NHS ransomware: UK government says it's North Korea's fault WannaCry happened


The UK's Foreign Office has said it too blames North Korea for the WannaCry ransomware campaign that brought the majority of the NHS and other public sector organisations to their knees back in May.

"The UK's National Cyber Security Centre assesses it is highly likely that North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign, one of the most significant to hit the UK in terms of scale and disruption," Foreign Office Minister Lord Ahmad of Wimbledon said in a statement.

The official announcement follows comments by Security Minister Ben Wallace in October that suggested the government believed a nation-state was responsible for the WannaCry campaign, and that it was "as sure as possible" that state was North Korea.

He said, like the US authorities, the UK government would "identify, pursue and respond" to malicious activity and wants to make it clear it will not tolerate malicious cyber activity of any kind, wherever it may originate and however severe the impact. It will impose costs on the responsible parties, preventing them from launching further attacks and using them as an example to deter other potential criminals.

"We condemn these actions and commit ourselves to working with all responsible states to combat destructive criminal use of cyber space," he added. "The indiscriminate use of the WannaCry ransomware demonstrates North Korean actors using their cyber programme to circumvent sanctions."

Lord Ahmad added that the UK authorities will work closely with other organisations around the world to "uphold a free, open, peaceful and secure cyberspace."

The WannaCry attacks affected 300,000 computers in 150 countries, including 48 NHS trusts, the government said. Users were told they needed to pay a ransom to get their machines unlocked and data restored.

19/12/2017: NHS ransomware: US blames North Korea for "cowardly" WannaCry attack

The US government has officially blamed North Korea for the devastating WannaCry ransomware campaign that crippled public services and infrastructure in more than 35 countries in May.

The announcement, made by Homeland Security Advisor Thomas Bossert in the New York Times, is the first time the US has formally blamed a nation-state for the attack which hit the NHS, Spain's Telefonica, FedEx and German rail company Deutsche Bahn.

"After careful investigation, the US today publicly attributes the massive 'WannaCry' cyber attack to North Korea," said Bossert. "It encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes. While victims received ransom demands, paying did not unlock their computers."

"It was cowardly, costly and careless," added Bossert. "The attack was widespread and cost billions, and North Korea is directly responsible."

North Korea became a suspect almost immediately following an initial investigation into the attack, particularly as the malware shared a number of similarities with the attack on Sony Pictures, widely thought to have been carried out by the North Korean-based "Lazarus Group".

The WannaCry campaign is thought to have affected around 300,000 computer systems across the world, propagated through a vulnerability in Windows XP and Windows Server 2003. The attack was eventually halted when security researcher Marcus Hutchins discovered a 'kill switch' in the malware that shut down the malware before it delivered its payload.

The US stance comes almost three months after the UK government and Microsoft officially blamed North Korea for the attack. "North Korea was the state that we believe was involved in this worldwide attack on our systems," said security minister Ben Wallace, speaking to BBC Radio 4. "It is widely believed across the community and in a number of countries that North Korea had taken this role."

As well as officially blaming Pyongyang for the attack, Bossert took the opportunity to highlight recent bolstering of IT defences by the Trump administration.

"(Trump's) continued sanctions on Russian hackers and directed the most transparent and effective government effort in the world to find and share vulnerabilities in important software," said Bossert, almost certainly referring to the recent ban on Kaspersky products from all government departments.

Bossert added that the US was now calling on the private sector to "increase its accountability in the cyber realm by taking actions that deny North Korea and other bad actors the ability to launch reckless and destructive cyber attacks."

North Korea has always denied its involvement in the WannaCry attack, and labelled the UK's accusation as a "wicked attempt" to enact tougher sanctions against the country.

Speaking to the Korean Central News Agency, a spokesperson for the Korea-Europe Association said at the time: "It does not make any sense that the DPRK, which gives the highest priority to the life and health of its people, would carry out a cyber attack on the UK health service."

28/11/2017: NHS to hire ethical hackers in £20m cyber security boost

The NHS has set aside £20 million to establish a new security centre designed to constantly probe the organisation's cyber defences using ethical hackers.

The Security Operations Centre (SOC) will operate throughout all NHS sites across the UK, providing monitoring services and guidance on how to handle cyber security incidents to local departments.

Part of its remit will be to employ 'white-hat' hackers to test the NHS' ability to prevent a data breach or a repeat of the style of attacks seen during the WannaCry ransomware campaign, which hit over one-third of health trusts earlier this year.

Dan Taylor, head of the Digital Security Centre at NHS Digital, said that the new centre will provide a "near-real-time monitoring and alerting service that covers the whole health and care system".

"The Security Operations Centre will enhance NHS Digital's current data security services that support the health and care system in protecting sensitive patient information," he added.

"The partnership will provide access to extra specialist resources during peak periods and enable the team to proactively monitor the web for security threats and emerging vulnerabilities.

"It will also allow us to improve our current capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software, and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats."

Taylor said the centre would "drive economies of scale, giving health and care organisations additional intelligence and support services that they might not otherwise be able to access".

NHS Digital also said it's seeking a partner to provide advice and help run the project, a contract for which is tendered to run for three to five years.

It's not the first time a public body has turned to ethical hacking to probe its defences. In July, it was revealed that the Met Office had previously asked cloud security firm Cloudreach to purposefully break its systems in an effort to test how well its teams were able to deal with major outages.

The move is the latest attempt to try and overhaul the NHS' outdated IT systems, which were considered to have been a soft target for the WannaCry malware. A recent report by the National Audit Office found that "basic IT security" could have prevented the spread of the ransomware, and that the NHS had been warned previously about its reliance on the outdated Windows XP operating system.

"Given the impact of the WannaCry attack, one must ask why it has taken them so long to create an SOC," said Matt Lock, director of sales engineers at Varonis, in a statement to IT Pro.

"The new centre must be a part of an ongoing effort to keep up with the latest attacks from extremely well-funded and experienced criminals intent on compromising the NHS system.

"An SOC is an important piece of the overall security posture for large organizations, but continuous improvement and advancements are critical parts of the equation."

31/10/2017: North Korea denies it created the WannaCry ransomware

North Korea yesterday denied being behind the devastating WannaCry attack, after the UK government identified the nation as the creator of the ransomware.

Home Office Minister Ben Wallace told the BBC last week that the government was "as sure as possible" that North Korea was behind the cyber attack in May, which caused chaos among NHS hospitals, dozens of which had to suspend and postpone appointments and operations.

But a spokesperson for the North's Korea-Europe Association denounced this as a "wicked attempt" to toughen sanctions against the country, which is currently embroiled in a war of words with the US over its nuclear tests.

In the statement, published on the Korean Central News Agency, the spokesperson said: "It does not make any sense that the DPRK, which gives the highest priority to the life and health of its people, would carry out a cyber attack on the UK health service.

"The moves of the UK government to doggedly associate the DPRK with the cyber attack cannot be interpreted in any other way than a wicked attempt to lure the international community into harbouring greater mistrust of the DPRK and further tighten sanctions and pressure against the latter."

The spokesperson added: "This is an act beyond the limit of our tolerance and it makes us question the real purpose behind the UK's move."

Along with the UK government, Microsoft also said it believed North Korea was behind the WannaCry attack. Brad Smith, Microsoft's president and chief legal officer, said that the attack was carried out by the country using cyber tools stolen from the NSA in the US.

An investigation into the ransomware attack found that the NHS failed to follow basic IT security principles that could have prevented the malware from taking effect, such as upgrading from the unsupported Windows XP operating system.

27/10/2017: NHS ransomware: "Basic IT security" could've prevented WannaCry

A report conducted by the National Audit Office found that the NHS was informed by the Department of Health and the Cabinet as early as 2014 about the dangers of cyber attacks and was encouraged to make plans to move away from old software like Windows XP by April 2015.

Despite the NHS's critical alerts telling organisations to patch their systems to prevent the spread of WannaCry ransomware, the department had "no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber attack".

"The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks," said Amyas Morse, head of the National Audit Office.

The attack, which occurred on 12 May 2017, affected 81 out of 236 NHS organisations in England. It also led to the cancellation of 19,500 medical appointments, the locking of 600 GP surgeries, and the diversion of ambulances from five hospitals, according to the report.

Although the department, NHS England, and the National Crime Agency said that no NHS organisation paid the ransom, the report found that the department does not know how much the attacks cost the NHS when considering costs such as the cancelled appointments, IT support and consultants, along with the restoration of data.

"What the NHS needed was the ability to detect and put a stop to malicious behaviour as early as possible in the kill chain," Nick Pollard, security intelligence and analytics director at Nuix said.

He suggested the use of next-generation endpoint security, which "can analyse unknown processes and terminates those that exhibit bad behaviours, keeping end users from clicking on unusual and potentially harmful attachments and applications even before they knew you were in danger".

The report said that the NHS has learned from WannaCry and is taking action to secure local firewalls by asking hospital trust boards to make sure they have implemented measures outlined in all alerts issued between March and May 2017.

16/10/2017: Microsoft says North Korea was behind WannaCry attack

Microsoft's president and chief legal officer has said that North Korea was behind the WannaCry attack that affected companies worldwide.

Brad Smith told ITV News: "I think at this point that all observers in the know have concluded that WannaCry was caused by North Korea using cyber tools or weapons that were stolen from the National Security Agency in the United States."

Smith also said cyber-attacks conducted by nation-states have become more frequent and more severe. He added that governments around the world should do more to protect people from harm.

"We need governments to come together as they did in Geneva in 1949 and adopt a new digital Geneva Convention that makes clear that these cyber-attacks against civilians, especially in times of peace, are off-limits and a violation of international law," said Smith.

He addressed criticism over the fact that Microsoft left Windows XP vulnerable to attackers since it had withdrawn support for the operating system. "When there's a broad attack, we provide patches for [all versions of Windows]," he said. "We did so with WannaCry, we did it again in June when Ukraine was attacked."

He added: "At the same time we repeatedly asked people, we explained to people, we virtually pleaded with people 'please don't rely on software that now belongs in a museum'."

Smith underlined that hospitals need to give more priority to upgrading their IT systems. "When hospitals think about the equipment that is critical to protecting their patients they've got to think not only about the beds...Computers play a fundamental role in the delivery of healthcare and patients shouldn't have to rely on healthcare based on an old computer."

WannaCry affected over 200,000 computers in 150 countries and demanded money for users to access their files.

Marcus Hutchins, the British security researcher who stopped the attack, was charged by US authorities with creating and distributing the Kronos banking Trojan in August.

At IP Expo 2017, Microsoft's Brad Anderson told IT Pro that the company had seen a 300% increase in cyber attacks in the last year. The sophistication of the attacks has increased, and the most sophisticated ones he has seen are from nation-states.

18/08/2017: 'WannaCry' ransomware hits LG self-service kiosks

Electronics giant LG has likely become the latest victim of the WannaCry ransomware, which infected self-service kiosks found at its service centres.

LG has yet to confirm the infection was definitely the WannaCry ransomware, but a spokesperson told The Korea Herald that the malware bears a strong resemblance to WannaCry, which caused widespread chaos when it targeted NHS hospitals and businesses in May.

"The problem was found to be caused by ransomware. There was no damage such as data encryption or asking for money, as we immediately shut down the service centre network," the spokesperson said.

The infection was reported to the state-run Korean Internet & Security Agency, which noted that it had found samples of code in the LG kiosks that were identical to code used in the original WannaCry ransomware campaign.

LG moved quickly to shut down the kiosks and pushed out a security update for them, and said that all of the kiosks are now back up and running.

Dean Ferrando, EMEA manager at cyber security firm Tripwire, suggested that the infection of LG's kiosks is down to the company failing to apply a security update to the vulnerable machines.

"Reports suggest that the company had not applied all the security updates available from Microsoft. This highlights something that we already knew - many organisations are not good at applying software security updates," he said.

"Applying available patches is one of the easiest ways to keep an organisation safe from new attacks; however, the unfortunate truth is that, despite the warnings and advisories to patch and secure the systems, there will always be a system that is missed."

17/08/2017: WannaCry paralyses 200 computers in Delhi

WannaCry has infected over 200 computers belonging to book publishing company Rachna Sagar in the Indian capital New Delhi.

The attack was reported on 9 August as staff found they could no longer access their user accounts, according to The Indian Express.

Users were faced with a message demanding US$800-$1000 in Bitcoin in order to unlock their computers.

A complaint filed by the company at the Darya Ganj police station read: "This morning, when we started our work and opened Busy software, we received a text message which said our files are encrypted. The message said we have to pay money to enable decryption of our files."

The company uses "Busy" accounting software where employees have two accounts: live and busy. In order to conduct business, they need to access their live account which has been blocked by hackers.

A source told The Indian Express: "The hackers have locked out their data since April. Employees have not been able to conduct any business since the day of the cyber attack. Their billing process has been delayed and they are even scared to use net banking as they fear online payment systems may be compromised."

IT Pro has contacted Rachna Sagar for comment.

This isn't the first WannaCry attack to hit India. There were isolated incidents reported in Andhra Pradesh, Gujarat, Kerala and West Bengal, but it is the capital's first attack.

Marcus Hutchins, the British national who stopped the initial spread of WannaCry, was arrested in Las Vegas and charged on six counts relating to the creation and distribution of a banking Trojan known as Kronos. The judge has set a trial date for October and released Hutchins on bail. He's not allowed to access the server he used to prevent WannaCry from spreading and must remain under house arrest.