At least 40 NHS Trusts and hundreds of GP Practices have shut down their IT systems after being hit with ransomware today (12th May 2017). We would like to reassure our users that PatientSource is immune to these attacks.
If you have unpatched Windows systems which are affected, please see below for instructions on how to recover from WannaCrypt.
Hospitals running PatientSource are still able to access their full PatientSource system. PatientSource is cross-platform and can be accessed via any modern web browser, which means that even if all of a hospital's internal Windows computers are infected, their PatientSource system can still be accessed by their non-Windows computers, tablets and smartphones. PatientSource uses security-hardened Linux servers with daily patching, so it is not vulnerable.
It is safer to have patient data stored on professionally maintained, up-to-date cloud infrastructure, such as PatientSource hosted on Microsoft's Azure, than in on-premises hospital networks which may have unpatched vulnerable systems.
The malware responsible for the 12th May ransomware outbreak was WannaCrypt (.WCRY). .WCRY was first seen in the wild in Europe in February 2017. A second variant appeared today (12th May 2017), rapidly spreading across Europe. Telefonica, the Spanish ISP, was particularly affected. At some point in the afternoon, WannaCryptor reached central NHS servers and began spreading to GP Practices and hospitals.
All versions of Windows and Windows Server which have not received Microsoft's March 2017 patch MS17-010 are vulnerable.
How WannaCrypt works:
WannaCrypt spreads across vulnerable Windows servers and terminals. Once a machine is infected, it begins encrypting files and folders which can only be recovered by decrypting them again with the correct key. WanaDeCryptor throws up a screen demanding a ransom paid in Bitcoins in order to obtain the key to decrypt your files.
Files are encrypted using the symmetric encryption cipher AES with a 128-bit key. AES is the industry-standard symmetric encryption technology, which at a 128-bit key length would take even a supercomputer 1 billion billion years to crack. AES is a useful technology for protecting data from unauthorised access; however, WannaCrypt abuses it to lock files away from their rightful owners until a ransom is paid.
The vector for spreading WannaCrypt is thought to be the Windows SMB (Server Message Block) protocol. SMB allows users to share files and folders across a network. Once the malware has reached a new Windows Server or Windows computer, it exploits a vulnerability in the Windows Malware Detection service to execute. The malware then begins searching the hard drives and shared network folders, encrypting any non-system file it encounters.
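Because the worm spreads over SMB, an infected machine typically opens SMB connections to many different peers in a short time. The following detection sketch is an added example, not part of the original article: it assumes a hypothetical connection log format of "timestamp source destination port" and the standard SMB port TCP 445, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = "445"  # TCP port used by SMB file sharing

# Constructed sample log (hypothetical format: time src dst dport).
SAMPLE_LOG = """\
2017-05-12T14:00:01 10.0.0.23 10.0.0.31 445
2017-05-12T14:00:02 10.0.0.23 10.0.0.32 445
2017-05-12T14:00:03 10.0.0.23 10.0.0.33 445
2017-05-12T14:00:04 10.0.0.23 10.0.0.34 445
2017-05-12T14:00:05 10.0.0.23 10.0.0.35 445
2017-05-12T14:00:06 10.0.0.8 10.0.0.5 445
2017-05-12T14:00:30 10.0.0.8 10.0.0.5 445
2017-05-12T09:00:00 10.0.0.9 10.0.0.5 445
2017-05-12T11:00:00 10.0.0.9 10.0.0.6 445
2017-05-12T13:00:00 10.0.0.9 10.0.0.7 445
2017-05-12T15:00:00 10.0.0.9 10.0.0.4 445
2017-05-12T14:00:07 10.0.0.23 203.0.113.10 443
"""


def smb_fanout_hosts(lines, max_peers=3, window=timedelta(minutes=1)):
    """Return {source: peak distinct SMB peers inside any window} for
    sources whose peak exceeds max_peers."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != SMB_PORT:
            continue  # malformed line or not SMB traffic
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events[parts[1]].append((when, parts[2]))
    flagged = {}
    for src, seen in events.items():
        seen.sort()
        start = peak = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in seen[start:end + 1]}))
        if peak > max_peers:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(smb_fanout_hosts(SAMPLE_LOG.splitlines()))
```

A client that talks to one file server repeatedly, or to a few servers over several hours, stays below the threshold; tune max_peers and window to the network's normal SMB usage.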
Affected operating systems:
- Microsoft Windows: XP, Vista, 8, 8.1, 10
- Windows Server: 2003, 2008, 2008 R2, 2012, 2012 R2, 2016
Why the NHS has been affected:
Much of the NHS still runs on-premises servers. With increasing pressure on NHS finances, many hospital Trusts do not have sufficient numbers of in-house IT staff to keep all their servers up to date with daily patches. Many NHS Trusts are running unsupported end-of-life operating systems such as Windows XP and Windows 2003 due to budgetary constraints.
It is much safer to keep patient data on an ISO27001 certified professionally-maintained cloud service such as PatientSource hosted on Microsoft’s Azure infrastructure, than on hospital premises where there may be unpatched systems.
How to recover from a WannaCrypt attack:
You can restore your systems in the following manner (requires administrative privileges):
1) Reboot the affected Windows terminal or Server in "Safe Mode with Networking".
2) Download and apply the MS17-010 patch, which was originally released in March. Windows Update will automatically fetch this for you if it is switched on.
3) Download and run Windows Defender. Fetch the latest definitions first, which will pull in detections for Ransom:Win32/WannaCrypt. Run a full scan.
5) Restore your non-system files from your most recent backups, if you have them.
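Before restoring, it helps to know which encrypted files actually have a backup copy. The following is an added example, not part of the original article: it assumes encrypted files keep their original name with the .WCRY extension appended, and the function name, directory layout and sample files are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Extension named on this page. Assumption: it is appended to the original
# file name (report.docx -> report.docx.WCRY).
ENCRYPTED_SUFFIX = ".WCRY"


def plan_restore(affected_root, backup_root, suffix=ENCRYPTED_SUFFIX):
    """Split encrypted files into those with a backup copy and those without.

    Returns (restorable, missing): sorted lists of original relative paths.
    """
    affected_root, backup_root = Path(affected_root), Path(backup_root)
    restorable, missing = [], []
    for dirpath, _dirs, files in os.walk(affected_root):
        for name in files:
            # Windows file names are case-insensitive, so compare lowered.
            if not name.lower().endswith(suffix.lower()):
                continue
            original = name[: -len(suffix)]
            if not original:  # a file called just ".WCRY" has no original name
                continue
            rel = (Path(dirpath) / original).relative_to(affected_root)
            bucket = restorable if (backup_root / rel).is_file() else missing
            bucket.append(rel.as_posix())
    return sorted(restorable), sorted(missing)


def demo():
    """Build a constructed sample tree and return the restore plan for it."""
    with tempfile.TemporaryDirectory() as tmp:
        affected, backup = Path(tmp, "affected"), Path(tmp, "backup")
        samples = [
            affected / "ward/notes.docx.WCRY",  # encrypted, backup exists
            affected / "ward/rota.xlsx.wcry",   # encrypted, no backup
            affected / "readme.txt",            # untouched file, ignored
            backup / "ward/notes.docx",
        ]
        for path in samples:
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample")
        return plan_restore(affected, backup)


if __name__ == "__main__":
    print(demo())
```

Run it against a read-only mount of the affected share and the most recent backup; the second list is the data that cannot be recovered from that backup set.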
At the moment, there is no known flaw in the WannaCrypt encryption routine. Security researchers are working hard to find a flaw. If one is found, this may allow us to break the WannaCrypt encryption and provide a program for users to decrypt their affected files.
We advise you not to pay the ransom. Not only will paying the ransom fuel more crimes like the WannaCrypt outbreak, you are also likely to end up on a list of people who are willing to pay, and thus be targeted in future attacks.
PatientSource Ltd is providing healthcare organisations with low-cost expert IT help to recover from ransomware attacks and to harden their systems against future attacks. Please Contact Us if you are affected. PatientSource systems are already immune to this attack.
Updated 2017-05-13 10:10 UTC: Amended the total number of NHS organisations affected. Added instructions for how to remove the ransomware.