What have we learnt from the NHS ransomware attack?

In May 2017, a ransomware attack of unprecedented scale was unleashed on the world, with the NHS in England and, to a lesser extent, Scotland being hit the hardest of any organisation in the UK. Around 70,000 devices were infected, leading the attack to be known colloquially as the NHS hack.

How such an attack happened and how it was shut down offers valuable information to IT professionals on how to avoid falling victim to such an incident themselves in the future.

Day Zero: 12 May 2017

In the early morning of 12 May, reports started to emerge of the first computers infected by WannaCry. While some researchers, including those at Sophos concluded the first infections cropped up in Asia, it wasn't until Spanish telecoms giant Telfonica reported its systems had been compromised that it started to come to the attention of those with an interest in technology and security.

Within just a few hours the attack had snowballed, swallowing up an estimated 47 NHS Trusts in England and Scotland. Other high-profile victims included Deutsche Bahn, Renault, FedEx and the Russian Ministry of the interior.

The impact on the NHS was particularly potent, with approximately 70,000 devices including MRI scanners, blood storage refrigerators and operating theatre equipment, as well as computer terminals, being infected.

Some hospitals, including Barts in London, had to cancel routine planned operations, while others told patients only to come to A&E if it was a "life-threatening emergency".

In the end, it's thought that around 200,000 devices running Microsoft Windows were infected across 150 countries.

Aftermath and investigation

Somewhat miraculously, WannCry was stopped in its tracks the same day it started by a 22-year-old British cyber security researcher, Marcus Hutchins, who discovered a kill-switch' embedded in the ransomware's code.

This was a considerable stroke of luck for the world's IT systems, but for those that had already been affected, there was a lot of cleanup to be done, including disinfecting and restoring systems, patching (more on that in a minute) and so on.

For the NHS, this also included rescheduling all the routine appointments that had to be cancelled, leading to disruption that continued over the following few weeks.

It was also in the wake of the attack's subsidence that questions began to be raised about how such an infection was able to run rampant in the first place, given Microsoft had already issued a patch for the vulnerability exploited by WannaCry.

While the ransomware wasn't targeted, as the wide range of organisations affected demonstrates, it unwittingly took advantage of a critical weakness in many business systems "just patch" isn't always an option.

In large organisations in particular, there are often valid reasons systems can't be patched or updated. The most common among those is dependance on critical applications or hardware that aren't compatible with newer operating systems or some patches.

In this scenario, IT administrators face a choice: update the system, but potentially risk rendering inoperable a very expensive piece of hardware or the patient database software, or don't update it in order to keep the organisation running, but risk a crippling attack, as happened in May. Most take the potential risk of being hit by ransomware or another infection in the future over the certainty of breaking existing infrastructure.

Mitigation is better than a cure

Here's the obvious advice: patch your systems.

"WannaCry only hit organisation running older versions of Windows, so the obvious advice is to update those, which of course has a cost," says Bob Tarzey, analyst and director at Quocirca.

But, as stated above, that's not always possible.

"Another option is to better isolate older systems," Tarzey continues.

Jeff Pollard, principal analyst at Forrester, agrees: "We recommend a zero trust' approach to security strategy. Zero trust means trusting nothing people or systems until they prove they are trustworthy. Make sure environments are segmented so an automated worm [like WannaCry] can't infect every system."

This has the primary benefit of isolating the infection, which means not needing to throw the switches on all systems in order to stop it from spreading an approach that had to be taken by some NHS trusts, despite being disruptive in itself.

Pollard further advises organisations "understand the identity of users, systems, and workloads, and make sure that least privilege is in place".

There's also the question of having an educated and aware workforce. Although WannaCry wasn't spread via phishing emails, many ransomware infections and other malware attacks are, so drilling into users that they mustn't open links and attachments, particularly if they're unexpected, is vital. Other basic steps include having an enterprise-grade firewall in place, as well as business-focused anti-malware software running wherever it can (although, once again, in some embedded systems this might not be possible).

WannaCry was unusual in the way it attacked systems and the speed with which the infection spread, with the high-profile nature of the victims also being notable. What was surprising in May, however, may become par for the course in the future and this is an eventuality organisations must prepare for.

"Breaches and malware infections are inevitable. What matters is the ability to continue to operate, contain the issue, and bounce back from the problem and get back to business as usual," Pollard concludes.

Make sure your organisation is resiliant enough to bounce back from an attack like this...


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.