UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

Bronze badge

Has someone been sending emails again?

26
1
LDS
Silver badge

The Register:

13:22 "'Jaff' argh snakes: 5m emails/hour ransomware floods inboxes"

14:22 "NHS hit by 'cyber attack', at least one hospital shut down"

Coincidence?

11
0
Anonymous Coward

Rang my local hospital at about 13:00. They told me their IT systems had been down for about the last two hours.

2
0
Anonymous Coward

I suspect it also might be related to Windows preferring to execute emailed malware rather than scan it. It nicely removes the user actually having to click anything; Windows takes care of executing it for you.

This is a very good reminder why Windows is such a security cesspit, and unless you need to run Windows stuff, you are far more secure running a Chromebook with its signed read-only runtime... It's pretty much unhackable.

11
14
Anonymous Coward

That's what comes of still running Windows XP!

At least if they ever get to Windows 10, it's a continual incremental upgrade platform and the problem of needing to go through a major upgrade every few years goes away...

5
26
Anonymous Coward

It appears the source IP address is...

It appears the source IP address is ...

Conservative Central Office.

Conservative Central Office are still trying to find the culprit, but they suspect:

Theresa May / Amber Rudd.

(Well if you can't win support for full access to encrypted communications, what better than to stage a ransomware attack on the NHS, to further your cause)

21
18
Anonymous Coward

Re: It appears the source IP address is...

You, sir, are a first-class c**t. This situation is not any sort of funny, nor is it an excuse to make crass "jokes" like this.

7
25

If it has come in on an email, then it says a lot for Trend Micro's cloud-based email scanning service they provide for the NHS.......

7
0

Re: It appears the source IP address is...

Sweary AC. You're not from round these parts are you?

19
2
Silver badge
Boffin

Re: It appears the source IP address is...

scanning port 445, which SHOULD be blocked at the firewall. but apparently is NOT.

According to THIS web site, the worm in question scans for vulnerabilities on port 445. This is an old problem which most net-savvy people BLOCK for incoming packets of any type. Yes, you do NOT want "teh intarwebs" accessing your SMB ports. EVAR.

So it looks like blocking those SMB ports (445, 139) from "teh intarwebs", and (potentially) blocking SMBv1 access on your network PERIOD, are 2 ways of mitigating this problem.

some technical info here:

https://www.hackbusters.com/news/stories/1532486-player-3-has-entered-the-game-say-hello-to-wannacry

5
1
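An added example, not from the original thread: a small Python audit that reads constructed firewall log lines and reports accepted SMB (tcp/445, tcp/139) connections whose source lies outside the internal ranges, which is the exposure the comment above says should be blocked. The `key=value` log format and the internal-range list are assumptions; both need adapting to the real firewall.

```python
import ipaddress

SMB_PORTS = {445, 139}
# Assumed internal ranges (RFC 1918 plus loopback); a real site lists its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log in an assumed 'key=value' format; external sources use
# documentation (TEST-NET) addresses to stand in for internet hosts.
SAMPLE_LOG = """\
src=203.0.113.7 dst=10.0.5.20 proto=tcp dport=445 action=accept
src=10.0.3.15 dst=10.0.5.20 proto=tcp dport=445 action=accept
src=198.51.100.9 dst=10.0.5.21 proto=tcp dport=139 action=accept
src=198.51.100.9 dst=10.0.5.21 proto=tcp dport=445 action=drop
src=192.0.2.44 dst=10.0.5.22 proto=tcp dport=443 action=accept
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; return None for blank or malformed lines."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    return fields if {"src", "dport", "action"} <= set(fields) else None


def is_internal(addr):
    """True when the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def internet_smb_accepts(log_text):
    """Return (src, dport) for each accepted SMB connection from outside the internal ranges."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "accept":
            continue
        dport = int(rec["dport"])
        if dport not in SMB_PORTS or is_internal(rec["src"]):
            continue          # non-SMB traffic and internal SMB are expected
        findings.append((rec["src"], dport))
    return findings


if __name__ == "__main__":
    for src, port in internet_smb_accepts(SAMPLE_LOG):
        print(f"internet-sourced SMB accepted: {src} -> tcp/{port}")
```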
Bronze badge
Facepalm

Re: It appears the source IP address is...

Hmmm but no. This all undermines Rudd's position - the NSA had their zero-day back door and, ooops, the crims eventually got hold of it. OK so it's years after it was created and the vendor has officially patched it (at least for the supported OSes) but that doesn't appear to be stopping it now being used to wreak havoc on a reasonably global scale (caveats re early speculation apply).

Please can we have more of that kind of hole deliberately built in to the fabric of our communications infrastructure because the security services and government will be very careful to never, ever, ever let it out in to the wild. Ever.

19
0
Anonymous Coward

Oh, I do so hope the US gets hit really badly. Like Americans funding the IRA until 11/9 - what goes around comes around...

13
0
Anonymous Coward

Re: It appears the source IP address is...

Who said it was meant as a joke? It was meant to put across a serious point. Due Diligence. Encryption is getting scapegoated here, when this really boils down to lack of resources, poor management - updating/securing systems, poor choices regards Software.

There is a narrative here being fed to the press, who are lapping it up, printing it all as gospel (especially the Guardian's coverage), typically aimed at the technically illiterate, to cause change (I believe regards encryption laws).

What better way to achieve your goals/press that point, than hype up a very emotive "encryption target", where the general public will have difficulty understanding the full picture of the encryption attack, instead, they will be swayed by the emotional aspect of its effects.

It all plays very well for new laws regarding the use of encryption, which lessen, rather than strengthen, their own security, without them realising. This is exactly the sort of technique that will be used to force "change" (regarding encryption law) through.

Yes, the effects are real, but like anything, systems will be back to normal in a week, the real effects on encryption laws/personal privacy (long term) could be the real attack vector in this.

6
0
Anonymous Coward

Re: It appears the source IP address is...

Well sir, I for one am sniggering, as I stopped using that virus vector-ware called MS Windows in 2008. The brill thing about Linux is YOU have control, and can cut out as many application packages as you wish, making your installed system smaller, simpler and therefore much easier to manage.

You choose. I'm sniggering.

2
2
Anonymous Coward

Re: It appears the source IP address is...

OH but it is ...it so is

Because it highlights that the clowns that run IT in most major orgs are clueless - but think they are god's gift.

And now they have just been bitten, and bitten hard...

2
2

Re: It appears the source IP address is...

Lack of resource and funding is correct to a certain extent. One of the real issues is the equipment that has to use Windows XP because the supplier either no longer exists or it is too expensive to replace. Million-pound scanners that are perfectly serviceable simply cannot be replaced because the OS of a control PC is unsupported. With many of these very high tech, high cost and low volume systems, there really is very little option.

The armchair experts that only look after a few hundred PCs and a handful of servers simply do not understand the problems.

4
0

"I suspect it also might be related to Windows preferring to execute emailed malware rather than scan it. It nicely removes the user actually having to click anything; Windows takes care of executing it for you."

That isn't a Windows vulnerability per se, it's an incompetently-written-email-client vulnerability. This is one reason why Pegasus Mail deliberately doesn't execute any code in an email, unless of course explicitly asked by the user to do so.

0
0
Anonymous Coward

>At least if they ever get to Windows 10, it's a continual excremental upgrade platform

FTFY.

1
0

Strong and stable network

55
3
Anonymous Coward

Who Gains ?

4
1
Silver badge

Probably a misunderstanding by the attackers. Ransomware is probably quite effective against US hospitals and they may have made an assumption that all hospitals will pay to resume service.

Or it's just collateral damage from a massive email spam list which includes hospitals. That'll be why they are hitting all parts of government as well.

6
2
Anonymous Coward

He who closes the tickets

In the large, paperless hospital I currently work in, HP's performance is measured by the number of tickets they generate and close rather than any problems they actually solve. I'm sure their performance will be way up in the coming days.

15
1
Silver badge

It's international. UK, Spain, Italy, China, Russia, Vietnam, Kazakhstan and Taiwan so far reporting massive numbers of infections.

9
0
Anonymous Coward

Expect them to engineer a scare story every day now until polling day.

8
9
Anonymous Coward

Details from Spain's National Cryptology Centre on which computer systems are being affected:

Microsoft Windows Vista SP2

Windows Server 2008 SP2 and R2 SP1

Windows 7

Windows 8.1

Windows RT 8.1

Windows Server 2012 and R2

Windows 10

Windows Server 2016

21
3
Anonymous Coward

Tough on Health. Tough on the causes of Health.

16
0

Portugal too

- I heard on the news. Not sure how much, they mention NHS as worst hit.

0
0
PTW
Pint

Eh?

A down vote for posting details from Spain's National Cryptology Centre?

Weirdo down voter Foxtrot Oscar & you can have an up vote [and beer] from me

6
1

Re: Eh?

Perhaps the thumbdown didn't agree that later systems are vulnerable? But those are the affected systems reported at www.ccn-cert.cni.es

1
0
Anonymous Coward

Details from Spain's National Cryptology Centre on which computer systems are being affected:

Microsoft Windows Vista SP2

Windows Server 2008 SP2 and R2 SP1

Windows 7

Windows 8.1

Windows RT 8.1

Windows Server 2012 and R2

Windows 10

Windows Server 2016

No specific target then...

4
1
Anonymous Coward

Linux...

Can't see Linux on your list.

3
0
Anonymous Coward

Re: Linux...

No Specific Target then...

(It was meant as sarcasm)

3
0
Flame

Re: Eh?

"Perhaps the thumbdown didn't agree that later systems are vulnerable?"

Affected system != vulnerable system. The Spanish report covers those systems which were infected (and as I have said before, downvoting a fact doesn't make it false); it doesn't distinguish between those with unpatched vulnerabilities, and those with dumb users who click on dodgy links such as those "YOUR COMPUTER IS AT RISK!!!!!" ads we have all seen.

1
0

Ransomware

Looks like ransomware https://twitter.com/asystoly/status/863027172453351424 , let's wait and see how they spin this into a "complex zero-day state-sponsored attack"

19
7

Re: Ransomware

Spin? What makes you think cyber warfare is not a possibility?

1
14
Silver badge

Re: Ransomware

"Spin? What makes you think cyber warfare is not a possibility?"

Because in warfare you destroy the opponents assets. You don't lock them up and demand a ransom.

29
0
Silver badge

Re: Ransomware

"You don't lock them up and demand a ransom."

You might not now but in medieval times it was the best way of becoming rich

36
0
Anonymous Coward

Re: Ransomware

Surely a threat detection system can notice that a lot of files are being encrypted and pop up a warning to block that process and let you know.

So why is there no universal endpoint protection system that does this? In fact this should be baked in to the OS by now.

I remember someone wrote a piece of software that put a honeypot file in every directory and checked them for changes. If they changed then the user account would be blocked immediately.

Hopefully a major incident like this will spur some action from someone.

24
1
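The canary-file idea in this comment, as an added Python example that is not from the original thread: plant a canary in every directory, then on each sweep detect canaries that have been modified, renamed or deleted. The file name, contents and the temp-directory scenario in `demo()` are constructed for illustration; suspending the account when a canary trips is left to the caller.

```python
import hashlib
import os
import tempfile

# Assumed canary name; the leading dot and '00' make it sort early so a walk
# in sorted order reaches it before most real files.
CANARY_NAME = ".canary-00-do-not-touch.txt"
CANARY_BODY = b"canary file: contents must never change\n"
CANARY_HASH = hashlib.sha256(CANARY_BODY).hexdigest()


def plant_canaries(root):
    """Write one canary into root and every subdirectory; return the planted paths."""
    planted = []
    for dirpath, _dirs, _files in os.walk(root):
        path = os.path.join(dirpath, CANARY_NAME)
        with open(path, "wb") as fh:
            fh.write(CANARY_BODY)
        planted.append(path)
    return planted


def check_canaries(paths):
    """Return (path, reason) for each canary no longer intact; the caller decides the response."""
    tripped = []
    for path in paths:
        if not os.path.exists(path):
            tripped.append((path, "missing"))      # deleted, or renamed with a new extension
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest != CANARY_HASH:
            tripped.append((path, "modified"))     # rewritten in place, e.g. encrypted
    return tripped


def demo():
    """Constructed scenario in a temp dir: plant, then simulate an overwrite and a rename."""
    root = tempfile.mkdtemp()
    for sub in ("docs", "scans"):
        os.makedirs(os.path.join(root, sub))
    paths = plant_canaries(root)
    baseline = check_canaries(paths)               # [] while everything is intact
    with open(paths[1], "wb") as fh:
        fh.write(b"\x00" * 64)                     # stand-in for in-place encryption
    os.rename(paths[2], paths[2] + ".locked")      # stand-in for rename-on-encrypt
    return baseline, sorted(reason for _p, reason in check_canaries(paths))
```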

Re: Ransomware

You might not, you might want to tie up resources and cause stress to enemy systems, much like snipers shooting people to wound and so tying up resources both medically and for the wounded soldiers friends.

8
0
Silver badge

Re: Ransomware

@AC

"So why is there no universal endpoint protection system that does this? In fact this should be baked in to the OS by now."

Because when Windows XP was being developed in 2001 no-one thought it was important (and I believe a lot of the NHS still uses that). Of course that doesn't excuse weaknesses in Win 10.

12
0

Backup

No need for messing about with clever detection routines that use up valuable system resources and still won't catch it early enough to protect everything - just backup your shit, ffs. There are so many lightweight endpoint backup solutions out there, there's no excuse - just roll back to a date/time just before the attack and carry on with your day.

15
0
Anonymous Coward

Re: Backup

A backup is a start and will help you recover a few user docs that have aged a little, but if you believe that will save you from any issues you are clueless.

Roll back your DB to your last backup 24 hours ago, or 5 hours ago or even 5 minutes ago, and for some people you may as well not have a backup at all unless there are also systems in place to recover the data from then until a few seconds ago.

If you think the issues being experienced today by the NHS could be solved just by putting last night's backup tape in and everything will be back to normal, why not go and knock on their door they would love to hear from you - similar to all the other organisations which may or may not be having a similar nightmare day today. You'll earn a fortune as a consultant.

In fact why not hire yourself out as a consultant and guarantee that any company who hires you will never get into any serious trouble as you'll install a backup system for them. You better have a pretty good insurance policy backing you up on your claims though.

14
4
Anonymous Coward

Re: Backup

If you're running a business-critical back-end database on a Windows box that is in any way accessible by a clueless user who can manage to get it infected with a virus, then my friend, you deserve all you get.

31
8
Anonymous Coward

Re: Ransomware

"Surely a threat detection system can notice that a lot of files are being encrypted and pop up a warning to block that process and let you know. So why is there no universal endpoint protection system that does this? In fact this should be baked in to the OS by now."

Malwarebytes claims that their Endpoint Security product for businesses will do this. They also have a free anti-ransomware product for desktops (beta for past year).

1
0
Silver badge

Re: Backup

Roll back your DB to your last backup 24 hours ago, or 5 hours ago or even 5 minutes ago, and for some people you may as well not have a backup at all unless there are also systems in place to recover the data from then until a few seconds ago.

I worked on systems with this capability over two decades ago. This isn't rocket science.

7
4
Bronze badge

Re: Ransomware

You might not now but in medieval times it was the best way of becoming rich.

It works pretty darn well for Microsoft, Adobe and their ilk. Have the paying beta testers... erm, customers locked into the Windows OS and demand an increasing amount for each forced update.

14
4
Anonymous Coward

Re: Backup

"that is in any way accessible by a clueless user who can manage to get it infected with a virus, then my friend, you deserve all you get"

Of course, it's all so easy. There is no way anything could run a privilege escalation attack on system process and then propagate through the network to trusted resources. Or open a hole in a previously secure protocol or hijack a privileged app updater routine, or etc etc.

Life isn't so easy in the security arena. Anyone who thinks it is isn't responsible for systems security at anything approaching a large organisation.

5
1

Re: Ransomware

Hopefully a major incident like this will spur some action from someone.

This is Windows you're talking about. "Security" just doesn't exist.

12
7
Silver badge

Re: Ransomware

"You might not now but in medieval times it was the best way of becoming rich"

Look, I know after 7 years under a Tory-led bollocks job of a government it feels like we're in medieval times. But we're not. Have faith, pip pip and make June the end of May.

Thank you x

16
11
Silver badge
Unhappy

Re: Backup

According to at least one hospital official interviewed tonight, there is no electronic backup, there is no paper backup, and more than likely patient data will not be recovered.

1
1
