show their colleagues pictures from their daughter's birthday party. Hackers can use social engineering to get across physical barriers

  • by mspohr ( 589790 ) on Friday May 12, 2017 @11:21AM (#54406227)

    Are they using Windows computers for sensitive health information?
    Are they using Windows for mission critical applications? ... morons...

    • Re:Windows? (Score:5, Interesting)

      by Archtech ( 159117 ) on Friday May 12, 2017 @11:35AM (#54406291)

      When Tony Blair met Bill Gates in 2006 - after kissing Gates' feet and gushing for a few hours about his supreme wonderfulness - Blair signed up for the super huge mega deal, with all the Windows you can eat. (Small print: security is up to you, mumble mumble mumble...)

      "Mr Gates, the billionaire software pioneer, had just written a book about how IT could transform economies".

      Yeah. Transform them from prosperity to miserable bankruptcy - along with lots of dead and dying patients. And transfer a large slice of their revenue to Bill Gates' bulging pockets.

      Maybe the NHS should call Gates now and ask him to sort out their problems.

      https://www.theguardian.com/bu... [theguardian.com]

      • by ghoul ( 157158 )

        This is why countries should not trust US made software. It has backdoors installed for the NSA to sneak in. They would have been better off with Chinese software. It also would have backdoors but it would be cheaper.

      • Transform them from prosperity to miserable bankruptcy - along with lots of dead and dying patients.

        [Citation Needed] More on the latter account because in the former case every country in the world has had an increase in medical costs since 2006 regardless whether or not the mighty BG was involved.

    • Exactly. Why is this not being addressed more? Using Windows for anything critical is just asking to be a victim like we see here.

    • Using Windows in a hospital should be enough to get you fired.
      Connecting Windows to a network in a hospital should be enough to get you prosecuted.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Are they using Windows computers for sensitive health information?
      Are they using Windows for mission critical applications? ... morons...

      Yes... they're using Windows XP. [theregister.co.uk]

    • NHS Digital is national patient administration system, it is bold in scope and vision but with a history of expensive failure and delays caused by miss-management by practically every major IT consultancy that exists. I never worked on it myself but know many colleagues that have and non have ever had a good word to say about it.

    • by gweihir ( 88907 )

      Same morons as almost everywhere else. We have just too many people even in the IT field that know Windows and nothing else. A great success for Microsoft and a huge fail for humanity.

  • by DigiShaman ( 671371 ) on Friday May 12, 2017 @11:27AM (#54406257) Homepage

    It's been posted online that this is a version of WannaCry v2.0 Ransomware. Apparently it's taking advantage of the SMB exploits that got released last week or so ago. It's probably doing an IP scan inside the LAN from an infected machine, and then attempting to exploit SMB at the other end. That machine gets infected, and so it spreads at an exponential rate. Short version, this is WW III starting level shit!! We'll know soon enough in the next 48 hours around the world

    • The four Vanguard-class ballistic missile submarines provide the UK's entire nuclear deterrent. ...
      The four submarines have just one critical flaw: They all run Windows XP.

      http://www.popularmechanics.co... [popularmechanics.com]

    • That machine gets infected, and so it spreads at an exponential rate. Short version, this is WW III starting level shit!! We'll know soon enough in the next 48 hours around the world

      Ya know, you have a point there. I'd sort of expected that the first net propagated worldwide IT catastrophe would be in the financial sector. But healthcare is pretty important also. Especially if you are the patient.

  • by Computershack ( 1143409 ) on Friday May 12, 2017 @11:33AM (#54406277)
    This is the kind of event likely to get GCHQ involved which could result in someone expecting Bitcoin goodness to have a very unwelcome knock on the door one day.
  • When you intend your target to be grandmas or something and then your software accidentally hits a country-wide hospital system. That's when you go from counting bitcoins to having your door smashed down by elite forces at 2:00 in the morning...
  • by 3seas ( 184403 ) on Friday May 12, 2017 @11:36AM (#54406299) Homepage Journal

    is it really that untraceable?

    • Apparently you can launder it through an exchange and it becomes untraceable. I've never tried this so who knows.
    • is it really that untraceable?

      It takes some computational muscle, but I have no doubt the NSA has the tools.

      But joke's on the perps - the way Bitcoin is now, confirmation times and fees are so high that the hospitals will probably be restored from backup before they get any decryption keys.

    • by ghoul ( 157158 )

      It probably is traceable but the NSA is not letting it be known. They are probably keeping it in their backpocket to be used when its worth burning that card. This incident may just be worth burning Bitcoin for but we wont know till the NSA decides to. They may decide to still reserve the card for a future threat.

  • to start hanging the people that produce this crap?

    • by ruir ( 2709173 )
      Hang people that use Windows in Mission Critical systems, and you kill two birds with one stone.
  • Several experts monitoring the situation have linked the infections to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

    • Several experts monitoring the situation have linked the infections to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

      This is a global demonstration of why "Security through obscurity" and "NSA back-doors" are a very, very bad idea. I can't even imagine of a clearer demonstration.

      Too bad the political response will not be to do draconian things, rather than instituting open code reviews and such. Those NSA spooks like to have their little secret treasures, even if that endangers everyone in the world with an internet connection.

  • Why is it? (Score:4, Interesting)

    by gregarican ( 694358 ) on Friday May 12, 2017 @02:38PM (#54407245) Homepage

    The biggest worms, trojans, etc. all hit Windows? Rhetorical question, so no jesting or serious responses requested :) But this one looks to be fairly sizeable. Plenty of European telecoms, and other industries hit so far today. Even read reports of FedEx's Memphis hub instructing employees to power off those PC's.

    Here's a map --> https://intel.malwaretech.com/... [malwaretech.com]. The ironic thing is that these are far from true 0-day exploits. Patch was released for this in March. Regardless of your organization size, testing and rolling out patches shouldn't be that difficult. Given it's been a few months. This is speaking from a person who's been a cog in the wheel at larger US organizations as well as supported smaller places...

    • The biggest worms, trojans, etc. all hit Windows? Rhetorical question, so no jesting or serious responses requested :) But this one looks to be fairly sizeable.

      NYT noted up to 74 countries reporting having been hit.

      Serious answer: MS puts out patches all the time. In institutions with multi-million $$ equipment, or life-critical equipment, avoid patching if at all possible. Such equipment is designed for a couple of decades of service or more. The computer-interface card might only have drivers up to Windows XP. Applying a MS patch could be either impossible, or if you run Win 8.1, say, something to be avoided. MS security patches are notorious for bricking

      • Okay I guess I did ask for it when I mentioned the rhetorical question. The MS security patches being notorious for bricking expensive equipment reference. Any somewhat recent and significant examples? Reason I'm asking is because I've sysadminned Linux servers going back to around 1997. And in parallel sysadminned Windows servers going back to NT 3.51.

        When it comes to MS security patches bricking equipment, if you are talking about servers the last time I recall a major SNAFU was NT 4.0 Service Pack 6. Tha

        • Okay I guess I did ask for it when I mentioned the rhetorical question. The MS security patches being notorious for bricking expensive equipment reference. Any somewhat recent and significant examples?

          2008 or so. A pushed Windows update bricked ALL Oxford-brand EDS systems globally for a couple of days. A driver update for the interface card fixed it, but it took time. What is an EDS? It's an analytical tool that allows chemical analysis in electron microscopes. Every university has several. Every big company, especially in tech, has tens of them (or 100's if you're Intel). The EDS systems would not work, preventing not only day-to-day use of this basic analysis-lab capability, but also mission-cr

          • That sounds like a complete disaster! I can't imagine the time, expense, and repercussions that resulted. When it comes to specialty equipment with not off-the-shelf hardware I definitely wouldn't put into auto-update mode. Regardless of the calendar year or relative maturity of Microsoft's OS version.

            Servers I manually update after a test run. Most are standardized in terms of hardware. Clients that do auto-update are all vanilla with no oddball hardware involved. The handful of proprietary hardware type c

  • think again - because for saving a penny, companies (including those running hospitals) will sacrifice everything.

    Just to give you one example from the banking industry: I only recently learned that hundreds of banks allow a 3rd-party vendor of some dubious "sentiment analytics" to inject "widgets" into their banking home page, which they welcome because they are served for free - paid by advertisements the 3rd-party injects alongside their data into those HTML widgets.

    Can you believe it? They voluntari

The difference between reality and unreality is that reality has so little to recommend it. -- Allan Sherman

Working...