The Health of the NHS IT

13May

The Health of the NHS IT

Below is a clean breakdown of the WannaCry ransomware that plagued the NHS and UK news outlets in May. Below is an “idiot’s guide”. For a lengthier and detailed report of this ransomware, it’s global impact & similar malware, a good place to start is it’s Wikipedia Page 

 

  • WannaCry is malware consisting of a worm and ransomware affecting Microsoft Windows operating systems.
  • Ransomware is malicious software which, when let lose on your machine, finds your files, encrypts them so that you cannot use them anymore. Usually a message appears on your screen explaining to get them back (via a “key” to  decrypt the files) you will need to send some money to a Bitcoin address.
  • Bitcoin can become a type of anonymous and untraceable digital currency. Meaning you will send money as instructed and you might receive a key to decrypt your files.
  • There’s no indication with this malware that your files have actually been sent anywhere – so no one else has necessarily seen your data. Rather they have “jumbled the data” (encryption) so that you can’t cannot access them; unless you pay up [for the decryption key].
  • A worm is is piece of malware whose sole purpose is to spread to other machines and trigger a payload. In this case, the payload is the ransomware.
  • Worms get about in lots of different ways – in this particular case it is using a vulnerability affecting SMBv1. SMB stands for Server Message Block. It’s basically the way in which you share files and folders in Windows. If you save a file on a server at work you’re using SMB, for example. Version 1 (v1) is outdated but still widely in use. V2 and v3 exist and are not affected by this malware.
  • To allow computers to communicate with each other they use ‘ports’ which are numbered. This malware uses the ports which SMB uses to get around and spread the infection. Since this is using an already-existing means of replicating (SMB) this malware doesn’t require the user to do anything to get it to spread. That’s why it’s spread so quickly and has caused so much damage.
  • The exploit used was part of the Shadow Brokers hack of the CIA a while back wherein they stole and released a bunch of NSA tools and, effectively, malware.
  • It affects multiple versions of Windows but importantly, a patch to protect against exactly this was released about 2 months ago. If you patch regularly then this won’t affect you.
  • However, patching at scale – like in a big company – isn’t as easy as it sounds. And a lot of companies are very bad at it. Some companies – including some banks – are so bad at it that they’re still actually running Windows XP which is more than 15 years old. And, more importantly, doesn’t benefit from patches anymore since it’s over 2 years past support.
  • As a possible indicator of just how bad this malware infection has been, Microsoft actually released a Windows XP patch to address it.
  • The malware has a ‘feature’ built in to it whereby when it is triggered it attempts to contact a gibberish website address. If it fails, it infects the machine. Researchers have found that if the malware actually manages to contact the gibberish website then the malware doesn’t trigger. It’s speculated that this was included as a sort of ‘kill switch’ for the malware. One researcher realised that the website address that the malware was calling out to was not actually registered (so all attempts to get to the address would fail and trigger the malware). So he registered it and, killed the malware.
  • They pointed the website address to what’s called a ‘sink hole’ whereby requests coming in can be monitored to see where the malware has gotten to.
  • Companies (and state departments) have been affected in the UK, US, Russia, Spain, and probably more at this point.
  • Whilst this sounds like good news (and it is, really) the reality is that subsequent versions of the malware will likely point to other addresses – or do away with the kill switch altogether. It’s a constant game of cat and mouse.
  • So, if you regularly patch you’re basically home and dry on this one. If you – or your company – don’t, then you’re at risk and realistically the only thing you can really do is patch. Some companies are considering turning off SMBv1 (in favour of v2 or v3) but again, the bigger the company the harder this is.
  • AV vendors are already releasing clean up tools to remove the malware, but I don’t think that they’re able to decrypt and recover affected files yet. And if the crypto was done right, they never will be able to either.