
How to beat ransomware

Cyber criminals are finding ever more devious ways to lock your files. We explain how to protect your devices from the latest threats

2017 WannaCry campaign

May 2017 saw the execution of a ransomware attack of unprecedented scale, which hit over 100 countries simultaneously. In the UK, the NHS was worst hit, with 40 NHS trusts and 11 health boards across England and Scotland affected. Scheduled operations were cancelled, with most health organisations hit by the ransomware accepting emergency patients only, or even diverting to other nearby hospitals that were unaffected.

Which ransomware hit the NHS?

There are many different types of ransomware that can target your IT systems. In the case of the May 2017 attack, affected organisations were hit by WannaCry, also known as WannaCrypt, WannaCrypt0r, WCRY and various other names.

WannaCry used an exploit believed to have been developed by the NSA as a "cyber weapon", known as EternalBlue, which was stolen and publicly released by the hacking group Shadow Brokers. Once a computer is infected and the ransomware executes, all the files on that machine are encrypted and a demand for a ransom in Bitcoin appears on the screen. The ransomware demand also shows two countdown timers. The first shows how long the victim has to pay the ransom before the price doubles, while the second shows how long it is until the malware deletes all their files.

How did it spread?

It was initially thought that the ransomware would first have been downloaded onto a vulnerable system by a phishing attack, a malicious website that carried out a "drive by" attack, or something similar. However, later investigations pointed instead to a vulnerable SMB (Server Message Block) port being the actual vector of attack.

In March 2017, Microsoft had issued a patch for Windows 7 to 8.1 covering the vulnerability that EternalBlue (and, thus, WannaCry) used. Windows 10 wasn't affected. Windows XP and Windows Server 2003 were also vulnerable; however, as they were both out of support by three years, no patch had been issued for them.

What actually happened?

On the morning of 12 May 2017, reports began to surface of a ransomware attack on the Spanish telco Telefonica, which were fairly quickly confirmed. A few hours later, new reports began to surface in the UK, initially stating that a handful of NHS Trusts in England were also affected. This number quickly rose to over 10, then over 20 and finally passed 40 by the end of the day. During this time it became apparent that some hospitals in Scotland were also affected, although the NHS in both Wales and Northern Ireland remained clean.

Around 70,000 devices in the NHS were affected, including MRI machines, refrigerators, and operating theatre equipment.

After the news of the attacks in Spain, England and Scotland broke, reports of similar infections started to filter in from Russia, the USA, Canada and Australia, with the total number of affected devices surpassing 75,000 across 99 countries on the first day.

As the day went on, the scale of the attack, which Europol described as "unprecedented", rapidly became apparent. In an effort to stop it spreading, Microsoft issued an emergency patch for Windows XP and Windows Server 2003, despite them being out of support.

There has been some speculation in the security community that, given the apparently simultaneous nature of the attack, with disparate organisations across the world all being hit at the same time, the infection had lain dormant in systems for some time, with the attackers activating an "on switch" on 12 May. This hasn't been confirmed, however.

Who was responsible?

Attacks like this are notoriously hard to attribute with absolute certainty. There are some indications that it came from North Korea, with both Kaspersky Lab and Symantec pointing to code similarities between WannaCry and malware previously used by Lazarus Group, the hacking ring thought to have been behind the 2014 attack on Sony Pictures Entertainment. Others, however, have claimed this could be a so-called false flag and, for its part, North Korea has denied any involvement.

For a day-by-day account of the WannaCry attack, visit our dedicated news page.
