Friday’s Wanna Decryptor ransomware campaign badly affected NHS hospitals in the United Kingdom, with 40 hospitals spread across at least 24 Trusts confirming they were affected and had data encrypted. However, some media reports claim as many as 48 of the 248 Trusts in the UK were impacted by the attack to some degree.
Wanna Decryptor (WannaCry/WannaCrypt) attacks rapidly spread across the globe, with an estimated 200,000 victims spread across 150 countries. China was hit particularly badly due to the number of computers running older, vulnerable operating systems such as Windows XP. Microsoft had issued a patch to address the vulnerability that was exploited by Wanna Decryptor ransomware, although not for the unsupported Windows XP operating system.
Microsoft has since taken the unusual step of issuing a patch for Windows XP, even though extended support for the platform ended two years ago. A patch was also issued for Windows 8 and Microsoft Server 2003. However, for many companies, those patches came too late.
ETERNALBLUE was an exploit reportedly developed by the NSA that leveraged a security vulnerability in Microsoft Server Message Block 1.0 (SMBv1). According to Microsoft, the remote code execution vulnerability could allow an attacker to execute code on a targeted server. In Friday’s campaign, the attackers did just that and downloaded Wanna Decryptor ransomware, which incorporated a worm allowing it to spread rapidly through a network, encrypting data on all vulnerable computers and devices.
In contrast to many ransomware attacks, which require an end user to click on a malicious link or open an infected email attachment to infect their computer, this attack targeted vulnerable SMBv1 servers directly, with specially crafted packets sent to those servers. No user interaction was required.
The ETERNALBLUE exploit was stolen from the NSA by the hacking group Shadow Brokers, which released the exploit online in April. That allowed any hacker to use the exploit to conduct attacks.
Some evidence has been uncovered suggesting the Wanna Decryptor ransomware campaign was the work of a hacking group called the Lazarus Group, which was behind the attacks on the Bangladesh Central Bank earlier this year and the 2014 hack of Sony Pictures. The group has suspected links with North Korea. No hard evidence has been uncovered that links the attack with the Lazarus Group or North Korea at this stage.
Medical Devices Encrypted by Wanna Decryptor Ransomware
There were also victims in the United States. FedEx was attacked, as were several healthcare organizations. The attacks also affected certain medical devices used by hospitals.
A statement issued by HITRUST indicates certain medical devices from Bayer (MedRad), Siemens, and other unnamed suppliers were encrypted by Wanna Decryptor ransomware on Friday and Saturday. The attacks took advantage of out-of-date software which had not been patched to block the threat from the ETERNALBLUE exploit.
HITRUST reports that organizations that implemented HITRUST CSF controls have appropriately addressed the threat, with the HITRUST Enhanced IOC Program having provided Indicators of Compromise (IOCs) well in advance of Friday’s attack.
Siemens has not issued a statement confirming healthcare organizations in the United States that used its medical devices were affected, although the firm said it is assisting NHS Trusts in the UK to deal with attacks. Bayer said two healthcare organizations in the United States had suffered Wanna Decryptor ransomware attacks affecting MedRad devices, although those devices were fully operational again within 24 hours.
The Wanna Decryptor ransomware attacks highlight the importance of patching software promptly, the danger of running outdated, unsupported operating systems and the benefits of adopting the HITRUST CSF and other cybersecurity frameworks.
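The two controls the article keeps returning to, patching the SMBv1 flaw and not leaving the legacy protocol exposed, can be checked from the host itself. The following PowerShell script is an added example written for this page; it is not code from the article, from Microsoft, or from HITRUST. It assumes it is run with administrative rights on a Windows host, that the Microsoft bulletin for the SMBv1 fix is MS17-010, and that the short KB list below (a partial set of MS17-010 update IDs) is maintained by the reader for their own OS builds. The `Disable-Smb1Server` function only turns off the SMBv1 server side and is a hypothetical helper name, not a Microsoft cmdlet.

```powershell
# Added example (not from the article, Microsoft or HITRUST).
# Answers two defender questions for the local host:
#   1. Is the SMBv1 server protocol still enabled?
#   2. Is one of the MS17-010 updates (the SMBv1 fix the article refers to) installed?
# Assumption: run elevated; the KB list is partial and must be extended per OS build.

$Ms17010Kbs = @(
    'KB4012212',  # Windows 7 / Server 2008 R2 security-only update
    'KB4012213',  # Windows 8.1 / Server 2012 R2 security-only update
    'KB4012214',  # Windows Server 2012 security-only update
    'KB4012598'   # Windows XP / Server 2003 / Windows 8 out-of-band update
)

function Get-Smb1Status {
    # Get-SmbServerConfiguration exists on Windows 8.1 / Server 2012 R2 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) {
        return [bool]$cfg.EnableSMB1Protocol
    }
    # Older hosts: read the registry value the LanmanServer service honours.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name 'SMB1' -ErrorAction SilentlyContinue
    if ($null -eq $reg) {
        return $true   # value absent: SMBv1 is enabled by default on these systems
    }
    return ($reg.SMB1 -ne 0)
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates; on Windows 10 cumulative updates may
    # supersede the listed IDs, so treat a negative result as "needs review".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1Server {
    # Hypothetical helper: disables only the SMBv1 server protocol so the host
    # no longer accepts SMBv1 sessions. Leaves SMBv2/SMBv3 untouched.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $regPath -Name 'SMB1' -Type DWord -Value 0
        # A restart of the Server service (or the host) is required for the
        # registry change to take effect on older systems.
    }
}

# Report the host's exposure to the SMBv1 remote code execution flaw.
$smb1Enabled = Get-Smb1Status
$patched     = Test-Ms17010Installed

"SMBv1 server enabled : $smb1Enabled"
"MS17-010 installed   : $patched"

if ($smb1Enabled -and -not $patched) {
    Write-Warning 'Host exposes SMBv1 and has no MS17-010 update recorded: patch and disable SMBv1.'
} elseif ($smb1Enabled) {
    Write-Warning 'Host is patched but still serves SMBv1; disable it unless a legacy device requires it.'
}
```

Run it as a read-only audit first; `Disable-Smb1Server` is deliberately not called automatically, because some of the legacy medical devices named in the article may still depend on SMBv1, and those dependencies need to be identified before the protocol is switched off on the servers they talk to.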