
The bad news is it’s extremely unlikely the data could be decrypted directly. Recovery will depend on backups, and most employees don’t make personal backups of their work (and probably can’t, because of security policy).
The good news is there’s a slim possibility GPs and hospital IT staff could recover their data (without paying the tossers who thought hospitals were a good target, of course). File encryption actually works by making encrypted copies of the data before erasing the original files, which means the latter just might be recoverable using common drive imaging and data carving tools. It’s a long shot, but that’s what I’d be attempting in their position.
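
The carving step mentioned above, as an added example that is not part of the original post: a minimal header/footer carver in Python run over a constructed disk image. The signatures are the standard JPEG and PDF magic bytes; the function names and the sample image are assumptions made for illustration.

```python
"""Signature-based file carving over a raw image (added example)."""

# Standard magic bytes: (header, footer) per file type.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_SIZE = 16 * 1024 * 1024  # stop looking for a footer past this many bytes


def carve(image, max_size=MAX_SIZE):
    """Return sorted [(kind, offset, data)] for each header..footer run.

    Only contiguous, not-yet-overwritten files are recoverable this way, and
    the first footer wins, so files with embedded thumbnails or several
    %%EOF markers come out truncated.
    """
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:            # header with no footer: skip past it
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            hits.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(hits, key=lambda hit: hit[1])


def build_sample_image():
    """Constructed image: two 'deleted' originals around a ciphertext stand-in."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-pixels" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    # Deterministic filler in 0..250, so it never contains a JPEG marker.
    filler = bytes((i * 7 + 3) % 251 for i in range(1024))
    return b"\x00" * 512 + jpg + filler + pdf + b"\x00" * 512, jpg, pdf


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for kind, offset, data in carve(image):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

On a real case this would be run against a read-only image of the drive, never the live disk, since any further writes can overwrite the erased originals.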

How did this happen? Actually, I heard from others a couple of weeks ago that there were spear phishing attempts at another NHS trust, and assumed it was related to a malicious hacker group that obtained staff addresses after a third party was compromised. However, that affected trusts here in Wales, and the current ransomware thing isn’t affecting us (directly) yet.
Not everyone in a large organisation can differentiate between a legitimate hyperlink and one that’s disguised in an email. Someone, in fact several people, will click the link or open the attachment. That’s not really a problem if the anti-malware system has a signature for it, but there’s still a good chance it doesn’t. Exploit mitigation features on modern operating systems play a huge role in preventing malware. You probably know all this already.

The thing is (and yes, this is a huge problem) the NHS does rely on outdated operating systems and software, and for roughly the same reasons banks still use COBOL and industrial systems might still use Windows XP. You can have a legacy system that works, or upgrade attempts that come with serious risks. Remember the chaos in 2012 after an update attempt crippled the mainframe of three major banks? So, to address the Home Secretary’s point, one doesn’t simply move a system like this onto Windows 10.
When you’re dealing with critical software that’s deployed nationally, and when lives depend on the integrity of the data, any minor change in the configuration must be thoroughly tested before that change goes live. And there could be a stack of software from multiple vendors, and a range of hardware as well, all dependent on that same configuration.
On top of that, I’ve also come across third-party clinical software that’s been around since the 90s, and can’t easily be replaced because it’s critical, very complex, has features that are extremely specialised and became the standard across NHS trusts – and the software, in turn, depends on older operating systems. Some of these problems are outweighed by what recently happened, but still… Scary, isn’t it?

According to The Guardian, Professor Woodward stated the exploit is for an SMB vulnerability that enabled the malware to spread, and the vulnerability was in Windows XP, for which Microsoft didn’t release a patch. Metasploit has included exploits for older versions of SMB since at least 2013, and SMB vulnerabilities showed up in Nessus scans against Server 2012 back then.
Of academic interest is that the exploit here was developed (or at least hoarded) by the NSA, and was among those published by the ShadowBrokers – several years ago I warned that something like this was inevitable if governments started developing ‘cyber weapons’.