NHS ransomware: UK government says it's North Korea's fault WannaCry happened
The Foreign Office said it will find, pursue and respond to the malicious activity
04/08/2017: WannaCry hackers 'blocked' from cashing ransomware bitcoins
WannaCry hackers who tried to launder their ransom money have been blacklisted by the exchange they used, digital asset exchange ShapeShift, according to Forbes.
ShapeShift allows customers to change Bitcoin into an alternative cryptocurrency without creating an account, but said the attackers' attempt to use the service to convert their bitcoins into Monero, an allegedly secure, private, and untraceable currency, broke its terms of service.
A spokesperson for ShapeShift toldForbes: "As of today, we have taken measures to blacklist all addresses associated with the WannaCry attackers that are known to the ShapeShift team, as is our policy for any transactions we deem breach our terms of service. We are closely watching the situation as it continues to unfold as to block any further addresses associated."
The hackers, who leveraged WannaCry against NHS hospitals and other business targets, attempted to move $36,922 of the $140,000, according to Chainalysis co-founder Jonathan Levin, speaking to Forbes.
The Shapeshift spokesperson added: "Any transactions made through ShapeShift can not be hidden or obscured and are thus 100% transparent, making laundering of any digital tokens impossible.
"Additionally, we are engaging directly with law enforcement involved with the WannaCry case and will assist them with any needs they may request to apprehend the perpetrators."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The WannaCry attack affected over 200,000 computers in 150 countries and demanded money for users to access their files.
Marcus Hutchins, the British security researcher who stopped the WannaCry attack, was charged by US authorities with creating and distributing the Kronos banking Trojanthis week. Hutchins, 23, tried to leave the US after attending the Black Hat and Defcon security conferences in Las Vegas, but was arrested at the airport.
03/08/2017: WannaCry's $140,000 Bitcoin wallets are emptied
More than $140,000 in bitcoins paid by victims of the WannaCry attack have been moved from their online wallets.
Keith Collins, a technology reporter at Quartz, set up an online Twitter bot called "actual ransom" to monitor three Bitcoin wallets tied to the WannaCry attack which would post whenever money was moved from the wallets.
At 3 am today, it reported the wallets held $142,361.51 which they had collected through 338 payments.
Starting at 4:10 am, there were a series of seven tweets saying that different amounts of money had been taken out, ranging from $19,318.06 to $27,514.04. The balance of the wallets are now zero.
Now, the money may be sent through a Bitcoin mixer which will help to obscure its trail. This mixer sends the money to a high volume address, such as an exchange, where legitimate money frequently passes. This is carried out in order to hide where the ransomware money eventually goes, as reported by Collins. The purpose of this is to confuse and obscure anyone who is following the money trail and can be thought of as "online laundering".
WannaCry affected more than 200,000 computers in 150 countries and blocked users from accessing their files. The files were only recoverable through a $300 to $600 Bitcoin payment. This ransomware exploited vulnerabilities in the Microsoft Cryptographic API built into Windows to create and hide a decryption key.
29/06/2017: WannaCry was "inevitable" due to NHS underfunding, says BCS
The NHS has been criticised for a lack of investment and accountability in IT security measures that allegedly led to the widespread Wannacry outbreak last month.
The Chartered Institute for IT (BCS) said that despite efforts with limited resources available, some hospital IT teams lacked access to trained, registered and accountable cyber security professionals with the power to assure hospital boards that computer systems were fit for purpose.
David Evans, director of community and policy at The Chartered Institute for IT, said that the healthcare sector has struggled to keep pace with cyber security best practice, and with a systemic lack of investment, ultimately, the Wannacry attack was an "inevitability".
"Patients should be able to trust that hospital computer systems are as solid as the first-class doctors and nurses that make our NHS the envy of the world," he said.
"Unfortunately, without the necessary IT professionals, proper investment and training the damage caused by the Wannacry ransomware virus was an inevitability, but with the roadmap we are releasing today, [that] will make it less likely that such an attack will have the same impact in the future."
BCS has joined forces with the Patient's Association, the Royal College of Nursing, BT and Microsoft to produce a blueprint that outlines steps NHS trusts should take to avoid another crippling cyber attack.
Most important was ensuring there are clearly laid out standards for accrediting relevant IT professionals. NHS boards are being urged to ensure they understand their responsibilities, and how to make use of registered cyber security experts. The blueprint also states that the number of properly qualified and registered IT professionals needs to be increased.
Almost 50 NHS Trusts were hit last month by Wannacry, with the ransomware encrypting computers and leaving them unusable in many areas of the health service, with hackers threatening that valuable files would be lost forever unless a ransom was paid.
23/06/2017: WannaCry isn't over. Honda was forced to shut a car manufacturing plant in Japan after being struck by the ransomware, while reports suggest Australian traffic cameras were knocked offline by the attack.
Honda shut its Sayama plant on Monday after being hit by the ransomware over the weekend, which then spread across the car maker's networks. The factory was back online the next day. It produces about 1,000 cars a day.
The car maker didn't say how it was infected, or why its systems were still at risk several weeks after the initial attack, which was halted when a security engineer triggered a kill switch. Microsoft has since released patches to prevent infection.
Honda isn't the only organisation to still be reeling from WannaCry. An Australian traffic control system was infected by the ransomware, though the 55 cameras continued working throughout the attack.
In this case, the spread of WannaCry was human error, after a contractor working for the government connected an infected device to the camera network. A patch is being rolled out to stop the infection, and any fines that are mistakenly doled out as a result of the incident will be refunded, the department of justice in Victoria said.
30/05/2017: Why WannaCry's creator could be Chinese
The creator of WannaCry may be Chinese, according to a fresh analysis of the notices sent to victims of the ransomware, including NHS trusts, earlier this month.
Flashpoint's research concludes that the native language of the author, or authors, may have been Chinese, and that while they were familiar with the English language, were not native speakers.
The security firm's analysis found that nearly all of the ransom notes for WannaCry were translated using Google Translate and that only three languages; English and the two Chinese versions (simplified and traditional) were likely to have been written by a human, instead of translated by a machine.
The researchers deduced that the English note appeared to be written by someone with a strong command of English, although it apparently contained a glaring grammatical error (which Flashpoint did not detail) suggesting the speaker is non-native or poorly educated.
They also found that while the English note was the source text for machine translation into the other languages, the Chinese ransom note served as the original source for the English version, because it "contains content not in any of the others, though no other notes contain content not in the Chinese".
This means it's possible that Chinese is the writer or writers' native tongue, but other languages cannot be ruled out. Flashpoint added: "It is also possible that the malware author(s)' intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead.
Experts had previously pointed to North Korea as the creator of the ransomware that shut down NHS hospitals earlier this month, though a think tank last week aired its doubts over this attribution, questioning suspect the Lazarus Group's alleged links to the country.
The cyber attack infected more than 200,000 computers in 150 countries. The FBI, Europol and the UK's National Crime Agency are investigating who was responsible for the attack.
Multiple security experts have said that the majority of computers infected by WannaCry were running Windows 7, in contrast to previous assumptions that it was unpatched XP machines responsible for the quick spread of the ransomware.
WannaCry blocked users from accessing files which were only recoverable through a $300 to $600 Bitcoin payment. The ransomware exploited vulnerabilities in the Microsoft Cryptographic API built into Windows to create and hide a decryption key.
24/05/2017: North Korea may not be behind WannaCry
As experts point to North Korea as the creator of WannaCry ransomware that shut down NHS hospitals earlier this month, one sceptical note still sounds.
Cyber security vendors including Symantec have linked WannaCry to the Lazarus Group, allegedly a group of North Korean hackers, but a think tank has called for caution amid the finger-pointing.
"To be abundantly clear, the recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing," wrote James Scott, a senior fellow at the Instiutute for Critical Infrastructure Technology (ICIT).
He added: "Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat."
The comments follow multiple vendors blaming North Korea for initiating the ransomware, which locked files and demanding Bitcoin payments to release them at 16 NHS organisations, among other targets, though the NHS initially found no evidence of personal data being compromised.
"From all that we see, the technical evidence points to the fact that this is Lazarus," Symantec investigator Eric Chien told the New York Times on Monday.
The publication referred to "digital crumbs" that the cyber security firm had traced to previous attacks widely attributed to North Korea, like the Sony Pictures hack in late 2014.
Symantec also found similar tools and computer code in the WannaCry attack to previous hacks on South Korean targets.
But ICIT claimed the Lazarus Group was a "cyber-mercenary" outfit, and Scott said of the similarity between the malware tools used in WannaCry and previous attacks: "These claims should not be seen as overly definitive despite their presentation because Lazarus was known for borrowing code from other malware and because it remains possible that outdated Lazarus malware was captured by the WannaCry threat actors and occasionally used as a template for their less sophisticated malware development."
He added: "At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to C2 servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cybercriminal Lazarus APT."
22/05/2017: NHS ransomware: Wannacry spread via Windows 7, not XP
The majority of computers infected by WannaCry were running Windows 7, according to multiple security experts - and contrary to assumptions that unpatched XP machines were to blame for the ransomware's quick spread.
When the ransomware shut down NHS hospital systems on 12 May, Microsoft had already issued a patch for the vulnerability being abused to spread the infection, but Windows XP users only got that patch if they were paying for custom support, as the two-decade-old OS is out of standard support.That left many assuming XP was the main attack vector, with 90% of NHS trusts still using the OS at the end of last year.
However, it instead appears to be down to organisations and individuals failing to run keep Windows up to date.
Kaspersky Labs released data showing Windows 7 dominated infections at 97%, with negligible numbers of Windows XP infections. Windows 10 was unaffected, as the vulnerability didn't infect the latest OS. Those figures are for PCs running Kaspersky software.
That data was backed up by a Reuters-commissioned report by BitSight, which suggested two-thirds of PCs infected by WannaCry were running Windows 7 without the latest security patches. The report suggested XP could be infected, but didn't help spread the ransomware, with the OS handily crashing before WannaCry can spread.
Hackers have been trying to restart the WannaCry attack by targeting the domain that acted as a kill-switch and was set up by a 22-year-old British security researcher, who goes by MalwareTech online. They've been using Mirai botnets to run a DDoS attack to target the servers, he noted.
19/05/2017: Researcher claims to have bypassed WannaCry encryption
Victims hit by the recent WannaCry attack may be able to avoid paying the $300 to $600 ransom demand, as a researcher says he has found a way to access the secret decryption key.
Adrien Guinet of France-based research firm Quarkslab has made software available that he says granted him access to the decryption key on a system running Windows XP, allowing him to bypass the payment demand and recover his files.
"This software has only been tested and known to work under Windows XP," wrote Guinet, in a message alongside his GitHub post. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work and so it might not work in every case!"
So far it appears the software, known as WannaKey, hasn't been tested fully in the wild so it's difficult to say whether it's a reliable work around.
WannaCry is the most recent widespread ransomware campaign, which infected and encrypted data on networks across the world last week, most notably the NHS. The infection is able to block users from accessing files that are normally only recoverable through a $300 to $600 payment. WannaCry exploited vulnerabilities in the Microsoft Cryptographic API built into Windows to create and hide a decryption key.
More modern versions of Windows erase this key through memory cleanups, however, a flaw in Windows XP allows for some instances where WannaKey is able to scour the system memory for traces of the variables used to generate the key. Importantly, this only works if the computer has not been powered down, so it is advised that affected machines are left running.
If a match is found during the scan, a key will be generated which can then be used to decrypt affected files."If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory," added Guinet.
As the software makes use of an oversight on Windows XP, those affected users running later operating systems will need to look elsewhere for a solution. The advice is to leave affected machines powered on and wait to see if a work around becomes available.
Update: A second WannaCry software workaround appears to have been successful at sourcing the decryption key on a Windows 7 machine. Matt Suiche, researcher and founder of Comae Technologies, reports that a tool known as WannaKiwi, which works in a similar way to Wannakey, has been able to decrypt data on a machine running Windows 7.
16/05/2017: WannaCry attackers may be North Korean
Similarities between the WannaCry ransomware attack that knocked NHS hospitals offline and previous cyber incidents suggest the culprits are based in North Korea, security experts have said.
The evidence is not conclusive, but multiple security researchers have discovered similarities between the code used in early versions of the WannaCry ransomware and attacks on targets including Bangladeshi and Polish banks and Sony Pictures - attacks that were later attributed to North Korea. "The scale of the Lazarus operations is shocking," Kaspersky Lab researchers said in a blog post.
These links were pointed out by a Google researcher on Twitter, and the New York Times reports that they were corroborated by Symantec. However, Kaspersky researchers noted that this could be a 'false flag operation', designed to trick experts into thinking the attacks were carried out by someone else.
It was also spotted that the code linking WannaCry to the Lazarus attacks was not present in the latest sample of the malware, meaning that the perpetrators could be trying to cover their tracks. Kaspersky Labs called for further scrutiny. "For now, more research is required into older versions of Wannacry," the post said. "We believe this might hold the key to solve some of the mysteries around this attack."
Indeed, others noted that such code overlap doesn't prove anything other than the fact hackers borrow and steal from each other."The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," FireEye researcher John Miller told Newsweek.
Whoever the culprits are, they haven't made much cash from the disruption their hack has caused. A White House spokesperson said yesterday that while 300,000 computers in 150 countries were infected, only about $70,000 in ransom had been paid, according to a Reuters report.
15/05/2017: Labour says NHS is 'wide open' to cyber attacks
The government's response to the recent NHS cyber attack has been described as 'chaotic' by Labour, arguing that recent cuts have left hospitals 'wide open' to hacks.
Shadow health secretary Jon Ashworth has said Labour would invest an extra 5 billion into new IT infrastructure for the NHS, after hospitals and services were affected by the widespread ransomware attack on Friday.
Speaking to Sky News, Ashworth said: "The truth is, if you're going to cut infrastructure budgets and if you're not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack."
The comments coincide with allegations that health secretary Jeremy Hunt was previously warned that the NHS was susceptible to cyber attacks of this kind, following an assessment he commissioned last year, according to the BBC.Diane Fiona Caldicott and the Care Quality Commission assessed the cybersecurity capabilities of 60 hospitals throughout the UK, which found that not only were many sites still using outdated IT systems, but the report identified an increasing number cases where malware was being sent by email.
However, security minister Ben Wallace claimed the NHS were following "pretty good procedures" for dealing with the cyber attack, and insisted that affected trusts had enough resources to deal with attacks of this kind.
"We make sure the trusts are aware of their vulnerabilities and ask them to make sure they keep themselves up to date. What we don't do in our NHS is micromanage it from the desk," said Wallace, speaking to BBC Breakfast.
It is thought 47 NHS trusts were affected by the ransomware attack, which will continue to cause disruption through the coming week.
United Lincolnshire Trust said it has been forced to cancel all routine appointments in its hospitals on Monday, while Northumbria Healthcare has postponed all CT and MRI scans until further notice. Southport and Ormskirk Hospital Trust will run GP appointments as normal on Monday throughout West Lancashire, however it is advising patients to expect severe delays.
15/05/2017: Microsoft points to NSA leaks for NHS ransomware
Microsoft has confirmed the exploits that took out NHS networks and others around the world last week were stolen from the US National Security Agency, as security experts warned the ransomware could start spreading again today as workers startup their computers.
On Friday, the WannaCrypt or WannaDecryptor malware exploded across networks, including 16 NHS systems, leading to ambulances being diverted and some appointments being cancelled. The ransomware wasn't specifically targeted at the NHS, but part of a wider attack that took in organisations around the world.
The spread of the ransomware was partially halted by one British security researcher, who bought a domain listed in software and was rewarded for their efforts by having their identity revealed by British tabloids.
Microsoft also released a patch for XP, which is no longer being supported except by special arrangement and extra fees, which the British government decided against paying. NHS Direct said fewer than 4.7% of its devices use XP, and that includes "expensive hardware" such as MRI scanners that aren't easily updated.
In a blog post, Microsoft's legal counsel Brad Smith said companies like his own were "increasingly among the first responders" in such attacks, and that online security is a "shared responsibility between tech companies and customers".
Customers, be they individuals or corporations, need to keep their machines updated, but Smith admitted that's not always easy, adding "we are dedicated to developing further steps to help ensure security updates are applied immediately to all IT environments".
Such work is made harder when governments are stockpiling and then losing vulnerabilities, he added, confirming that the exploits abused to infect the NHS and the other organisations on Friday were indeed those stolen by the NSA earlier this year.
"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," he said. "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen."
Smith said the attack should be a "wake-up call" to governments on cybersecurity. "They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," he said. "We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
12/05/2017: NHS hospitals targeted by ransomware attack
The NHS has been hit by a major ransomware attack, shutting down multiple hospital IT systems - as well as companies and universities elsewhere.
NHS Digital said the NHS itself was not specifically the target of the attack but part of a wider "Wanna Decryptor" ransomware campaign. Telefonica was also hit by a similar attack as well as a range of other Spanish organisations, and reports on Twitter suggest universities are facing similar malware.
Hospital trusts across England and Scotland have admitted they've been caught up in the attack, with appointments cancelled, phone lines down and ambulances diverted. Doctors and other staff have also been sharing further details on Twitter, with one screenshot suggesting the ransomware is demanding $300 in bitcoin to decrypt files, with the price doubling after three days.
NHS Digital confirmed the attacks, with a spokesperson saying 16 NHS organisations had reported they've been impacted by ransomware. "The investigation is at an early stage but we believe the malware variant is Wanna Decryptor," the spokesperson said. "At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this."
The statement added: "This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors. Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available."
The East and North Hertfordshire NHS trust confirmed it was hit by the attack.
"Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust's telephone system is not able to accept incoming calls," a spokesperson said in a statement. "The trust is postponing all non-urgent activity for today and is asking people not to come to A&E - please ring NHS 111 for urgent medical advice or 999 if it is a life-threatening emergency."
"To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust's hospitals continued to receive the care they need," it added.
Blackpool Teaching Hospitals tweeted that it was having "issues with our computer system", asking people not to come to A&E unless it's an emergency, while North Staffordshire and Barts Health Trust in London have also said they've been hit by the ransomware.
"We are experiencing a major IT disruption and there are delays at all of our hospitals. We have activated our major incident plan to make sure we can maintain the safety and welfare of patients," a statement from Barts said. "We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals. The problem is also affecting the switchboard at Newham hospital but direct line phones are working. All our staff are working hard to minimise the impact and we will post regular updates on the website."
Others have shared images of the screenshot that shows the ransom demand.
In a security alert, the Spanish National Centre for Cryptology stated: "The ransomware, a version of WannaCry, infects a computer, encrypting all its files and, using a remote code execution vulnerability through the SMB (server message block), distributes itself to the rest of the Windows machines connected to the same network."
The organisation stated that Windows Vista SP2 through to Windows 10, including RT 8.1, are all affected by the vulnerability that allows computers to be infected by the malware. Windows Server 2008 SP2 and SP1 through to Server 2016 are also affected.
Microsoft issued a patch for the vulnerability in March, but it would appear it hasn't been rolled out across all organisations. Windows XP isn't listed as one of the operating systems affected, however as support for the aged operating system ended in 2014, it's possible the vulnerability also affects that OS and will never be patched.
The researchers at MalwareHunterTeam reported earlier today that the particular strain of ransomware was quickly spreading, spotted in 11 countries within a few hours - and that's before the NHS attacks.
Research last year revealed that 90% of NHS trusts still used no-longer-supported Windows XP in some way, but it remains unclear how this ransomware infected the hospital trusts. Wanna Decryptor is also known as WannaCry or WCry. These attacks appear to be using the second version of the ransomware, based on the screenshots, which spreads via dodgy attachments in email.
- 1
- 2
Current page: NHS ransomware: News archive
Prev Page UK government says it's North Korea's fault WannaCry happened