NHS Ransomware attack-how it worked

First thing to say is that the ransomware wasn’t the new and interesting thing here.

Ransomware has been hitting organisations and individuals for years, and the strain of ransomware used in this attack (WCry) isn’t new, or interesting. It does what all other ransomware does: scrambles victims’ files and charges them a ransom to get it back.

Wannacry-on-computer-image

The new and interesting bit is how it spread.

You see, the problem with ransomware has always been distribution. If you can get the virus onto someone’s computer, there’s a pretty good chance it’ll work, and an odds-on chance that the victim will pay up.

But how do you get it onto their computer in the first place? That’s the challenge.

The traditional method has been through spam email. How does that work? Well, remember all those news stories about websites being hacked and millions of records leaking out? Hackers take those millions of email addresses and spam them, and contained within that spam is often ransomware.

But it’s an imperfect solution: for a start, the spam emails can get picked up by junk email filters. And even if they get through, the hackers are reliant on the victims clicking on the link in the email or opening the attachment in order to launch the ransomware.

It’s a pain, basically.

What hackers have been praying for is a self-replicating virus: something that can spread all by itself without the need for email, and rake in money too.

And, thanks to the US National Security Agency, that’s exactly what they got.

The NSA developed a hacking tool called Eternal Blue. It was a virus that could spread from one Windows machine to another, through a feature of Windows called SMB.

SMB is, basically, a computer-sharing tool. If you have music on your computer in the study and want to listen to it on the laptop in the lounge, SMB links the two computers to let you do that.

But the NSA discovered that you can also use that link to spread viruses from one Windows machine to another.

The NSA didn’t tell Microsoft that they’d found this flaw, but instead kept it secret as part of their armoury of online weapons.

Last year, someone broke into the NSA’s systems and stole a bunch of tools, including Eternal Blue (sparking a debate about the wisdom of letting spy agencies secretly harvest and exploit computer problems).

The stolen hacking tools were sold online by a group called Shadow Brokers, which many tech security analysts believe is either working for or within the Russian government (Russia has repeatedly denied any involvement in such hacking in the US).

Noticing that the cat was out of the bag, in March Microsoft released an update for Windows that fixed the SMB problem. But because Microsoft had earlier decided not to keep providing updates for its aged XP software, it didn’t provide a fix for SMB in XP.

Some people downloaded the update. Some didn’t. Those who used Microsoft XP didn’t even have the choice.

At some point between the Shadow Brokers leak and May 12th, someone worked out how to combine the SMB-computer-hopping trick with ransomware.

Here’s how it works: the computer-hopping virus comes up with a random IP address (a computer’s unique location on the internet). It then checks to see if the computer at that IP address has SMB installed, and if so, if it’s vulnerable to Eternal Blue.

If so, the computer-hopping software sends ransomware over the internet to that vulnerable machine, which is then infected.

The computer-hopping virus then looks for other computers connected to the infected one, and if they have vulnerable SMB software, it sends them ransomware too.

It keeps generating random computer addresses, checking them for vulnerability, and sending them ransomware, which then keeps spreading itself to more computers.

That’s how it got to 200,000 machines in 150 countries.

So why was the NHS apparently so badly affected? Two reasons: firstly, there’s no centralised NHS control of Trusts’ IT systems; it’s up to Trusts themselves to make decisions about day-to-day tech admin. And it appears some decided not to install that critical Windows update back in March. Bad call.

NHS Trusts also make their own arrangements as to how they connect together online. This meant that once one Trust’s computers were infected, the virus could spread to other Trusts’ machines.

Who was behind the ransomware campaign? There’s been talk of North Korea, because the hacking code used last week contains some elements previously used in attacks attributed to a group named Lazarus, which is in turn attributed to North Korea.

But a tech security source told me the overlap in code isn’t huge, and could well have simply been ripped off from publicly available sources.

In addition, the code contained a flaw: it called out for instructions to two particular websites – yet the hackers who wrote the code had not actually bought those websites. So when a researcher found this out and bought the websites himself, it stopped the virus in its tracks. Doesn’t look like the work of a hacking genius.

And besides, bashing together some publicly-available ransomware (WCry) with a publicly-available worm (Eternal Blue) doesn’t seem like rocket science. This could just be a run-of-the-mill hacker’s work.

One thing’s for sure: the hack wasn’t a financial success. By tracing the Bitcoin wallets into which the ransom is paid, researchers have turned up a haul of under $100,000. Compare that with the $325m reportedly paid to another ransomware group in just one of their campaigns.

There is, however, a silver lining here: the hackers may find they’ve killed the goose that lays the golden egg….

With thanks to SecureWorks, Glasswall and Cyjax whose research informed this article.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s