Is your organisation safe from the ransomware that crippled the NHS?

On 12 May, hundreds of NHS employees turned on their computers, only to be greeted by a message stating that their files had been encrypted and could only be unlocked by paying $600. Their computers had succumbed to WannaCry, a particularly vicious type of virus known as ransomware. The message filling their screens could only be removed by transferring $600 worth of Bitcoin to a given address, and it even came with instructions for obtaining Bitcoin.

Forty-eight NHS organisations were affected by this cyber-attack, leading to cancelled appointments, operations and more. Patients were asked to stay home because staff did not have the means to receive or treat them. The NHS was held to ransom by unseen forces.

WannaCry and the threat to computers

The WannaCry software might be dangerous, but its spread is usually limited because it needs people to download a dodgy attachment or click a suspicious link, so the virus typically spreads slowly, in fits and starts. What happened on 12 May was very different. The doctors, nurses, surgeons and administrators who found their machines frozen that day may not have been to blame for the virus taking over their computers. WannaCry had found its way onto their desktops through a backdoor that exists in older Microsoft Windows machines.

Remarkably, this backdoor is alleged to have been developed – and utilised – by America’s National Security Agency (NSA). This vulnerability, known as EternalBlue, was stolen from the NSA by a group of Russian hackers called ShadowBrokers and then shared online. EternalBlue was used to inject WannaCry onto a huge number of machines in a synchronised attack. Infected machines were then used to spread the ransomware onto other networked machines.

In a story with many startling elements, perhaps one of the most shocking parts is the fact that Microsoft had released a patch to close this vulnerability in March. The only computers affected by this attack were those that had not been updated. In the case of the NHS, it seems that the government chose not to renew a multimillion-pound security package which would have protected against this threat. This meant that the NHS attack also became a political issue in the middle of a general election.

The WannaCry attack was only halted by an intrepid IT security consultant who noticed that the malware was trying to connect to a non-existent web domain. Marcus Hutchins immediately registered the address, an act which killed the virus and meant that hundreds of NHS organisations could get back to work.
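The two behaviours described above, a worm sweeping neighbouring Windows machines and infected hosts checking the kill-switch domain, both leave traces in ordinary network logs. The script below is an added example written for this article from a defender's point of view; it is not code from the article or from VinciWorks. It assumes, as a fact not stated on the page, that EternalBlue targets the SMB service on TCP port 445, so a single host opening SMB connections to many distinct peers within a few minutes is worm-like; and it uses a placeholder domain name in place of the real kill-switch domain, which the article does not give. The firewall and DNS log lines are constructed, and the log formats are simplified assumptions.

```python
"""Detection logic for two WannaCry-style behaviours over constructed logs:
(1) worm-like SMB fan-out: one host reaching many distinct peers on TCP/445
    inside a short window, and
(2) DNS lookups of the kill-switch domain, which identify hosts that ran the
    worm even though registering the domain stopped it from encrypting.
The port (445) is assumed from EternalBlue's use of SMB; the domain is a
placeholder, not the real kill-switch address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"  # placeholder, not the real domain
SMB_PORT = 445                   # assumption: EternalBlue targets SMB on TCP/445
FANOUT_THRESHOLD = 20            # distinct SMB peers within the window that we treat as worm-like
FANOUT_WINDOW = timedelta(minutes=5)

# --- Constructed sample logs (not real captures) ---------------------------
# Firewall line format (assumed): "<ISO timestamp> <src> <dst> <dport>"
FIREWALL_LOG = (
    # 10.0.1.5 sweeps 30 neighbours on TCP/445 inside two minutes (worm-like)
    [f"2017-05-12T10:{i // 15:02d}:{(i * 4) % 60:02d} 10.0.1.5 10.0.1.{100 + i} 445"
     for i in range(30)]
    # 10.0.1.9 is an ordinary workstation talking to three file servers
    + ["2017-05-12T10:00:10 10.0.1.9 10.0.1.200 445",
       "2017-05-12T10:01:10 10.0.1.9 10.0.1.201 445",
       "2017-05-12T10:02:10 10.0.1.9 10.0.1.202 445"]
    # 10.0.1.12 is a web proxy with many TCP/443 peers; not SMB, must not alert
    + [f"2017-05-12T10:00:{i:02d} 10.0.1.12 203.0.113.{i} 443" for i in range(40)]
)

# DNS line format (assumed): "<ISO timestamp> <client> <record type> <query name>"
DNS_LOG = [
    "2017-05-12T10:03:00 10.0.1.5 A killswitch-placeholder.example",
    "2017-05-12T10:03:01 10.0.1.7 A killswitch-placeholder.example.",
    "2017-05-12T10:03:02 10.0.1.9 A intranet.example",
    "2017-05-12T10:03:03 10.0.1.5 A killswitch-placeholder.example",
]


def parse_firewall(lines):
    """Parse firewall lines into (timestamp, src, dst, dport) tuples, sorted by time."""
    events = []
    for line in lines:
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(events)


def smb_fanout_hosts(lines, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src: peak distinct TCP/445 peers seen within `window`} for every
    source host whose peak reaches `threshold`. Other traffic is ignored."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_firewall(lines):
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():          # conns are already time-ordered
        peak = 0
        for i, (t_end, _dst) in enumerate(conns):
            # distinct peers contacted in the window ending at this connection
            peers = {dst for ts, dst in conns[: i + 1] if ts >= t_end - window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def kill_switch_lookups(lines, domain=KILL_SWITCH_DOMAIN):
    """Return the set of client hosts that queried the kill-switch domain.
    A host that asked for this name most likely executed the worm."""
    hosts = set()
    for line in lines:
        _ts, client, _rtype, qname = line.split()
        if qname.lower().rstrip(".") == domain.lower():
            hosts.add(client)
    return hosts


if __name__ == "__main__":
    for src, peers in smb_fanout_hosts(FIREWALL_LOG).items():
        print(f"worm-like SMB fan-out: {src} reached {peers} distinct hosts on 445")
    for client in sorted(kill_switch_lookups(DNS_LOG)):
        print(f"kill-switch lookup (host likely ran the worm): {client}")
```

Run against real data, the fan-out rule points at machines that need isolating and patching, while the DNS rule finds hosts that should be treated as infected even though the kill switch stopped them from encrypting. The threshold and window are starting points to tune against a site's normal SMB traffic, since a backup server or a patch distribution host can legitimately reach many peers.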

While the usual advice on digital security is to raise awareness among staff, the WannaCry incident is a good reminder that employee training will only protect your organisation if your technology is up to date. Effective digital security must be holistic, protecting against a wide range of evolving threats with a mixture of training, processes, hardware, software and company culture.

How VinciWorks can help

Our vast and expanding cyber security training suite prepares users for all cyber risks. It includes hours of training, hundreds of micro-learning modules and topics from social media to IT security. These courses and micro-learning units can easily be configured into a multi-year training plan.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

James

VinciWorks CEO, VinciWorks
