Ransomware, Data Loss and the NHS Incident
Over the weekend of 12 – 14 May 2017, news began to emerge of an extensive ‘ransomware’ attack, affecting large numbers of organisations and individuals worldwide. The attack manifested itself via a message on the user’s computer, stating that their files had been rendered unavailable via a process of encryption (encoding), and would be released only upon payment of a ransom of $300. Payment was to be made using Bitcoin, a digital ‘virtual currency’, in which payments are virtually untraceable.
Of particular concern was the scale of the issue – 75,000 cases in 99 different countries had been reported by 13 May – with the National Health Service in England and Scotland one of the worst affected. However, a number of other large institutions also experienced data losses, including Telefonica in Spain, Renault in France, FedEx in the US, and Portugal Telecom [1, 2,3,4].
The attack was caused by a piece of malicious software (‘malware’) known as ‘WanaCrypt0r 2.0’, a variant of an earlier version known as ‘WannaCry’ or ‘WCry’, which spread itself through connected computers on Windows networks, following initial infection of any one of the machines on the network. The spread was made possible by the existence of a known vulnerability in the Windows operating system. This vulnerability had been fixed by a previously-released security patch, but this was reliant on individual users having regularly run Windows Updates and ensuring that their system was up-to-date.
It has more recently been reported that the spread of the ransomware – or, at least, its initial version – appears to have been stopped via the actions of a malware analyst, who registered a domain name to which the malware appeared to be attempting to connect (perhaps as part of a way of determining whether or not it was being run in a ‘sandbox’ (test) environment). Initial indications are that the registration of this domain appears to have acted as a ‘kill switch’, to prevent the malicious code from spreading [6,7,8]. However, for those infected, the damage had already been done.
The costs to businesses arising from a loss of their critical data – even for a short period – can be catastrophic. For this reason, many businesses affected by a case such as this may be tempted to simply pay the ransom in order to have their files unlocked, rather than attempt to go through a lengthy data-restoration process. However, a number of experts suggest that, even if payment is made, there is a high likelihood that the criminals will not reinstate the encrypted files .
In addition to the ransomware involved in this particular case, large numbers of other types of malware exist, which can cause damage in a range of different ways. Some variants will monitor keypresses on a user’s computer (e.g. to collect passwords and other sensitive data) and will relay this information back to a fraudster; other types of malware can affect the configuration of a user’s computer, so as to re-direct the user to a fraudulent domain when attempting to browse to a legitimate website.
For these reasons, it is essential for organizations – and other Internet users – to take as many precautions as possible to avoid falling victim to the damaging effects of malware. Some of the key actions to implement are:
- Avoid opening attachments in unsolicited e-mails, or clicking links on unknown / untrusted websites, which can be sources of initial malware infection.
- Ensure that software and operating systems are kept up-to-date with the latest versions, incorporating any security patches (e.g. by regularly running Windows Updates).
- Run anti-virus / anti-malware software on all systems and ensure that firewalls are in place.
- Ensure that regular back-ups of important data are made, so that files can be restored in the case of loss.