Analysis | What you need to know about the massive hack that hit the British health-care system, elsewhere


May 12, 2017

It was first reported in England — hackers gained access to the National Health Service computers, effectively shuttering the entire system. Patients were told to stay home; doctors and nurses were unable to access email or medical records and had to take notes by hand. The hackers demanded a ransom, to be paid in bitcoin.


An exterior view shows the main entrance of St Bartholomew's Hospital, in London, one of the hospitals whose computer systems were affected by a cyberattack, Friday, May 12, 2017. A large cyberattack crippled computer systems at hospitals across England on Friday, with appointments canceled, phone lines down and patients turned away.

By this afternoon, though, it was clear that this was not a limited attack. Businesses in at least 11 other countries reported similar cyberattacks. Many were paralyzed.

There's still a lot we don't know. (We'll be updating this post!) But here's what we know, so far:

How, exactly, does this ransomware work?

As its name implies, ransomware works like a hostage-taker.

Once your computer is infected, the attack can do a couple of things. One common approach: your files are encrypted, scrambled into a form that only the hacker holds the key to. Often, you won't even know you've been targeted until you try to open a file.

Another, more damaging version of this is what's happened today: The ransomware locks you out of your entire system. During today's attacks in England, the wallpaper of a computer was replaced with a message demanding $300 in bitcoin in exchange for the “decryption” key that would unlock the files. Victims have three days to pay before the fee is doubled. (Something very similar happened to a hospital system in Los Angeles a couple of months ago. The hospital ended up paying about $17,000. The hackers had even set up a help line to answer questions about paying the ransom.)
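The point above, that victims often notice nothing until a file fails to open, is what a defender can turn around: freshly encrypted files look like random bytes, so a folder that suddenly fills with high-entropy files is an early warning. The script below is an added illustration, not code from the article or from any product it mentions; the sample folder it builds is constructed, with two plain text files and two files overwritten with pseudo-random bytes standing in for encrypted records.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Bits of entropy per byte: plain text sits around 4-5, encrypted data near 8.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True if the file's leading bytes are near-uniform, as an encrypted file's are."""
    with path.open("rb") as f:
        return shannon_entropy(f.read(sample_size)) >= ENTROPY_THRESHOLD


def scan_directory(root: Path) -> dict:
    """Count files under `root` and list those that look encrypted."""
    files = [p for p in sorted(root.rglob("*")) if p.is_file()]
    suspicious = [str(p) for p in files if looks_encrypted(p)]
    return {"scanned": len(files), "suspicious": len(suspicious), "paths": suspicious}


def mass_encryption_suspected(report: dict, ratio: float = 0.5) -> bool:
    """Alert on the share of high-entropy files, not on any single one:
    compressed formats (zip, jpeg, pdf) score high too, a sudden mass change does not."""
    return report["scanned"] > 0 and report["suspicious"] / report["scanned"] >= ratio


def build_demo_dir() -> Path:
    """Constructed sample data (not a real capture): two text files, two 'encrypted' ones."""
    root = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    rng = random.Random(20170512)  # seeded so the demo is deterministic
    (root / "notes.txt").write_text("Appointment schedule, ward 3.\n" * 100)
    (root / "letter.txt").write_text("Dear colleague, the agenda is attached.\n" * 50)
    for name in ("records.db", "scan.pdf"):  # pseudo-random bytes stand in for ciphertext
        (root / name).write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    return root


if __name__ == "__main__":
    report = scan_directory(build_demo_dir())
    print(report, "ALERT" if mass_encryption_suspected(report) else "ok")
```

Run against a baseline taken when the folder is healthy, the rising share of suspicious files is the signal; the absolute count alone would also flag a folder of legitimate archives.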

Here's the screen that flashes up if your computer gets hacked.

The attack relies on something called the Wanna Decryptor, also known as WannaCry or WCRY. These kinds of attacks are particularly hard to spot, especially because hackers are always tweaking them. The Wanna Decryptor being used is just weeks old, and it was just updated.

How do computers get infected?

Lots of ways.

Hackers can get ransomware on your system if you download an infected piece of software or even a PDF. They can use a phishing email to direct users to an infected website.

In this case, hackers sent a .zip file as an email attachment — when victims clicked on it, their computers were infected. But the attack didn't stop there. The ransomware spread through the hospitals' and businesses' computer networks. “Once you get a foothold in the system, other users will start to run those pieces of software,” explained Clifford Neuman, who directs the USC Center for Computer System Security.

What's Edward Snowden got to do with it?

Though we don't know for sure, it looks like the hackers exploited a vulnerability in the Windows operating system. Microsoft knew about this many months ago and put together a patch, but many businesses are slow to update their operating system because they have to evaluate the impact of system updates on other software. (Or, like most of us, they just keep running old versions of software forever.)

Microsoft knew about this vulnerability because it was exposed by former National Security Agency contractor Edward Snowden: Apparently the U.S. surveillance service had been exploiting it for its own use.

Who's behind the attack?

Investigators are pursuing a lot of different leads, but so far they have very little concrete evidence. They do think it's the work of criminals, not a foreign power. They know that the original hacking tool was leaked by a group called the Shadow Brokers, which dumps stolen NSA tools online. But they don't know who the Shadow Brokers hackers are, or whether they even perpetrated the attack.

Who's been hit so far?

Britain's National Health Service was a major victim. More than forty hospitals and health facilities across England have been affected, and many staff members are totally locked out of their computers, unable to access patient medical records, appointment schedules and internal emails. At least 16 hospitals were affected across the country. It's so bad that officials are warning people to stay home unless they're having a medical emergency. Hospitals in Scotland and Wales were affected too.

But investigators quickly discovered that the NHS was not the only, or even the intended, victim. The attack was wide-ranging and affected organizations around the country.

Meanwhile, Spain's National Cryptologic Center, part of the country's intelligence agency, reported a “massive ransomware attack” against Spanish organizations. At Telefonica, in Madrid, security department officials ordered employees to switch off their computers and disconnect from WiFi.

This is WAY bigger than that, though. According to the Independent, these attacks may well stretch around the globe, from Portugal to Turkey, Indonesia, Vietnam, Japan, Germany and Russia. It “is much larger than just the NHS,” Travis Farral, director of security strategy for cyber security firm Anomali Labs, told the Independent. “It appears to be a giant campaign that has hit Spain and Russia the hardest.” (Here's a live map tracking the malware.)

This afternoon, FedEx disclosed that its systems also were victims of the hack.

What are investigators trying to do to catch the attackers?

It can be hard to track down the perpetrators in attacks like this, but not impossible.

One method: follow the money. It's possible to trace where a bitcoin payment ends up. “Despite what people tend to think, it's highly traceable,” said Neuman, the USC director. “You can see the flow of funds through the bitcoin system.” That doesn't mean, however, that you'll know who actually ends up with the money, especially once it's pulled out of the bitcoin system. Hackers are able to hide that in lots of different ways.

Experts will also be searching the code itself for clues. Hackers each write code in different ways, leaving identifiable traces of their work, like a signature.

What can I do to stay safe?

First, back up your hard drive. You should be keeping frequent backups anyway, in case your computer dies on its own. But if your computer gets hacked, you'll be able to retrieve your data without paying a ransom.

If you run a business, back up every computer in your office, and have a plan for what to do if your system goes down for a while. Be smart about setting up your network, so that most users don't have complete access to the system. This makes it harder for a ransomware attack to infect everything. And make sure your users are educated about the common kinds of attacks.

Avi Rubin, a Johns Hopkins professor who studies computer hacking, has one other piece of advice: If you or your business get attacked, don't pay. “You're funding the bad guys, and giving more incentive,” he said. You also don't know whether your things will really be restored.

Courtesy: Washington Post