May 12 started as any other day in cyberspace. By day’s end, however, the “WannaCry” or “WCry” malware would go down as one of the most widespread cyber incidents in recent memory. Beginning midmorning, reports started to come out of a cyber incident affecting selected National Health Service trusts in the United Kingdom. The impact of the attack only grew from there.
The ransomware, a type of malware that encrypts files on a computer or locks the user out of the system and demands a ransom to regain access, spread fast and affected organizations in Europe, Asia and the United States. Our Leidos cyber teams responded with urgency and worked with customers to monitor potential impacts and keep them informed of defensive measures to take as they become available.
This attack was intriguing not only for its impact in the UK but also because of how the quick actions of a security researcher impeded its spread. The cyber community has learned a lot more about the attack since those chaotic first few hours. The ransomware was based in part on a Microsoft Service Message Block 1.0 (SMB1) vulnerability that was patched on March 14. The specific vulnerability is known as “EternalBlue” and is tied to a rash of exploit releases that Microsoft has been furiously patching. The good news in all of this is that those organizations practicing good cyber hygiene have largely avoided major incident. It is yet another example of the importance of achieving full visibility and accounting for all enterprise assets while demonstrating the ongoing risk of shadow IT.
The impacts of the cyberattack were far-reaching but the UK arguably bore the brunt. While the likes of Federal Express in the U.S., Telefonica and Renault in mainland Europe, and PetroChina in Asia were all impacted, the NHS was especially hard-hit. By the end of the day, one in five NHS trusts were experiencing effects, with some trusts reportedly redirecting ambulances from their accident and emergency units.
There are many questions about why the impact was so heavy at the NHS, but most signs point to outdated and poorly-patched systems which are highly vulnerable to this malware. Unfortunately, this event is the latest in a very trying last 18 months for the NHS, which has been the target of multiple hacking incidents over that period.
As stated earlier, the unfortunate part of all this is that these sorts of attacks are preventable. Microsoft has been very responsive during the event, pointing out that they had published patches not only for currently-supported operating systems but that they had also created patches for machines back to Windows XP, which is an unusual step. They even published a note that urged users to patch and also took governments to task for not disclosing these vulnerabilities to vendors when they were first identified. While that is a much longer-term debate, there is rising interest in their calls for a “Digital Geneva Convention.”
In the meantime, the SANS Internet Storm Centre has published a number of steps specific to this incident that organizations can use to protect themselves. The recommendations include applying the patches for Windows that Microsoft published. Beyond patching, ensuring that the “kill switch” domain is reachable in the organization is vital, as this will stop the malware from ever executing in the first place. For improved redundancy, capabilities like Leidos Endpoint Detection and Response, powered by our partner Cybereason, can provide protection from the full class of these sorts of attacks.
Strategically, the UK National Cyber Security Centre has published its guidelines for organizations to avoid ransomware attacks in the future. While the guidelines are all excellent recommendations for cyber hygiene in legacy enterprises, such as that of the NHS, patching out-of-date endpoints and controlling network access are continual challenges. As a leading technology company in the UK, Leidos has significant experience helping organizations across all sectors, including defense, intelligence, public sector and health, transform their infrastructure to a more defensive architecture. These evolutionary changes reduce ongoing costs, increase capabilities, including information sharing, and increase the security of the overall organization.
By: William Brennan, Leidos UK/Europe Director of Global Cyber Defense
Bill is the Senior Director for Global Information Security at Leidos. In this role, he uses his 15 years of experience in cybersecurity to protect Leidos Corporation and support the cyber goals of clients around the world. When not on a plane, most of his time is spent coaching his son’s sports teams or enjoying a rare quiet moment on the back porch with his wife.Follow on Twitter More Content by Bill Brennan