Massive Cyber Attack Cripples UK Hospitals, Spreads Globally

A massive ransomware attack is currently under way. It was first widely reported having crippled the UK hospital system, but has since spread to numerous other systems throughout the world including FedEx in the US, the Russian Interior Ministry, and telecommunications firms in Spain and Russia.

The virus is known by names WannaCrypt, WannaCry, and a few other variants. It spreads using the ExternalBlue exploit in unpatched Windows machines older than version 10. The tools used to pull off this attack were likely from an NSA toolset leaked by the Shadow Brokers.

So far the strongest resource for technical information that we’ve found is this factsheet hosted on GitHub.

NHS Services at a Standstill in the UK

NHS services across England and Scotland have been hit by the ransomware attack, crippling multiple hospitals and doctor’s practices. The UK has universal healthcare — the National Health Service  — covering Doctors, Hospitals and generally everything medical related is free at the point of service. but today they have had to turn away patients and cancel consultations.

NHS is unable to access medical records of patients unless they pay £230 ($300) in bitcoin for infected machines. There is no evidence patient data has been compromised, NHS Digital has said. The BBC has stated that up to 39 NHS organisations and some GP practices have been affected.

The National Cyber Security Centre (NCSC) was “working closely” with the NHS and that they will protect patient safety. We are aware that a number of NHS organisations have reported that they have suffered from a ransomware attack.

-Prime Minister Theresa May

Infected Systems Throughout the World

Computers in regions across the globe have been under attack today, including Telefonica (O2 in the UK), with at least 45,000 computers compromised in Russia, Ukraine, India, and Taiwan alone. There’s no indication of who is behind the attack yet.

The ransomware’s code takes advantage of an exploit called EternalBlue, made public in April by Shadow Brokers which was patched by Microsoft in March, It comes as a shock that an organisation the size of the NHS seem not to have kept their computers updated. This is perhaps just a taster of what is to come in the future as cyber crime and warfare become more and more commonplace.

[Ransomware screenshots via @UID_]

179 thoughts on “Massive Cyber Attack Cripples UK Hospitals, Spreads Globally

    1. There are no similarities between the two. You are an idiot. If Potato was a codename for a place with the best quality food for free for all citizens then perhaps that’d make sense. One source? I mean really do you think there isnt private health care as well as many many nhs trusts spread all the over the glorious great britain.

      1. >free for all citizens
        No, paid equally by all citizens, regardless how little or much they use it. I in no way imply this is bad, but calling it free is just wrong.

        1. “Free at the point of service” Now read that slowly. What it means is that when I was diagnosed with Bowel Cancer, I got treated without having to pay “at the point of service”. The fact that I my taxes over the previous 3 decades had contributed to the NHS is no longer relevant AT THAT POINT. If we had had the US system, I would almost certainly not have survived. My consultant told me I had a less than 50% chance of surviving till my next birthday. At that time I had no health insurance, and would not have been able to afford treatment. End of my story!

          1. You’re begging the question.

            The reason why you had no health insurance is because you had the NHS. Had you lived in the US, you would have been paying – if you hadn’t been an idiot – health care insurance for the last three decades and would have been covered by that.

            And the doctor would have given you greater than 50% prognosis.

            In the US the quality of care especially for cancer is greater than what the NHS has to offer because they have more comprehensive early diagnosis of cancers and the survival rates are higher compared to the NHS which runs on a minimum cost basis and avoids doing anything “unnecessary”.

        2. “generally everything medical related is free at the point of service”, just how most non private roadways are free at the point of service. Few belabor the use of free in regards to freeways, and other “free” services why is its use here in the USA in regards to how health care, such problem for many?

      2. A little strong to jump right to idiot, no? i interpreted it more as a comment on the technology (windows) rather than the organization. that being said, im not from the UK – so maybe something flew over my head…but lets be civil here :-)

      3. The problem isn’t ‘free’ healthcare in the U.K.
        There are other providers – a few private outfits (tiny compared to the NHS), and other trusts. But trusts are large and geographic, so essentially have a monopoly in each area. If your trust was hit, all the local hospitals and GPs are probably affected.

        The real issue is that the NHS has been political for too long, meaning successive governments have spent short-signtedly to get reelected – because “more nurses” gets votes, but “more IT” doesn’t.

    2. “potato famine”, there was no such thing. At the time there was lots of food being grown, it was all being exported for profit. It is like calling the holocaust the oxygen famine.

    3. It wasn’t open source it’s because they used commodity Windows machines for much of their infrastructure and many of them were running out of date software and not behind a proper firewall.
      If they ponied up a little cash for an IBM Z13 or at a the very least some linux/unix servers this would have been a minor incident.

      1. They can’t afford much at the moment (If we exclude the high-paid doctors and the monetary buffers, lack thereof, then they should have money… however IRL…)
        We UK-nians have Labour party history, conservatives, Teressa May and David C to thank for that.

        .

        >Overspendature and making everything illegal where possible – Labour.

        >Extreme cutbacks, Britexit, Lies about NHS savings – Conservatives.

        >Start a Britexit referendum, Corrupt it, run off with the now foreign deposits – David Cameron

        >Push Britexit, Prove we live in a dictatorship, pretend a vote will make Brexit go away after article 50 – Teressa May

      2. At first I thought the hackers were to blame, then I heard that the flaw was patched already so then initially I blamed the managers not updating, then I recalled how windows updates on a regular basis completely disable systems and realized you can’t just auto-update and run the risk of shutting everything down when running a business/national service, so then I blamed MS.
        But yeah, they should just use linux and some protection to avoid the whole idiocy altogether. Especially since they might use W10, and then it takes some skill to use management tools to not have every detail of every patient shared to MS, and such skill is likely not available in abundance for the NHS I bet.

    1. Typically, no.
      Some of the encryption ransomware holds the keys and you have no access unless you pay up and get their “unlock code” and tool to get your files back.
      Some ransomware is even so poorly built that there is no recovery. None. The software has flaws that basically make your data useless, and paying only adds insult to injury because the decryption tools are broken from the start.

      If anything, Ransomware is teaching people the hard way to have proper backups in place, because that is the easiest way to protect yourself. Just wipe the disk(s) and start fresh, restore, and move on.

      It is an awful time to use the internet.

      1. Even that’s becoming problematic. In principle, there’s almost nothing that can keep the ransomware from encrypting or trashing your backups if they’re conducted automatically. It used to be that you could count on tapes not being physically mounted in the machine after being written, but nothing like that is really very practical anymore.

        1. That is still a viable method. Sure, sending all your stuff to another data centre is more convenient, but losing all your data does not sound all too convenient either.

        2. Therefore it is always recommended to have backup servers pull in the data. They log into your machine and make the backup. The other way around opens up the possibility of the client deliberately or accidentally damaging the backups on the server,

      2. Pretending to pay to find out where the money goes is good for catching the crooks though.
        But yeah, I can’t imagine paying myself, you would only reward crime and worse of all guarantee they will do it again, and again and again.
        And it’s illegal in many countries to pay, so it would be rather bitter if you were the one being fined on top of it all.

        1. Track a Bitcoin payment? Technically possible, but the attackers are probably mixing them in tumblers, converting to Monero or one of the other fully anonymous crytocurrencies, putting them in offline wallets, or all of the above and more. You’re not going to find these guys with that route. Better way would maybe be to analyze the malware in a VM and see if you can find any distinct information that would pin it on one group or another. Has no one taken responsibility yet?

      1. Network policies are normally set up that way. The only thing different between one work station and the next is the MAC address. Most things are server based but then things can happen staff using local email as a work related medium or worse still some of the servers get encrypted.

          1. I would hope that there is no threat to data in the hospital system. It’s probably more about the immediate functionality of the workstations which of course (in a hospital system) is critical infrastructure.

          2. Rob:
            Remote PXE and/or boot images can already be used since quite a while now.
            Most hospital machines are likely C2D or newer, with PXE and sometimes Intel ME Remote boot server support (The dell under my workbench at work supports this).
            For example a WinPE like environment with default NHS applications with a licence for general PC use (Multi-PC licences) from Microsoft could resolve this or a PXE menu that defaults to booting the HDD and a second option to refresh the PC…
            That way the PXE could be used to autodetect the correct MAC and auto download the per machines correct OS (PS XP can be gotten down to 600MB cutting back fresh-install fat+Compression, that would make for lighter network load).

            have a local caching server: A small PC with a tightly configured Linux/Userspace so the only network services allowed is 1X PXE and 1X read-only share + should have a backup air-gaped PC, just in case.
            Heck, even a Raspberry PI could be used as the server, albeit slower downloading of the images to the destination PCs. (I use the RPi method at work, though the test and tools images are around the 1MB to 5MB)

          3. Problem is that the moment you get a new (unpatchrd) win box up, it’ll get infected again.
            And likely the win update breaks the weird software they use for averaging patient records.

    2. So we got nailed at work by one of these ransomwares. Apparently only the first 2048 bits of the file is encrypted because it would take forever to encrypt everything. So if you can compare a unencrypted file to an encrypted one you can figure out the key using a program on the web and get your stuff unencrypted.

    1. You could always sell your bit coin account off for a reduced rate to some underworld organisation who may be able to traffic the money around hundreds of different bitcoin wallets in smaller amounts, Over and over again until the transactions begin to look like legit purchases of products from people unconnected to the original scam. I do agree though it’s going to be hard especially with all the attention on something so big as this. I bet all the money in my bank that UK’s secret services will already be involved trying to trace and find the attackers.
      It only takes a small mistake and you are caught. Either way I don’t think much spending will be happening for a little while that is for sure. If I was the attacker I would be scared witless right now at the shear trouble I’d be in if caught.

          1. The NSA just kept the explot secret. If they had released it the second they found it, The spawn of Bill would have patched it and only a small fraction of computers would be infected.

    2. There are a huge number of options to use such wealth to grow a business or a market that you can then profit from legitimately. e.g. And yes this is “dumb” example but it should illustrate the point well enough, if I buy and then giveaway or sell below market a “thing” (hard or software) that I can purchase with bitcoin and that item just happens to have an app or feature as part of it, that is in no way connected to me, but I own the company that brokers the advertising stream generated by it then I will profit from all of those ‘things” being in used even if I got them into the market at a loss.

    3. They don’t.

      Bitcoin itself is a pump and dump scam to begin with – it’s based on the bigger fool theory, same as the tulip mania etc.

      Suppose a criminal has ended up with a large number of bitcoins and wants to sell them for cash – but they can’t because doing so would cause a market crash. Releasing a large number of bitcoins onto the market would depress the value, which would cause a bull run and bust the price bubble when everyone rushes to sell to cut their losses.

      So, the criminals create artifical demand for bitcoins by the ransomware software, and thus are able to liquidate large amounts of their ill-gotten cryptocurrency without being directly associated to the deal.

      They also get the bitcoins back as ransom, but they don’t actually need to use those bitcoins to cash out, so they can just delete any information regarding the wallets and laugh all the way to the bank.

      1. Sorry, not a bull run but a bank run.

        If you think of the BTC system as a bank where there’s no actual wealth to back the currency up: the only way for one to cash out is for another to cash in, and so if everybody tries to cash out – everybody loses their money. The bank’s vault is empty.

        That’s another way to see why someone with a large amount of BTC would want to create a ransomware software that demands payment in BTC.

        1. Pretty much all banks have operated like that, for gods know how long. There’s very few banks that could afford to actually pay their members’ in cash the full balance of their accounts. Fractional reserve banking.

          The whole thing’s a Ponzi scheme, where as long as enough money comes in today to pay out what’s withdrawn, then civilisation is OK for another day. But it can’t last forever.

          1. Although of course cash itself is a Ponzi scheme. And gold, mostly irrelevant as it is now to banking, has very little innate value. Just jewellery and tiny wires in microchips. The value of gold is mostly a result of supply and demand, artificial and natural scarcity.

            As an aside, the value of diamonds is almost entirely based on heavy advertising, and enormous amounts of hoarding by the DeBeers cartel. Vastly inflated value.

            If there were some sort of indestructible turnip, that would never go rotten, then that might be some concrete way of storing value. I suppose you could use cement powder, lots of people want concrete.

        2. I hear this argument put forward often.

          Bitcoin has backing in gold or other material value so it is fiat money.

          However *every* other currency has been fiat money since the 1970’s or before.

      2. Yes and no

        There is value and perceived value

        Value is very precise and controlled by a mathematical algorithm

        Perceived value is any value given to bitcoin by people who observe traditional market behaviors and expect bitcoin is the same when it is not!

        It’s the incoming speculators that loose until they realize bitcoin does NOT follow the behavior patterns of traditional markets.

        They do in fact temporarily effect market values but experienced bitcoin traders will just sit back with the predefined buy and sell points and capitalize on the temporary fluctuation as the value returns to it mathematically controlled value.

    4. They most likely are smart enough to use a different wallet address for each transaction, so it does not look like a massive amount of bitcoin suddenly goes to one wallet, then they can use a bitcoin mixer to mix it with a bunch of other peoples bitcoin to another address so it looks like it was a bunch of smaller transactions. They can then go to localbitcoins, sell the bitcoin to a few different users for cash. Or they could sell stuff online to people at somewhat low prices, and buy the product through purse.io (lets you use bitcoin on amazon), and just dropship it to the people that buy from them.

      1. The real culprits in the UK are successive governments, that have underfunded the NHS. Outsourcing services like IT has made it difficult to respond promptly and with enough resources. This is the story for any large institution which has bespoke software which is mission critical. My sister used to work for a national newspaper which had a very good in-house IT, and some very good bespoke software. A new director of IT decided to make a lot of the in-house department redundant on the basis that their role could be outsourced. The outsourcing company hire some of the people laid off and then sent them back in at double the hourly rate! It all went bad because the annual IT bill went up nearly 100%!

        Bottom line the NHS hasn’t got the resources in-house. With the level of chaos this attack is causing, the contractors also don’t have enough resources to go round. Because there are legacy applications that require XP there is still a lot of that around. My GPs surgery only upgraded from Windows XP to 8.1 last year, and some of there PCs are still XP. The UK government still has applications which require IE6! There is huge inertia in government, and all the easy solutions are very expensive.

        1. Yes, there is always an excuse and then pass the blame. I am very aware of this approach having seen it in action at a Canadian large telco where they were still using NT on the desktop well after its EOL date. The IT company didn’t act on mandatory security patches until after the pc’s got infected. Apparently things were specified clearly in the contrast or some blather. Your GP made a decision at some point to spend money elsewhere, they are accountable for that decision, not the govt.

        2. Well, there is one little flaw in your logic: “underfunded the NHS”.
          Easy to say when you have your own moneytree from which to pluck unlimited cash.
          But that is exactly the problem with any socialist government. It works great until you run out of other peoples’ money.

          1. Spoken like a true accountant. Accountants see all expenditure as a “cost” rather than an “investment”. The prime minister of my country is one such “accountant”. You future looks good.

            You real choices are –
            a) Invest money into the health of those who are biologically (or otherwise) disadvantaged so that they can become productive members of your society.
            b) Hide the suffering and pain caused by the lack of medical support for these people and hide the elevated ongoing costs to society (tax) that results from their lack of contribution.

            Many politicians chose option “b” because they need a scapegoat and vulnerable people have no voice to protest.

        1. Coders don’t make the holes. The holes are in the Operating System. Hackers have shovels and dig the holes wherever they want. Sometimes coders fail to predict were the hackers are going to dig the hole and because of that the coder doesn’t steel plate over where the hacker is going to dig.

          1. They could reduce this risk by writing smaller OSs and open sourcing it, so the dev community would be much bigger and more likely to catch this kind of hole.

  1. Well at least hording this 0-day stopped untold numbers of terrorist attacks.
    The truly sad thing is this won’t change their thinking.

    Isn’t it EternalBlue? not E-x-ternalBlue?

    1. This and many other exploits previously used by the NSA have been released. I thought that was public knowledge.

      All the others are more or less 0 day (not patched) and available to terrorists or anyone else for that matter. The one saving grace here is that terrorists are not *currently* that tech savvy but it’s only a matter of time.

      1. I honestly believe the battlegrounds of the future will at least take part partially online. It’s a scary thought, I mean if someone can accidentally take down multiple hospitals then what could someone do with a highly trained team of internet security experts coordinating an attack on specific infrastructure. Makes you think will planes be brought down? self driving cars automatically crashed or coffee machines serve colder than normal coffee to lower workforce moral.

        1. Bringing planes down would be a waste of time.

          There’s an old rule of war – If kill an enemy then you fight his mates. If you severely maim him then his mates will take him away.

          I simple 1, 2, 3 would be to take out traffic lights in peak hour. Then take out communication systems. After time people will become highly irrational as they don’t know what is happening and assume the worst. Next take out the hospitals systems. The ensuing mass hysteria would cause mass death as people engage in a perceived fight for survival. Far greater than twin towers or any other event.

          To be clear, I am not condoning any of these things.

          1. That does sound like a disaster if someone could pull it off. We need have a backup system put in place to protect from these type of attacks as I really can see them becoming big in the future. Even if you disrupt a big city (London, New York, Paris, Berlin etc) just for a day in economic terms you could cost that country millions possibly even $1billion. BTW I always find your comments knowledgeable on a great range of subjects and was wondering what you did for a living? You don’t need to answer if you don’t want, I’m just curious.

          2. True and maybe we are too dependent on systems that are inherently not fault tolerant.
            In someways I think our IT infrastructure was more secure during the 1990s than it is today since not everything was X86 windows and nor was everything connected to the internet.

          3. How about using “smart” meters (AMI) to turn off electric meters on all the houses
            (or businesses, etc.) in a large city, then brick the meters so that it will take weeks to months to get the power back on.

            (Not advocating, just pointing out another way we are making ourselves more vulnerable.)

          4. @[Jack Laidlaw]

            It’s not economics, loss of life will be a real thing.

            My work history is rather long
            Valve era electronics
            Transistor analogue
            Simple Digital – 74xx era
            IC analogue
            Programming – FORTRAN, Pascal, Cobol, Z80, 6502, BASIC (who didn’t do BASIC back then)
            Communication
            Computer Maintenance Engineer when the IBM PC (XT/AT) became more common
            Network Maintenance Engineer
            Information/Network Technologist – consultancy
            Web-server Maintenance – programming
            Then back to embedded uC / programming
            I code for anything now. I have learnt many Asm, web code, embedded, HDL. I haven’t done LISP yet. Well over 100 languages so I can pick up a new platform easily. I just look for ‘::’, ‘string.string, { … } and learn the primitives.

          5. There are other, simple methods to screw up entire country. For example one could adjust voltage regulators in power stations to increase voltage to 320V. Every light bulb, every home appliance, every charger and probably every computer will be broken…
            If you want a mass hysteria in USA? Disable Google, Facebook, every social media platform and cellphone towers…

          6. M H:
            That’s why when I got letters explaining that the Key meters were being phased out and smart meters placed in. I chose to ignore them, the electrical cupboard is public facing, they can change it without appointment anyway and I found out I only get said letters if I top-up 5pounds at a time (They must assume I get the 5pound debt on the meter). Instead I now top up between 20 to 50 pounds with longer intervals. Then there are the recent events and concerns around the (Not so) smart meters.
            So either the electricity board decided to delay the downgrade due to politics or because they realize they assumed wrong about my usage.

            Moryc:
            Say, even at 350V out, I know my 230W Dell PSU and my APC UPS will survive. A while back (A year ago now?) I was asked to fix a generator (Cheap knock-off, the stuff of Pikie scams). It would keep tripping the cabin’s fuse box and/or blowing up phone-chargers/lightbulbs. The 230W Dell PSU had gone faulty (PSID pin soldering gone bad) so I used it as sacrificial whilst measuring the generator output with a DVM:
            the output when it revved up spiked about 370V, average 310 and a dip to 60V, I reckoned the alternator had fried and told the owner to get a replacement generator (His was a 500W supposedly, I recommended 1Kw and up).
            He still got it, so I decided to test out the APC claim on it’s survival of unstable AC input above and below normal voltage: Their claim is certainly verified (And the test was on a modern UPS, The one I have)

            PS, sometimes the generator would rev up hard and still sit at 60V AC AFAIR.

          7. Thanks for answering RÖB, I knew you must have done work in a few different fields. You are right it’s more about lives than economics, I was just trying to bring that side up also ;)

          8. Add false public service announcements, telling people to do the wrong thing, IE head to the nearest “emergency checkpoint” this could be a hospital or police station, with all of the crowding, its function would cease.

  2. If the UK health service is anything like the situation in my Continental neck of the woods, they still use an awful lot of old computers with Windows XP or worse. In “my” hospital they still had some DOS machines (barely) running because there was no time or budget to port a particular piece of software or database. Disasters just waiting to happen.

    1. Speaking as someone who (most) recently managed a couple $7M contracts to upgrade (about half of) a medium sized financial institution’s software from an older version of Windows, this is exactly the crux of the problem with the vast majority of government and enterprise entities.

      They have, at least, one or two software packages that are “mission critical”, according to some long time employee (and oh are they never ever wrong, or let go for general inability to operate a computer – or talk about something other than their 58 cats), that haven’t been sold or supported since 1995 so aren’t able to survive the migration. So the company stands around with it’s hands in it’s pockets trying to find a way to get a new software package written or bought while not offending the crazy cat person (be they management or just rank and file – and almost always close to retirement). I’ve literally watched multiple times as top level management (at disparate places) canceled planned projects because they made the crazy cat person unhappy, and they didn’t want to hear the noise they would make about it.

      1. ^ this * 1000! We had a plan to migrate everyone (around 2000 workstations) to Linux which would save the organization around a million euro in Microsoft license fees. Every year. It ultimately got blocked by ONE GUY who just couldn’t bear losing his precious Excel macro’s.

  3. The upside is that the data on the NHS servers is finally properly encrypted and secure. If you don’t focus too much on the negatives, it all worked out wonderfully well.

  4. The NHS has been severely underfunded by the UK’s Conservative government as a tactic to privatise it (defund it, complain about how bad it is then bring in the private sector). It is no wonder that the computers were not upgraded when there are problems with staff shortages in hospitals. The best thing the UK can do to prevent this happening again is to get rid of the Conservatives in the upcoming general election, end the privatisation of the NHS and fund it properly.

    1. The NHS makes its own decisions on how to spend the money. Much like the US govt, as long as systems seem to work just leave them alone and spend the money elsewhere (e.g. on unnecessary prescriptions for Cialis/Viagra just because you have diabetes, whether you have ED symptoms or not.) US govt still has systems relying on 8″ floppies, not a good plan.

      1. On the 8″ floppies a PDP 11 or Vax is in someways a lot more secure than a windows machine in that at least you’re not going to compromise one with a piece of ransomware designed to normally extort money from a relatively technically illiterate PC user.

    2. Yep. Vote Labour instead – you get a bunch of Stalin worshipping communists and Jeremy Corbyn at the helm. Recipe for winning right there!

      Labour are toast.

      1. Yeah. Many labour election pamphlets are not mentioning Corbin.
        All the conservative election pamphlets are!

        It’s consecutive governments at fault, and a public who vote for “more doctors and nurses” policies not “invest in the boring bits where the NHS needs it”.

  5. I really hate how updates are the only defense people have against poor quality code these days. Really, it should not be the victims fault, it should be the fault of the stupid coder who put the holes in the software in the first place. People are paid $100k/y now to not give a crap, because they (someone else) can hotfix it later. It’s crazy. It makes no sense. Business is driving it, I get that, but it’s still WRONG.

    1. It’s not bad coders. It’s the historical platform that the code runs on. Usually Windoze.

      In a secure system, security would NOT be compromised by “bad code” because “bad code” is exactly what black hat hackers write.

      1. If an OS is popular enough, the malware will come. Writing a fully verifiable secure system is pretty much impossible, so even the most securely structured OS will be plagued by malware if popular enough. We are not even talking about human error, which is a huge part of most outbreaks. A wall is only worthwhile if people actually keep the gate closed.

        1. “If an OS is popular enough, the malware will come.”
          People keep saying this, but I’m just not seeing the evidence. Over 50% of internet servers run on Linux, and yet there are no known Linux viruses in the wild – none. Am I wrong?

          1. https://en.wikipedia.org/wiki/Linux_malware

            they are there, they usually just don’t get get that far, also note that there is a marked difference in infection rates between workstations and server units, servers usually have lower infection rates even using windows, the user is one of the primary vectors, a lot of servers sometimes have the benefit of better, separate firewalls and access control as well.

          2. You’re partly wrong.
            Whilst *nix/BSD type systems are inherently more secure, much of the benefit is that people who run them know what they’re doing. Even the average mac user is better than the average PC user – for starters, if they can afford a mac, they can’t be a complete moron.

          3. @[Dan]

            I specifically challenge you to scientifically prove the causative link between cost of PC and intelligence lol. My experience tells me quite the opposite.

        2. For web servers
          2% are windows
          96% are linux
          2% are unix

          Linux does get hacked all the time but most hacks aren’t made public. It is however much more secure and less prone to being hacked. Viruses aren’t an issue though.

          Also you have to remember a web server has a layer on top of the OS that can be prone to hacks. For windows it’s IIS and for Linux it’s Apache.

    2. Unix and Linux now are the same, endless fixes since the 1980’s. It happens regardless of OS or company. Windows happens to be the prevalent desktop OS hence it is a target as that is where the numbers are for criminals. Were MacOS prevelant then it would be the main target.

      1. Maybe. But Windows machines are generally operated by the least computer competent people, so when you add this to the mix you get disaster. People that routinely click on any link and click ok on anything that shows up without reading.

    3. Sure, like you’ve never made any mistakes in your line of work and software development is super simple, right?

      How about a year’s prison for every bug you write?

  6. You figure NHS would have their core services running on something more robust such as a IBM Z series mainframe where everything is virtualized or at the very least have multiple backups of records in multiple locations so at a worst they would need to do is wipe the drive of infected machines and do a full system restore.

      1. If that’s the case, then there’s no problem, just flatten all the workstations and re-install from scratch.

        I hope it’s the case, and really no organisation, especially a huge and extremely important National Health Service, should be storing vital files on Windows machines. So if all the important stuff is really on IBM data-vaults, we’re pretty much OK.

  7. Been reading the international reports… Sounding kinda more than disturbing this time, scary. Almost everything at the hosp is windows except for one med equip mfg on linux. Doubt it will be any fun there for a good long while if this gets in. Windows updates alone were nightmares when a “not med device mfg approved” update would slip past and get to the medical devices. Now this. Seems to me some hackers may become guilty of a few deaths.

    Mid 2015 retired, way early, from Biomedical Engineering at a hosp, as Senior Biomed. I did hosp IT as a network engineer for them for a couple years, but when a position in biomed opened up quite happily went back to doing that, didn’t even take a heartbeat. Love it, and loved it! But 24/7/365 with 45 minute response time plus full time and overtime and then double overtime with only half staff and boss betting he could keep it working with just half staff making him look really good…. there was supposed to be 7 to 9 of us, not TWO (just me and a trainee for almost 3 yrs)… a bit later 5 of us… still getting killed…. whooo-eee! Hot time in Hades! Loved it! Succeeded all the years… Stayed with the ship till Scotty came on the intercom with “She’s gonna blow!” and my boss was left as the only klingon just then saying “Only the computer is speaking.” Actually doesn’t sound so bad, like it’s just some whining, till you find out that I’m a disabled person… and was for all those years… … and was placed there BECAUSE I’m a disabled person!

    …. but here.. this hack attack for $$$…. Now I’m pissed!

    1. 45 minutes response time. I’m jealous! I had a call 20 minutes before flight departure (often in the early hours of the morning) so I had to keep a packed bag. I did 24/7/365 for 6 years and I am sure that wasn’t good for me. Some people said – well look at the money you making and I would say – all I can do is look at it, I can’t spend it (no time), I can’t share it (no time and no relationships) all I can do is look at it. Eventually I gave up the 24/7/365 and discovered life! I am also disabled and was during those times to. No one really noticed though. I could cover my ass. So I dip my hat to you!

    2. “Seems to me some hackers may become guilty of a few deaths.”
      Don’t want to make light of this, but, looking at past history, when doctors have gone on strike, and hospitals cancelled procedures, the death rate actually dropped – in some cases by 35%.
      Google “doctor strike death rate”

      1. it is hard to know if that is a stable trend though, let us say you had a patient that required a heart transplant and was being kept alive with a ventricular assist, if the doctors were striking he would probably do just fine, his function is stabilized.

        he also wont get that new heart he wanted, a surgery that carries risk mind you, so even if the doctors were as competent as humanly possible there would be an increase in risk from active surgery and treatment happening.

        to use that statistic for something it would have to be a stable trend over a month or more, that way you can compare the “non treatment” option with the “treatment” option, but i think it is fairly obvious what the results would be in most hospitals around the world, even in the less developed world.

        all of this doesn’t mean doctors cant make mistakes though.

      2. System failure during treatment vs delaying care. We’re talking two different things.

        Monitoring in Cardiac Care Unit (CCU) is all Windows and handles ICU as well. Fallback is nurses monitoring every patient and takes hours to even locate that many by phone. Cardiac Cath Labs use multiple windows boxes and any one shutting down leaves doc flying blind.

  8. When government fails, the peasants suffer. All they had to do was update their OS.

    But they couldn’t do that, because they mostly have bootleg versions of Windows.

    1. The CIA leaks proposed a quick way to get around the Windows certification. I think it had something to do with editing a few bits on the boot sector. The Microsoft lawyers should have jumped on the chance to sue the CIA for stealing.

  9. What on earth are companies doing still using XP?
    What we need to do is for the major ISPs to block machines running insecure OS’s from connecting in the first place.

      1. Many companies are using XP even 3.11 and even variants of DOS due to the systems in place do a job really well and newer machines have a stupid amount of overhead or break critical system TSR or glitch out on certain events or are absurdly priced and due to environmental certifications and safety regulations the price for upgrading these systems is crazy crazy.

        Blame your governing bodies for regulating the crap out of business then setting preferred licensing vendors here and there so some obese waste of space can cash in because he’s related to blah blah.

  10. Someday people will figure out that computers requiring an internet connection are inherently unreliable and stop using them as critical parts of life-safety applications.
    Doctors can’t do their jobs without a computer? It’s funny, they used to be quite capable of doing their job that way. Sad.

    1. It’s not the doctors that can’t do medical stuff per se, it;s the administration and history files, with a national service where a patient might visit any doctor and any hospital they veer towards a central DB to keep the data. Now if you do a central DB then you need to access said DB, and you need a network.Plus the pharmacies are run independent in most cases of public health and need to know which patient is entitled to receive medication so they get reimbursed and so they don’t give stuff to addicts or something.

      Perhaps as a safeguard they should make a service where the patient also has his data on a USB stick and that’s updated each visit. After first making damn sure the USB access on those systems is locked down good of course,
      .

        1. Have a copy on your smartphone if you have ongoing medical needs, or even on a sd card or usb stick. A computer may be down but even a 50$ android tablet should be able to display the records, have them encrypted with a standard program and make sure a second person you trust knows the password. Having a personal copy of medical and financial information offline is going to be more important in the future I think.

      1. The NHS still hasn’t got central databases. At least, going from my GP to a special clinic, or to a hospital with some minor injury, I have to give all my details from scratch. They can’t just access it from some big box somewhere.

        In that case why even give them Internet access? Well it was handy when I went to a clinic for a certain condition. The “specialist” there looked the condition online. On Wiki-fucking-pedia! It just doesn’t inspire confidence.

    2. At the risk of stating the obvious, other than resuscitating a patient in a medical emergency or treating an uncomplicated patient with a simple self limiting illness, it’s hard to continue ongoing management of a medically complicated patient when you don’t have access to their medical file and past medical history.

      In the good old days there were physical case notes to refer to.

      Would you want someone to make up your fifth dose of chemo, dial up the MeV in the radiotherapy suite and aim the beam, or undertake an elective surgical procedure, by “winging it”?

  11. Maybe a stupid simplified question (as in I don’t see the big problem with it) but why when they need to run legacy programs don’t they just run them in virtual environments on the newer patchable OS’s? Your run time might slow down but as its on a newer system it probably wouldn’t be noticeable to most operators and since you’re running it virtualized it should slow down the spread of the malware. Is there a simple answer other than $ as to why this doesn’t work?

    1. In reality the rate of infection probably traces back to 2015 when the Health Secretary Jeremy Hunt cancelled a pricey support package as a cost-saving measure. The party in power ultimately want to reduce the service or make it operate so badly that they can privatise a national asset by fragmenting it and selling the fragments to their friends at a low low price.

      1. I’ll assume that response was ment for a different post as it A) does not answer any part of the question I asked and B) just seems to be political mudslinging. My question was only meant to find out if a method could be used to close or slow down some of the attack vectors that are used in these incidents. While I realize that the NHS issues in the UK are important to some people if I wanted to discuss the political policies involved then I would go to a political blog and fan a bunch of flames there, since my question was not political I posted it here where I hoped someone might point out the fault with what I suggested.

    2. So after reading the explanation on how the ransomware wannacry tested to see if it was in a virtual machine and shut down if it thought it was, my question just bugs me more, why don’t we run legacy (or even current mission critical) programs in virtual environments more ?

    3. This does work and is often used as a fix on network servers for some specific applications that wont run on a modern OS.

      The real problem is that if you do this with the entire workstation OS then the system would be so slow that it would be like using ten year old hardware.

  12. >It comes as a shock that an organisation the size of the NHS seem not to have kept their computers updated.
    THIS! This time (at least according to this article, didn’t read/watch the news) data has been encrypted, so wipe the disk, take the backup and reinstall AND PATCH! But imagine the next time it will not be a piece of code that encrypts the data to get money but takes data and sends it somewhere. Just think a second about what highly sensitive data the NHS handles every day… *scared*

    >This is perhaps just a taster of what is to come in the future as cyber crime and warfare become more and more
    >commonplace.
    It certainly is. A lot of years ago already somebody said “why countries still make efforts to make war? it’s so much easier to recruit some hackers”… And incidents like this and what security researchers say about insecured systems connected to the internet the consequences could be – no, WILL BE catastrophic.

  13. This can be laid at the feet of a few camps and has been coming for years.
    First the NSA & GCHQ are heavily complicit in this. Both agencies knew of the vector for years and hid it.
    Secondly the people who architectured SPINE (UK NHS backbone systems) and used a monoculture of windows with sharepoint and other ms tech only and froze a mixed infrastructure out, because BT and the other players in SPINE are in bed with Microsoft in the UK.
    Thirdly, the patching cycle for IT systems support in the UK. In places the infrastructure is years out of date, and theres very much a attitude of patching when replacing things at end of life and doing no in life patching if possible. There’s hardly any designed in progressive patching as its seen as a unwanted cost centre, its pretty much all reactionary to pen tests and audit work.
    The NHS however did pay vast sums of money to sort their IT out, they just got the usual crowd of big players to pitch and supply systems and the usual crap resulted.
    Finally the stains on humanity who pulled this one off, however I believe they didnt intend for it to go this big. I would bet theyre crapping themselves now because they’ve painted a enormous target on their back and nation state level resources will be after them.
    Just my ha’penny worth, having prodded round inside the UK infrastructure at times.

    1. Obviously, like everyone else, I’ve read the Microsoft contracts that I’ve “signed” by opening the box or clicking OK on some wall of text somewhere.

      So I’m pretty sure they have liability waivers about the suitableness of Windows, for example, in mission-critical roles. Basically “it isn’t”.

      So whoever’s responsible for implementing this to start with, seriously fucked up and is obviously liable. If I built a hospital building out of breadsticks, and it collapsed the first time a lorry drove past, I wouldn’t blame the lorry driver.

      The fact the people behind SPINE are in bed with Microsoft should be seen as evidence of deliberate corruption.

      However in general in things like this, when the usual corporate greed and complete non-giving of fucks causes an immense disaster, nobody who’s actually responsible gets blamed. When banks nearly destroyed our economy a while back, big chunks of the bailout money somehow ended up as golden parachutes, for the already rich men who’d CAUSED the problem in the first place. If you’re rich and mates with the Tories, you’re golden. Fuck up as much as you like, you won’t be punished, you’ll be rewarded.

      And that’s very bad. The hackers in this case really are among the last people to blame. Because doing stuff like this is their job, they’re hackers! Implementing a national system that doesn’t drop dead the first time a bored nurse clicks a dodgy email, was the job that other people were paid very well to do, and they failed right from the start.

      But because pictures of Russians in balaclavas sell newspapers, and people refuse to understand anything about computers (even though in general they’d be perfectly capable if they tried), the usual old round of nonsense is gonna happen. Those really responsible continue to live charmed lives, and they don’t give a fuck cos they’re all with BUPA anyway.

  14. The real problem is that if you do this with the entire workstation OS then the system would be so slow that it would be like using ten year old hardware.
    If there were some sort of indestructible turnip, that would never go rotten, then that might be some concrete way of storing value.

  15. Implementing a national system that doesn’t drop dead the first time a bored nurse clicks a dodgy email, was the job that other people were paid very well to do, and they failed right from the start. com/uks-nhs-likely-compromised-due-to-broadpwn-vulnerability-on-raspberry-pi-medipi/

Leave a Reply to GreenaumCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.