IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

How to beat ransomware

Cyber criminals are finding ever more devious ways to lock your files. We explain how to protect your devices from the latest threats

2017 WannaCry campaign

May 2017 saw the execution of a ransomware attack of unprecendented scale, which hit over 100 countries simultaneously. In the UK, even the NHS was worst, with 40 NHS trusts and 11 health boards across England and Scotland affected. Scheduled operations were cancelled, with most health organisations hit by the ransomware accepting emergency patients only, or even diverting to other nearby hospitals that were unaffected.

Which ransomare hit the NHS?

There are many different types of ransomware that can tarsget your IT systems. In the case of the May 2017 attack, affected organisations were hit by WannaCry also known as WannaCrypt, WannaCrypt0r, WCRY and various other names.

WannaCry used an exploit believed to have been developed by the NSA as a "cyber weapon", known as EternalBlue, which was stolen and publicly released by the hacking group Shadow Brokers. Once a computer is infected and the ransomware executes, all the files on that machine are encrypted and a demand for a ransom in Bitcoin appears on the screen. The ransomware demand also shows two countdown timers. The first shows how long the victim has to pay the ransom before the price doubles, while the second shows how long it is until the malware deletes all the their files.

How did it spread?

It was initially thought that the ransomware would first have been downloaded onto a vulnerable system by a phishing attack, a malicious website that carried out a "drive by" attack, or something similar. However, later investigations pointed instead to a vulnerable SMB (Server Message Block) port being the actual vector of attack.

Microsoft had issued a patch in March 2017 for the vulnerability EternalBlue (and, thus, WannaCry) used for Windows 7 - 8.1. Windows 10 wasn't affected. Windows XP and Windows Server 2003 were also vulnerable, however as they were both out of support by three years no patch had been issued for them.

What actually happened?

In the morning of 12 May 2017, reports began to surface of a ransomware attack on the Spanish telco Telefonica, which were fairly quickly confirmed. A few hours later, new reports began to surface in the UK, initially stating that a handful of NHS Trusts in England were also affected. This number quickly rose to over 10, then over 20 and finally passed 40 by the end of the day. During this time it also became apparent that some hospitals in Scotland were also affected, although the NHS in both Wales and Northern Ireland remained clean.

Around 70,000 devices in the NHS were affected, including MRI machines, refrigerators, and operating theatre equipment.

After the news of the attacks in Spain, England and Scotland broke, reports of similar infections started to filtre in from Russia, the USA, Canada and Australia, with the total number of affected devices surpassing 75,000 across 99 countries on the first day.

As the day went on, the scale of the attack, which Europol described as "unprecedented", rapidly became apparent. In an effort to stop it spreading, Microsoft issued an emergency patch for Windows XP and Windows Server 2003, despite them being out of support.

There has been some speculation in the security community that due to the apparent simultaneous nature of the attack, with disparate organisations across the world all being hit at the same time, that the infection had lain dormant in systems for some time, with the attackers activating an "on switch" on 12 May. This hasn't been confirmed, however.

Who was responsible?

Attacks like this are notoriously hard to attribute with absolute certainty. There are some indications that it came from North Korea, with both Kaspersky Lab and Symantec pointing to code similarities between WannaCry and malware previously used by Lazarus Group the hacking ring thought to have been behind the 2014 attack on Sony Pictures Entertainment. Others, however, have claimed this could be a so-called false flag and for its part, North Korea has denied any involvement.

For a day-by-day account of the WannaCry attack, visit our dedicated news page.

Featured Resources

ZTNA vs on-premises VPN

How ZTNA wins the network security game

Free Download

The global use of collaboration solutions in hybrid working environments

How companies manage security risks

Free Download

How to build a cyber-resilient business ready to innovate and thrive

Outperform your peers in your successful business outcomes

Free Download

Accelerating your IT transformation

How Cloudflare is innovating for CIOs to start 2023

Watch now


Ransomware now strikes one in 40 organisations per week, Check Point finds

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022

Most Popular

Tech pioneers call for six-month pause of "out-of-control" AI development
artificial intelligence (AI)

Tech pioneers call for six-month pause of "out-of-control" AI development

29 Mar 2023
Getting the best value from your remote support software
Advertisement Feature

Getting the best value from your remote support software

13 Mar 2023
3CX CEO confirms supply chain malware attack

3CX CEO confirms supply chain malware attack

30 Mar 2023