NHS Ransomware Attack Goes Global, Affecting Tens of Thousands

Written by

The National Health Service (NHS) in the UK has confirmed that 16 different NHS organizations have been affected by the brand-new Wanna Decryptor 2.0 ransomware—while it has emerged that the campaign is global and coordinated, with tens of thousands of attacks on various sectors in just the last few hours.

The investigation is at an “early stage,” NHS Digital said in a short statement, adding that there is no evidence that patient data has been accessed.

Earlier, news emerged that NHS and a diverse slew of organizations, including telecom giant Telefonica, have been targeted by the ransomware, with the NHS Trust shutting down its IT systems entirely to contain the infection. Telefonica is taking similar quarantine measures—with major repercussions in the offing.

“The financial impact of the attack on Telefonica should be significant, and goes far beyond the ransom being demanded,” said Avast team lead Jakub Kroustek, via email. “Reportedly, 85% of the company’s computers have been affected, and Telefonica asked employees to shut down their computers and go home which should have serious financial consequences for the company. It should not take Telefonica long to remove the ransomware, but if Telefonica has not recently backed-up employee files, it could take a while before they are recovered, if they were encrypted by the ransomware.”

A follow-on investigation by Avast Threat Lab found that the ransomware, variously known as WannaCry, Wanna Decryptor, Wcry or WanaCrypt0r 2.0, is actually in the middle of a massive global peak, with more than 36,000 detections so far in just the last day. Despite the NHS and Telefonica hits (and other European companies like Santander), the campaign is largely targeting Russia, Ukraine and Taiwan. Victims are as far-flung as Turkey, Indonesia, Vietnam, Japan and Germany.

Check Point said that version 1.0 of this ransomware was discovered on February 10, and was used in a limited way. Version 2.0 was detected for the first time earlier today, suddenly emerging and spreading very rapidly globally.

Aatish Pattni, head of threat prevention, Northern Europe for Check Point, told Infosecurity that "the ransomware used in this attack is relatively new. Even so, it’s spreading fast, with organizations across Europe and Asia being hit. It shows just how damaging ransomware can be—and how quickly it can cause disruption to vital services.”

Some believe this was a carefully orchestrated attack rather than a case of a new sample suddenly becoming virulent.

“This would appear to be a wide ranging, well-coordinated ransomware attack, using a new variant of ransomware. It was well thought-out, well-timed and well-coordinated,” said Brian Lord OBE, former deputy director of GCHQ Cyber and Intelligence, now MD at PGI Cyber. “But fundamentally, there is nothing unusual about its delivery. It is still fundamentally robbery and extortion, albeit large scale.”

He added, “Something like this was always inevitable. While organizations are distracted by high-profile dramatized threats, such as Russian election hacking, they are neglecting basic cyber-hygiene measures which can prevent the mass effectiveness of mass ransomware attacks like this.”

NHS Digital said that it is working closely with the National Cyber Security Centre, the Department of Health and NHS England to resolve the situation.

What’s hot on Infosecurity Magazine?