WannaCry case study


Chronology of the incident

The WannaCry ransomware attack happened on May 12, 2017. Within 24 hours it had spread to 100 countries, until a 22-year-old researcher found a kill switch that slowed the attack down. Three days later, the attack had reached 150 countries.

It targeted computers running the Microsoft Windows operating system, encrypting their data and demanding a ransom in Bitcoin (Ehrenfeld & SpringerLink, 2017). It affected computers that had not installed the Microsoft security updates from March 2017, and those running unsupported versions of Windows such as Windows XP or Windows Server 2003.

These computers were exposed because they had not received security patches: the last security updates for Windows XP were released in 2014, and for Windows Server 2003 in July 2015. The attack affected about 200,000 computers in 150 countries and caused losses amounting to billions of dollars.

The hardest-hit nations were Taiwan, Ukraine, Russia and India. The biggest organization to suffer was the National Health Service, whose hospitals in Scotland and England had up to 70,000 devices infected (Ehrenfeld & SpringerLink, 2017). The worm was eventually attributed to North Korea or to groups working on its behalf.

Organization response (What worked)

After the attack happened, the hackers demanded $300 worth of Bitcoin, which they later increased to $600 (Bhattacharjee, 2018). The victims were threatened that if they did not pay within 3 days, their files would be erased for good.

On this note, it is always advisable not to succumb to pressure and pay the ransom, since there is no guarantee that the data will be returned (Petersen & Rønn, 2020). This advice proved right: the code used in the attack was found to be faulty, so when a victim paid the ransom there was no way to connect the payment to that victim's computer. A corporation named F-Secure, however, claimed that some of those who paid the ransom got their data back.

The spread was brought to a stop by a cyber-security researcher who was tweeting as @malwaretechblog, assisted by Darien Huss from the security firm Proofpoint. They activated a 'kill switch' in the malicious software.

The Twitter researcher found the kill switch that had been hard-coded into the malware in case its creator wanted to stop it. It worked through a long domain name that the WannaCry malware made a request to, just as it would to any other website (Mohanta, Hahad & Velmurugan, 2018).

When the request received a response, showing that the domain was live, the kill switch was triggered and the malware stopped spreading. Microsoft and Facebook also acted of their own volition to disable the attack and took steps to protect their customers. Microsoft strengthened Windows defense mechanisms to prevent infection.
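Because the kill switch works through an ordinary lookup of a domain, every infected host announces itself to the organization's own DNS resolver the moment it tries that lookup. The following added example (not code from the case study or from any of the organizations it names) shows how a defender can mine resolver query logs for those lookups and turn them into a list of hosts to isolate and patch. The log format is BIND-style, the log lines are constructed, and the domain name `killswitch-domain.example` is a placeholder, since the case study does not reproduce the real one.

```python
import re
from collections import Counter

# Placeholder for the long kill-switch domain; the real domain is not reproduced here.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed BIND-style query-log lines (not real NHS or WannaCry traffic).
# One malformed line is included to show that the parser skips, rather than chokes on, noise.
SAMPLE_DNS_LOG = """\
12-May-2017 14:02:11.310 queries: info: client 10.0.5.17#51234: query: killswitch-domain.example IN A + (10.0.0.2)
12-May-2017 14:02:12.044 queries: info: client 10.0.3.9#40011: query: www.nhs.uk IN A + (10.0.0.2)
12-May-2017 14:02:15.901 queries: info: client 10.0.7.42#55120: query: KILLSWITCH-DOMAIN.EXAMPLE. IN A + (10.0.0.2)
12-May-2017 14:02:18.220 queries: info: client 10.0.5.17#51240: query: killswitch-domain.example IN A + (10.0.0.2)
12-May-2017 14:02:19.005 queries: info: client 10.0.1.1#33333: query: updates.example.org IN AAAA + (10.0.0.2)
garbage line that does not parse
"""

# Captures the querying client and the name it asked for from a BIND query-log line.
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (client_ip, queried_name) pairs; names are lower-cased with any trailing dot removed."""
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue  # lines in other formats are skipped rather than crashing the parser
        name = match.group("name").lower().rstrip(".")
        yield match.group("client"), name


def kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Count, per client, how many times it looked up the kill-switch domain."""
    domain = domain.lower().rstrip(".")
    counts = Counter()
    for client, name in parse_queries(log_text):
        if name == domain:
            counts[client] += 1
    return dict(counts)


def suspected_infected_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Sorted list of clients that made the lookup; each is a candidate for isolation and patching."""
    return sorted(kill_switch_lookups(log_text, domain))


if __name__ == "__main__":
    for host, count in sorted(kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {count} kill-switch lookup(s)")
```

The same query records are what a sinkhole operator sees once the domain is registered: answering the lookup stops the worm on that host, but the lookup itself is the indicator that the host is already infected and still needs to be patched or rebuilt.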

Prior to the attack, the department had developed a response plan for cyber-attacks. It set out the roles and responsibilities of local and national institutions. Unfortunately, the plan had not been tested before the attack came, so it was unclear what actions would need to be taken if such an attack happened.

NHS England had resolved to lead the response, working together with NHS Digital and NHS Improvement. NHS England had not prepared a response to a cyber-attack, and it encountered problems such as needing additional time to pinpoint the source of the issue, the scale of the attack, and the number of individuals and institutions affected.

In the absence of elaborate guidelines on how to respond to such an attack, the incident was reported to various bodies such as the police, NHS Digital and NHS England. The National Cyber Security Centre provided support to all organizations in the UK that were affected by the attack.

The use of email was limited. Some IT systems were shut down as a precaution. The affected trusts were triaged via the EPRR route and also obtained help, such as on-site technical support, from national bodies. NHS England, NHS Digital and NHS Improvement also worked around the clock to put the matter to rest during that second weekend of May 2017.

The IT team from NHS England came in voluntarily to help address the issue and shared information over mobile phones, including through WhatsApp. Even though this was not the official communication channel, it worked well and helped save the day.

Methods used to investigate the attack

The investigation into the attack was led by the National Crime Agency (NCA), working together with Regional Organised Crime Units (ROCUs), the National Cyber Security Centre (NCSC), industry partners and Europol. The UK and US governments collaborated to bring those responsible to book. The National Audit Office also investigated the impact of the ransomware on the NHS and its patients, seeking to find out why some parts of the NHS were affected and how the NHS national bodies responded to the attack.

It was found that the WannaCry attack was executed by a team of hackers from North Korea. This is the same group that had hacked Sony Pictures and was responsible for the theft of 81 million dollars from Bangladesh Central Bank some time earlier.

These attacks were part of elaborate schemes to undermine and cripple entities around the globe. The WannaCry attack appeared to have been motivated by North Korea's need for cash and its desire to influence US and UK corporate behavior and to instill fear and chaos (Mohanta, Hahad & Velmurugan, 2018).

How the organization could have been well prepared

  • Technical recommendations

There was not enough assessment of trusts. An assessment carried out after the attack by NHS Digital found that 88 of the 236 trusts did not pass the obligatory cyber security principles (Ehrenfeld & SpringerLink, 2017).

NHS trusts had not acted on crucial alerts from NHS Digital, and a warning from the Department of Health was ignored. Also ignored was a memo from the Cabinet Office directing institutions to migrate away from old and vulnerable software.

The Department of Health also lacked essential information, according to a report generated later. Before May 2017, there were no established mechanisms for assessing whether the institutions under the National Health Service had complied with the briefings and advice they had been given.

The report noted that most institutions had not managed their firewalls as expected. The former chairperson of NHS Digital, Kingsley Manning, observed that not enough time and resources had been allocated to fighting ransomware. There was also a lack of focus, and the institutions failed to make regular cyber security improvements.

A response plan was also missing. With a response plan, the institutions would have ensured that crucial security updates were applied (Ehrenfeld & SpringerLink, 2017). As one observer noted, this attack could have been prevented simply by following rudimentary IT security practices.

It was also established that most institutional executives regarded cyber security as one of their high risks and gave it priority. The problem lay in a lack of planning at the local level. The Department of Health had a well-developed plan, but it was not communicated to the NHS trusts. When the incident happened, no particular person was in charge of handling the process.

Most NHS systems ran Windows XP, on which security patches were not applied to protect the systems. Investigations established that the WannaCry ransomware penetrated NHS systems through the vulnerable and outdated Windows XP operating system, which Microsoft had not supported since 2014 (Barker, 2020). This means that most NHS computers did not receive the latest patches, which could have helped prevent widespread infection.
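The exposure described here and in the chronology above has two parts: hosts on operating systems that no longer receive any vendor patches (Windows XP, whose last security updates came in 2014, and Windows Server 2003, last updated in July 2015), and hosts on supported systems that simply had not applied the March 2017 updates. Both can be checked mechanically against an asset inventory. The following is an added example, not code from the case study or from the NHS; the inventory and hostnames are constructed, and the exact end-of-support days and the 14 March 2017 cutoff are assumptions, since the case study gives only "2014", "July 2015" and "March 2017".

```python
from datetime import date

# End-of-support dates as given in the case study (Windows XP: 2014; Windows Server 2003:
# July 2015). The exact days are assumptions made for this example.
UNSUPPORTED_OS = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Assumed cutoff: a supported host counts as current only if its last installed security
# update is on or after the March 2017 release the case study refers to.
MARCH_2017_UPDATE = date(2017, 3, 14)

# Constructed inventory (not real NHS data): OS name and date of the last installed
# security update, with None meaning no update was ever recorded.
SAMPLE_INVENTORY = [
    {"host": "ward-pc-01", "os": "Windows XP", "last_update": date(2014, 3, 11)},
    {"host": "mri-console", "os": "Windows Server 2003", "last_update": date(2015, 7, 14)},
    {"host": "admin-pc-07", "os": "Windows 7", "last_update": date(2016, 11, 8)},
    {"host": "admin-pc-08", "os": "Windows 7", "last_update": date(2017, 3, 14)},
    {"host": "reception-02", "os": "Windows 10", "last_update": None},
]

# Report buckets, ordered from worst (no fix available from the vendor) to best.
STATUSES = ("unsupported_os", "never_updated", "missing_march_2017_update", "current")


def classify_host(entry):
    """Return (status, remediation) for one inventory entry."""
    os_name = entry["os"]
    if os_name in UNSUPPORTED_OS:
        # Patching is not an option here: the vendor stopped shipping fixes years earlier,
        # so the only remediations are replacement or isolation from the network.
        since = UNSUPPORTED_OS[os_name].isoformat()
        return "unsupported_os", f"no vendor security updates since {since}; replace or isolate"
    if entry["last_update"] is None:
        return "never_updated", "no update history; treat as unpatched and update immediately"
    if entry["last_update"] < MARCH_2017_UPDATE:
        return "missing_march_2017_update", "apply the March 2017 security updates"
    return "current", "no action needed"


def audit(inventory):
    """Group hostnames by status so the cases with no vendor fix surface first."""
    report = {status: [] for status in STATUSES}
    for entry in inventory:
        status, _ = classify_host(entry)
        report[status].append(entry["host"])
    return report


def exposed_count(inventory):
    """Number of hosts that are not current: a single figure for a board-level summary."""
    return sum(1 for entry in inventory if classify_host(entry)[0] != "current")


if __name__ == "__main__":
    for entry in SAMPLE_INVENTORY:
        status, action = classify_host(entry)
        print(f"{entry['host']:<14} {status:<28} {action}")
    print(f"{exposed_count(SAMPLE_INVENTORY)} of {len(SAMPLE_INVENTORY)} hosts exposed")
```

The split into buckets matters for prioritization: a host on an unsupported OS cannot be brought to "current" by any patch run, which is why the case study's recommendations talk about replacing and isolating unsupported software rather than only about patch management.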

There was no adequate audit of systems and processes, and there were no on-site data security assessments of NHS organizations. Unlike today, there were no 'Good Practice Guides' of the kind now available through NHS Digital.

The NHS did not work with other institutions to ensure that the information needed to prevent the advance of a cyber-attack was shared. With 'Good Practice Guides' under regular monitoring and evaluation, an attack of WannaCry's nature could easily have been stopped.

  • Social recommendations

There was no mechanism for handling such an attack, such as a 'cyber handbook' defining the tactics and activities NHS England would engage in when an attack of this nature happened.

This handbook would have stated which entity was responsible for coordinating the system response. It could have stipulated the cyber response activities in depth, including, most importantly, the mechanisms of communication.

There was also a lack of on-site cyber assessments of NHS trusts. There was no capital investment in addressing infrastructure weaknesses, for instance upgrading firewalls, enhancing network resilience and segmenting networks so that the risk could be lowered.

There was also no mechanism for enhancing device security through device replacement and automated patch management. Anti-virus protection was also not kept up to date. The attack could also have been prevented if there had been enough funding to support organizations that had self-assessed as non-compliant, so that they could strengthen their hardware and software across the system.

There was not enough investment in the cyber sector, particularly in the local infrastructure and national systems needed to enhance monitoring and response. The NHS did not commit local revenue funding to support the software versions needed to deal with cyber security.

Unlike today, there was no CareCERT suite of services providing local and national support for cyber resilience. There was also no mechanism for registering technical compliance and passing on technical information to support preventive activities.

Another thing lacking was an information governance toolkit. This would have spelt out the data security standards that define the data and cyber security programs. The governance toolkit would also have helped enhance the prevailing data security services, which would have gone a long way towards preventing the escalation of the ransomware.

There was no Digital Data Security helpline operating around the clock. This would have made it possible to have a call team, supported by a data security expert, that staff could have called when they noticed a mishap (Bell, 2020). The warnings distributed by NHS Digital were largely ignored.

There was also an absence of incident response plans that would have assisted in disseminating local and national incident handling plans. The digitization programs in place at the time did not support cyber security. There was also no mechanism for ensuring that suppliers made their information systems secure.

Providers were never involved in implementing data security standards, and there were no plans for removing and isolating unsupported software in the NHS. There was also no mechanism for delivering text alerts to NHS CEOs when email was unavailable, so that they could act on information swiftly. The NHS also lacked capital support for trusts with risky infrastructure.

  • Political recommendations

To prevent such an incident from happening again, there needs to be leadership governing the entire process (Bell, 2020). The importance of cyber security needs to be communicated, especially to trust leaders, which was not the case.

There should have been an annual statement of requirements to the various boards, with the expectation that every NHS board has a data security lead. Regional support should have been offered through NHS England, and Global Digital Exemplars used to draw lessons on what good cyber preparedness looks like.

Political leaders should ensure that steps are taken against countries that aid such attacks, as North Korea did for the WannaCry attack. Countries that undertake cyber-terrorism should not go unpunished.


References

Barker, J. (2020). Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career.

Bell, G. J. (2020). The organizational resilience handbook: A practical guide to achieving greater resilience.

Bhattacharjee, S. (2018). Practical Industrial Internet of Things security: A practitioner's guide to securing connected industries.

Ehrenfeld, J. M., & SpringerLink (Online service). (2017). WannaCry, Cybersecurity and Health Information Technology: A Time to Act. Journal of Medical Systems.

Mohanta, A., Hahad, M., & Velmurugan, K. (2018). Preventing Ransomware: Understand, prevent, and remediate ransomware attacks.

Petersen, K. L., & Rønn, K. V. (2020). Intelligence on the frontier between state and civil society.
