The National Health Service (NHS) in the UK as well as a large number of other organisations across the globe have been hit by a massive ransomware infection that has crippled a number of different networks, especially in Spain and Russia.
On Friday, thousands of reports surfaced from workers unable to access data stored on computers and servers, who instead reported error messages claiming that the data had been encrypted.
Security researchers are already saying that this is the largest single ransomware campaign ever.
What is ransomware?
Ransomware is a type of malware that has become increasingly popular and sophisticated over the last handful of years, and we’ve warned about its potentially catastrophic effects a number of times.
This particularly malicious malware infects a computer and encrypts all personal files stored on its hard drive and – depending on its ability – any files on network storage servers that the computer can access.
In many cases, that encryption is so strong that it cannot realistically be broken without a specific decryption key, something that only the cyber crooks possess.
Ransomware gets its name because the cyber crooks are in effect holding all of those encrypted files to ransom until the victim(s) pay money to retrieve that decryption key.
Who does ransomware target?
In short, anyone. Ransomware is often targeted towards personal users by attaching installation files to emails and tricking recipients into opening up those attachments.
However, ransomware can also be tailored to target businesses, even specific businesses, through targeted campaigns (campaigns that have been specifically designed to fool workers in a particular industry or business). This appears to have been the case in the NHS attacks.
How did the ransomware infect the NHS?
Ransomware campaigns usually rely on tricking victims into infecting their own computers, for example by opening malicious email attachments or downloading harmful files from dangerous webpages.
However, ransomware has also been known to exploit unknown (or unpatched) vulnerabilities in computer software that could allow crooks to infect computers with minimal (or even no) help from the victim. Since many NHS computers are still using Windows XP – an operating system that has not been supported for many years now – it is perhaps no surprise that vulnerabilities in the software are to blame for this attack.
Security researchers have claimed this may be the case with this recent campaign. Reports suggest that a computer “worm” (software designed to spread across networks) is being used to carry the ransomware infection across computer networks, exploiting unpatched vulnerabilities in network software that allow it to travel unhindered. That computer worm was reportedly designed by the NSA and was leaked on the Internet over a year ago. As such, Microsoft did release a security update, but many computers have not applied that update (and Windows XP users would not have received it, since updates have stopped for that OS).
However, since the attacks Microsoft has released updated security patches, including a “one-off” patch for Windows XP users.
What strain of ransomware is it?
Ransomware comes in many different forms, created by a number of different networks of cyber crooks. In this case the variant of malware is called “Wanna Decryptor” or “WannaCry”, which according to researchers is a relatively new strain of ransomware.
How much is the ransom?
Each infection is reported to be asking for around $300 for a decryption key.
Are people paying up?
Reports suggest that people are paying to get the decryption key and retrieve their files. As is typical with ransomware, payment is often required through BitCoin because of its anonymity. BitCoin “wallets” associated with this ransomware campaign are reported to have already received substantial payments.
However, with ransomware crooks, there is no guarantee they will honour that payment and allow victims to retrieve their encrypted files.
More to follow…