
Hospitals across England hit by large-scale cyber-attack - porterde
https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack
======
mvdwoord
After 20 years in IT, listening to all the bullshit by "Management" about
"Audits" and "accepting the risk", "lessons learned" and whatnot.

Honestly, I would be glad if a high impact issue like this, would change any
of that for the better. I am unfortunately also a cynic (after 20 years in,
well anywhere really) so I doubt it will. This means it will only negatively
impact people who need the healthcare, and a bunch of consultants will make
millions on sweeping up the mess, and creating the next failure-to-be.

I'm making popcorn.

~~~
rrggrr
Fault will be leveled against Bitcoin for facilitating the ransom, against
Microsoft, against NHS budget underfunding... everywhere EXCEPT where the
blame belongs. Products liability law applied to IT security would put a quick
end to most vulnerabilities.

~~~
gwright
Seems strange to not mention the ransomers as having culpability.

I'm 100% in favor of better systems/processes/technology to prevent exploits,
but I'm also 100% in favor of blaming the perpetrators of the ransom also.

In the real world we don't accept the argument that the victim is primarily at
fault.

* leaving your car unlocked doesn't mean that it is OK for someone to steal it and demand a ransom for its return

* leaving your house/apartment unlocked doesn't mean that it is OK for someone to swap out the locks and demand ransom for the new keys

And it really isn't about being locked/unlocked. Doors and locks can generally
be easily broken or bypassed; that doesn't mean that everyone should have to
purchase industrial-strength doors and locking systems (and windows, and...).

~~~
pdeuchler
You're confusing ethics with legal liability. Nobody is saying IT is ethically
responsible, they're saying they are legally responsible since the entire
reason they get a paycheck is to prevent these sorts of things. Reduce it to a
contractual matter if that assuages your conscience.

If you hire a bodyguard and still get shot while the bodyguard is on his phone
both the perpetrator goes to jail and the bodyguard gets fired/pays
restitution. Not that unheard of. It's not like one person gets all of the
legal and ethical blame and everyone else is entirely absolved.

~~~
gwright
I'm not confusing things. I'm saying that public discussion seems to migrate
towards prevention/mitigation and de-emphasizes the criminality. I'm arguing
that we not forget that and pointing out that it was missing from the post I
responded to.

In your bodyguard example I don't think that, in that type of situation,
people fixate on the quality of the security detail. They rightly demand that
the shooter be tracked down.

~~~
derefr
What's the point of discussing criminality? The criminal justice system is
centralized and functions independent of public interest in getting results
from it. (And, in fact, functions better when the public is mostly _unaware_
of crime, re: jury selection.)

The civic justice system, on the other hand, is completely driven by public
interest—nothing gets done to change things unless somebody (or some class)
bothers to sue.

~~~
ptaipale
> What's the point of discussing criminality?

Well, for one thing, we could try to think of ways how to catch these
criminals, how to help law enforcement.

------
kaoD
According to Spain's CCN-CERT it's spreading through a remote code execution
vulnerability in Windows' SMB Server, affecting pretty much all versions of
Windows.

[https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn...](https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4464-ataque-masivo-de-ransomware-que-afecta-a-un-elevado-numero-de-organizaciones-espanolas.html)

[https://technet.microsoft.com/en-us/library/security/ms17-01...](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)

IIUC the security updates have been available since March. I can understand
bureaucratic entities having shitty security policies, but Telefónica? It's
just... wow.

~~~
nthcolumn
SMB vulns courtesy of the NSA? As to shitty - how long do you think it takes
reasonably to test these patches on thousands of servers? What no test on a
critical health system?

~~~
kaoD
It's literally as easy as installing a Windows update organization-wide. What
is there to test? These aren't servers. These are workstations of common
workers. Windows desktops mostly used for spreadsheets and playing solitaire.

I'd rather deploy a Windows update within 2 months of its release and be safe
from a RCE vuln.

~~~
nthcolumn
You have to test the patch against your images! You cannot simply roll out
whatever shit Redmond send you down the pipe, especially when they had to rush
it out themselves due to a tip-off. That would be gross negligence: what if
there was some device attached to that workstation keeping someone's machine
on? How would you know what that workstation is doing?

~~~
a2decrow
> what if there was some device attached to that workstation keeping someone's
> machine on?

Then it shouldn't be connected to a non-secure network / the internet in the
first place.

------
jstanley
The ransom from the address in the screenshot appears to have been paid:
[https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8is...](https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw)

Here's another screenshot, with a different address:
[https://img.jes.xxx/1472](https://img.jes.xxx/1472)

Also appears to be paid:
[https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX...](https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn)

~~~
ryanlol
> Also appears to be paid:
> [https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX...](https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX..).

Appears to be paid twice in fact, honestly I'd bet that it's people paying
these as a joke rather than the NHS.

~~~
jstanley
It's quite a lot of money to spend as a joke.

And multiple payments could occur if the software has a pre-populated list of
addresses rather than generating a new one for each infected machine.

Of course, it could be the attacker sending money to himself to try to make
victims think other people are paying.

~~~
Cyph0n
Ransomware attacks are typically honest; in other words, if you pay, they
unlock your files.

~~~
roblabla
Do we have actual, hard data backing this up? I see this touted each time
ransomware is involved, sometimes backed with the 'logical' argument that the
business model would crumble if that wasn't the case. But I have yet to see
any research into whether those ransomware really _do_ unlock those files.

~~~
giarc
Not the commenter, and also don't have data other than some anecdotal, but
what benefit do the hackers gain by not unlocking data? If they stop
unlocking, then people stop paying. It would become a lose-lose situation if
they didn't follow through with their promises. Even criminals understand
that.

~~~
watty
I think the main benefit would be that they have a better chance of getting
paid. Developing an unlocking mechanism is technically challenging and takes
time and money to implement. It also adds risk - if there's an unlocking
mechanism it's possible someone can crack it.

By not developing an unlock in the first place they can get it out quicker and
have less risk. Sure, the next hacker may not get paid because they aren't
trusted but for the most part we're talking about individual operations.

~~~
nathan_f77
> if there's an unlocking mechanism it's possible someone can crack it.

Not at all. This is run-of-the-mill encryption. You pay the bitcoins, your
computer receives the decryption key. There is no possible way to crack it,
otherwise the entire internet would be broken. (i.e. TLS)

~~~
watty
I don't follow - are you referring to this specific malware (which tbh I don't
know much about) or ransomware in general? There have been plenty of
ransomware cracks and decryptors released - programmers aren't perfect.

[https://noransom.kaspersky.com/](https://noransom.kaspersky.com/)

~~~
nathan_f77
Oh, just ransomware in general. I was under the impression that most of the
big ones just did simple encryption, and hold the decryption key ransom on an
external server. It would defeat the purpose if they kept the decryption key
on the local machine, because yeah, then you could just release a tool like
the ones you mentioned.

------
jgrahamc
Friend of mine who works for the NHS sent me the following email:

 _All of NHS PCs and hospital systems have gone down from a ransomware trojan!

I have a full clinic this afternoon, and no way to look at my patients'
histories, or meds. It's a damned disgrace.

The Trojan is demanding some bitcoins be paid, else they'll lose the boxen.

The entire NHS is penetrated._

I can't vouch for "the entire NHS is penetrated"

~~~
eloycoto
Telefonica (the largest telecom operator in Spain) is having the same issue.
There are a few thousand workers that are not working; it's a disaster!

~~~
rjtavares
Same in Portugal (confirmed to be affecting PT, one of the biggest telecom
companies, and EDP, the biggest electricity company)

[https://www.publico.pt/2017/05/12/tecnologia/noticia/ataque-...](https://www.publico.pt/2017/05/12/tecnologia/noticia/ataque-informatico-internacional-afecta-empresas-e-hospitais-1771939)

~~~
anigbrowl
I don't mean to be dramatic here folks, but multiple coordinated
infrastructure attacks are a form of warfare. This is literally shaping the
battle space. Correlation is not causation and all that, but while people are
standing around comparing their knowledge of how to deploy zero-day exploits
and which isms it would be satisfying to blame during some future
retrospective, the systems we depend on are being actively compromised.

------
factsaresacred
Seems like non-targeted ransomware -
[https://twitter.com/ShaunLintern/status/863032223469056004](https://twitter.com/ShaunLintern/status/863032223469056004)
\- based on the modest $300 request.

Note: I've zero idea if that screenshot is legit but it's posted on The Health
Care Journal website so it likely is.

Edit:

\- Earliest Google result for "WanaDecryptor" is from Aug 2015 (all other
search results are from today):

> _almost all of the files on the D drive are encrypted. C is not touched by
> the disc. The file found is in the ProgramData folder; there is a hidden
> folder with the virus in it. When you delete the folder it is created again
> and the process starts again._

[http://www.cyberforum.ru/viruses/thread1979411.html](http://www.cyberforum.ru/viruses/thread1979411.html)

[http://www.cyberforum.ru/viruses/thread1979358.html](http://www.cyberforum.ru/viruses/thread1979358.html)

\- Discussion from today mentioning it infecting Spanish Telecoms:
[http://gta-trinity.ru/forum/index.php?/topic/57671-novejshij...](http://gta-trinity.ru/forum/index.php?/topic/57671-novejshij-virus-na-pk/).

~~~
brightball
At a security seminar last year I got to hear an expert talk about tracking
down ransomware over the course of a couple of years. He said, no matter what
the value of bitcoin the price gets adjusted to be equivalent to $300. That is
the presumed sweet spot where people realize it's worth the money to save
their data.

------
lol768
Existing discussion thread:
[https://news.ycombinator.com/item?id=14324129](https://news.ycombinator.com/item?id=14324129)

\---------

Shutting _everything_ down seems like a really rash response, especially when
these systems seem to be used for critical communication e.g. the phones too.
The Twitter messages seem to suggest that doctors are seeing this on their
personal machines, but why would this impact the phone system? Are they not
separated out?

I'm also really curious as to how this started. The article mentions a "bug"
in the IT systems - some sort of novel zero day in the software they're using
that was exploited remotely? Or is it more likely someone screwed up and ran
something without thinking?

There are reports on twitter that this is impacting X-rays, pagers as well as
the phone system. This is ridiculous if true and suggests there have been some
major failings when putting this infrastructure in place. Perhaps
underinvestment in IT is to blame.

~~~
s_kilk
> Perhaps underinvestment in IT is to blame.

Or, indeed, over-investment in trash-tier IT services provided by
blood-sucking IT consulting companies.

I've seen the insides of some UK Government IT systems (not the NHS), and it's
astonishing how little functional software one can get in exchange for a few
hundred million sterling.

That, and the bitrot of holding on to ancient, never-updated IT systems.

[Edit], back on topic, I sincerely hope whoever did this is burned alive for
their crimes.

~~~
vertex-four
To be fair - healthcare IT infrastructure sucks everywhere, even in the
country most well-known for remarkably expensive privatised healthcare. It's
not really obvious at this point how to fix it. Have the Government Digital
Service or similar work on it directly and ditch the contractors?

~~~
s_kilk
> Have the Government Digital Service or similar work on it directly and ditch
> the contractors?

Basically, yes. Bring it all in-house, ban the
contractors/consultants/mercenaries/etc. Remove the profit motive and suddenly
you don't have millions of dollars/pounds being siphoned off by vampiric
consultancies and third-party vendors. Suddenly you can spend tax-payers money
in a sane and rational way.

Hire a bunch of talented people who care about the wellbeing of their nation
state, pay them well enough and task them with building the best systems
possible in the most efficient way possible.

~~~
pjc50
This is a great idea, but since it's practically to the left of Corbyn I can't
see any chance of it being enacted.

~~~
s_kilk
Without giving too much away, I've been involved in just such an initiative,
and it was _awesome_.

However, in the context of an established organisation it's really hard to
pull off, and so we eventually ran into serious pushback from other factions
within the org, particularly the established IT Ops folk.

Still, it can be done, and it can be a raging success. Especially gratifying
when you spend two days writing up a system in Python which replaces some 90's
garbage that's costing the organisation 200k per year in licenses.

Killing Leeches is fun.

~~~
sofaofthedamned
Had exactly the same.

100 user system, Windows CALs and RDS licenses per user = a lot of money.
Found only 40 users needed the CALs, rest were fine on Linux.

Took the devil of a job to persuade them this, as the _Microsoft_ rep told
them they couldn't.

~~~
UK-AL
In an organisation like the NHS something like Active Directory becomes almost
mandatory.

Open source equivalents are nowhere near as good.

~~~
sofaofthedamned
Not the same thing I'm on about. Can't say too much, but was on a system where
for majority of users they didn't even touch a Windows server or AD.

------
ojosilva
This is apparently part of a coordinated ransomware campaign targeting large
corporations in Europe, only a few of which are making the news at this time.
Some other links:

[https://www.ft.com/content/74c666ec-8dc7-3b20-b573-245bc0e9d...](https://www.ft.com/content/74c666ec-8dc7-3b20-b573-245bc0e9d935)

[http://www.impala.pt/noticias/pt-alvo-ataque-informatico/](http://www.impala.pt/noticias/pt-alvo-ataque-informatico/) [PT]

------
noxToken
Caught wind of this earlier today with a European client. We were advised to
not connect to their network via VPN. Looks like it's a large scale attack
that's affecting more than just hospitals in England.

These could be a coincidence though.

Here is a source article talking about a Spanish TelCo:
[https://www.usnews.com/news/technology/articles/2017-05-12/s...](https://www.usnews.com/news/technology/articles/2017-05-12/spanish-companies-hit-by-ransomware-cyber-attack)

~~~
crocal
It is large scale all across Europe. NHS is only one among many (we are smack
in the middle of it)

------
user5994461
This is really fun to see two ransom threads on top of HN.

This one asking for $300 to the NHS and the other one asking for $600 000 to a
phone provider.

Either the criminals have no idea what the NHS is or $300 is the limit of what
middle managers can pay without much approval.

~~~
jerf
It's almost certainly simply a widely-targeted email that was "intended" to
hit individuals via mass spam that happened to hit the wrong individual (who
is probably having a Very Bad Day now) and took down the NHS. And my "almost
certainly" is really just my inner engineer hedging; the fact that they're
asking hundreds of euros worth of ransom for so much is basically proof of
what I said.

Unfortunately, the state of security right now is such that these wide-band
transmissions can still pick up a lot of hits.

------
shubb
NHS systems are remarkably un-integrated. Communication, especially between
trusts and external organisations like GPs, is often by email. I'll be
surprised if this isn't an email worm.

~~~
soVeryTired
They had a fiasco in November by sending an email org-wide which had "reply-
all" enabled. So they clearly don't follow best practice.

[http://www.bbc.co.uk/news/technology-37979456](http://www.bbc.co.uk/news/technology-37979456)

------
DanBC
NHS Digital have released a comment:
[https://www.digital.nhs.uk/article/1491/Statement-on-reporte...](https://www.digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack)

===begin quote===

A number of NHS organisations have reported to NHS Digital that they have been
affected by a ransomware attack which is affecting a number of different
organisations.

The investigation is at an early stage but we believe the malware variant is
Wanna Decryptor.

At this stage we do not have any evidence that patient data has been accessed.
We will continue to work with affected organisations to confirm this.

NHS Digital is working closely with the National Cyber Security Centre, the
Department of Health and NHS England to support affected organisations and to
recommend appropriate mitigations.

This attack was not specifically targeted at the NHS and is affecting
organisations from across a range of sectors.

Our focus is on supporting organisations to manage the incident swiftly and
decisively, but we will continue to communicate with NHS colleagues and will
share more information as it becomes available.

Notes to editors: As at 15.30, 16 NHS organisations had reported that they
were affected by this issue.

===end quote===

I'd be interested to know how many patients are under the care of those 16
organisations.

~~~
martindevans
Do we know which 16 are affected?

~~~
DanBC
I don't. It's frustrating - I have no idea if these are tiny hospital trusts
or a massive CCG or massive multi-county trusts.

------
alva
Bitcoin address transactions

[https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX...](https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn)

[https://blockchain.info/address/1QAc9S5EmycqjzzWDc1yiWzr9jJL...](https://blockchain.info/address/1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY)

[https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N...](https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94)

~~~
watbe
The BBC have tweeted a screenshot[1] showing another address as well, with
a lot of activity at that address[2].

1:
[https://twitter.com/BBCBreaking/status/863046075002884097](https://twitter.com/BBCBreaking/status/863046075002884097)

2:
[https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N...](https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94)

------
pjc50
NHS IT is, of course, vastly under-funded compared to even modest startups,
and entangled in bureaucracy of upgrades. I used to work with someone who was
one of two sysadmins for a hospital of several thousand staff.

~~~
kristianc
This is partly a consequence of the NHS Connecting for Health debacle, which
on an original budget of £2.3 billion managed to hit a projected cost of
£12.4bn with almost nothing to show for it apart from a patchy implementation
of Choose and Book.

[https://en.wikipedia.org/wiki/NHS_Connecting_for_Health#Cost...](https://en.wikipedia.org/wiki/NHS_Connecting_for_Health#Costs)

~~~
petepete
Booze and Chuck, for the uninitiated.

------
mark_l_watson
Two weeks ago I contacted my Congressman explaining how important encryption
and general IT security is. While he said he agreed with me in principle, he
said that terrorism is such a huge problem that things like back doors, weaker
encryption, etc. are more important than strong encryption and general IT
security. His reply was lengthy, but didn't say what I wanted to hear.

~~~
dredmorbius
I'm aware of a number of people pushing for similar types of initiatives,
though I don't know of a combined effort.

Word I've heard is that working through the DC office liaison is probably the
more effective route.

------
MichaelGG
For $300, even per machine, it seems like a cheap "mind your backup/restore
system" lesson.

~~~
k-mcgrady
>> $300, even per machine

Plus potentially hundreds of cancelled procedures, including all electives for
the next two days, cancelled GP appointments, etc. etc. The lesson is going to
cost a lot more than $300 per machine (and as it's per machine that could end
up being $300k per hospital when you consider the number of machines they
have).

~~~
MichaelGG
Why would they even have anything close to 1000 machines storing data though?
Not even sloppy, that just seems outright difficult to manage.

~~~
k-mcgrady
I didn't consider the 'storing data' aspect as I'm not sure how the ransomware
works. I thought it was taking each machine hostage (not just the networked
storage).

------
LinuxBender
Ransomware is doing a good job of partitioning sensitive data from those that
should not be (mis)managing it.

------
TomK32
Like the NHS didn't have enough problems with unhappy staff, unfilled
positions and Brexit looming... very uncool.

------
frereubu
The NHS is notorious for using outdated software, so I'm surprised it's taken
so long. We build websites for third-sector organisations who often deal with
the NHS and we're only just now persuading them to drop support for Windows XP
/ IE8.

~~~
petepete
Yeah, I left the NHS in 2009 after much frustration in trying to implement
modern(ish) replacements for various reporting systems. Every idea was
discussed and watered down until what was left was neither use nor ornament.

There are _many_ great and extremely dedicated employees but the vendor
lock-in has painted them into many (disparate) corners.

------
uxhacker
This must be a new virus. It is hitting Spanish and Portuguese Telecoms.
[https://www.usnews.com/news/technology/articles/2017-05-12/s...](https://www.usnews.com/news/technology/articles/2017-05-12/spanish-companies-hit-by-ransomware-cyber-attack)

[http://sicnoticias.sapo.pt/pais/2017-05-12-PT-Vodafone-EDP-e...](http://sicnoticias.sapo.pt/pais/2017-05-12-PT-Vodafone-EDP-e-KPMG-alvo-de-ataque-informatico) (Portuguese)

The worrying part is distribution and essential companies and services.

------
sofaofthedamned
_lol_

[https://twitter.com/GCHQ/status/863039131399663618](https://twitter.com/GCHQ/status/863039131399663618)

~~~
zigzigzag
Classic. GCHQ and NSA are joined at the hip. If Telefónica are right and it's
spreading through the NSA hacks revealed by the Shadow Brokers then
GCHQ/5-eyes has some responsibility for what's been happening.

~~~
sofaofthedamned
Exactly. I'd hope something good would come out of this, i.e. no exploit
hoarding by the NSA/CESG, but instead they'll double down and use it as a
reason to remove even more of our rights online.

------
clydethefrog
A Dutch news article is claiming that ransomware can be fixed by "big IT
security companies". [1] I thought there was no fix to these cyber-attacks
unless you have a backup. I am interested in how any fixes are possible.

[1] [http://nos.nl/artikel/2172840-waarschuwing-voor-grote-intern...](http://nos.nl/artikel/2172840-waarschuwing-voor-grote-internationale-gijzelsoftware-campagne.html)

------
cronopios
Telefónica, the main telecommunications provider in Spain, is also hit.
Employees were instructed to shut down their PCs and go home.

~~~
Cyph0n
Damn. I wonder how much money they lost due to the decrease in productivity.

~~~
lottin
Technically speaking, productivity is the amount of output per unit of time
worked; working less time typically reduces both the numerator and the
denominator, so it doesn't necessarily affect productivity.

~~~
ptaipale
But this definitely impacts the production, i.e. the total amount of output.

------
ge96
Does it not make sense to have a "sub-layer", a local network of files, rather
than files being accessible from outside? I guess once "something" is in, like
that Iran Stuxnet PLC attack, then it's inside and can execute from within.

Unless it's like a local attack whether by a worker or something like found a
thumb drive outside, plugged it into my work computer.

not my field

------
cjrp
I wonder how many of these systems have already been exploited (silently) in
order to extract things like patient details? Scary.

------
EternalData
It seems like for that amount of money, you could have tried doing a bug
bounty instead :/

I get that this is probably social hacking/phishing, so not really analogous
-- but I wonder if there's a way to apply that kind of mentality to good. I
wonder if there's white hat phishing (though I guess that might be
oxymoronic).

------
n3storm
Spain's biggest telecom and others have been hit too:
[http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea19...](http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html)

WannaCry ransomware is the culprit.

------
lol768
Shutting _everything_ down seems like a really rash response, especially when
these systems seem to be used for critical communication e.g. the phones too.
The Twitter messages seem to suggest that doctors are seeing this on their
personal machines, but why would this impact the phone system? Are they not
separated out?

I'm also really curious as to how this started. The article mentions a "bug"
in the IT systems - some sort of novel zero day in the software they're using
that was exploited remotely? Or is it more likely someone screwed up and ran
something without thinking?

Edit: There are reports on twitter that this is impacting X-rays, pagers as
well as the phone system. This is ridiculous if true and suggests there have
been some major failings when putting this infrastructure in place.

~~~
FLUX-YOU
> There are reports on twitter that this is impacting X-rays, pagers as well as
> the phone system. This is ridiculous if true and suggests there have been some
> major failings when putting this infrastructure in place.

Take a look at that operating system and the UI from the article and tell me
how that's unexpected.

~~~
alex_hitchins
That will be stock photography, rather than taken today.

~~~
FLUX-YOU
It is still accurate. We still have XP machines floating around our campus.
They are running EMR software.

~~~
alex_hitchins
Christ. There is no excuse for that whatsoever. A live machine?

~~~
pjc50
If the software doesn't run on versions higher than XP, then there's no
alternative. There's a lot of expensive equipment which is stuck on XP.

~~~
mercurial
Virtual machines are a thing.

~~~
pjc50
How does that help? We're talking about devices that need, for whatever
driver-related reason, to run on the bare metal.

A non-health example: [http://www.effectivebits.net/2011/08/to-run-windows-or-not-t...](http://www.effectivebits.net/2011/08/to-run-windows-or-not-to-run-windows.html)

~~~
peterwwillis
And medical devices cannot just be modified after they are approved for
medical use. Any changes must be introduced by the original vendor (or an
approved 3rd party vendor) and put through a barrage of tests and
certifications needed to release such a device for use on a human. Those
include EMC/EMI testing, QC testing, safety testing, RF testing, clinical
trials, regulatory compliance, etc.

When you buy a medical device running Windows 3.1, it will run that until it
is thrown away or replaced.

------
jasonkostempski
This recently happened to a hospital in Buffalo NY:
[http://www.wgrz.com/news/local/ecmc-still-fixing-computer-sy...](http://www.wgrz.com/news/local/ecmc-still-fixing-computer-system-problems/431724954)

------
Asdfbla
If only intelligence agencies spent as much money and effort on securing their
critical systems as they invest in sabotaging other countries' infrastructure.
Maybe putting defense first would be helpful, especially considering how easy
the proliferation of offensive tools is.

------
fencepost
Something like this (though I don't know if it was targeted or a combination
of luck+poor procedures) took down > 400 medical practices hosted by Greenway
a few weeks ago. Some were down for as much as 9 days, and at day 11 I know of
one that still didn't have access to their scanned documents.

Greenway had backup procedures in place, but they were file-based - backing up
databases, transaction logs, files, etc. and able to restore them onto a new
server image as required. The problem arose when they had to do that for
hundreds of customer servers at once.

One of my customers knew there was a big problem when she signed onto their
server (Intergy On Demand, hosted by Greenway, accessed via RDP) and saw
ransom icons on the server desktop.

------
devrandomguy
I would be interested in finding a medical doctor's or a biologist's
perspective on this. Suppose we consider the NHS to be a body, in the greater
environment of the internet/economy/government. What traits of that
environment led to the evolution of this ransomware pathogen? Now that we have
had a massive, but not lethal exposure to it, how can we build up an immunity?
What changes to the environment would eliminate the refuges of this pathogen?

~~~
titanomachy
It's like when smallpox was brought to the New World... the NHS's internal IT,
existing in isolation, hasn't developed immunity to pathogens which are common
elsewhere (i.e. they stopped installing Windows security updates).

There may be certain mission-critical, non-internet-connected machines for
which it's still safer not to install updates, but for the average doctor's
workstation it will probably become the norm to install Windows patches.

Where I live, doctors have more freedom in how they run their clinics and IT.
That probably causes its own problems, but at least they're free to run a
modern version of their OS and keep it patched. This kind of virus wouldn't
affect us the same way since there's no top-down tech policy which prevents
individual doctors from following good security practices; in fact, if you
just follow all the recommended settings when installing Windows/macOS, you'll
end up with automated patching by default.

So if you really want an epidemiological analogy, maybe the best one is a
monoclonal, monoculture crop (e.g. the Gros Michel banana) being decimated by
a pathogen which has just evolved the ability to infect it: take down one
banana, and you take them all. Take down one English doctor's computer...

------
rdiddly
"There is no evidence patient data has been compromised, NHS Digital has
said."

Um, doesn't "encrypted beyond your reach" fall somewhere under "compromised?"

~~~
iak8god
Well, hopefully they have backups, but the point of this statement is to
reassure everyone that patient data has not been _leaked_.

------
Animats
The parent article does not use the word "Microsoft".

------
GedByrne
It says the attack hit multiple sites simultaneously. A worker said that the
ransomware came through on the computers around 2pm.

This doesn't sound like a spread by phishing or attachment.

How could such an attack be co-ordinated?

I can think of two possibilities:

1) The attack has been spreading over days or weeks with a trigger date for
activation.

2) The ransomware has been distributed through the desktop update system.

Any other ideas?

~~~
detaro
3) The internal networks are open enough that something worm-y can rapidly
spread through bugs in common services (file shares or something like that),
once it has infected one internal machine through some other channel.
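The pattern described in the comment above (one infected machine opening connections to many internal peers over the file-sharing service) is visible in ordinary firewall or NetFlow records. The following is an added example, not code from the thread or from any of the organisations mentioned: it parses constructed connection-log lines and flags any internal source that talks to an unusually large number of distinct internal hosts on TCP/445 within a short window. The log format, the addresses, and the threshold and window values are all assumptions chosen for illustration.

```python
"""Flag SMB fan-out that looks like a worm spreading across an internal network.

Added example for illustration; the log format, addresses, threshold and
window below are assumptions, not values taken from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: "timestamp src_ip src_port dst_ip dst_port proto".
# 10.20.5.17 sweeps ten internal hosts on 445 in five seconds (worm-like);
# 10.20.5.40 talks to two file servers (normal); 10.20.5.41 uses HTTPS only.
SAMPLE_LOG = """\
2017-05-12T14:01:02 10.20.5.17 49211 10.20.5.30 445 TCP
2017-05-12T14:01:03 10.20.5.17 49212 10.20.5.31 445 TCP
2017-05-12T14:01:03 10.20.5.17 49213 10.20.5.32 445 TCP
2017-05-12T14:01:04 10.20.5.17 49214 10.20.5.33 445 TCP
2017-05-12T14:01:04 10.20.5.17 49215 10.20.5.34 445 TCP
2017-05-12T14:01:05 10.20.5.17 49216 10.20.5.35 445 TCP
2017-05-12T14:01:05 10.20.5.17 49217 10.20.5.36 445 TCP
2017-05-12T14:01:06 10.20.5.17 49218 10.20.5.37 445 TCP
2017-05-12T14:01:06 10.20.5.17 49219 10.20.5.38 445 TCP
2017-05-12T14:01:07 10.20.5.17 49220 10.20.5.39 445 TCP
2017-05-12T14:02:10 10.20.5.40 50001 10.20.1.5 445 TCP
2017-05-12T14:02:11 10.20.5.40 50002 10.20.1.5 445 TCP
2017-05-12T14:02:12 10.20.5.40 50003 10.20.1.6 445 TCP
2017-05-12T14:03:00 10.20.5.41 50100 10.20.1.5 443 TCP
2017-05-12T14:03:01 10.20.5.41 50101 203.0.113.10 443 TCP
"""

# RFC 1918 ranges; adjust to the real internal address plan when deploying.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split one whitespace-separated connection record into typed fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def smb_fanout(log_text: str, threshold: int = 8,
               window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {src: (distinct_peers, first_ts)} for every source that reached
    at least `threshold` distinct internal hosts on TCP/445 within `window`.

    Only the first window that crosses the threshold is reported per source,
    which is enough to raise an alert and give an analyst a starting time.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] == "TCP" and ev["dport"] == 445 and is_internal(ev["dst"]):
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event and count distinct peers in it.
        for i, (t0, _) in enumerate(events):
            peers = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = (len(peers), t0)
                break
    return alerts


if __name__ == "__main__":
    for src, (count, first) in smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} distinct internal SMB peers starting {first}")
```

The threshold is deliberately well above what a workstation does in normal use (a user mounts a handful of shares, not dozens of peers in a minute); tune it against a baseline from the actual network before relying on it, and treat a hit as a reason to isolate the source host and pull its process list, not as proof of infection on its own.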

------
crocal
This is affecting pretty much all Europe. We are shutting down everything
here: France, UK, Italy, Spain, Sweden, ...

~~~
silverkity
Same attack happened in China. Most of the affected are college students.

------
dberhane
The BMJ published an article recently about hackers targeting hospitals, "The
hackers holding hospitals to ransom":
[http://www.bmj.com/content/357/bmj.j2214](http://www.bmj.com/content/357/bmj.j2214)

------
r721
Kaspersky Lab's Analysis:

[https://securelist.com/blog/incidents/78351/wannacry-ransomw...](https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/)

------
fasinfranco
Maybe related to the cyber attack on Telefonica?
[http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea19...](http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html)

------
crocowhile
I think the most interesting aspect of all this is that it's clear evidence
that even machines possessing highly sensitive data (like NHS computers) are
super vulnerable to any remote penetration. The request for a ransom may just
be the tip of the iceberg here.

~~~
scholia
I think it's just evidence of a decrepit IT system. They were caught because
they were running Windows XP with inadequate or no anti-virus software. They
would not have the problem if they'd been running patched Windows 7. Microsoft
fixed the vuln in March.

------
rcarmo
Maltracker entry:
[https://maltracker.net/analysis/file/ed01ebfbc9eb5bbea545af4...](https://maltracker.net/analysis/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/)

------
DanBC
Here's a list of the trusts / etc that are affected.

[https://twitter.com/ShaunLintern/status/863116822228422656](https://twitter.com/ShaunLintern/status/863116822228422656)

------
boznz
Strange question but why is this data in file-systems and not on SQL/Cloud
systems?

------
justforFranz
I wonder what the odds are that an attack on infrastructure like this could
kill someone?

~~~
astrodust
I honestly do not care if people use a proprietary closed-source operating
system, but it freaks me out on an existential level that important things
that _might kill you_ are closed source.

Life support machines, x-ray machines, heart-rate monitoring machines, even
voting machines. Nobody knows what's going on in there, and a software fault
or hack could be the end of you. Like that Toyota "unintended acceleration"
bug which would've been discovered a lot sooner had other people been looking
at the code.

This is also coupled with the fact that these vendors, for reasons that
challenge the absolute limits of my comprehension, insist on using old
versions of Windows. I would not be surprised if equipment of that sort sold
_today_ still runs unpatched versions of Windows XP.

ATMs and cash-registers are likewise a total farce. Some of them are packaged
so poorly it should be criminal.

~~~
synotna
[https://en.m.wikipedia.org/wiki/Therac-25](https://en.m.wikipedia.org/wiki/Therac-25)

~~~
astrodust
Every time I go through one of the airport scanners I think about that
particular event.

Who knows if an intern forgot to convert properly and the thing spews out a
million times more radiation than intended.

------
a2decrow
And this is the reason why you don't centralize _critical_ infrastructure and
don't put yourself in vendor lock-ins.

Makes me wonder how many of those infected machines didn't have to be
connected to the internet in the first place.

~~~
UK-AL
NHS isn't centralised. And not really locked in. NHS relies on a patchwork of
legacy software.

Each trust and hospital handles IT their own way. Which is why some are
affected and some are not.

So far it spread via file sharing and emails.

The main issue is they don't patch, and update their stuff!

------
jjgreen
Sounds like ransomware
[https://twitter.com/asystoly/status/863027172453351424](https://twitter.com/asystoly/status/863027172453351424)

------
mobiplayer
If I were CEO of one of the big companies I would fire the CIO for not
tracking critical patching and I would later resign for not making him/her
accountable until now.

------
Animats
How is this attack being distributed? It can't take much user involvement, or
it wouldn't be hitting large numbers of systems that only run in-house
applications.

~~~
fourthdwarf
It looks like it was MS17-10/EternalBlue, or at least that's what twitter is
saying.

[https://twitter.com/AdamTheAnalyst/status/863040924783345665](https://twitter.com/AdamTheAnalyst/status/863040924783345665)

------
ziikutv
Something like this also happened at Carleton University, but they did not pay
the ransom. I assume they just used backups. They have really good (and super
nice) IT people.

------
jumpkickhit
How do these things decrypt?

Couldn't someone take the "already paid" bitchain address from someone else,
put it in and click "paid" with that to unlock it?

------
tonmoy
How can I protect myself from these NSA level attacks (not attacks by NSA, but
by criminals who now have these tools)? Is keeping Windows up to date enough?

------
politician
Is it not a form of malpractice by these hospitals to be running medically
critical services on obsolete unsupported devices?

------
la_oveja
Spanish big companies like Telefonica, Inditex, Iberdrola, Endesa... are being
attacked too.

Seems serious.

~~~
pcardoso
Some Portuguese too: EDP, PT and NOS...

~~~
nathanlied
I've heard from some people in Portugal that MEO is affected, as well as the
Spanish Vodafone. A friend working for the Portuguese Vodafone is saying that,
so far, they're unaffected.

This seems to be quite serious.

------
lumberjack
This is probably the first major hacking incident that will cause multiple
deaths.

------
djsumdog
So we should build backdoors into encryption to prevent this, right? /s

------
peteretep
I guess it's only a matter of time until patient records are available.

------
genericacct
Surely just a coincidence that BTC reached a new all time high today?

------
BillFranklin
On the other hand, $300 sounds like a bargain.

~~~
kaoD
Per computer.

If the ransomware has no vulns itself, this is going to be a hit to economy,
either by paying the ransom (it's already hit some major companies) or the
losses produced by it.

~~~
gtsteve
I should hope that they can just reimage the workstations and if network
drives were affected, just restore from shadow copy or backups.

~~~
kaoD
You can reimage the workstations but how much work has been lost? Probably an
awful lot.

I can't even fathom how many spreadsheets with no backup have been lost today.

WRT backups... :^)

~~~
jermaustin1
I've rarely worked at a place that didn't shadow copy your user directory to a
network location. The only thing that SHOULD be lost is whatever hadn't been
saved when they were ransomwared.

The company should be able to pull a backup from the last file change prior
to that event.

------
crocal
It's a large scale attack impacting many companies. We are under attack and
are shutting down everything here: France, Spain, Italy, UK, Sweden, ...

------
amiga-workbench
Why the hell do they need thick Windows boxes to handle patient records? Would
a dumb terminal not do, and be far more resistant to this kind of problem?

~~~
H1Supreme
They don't need them, at all. Every business and organization that isn't using
CAD or Photoshop or some other CPU / Memory intensive software could get by on
thin clients alone. No problem.

Secondly, how the hell are these records being stored? These viruses usually
search for pdf, jpeg, doc, and xls files. Is patient data in spreadsheets and
word docs? I don't get it.

------
corpMaverick
How long until paying ransom for a cyber attack becomes a crime?

~~~
watty
I don't know, how long will humans exist? It will never be a crime.

~~~
corpMaverick
"What I will argue is that when looking at a public policy problem, the best
place to create liability is where it will have the desired impact. If the
goal is to stop ransomware attacks, raising the costs of paying ransoms beyond
what the criminals are demanding is the best way to do that."

[http://blogs.cfr.org/cyber/2016/02/29/paying-ransom-on-ranso...](http://blogs.cfr.org/cyber/2016/02/29/paying-ransom-on-ransomware-should-be-illegal/)

------
adv0r
The same is happening in Spain: [https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn...](https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4464-ataque-masivo-de-ransomware-que-afecta-a-un-elevado-numero-de-organizaciones-espanolas.html)

~~~
rjtavares
And Portugal, affecting telecom companies (confirmed by the cybercrime unit of
the police):
[https://www.publico.pt/2017/05/12/tecnologia/noticia/ataque-...](https://www.publico.pt/2017/05/12/tecnologia/noticia/ataque-informatico-internacional-afecta-empresas-e-hospitais-1771939)

------
adv0r
Look at what is happening in Spain to the Telefonica giant.

------
aluhut
I'm sure some secret agency has backups of that data.

~~~
sharemywin
Not sure why the IT department wouldn't have a backup.

------
pyrale
And I thought the Tories were tech illiterates... they sure have improved!

~~~
matthewdrussell
No, just the odd HN user

------
easilyBored
_NHS in England hit by 'cyber-attack' with ransomware demanding $300 in
Bitcoin_

Excuse us but we just found out that you're NHS. Please make it $300,000 or
else.

Asking for just a little is a pretty good tactic, used by these guys, patent
trolls and the mafia for protection money.

------
6stringmerc
In the aftermath I wonder if we'll ever find out how the attack was enabled.
As in, who opened the attachment. My hunch? An Executive high enough in
Leadership who won't get fired. Will be interesting to see.

~~~
benjojo12
Why would you fire someone for opening an attachment?

~~~
teej
Cyber security is everyone's responsibility. In the US at least, hospitals and
their staff are held responsible for the proper care and handling of patient
health data. In my opinion a hospital administrator should definitely be held
accountable for poor computer practices that led to patient data being
compromised.

~~~
emodendroket
The rational response in such a system if you mess up is to not tell anybody,
wait, and hope the problem gets bad enough that it's not obvious where it
started.

