Described as "unprecedented" in scale by Europol, the wave of WannaCry ransomware attacks over the last four days brought hospital infrastructure to its knees. But ransomware is no new threat: will WannaCry finally act as a catalyst to a wider infosec wake-up call?
WannaCry was launched on Friday 12 May, and over the weekend had affected more than 200,000 IT systems worldwide. Independent researcher Kafeine discovered WannaCry was using code based on the NSA's EternalBlue exploit, which was publicly leaked by a hacker group called the Shadow Brokers in April this year. EternalBlue uses a vulnerability in the Microsoft Server Message Block protocol for file-sharing to distribute itself on the local network as well as a network worm. An infected device will display a message demanding up to roughly $600 (£460) in bitcoin payment to decrypt locked files.
Home secretary Amber Rudd confirmed that one in five NHS England trusts were hit by the attack. She said that no patient data had been stolen – and while that's a plus, operations were affected, with hospitals and GP surgeries turning patients away.
Many of the trusts were running Windows XP, an operating system that has not been officially supported for most users since April 2014. Microsoft patched the offending exploit but older, legacy software and operating systems without Windows Update, such as XP, would have remained at risk. Following the wave of attacks, Microsoft took the unusual step to issue a patch to older versions of Windows in order to make moves towards resolving the problem.
And a report from Citrix found through a Freedom of Information request, the majority of NHS Trusts were still running Windows XP. The government ended a £5.5 million contract in 2015 for customised support for the dated operating system.
Britain's National Cyber Security Centre claimed it was working closely with the National Crime Agency "around the clock" to address the problem.
But critics have claimed that health secretary Jeremy Hunt was warned last year in the Caldicott Report that NHS security infrastructure was a ticking timebomb.
After days of silence, Hunt appeared on Sky News. Speaking of the attacks, he said: "According to our latest intelligence we have not seen a second wave of attacks and the level of criminal activity is at the lower end of the range that we had anticipated so I think that is encouraging.
"But the message is very clear not just for organisations like the NHS but for private individuals for businesses – although we've never seen anything on this scale when it comes to ransomware attacks they are relatively common and there are things that you can do, that everyone can, do all of us can do to protect ourselves against them."
While Hunt is right that anyone can be hit by ransomware, that it is fairly common, and that it can be mitigated against to a degree, he doesn't mention the funding required to do so. The Guardian's Charles Arthur links underfunding in the NHS to the success of the attacks, where he mentions previous ransomware incidents such as that suffered by Papworth hospital in 2016. The IT director of that hospital said of that attack: "If we'd been doing a heart operation on a Sunday, it would have been a huge problem."
"A lack of funding or priority for investments will have certainly played a big part for a cash-strapped NHS," says Martin Courtney, principal analyst for TechMarketView, speaking with Computerworld UK. "The way it is set up, individual NHS trusts would have to be upgraded from Windows XP one by one, rather than within any national programme or co-ordinated timeline, leaving ongoing protection against cyber attacks patchy at best.
"Nor is it just PCs and laptops at risk, there is likely to be a lot of bespoke medical equipment that uses Windows XP embedded with similar vulnerabilities, so any upgrade would be expensive, disruptive and time-consuming."
At least in the UK, the real-world physical impact of the attacks is like nothing that's ever been seen before. But whether the attacks will serve as a 'wake-up call' is up for debate.
"If it is to be a wake-up call, it's one that has been sounded many times before and either successfully ignored or effective remedial action delayed," says TechMarketView's Martin Courtney. "The UK government knows the country is vulnerable to cyber attack and has consistently urged private companies to up their game – it seems to have ignored its own advice."
"The scale of this particular incident should bump cyber security improvements to the top of the priority list for any UK Critical National Infrastructure provider, though given the crisis elsewhere in the NHS, I wouldn't hold my breath."
Most security professionals understand that it's not a case of 'if' but 'when' an organisation will be hit by an attack. Mitigation as well as prevention is key, but it's something that is difficult to achieve without recognising cyber security as a serious priority.
More alarming still, the chain of IT disasters caused by this attack seem to have been an unintended consequence – the attacks are thought to be the responsibility of an organised criminal gang with the primary driver being financial.
But it doesn't take much of a leap to imagine the damage that could be achieved if it was deliberately designed to do so against under-funded public sector departments and other vital public infrastructure.
The American government has taken flak for the attack. Microsoft's general counsel Brad Smith wrote in a blog post over the weekend that the the ransomware underlines why "the stockpiling of vulnerabilities by governments is such a problem".
"This is an emerging pattern in 2017," he wrote. "We have seen vulnerabilities stored by the CIA show up on Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.
"And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organised criminal action."
Smith went on to mention Microsoft's calls for a 'Digital Geneva Convention' to set out rules of play in cyber, including requirements for governments to report vulnerabilities to vendors. Carbon Black's Rick McElroy expressed doubt to sister title Techworld that joined-up, international efforts to address cyber risk will exist in a meaningful way before devastating attacks take place, rather than after it's too late.