As I’m sure you’ll be more than aware by now, on Friday 12th May 2017, businesses in 150 countries and as many as 47 NHS trusts were affected by an attack from ransomware known as “WannaCry”. The spread of the attack was halted “accidentally” by a 22-year-old self-trained web security expert who found a “kill switch” by inadvertently registering a domain name hidden within the program.
What is ransomware?
Ransomware is malicious software which uses cryptovirology to block access to data, demanding payment to unlock it (hence “ransom”). Ransomware was initially popular in Russia, but has spread globally in recent years. Notable examples of ransomware include CryptoLocker, CryptoWall and Fusob, which targets mobile phones. WannaCry is the latest widespread ransomware attack targeting Microsoft Windows, and the method of attack and infiltration is currently unknown.
What can we learn from this?
While the origin of the attack remains unclear, the fact that it managed to spread so widely – particularly in the NHS where data is critical – raises some questions about how prepared organisations really are for events of this nature. Copycat scams – with tweaked versions of the WannaCry code – seem likely, so what should organisations, particularly public sector ones, take away from this?
It’s definitely time to ditch unsupported operating systems
Although not the sole reason the virus managed to infiltrate many systems, for those running outdated and unsupported operating systems, it almost certainly left them extremely vulnerable. In December 2016, it was reported that 90% of the NHS were still using Windows XP – a 15-year-old operating system – and 29% were vague or unclear about when they would be upgrading. Microsoft ended extended support for XP in April 2014, meaning that no further security updates protecting against hackers and malware have been released since that date. The same goes for Server 2003, support for which ended in July 2015.
In an unusual move, Microsoft released an urgent patch for older Microsoft operating systems – including XP, Vista and Server 2003 – to protect users and systems from the WannaCry virus. This is an unprecedented action – as Microsoft usually charge organisations for extended support for operating systems – and for those affected by the attacks, is a bit like closing the stable door after the horse has bolted.
Upgrading from Windows XP and Server 2003 was an urgent matter over 2 years ago when support ended, but it’s beyond critical now. There are countless worrying stats around the exponential growth of malware and ransomware in the UK and across the globe – in the NHS alone, 1 in 3 trusts were affected by ransomware in 2016. This attack certainly won’t be the last of its kind, and unsupported operating systems leave your organisation wide open to threats like ransomware.
It’s also worth reminding yourself of the end of extended support for Windows 7 (14th Jan 2020) and Windows 8.1 (10th Jan 2023). These dates are fast approaching, so even if you’re not on XP, it’s vital to get an upgrade plan in place in order to avoid being vulnerable to the inevitable similar attacks in the future.
Standardisation is key
It’s been speculated that the vulnerabilities and security issues within IT in the NHS come from a lack of standardisation. Following healthcare reforms in 2012, which saw the separation of decision-making powers, there has been no central organisation actively responsible for IT and technical standards within the NHS. The Health and Social Care Information Centre (now NHS Digital) is responsible for data standardisation and driving digital transformation, but not for technical standardisation. This has meant that it’s been easy for many trusts to slip under the radar and continue to use what is essentially outdated technology to support and run life-critical systems.
But it’s not just the NHS who should take heed of this lesson. Lack of standardisation and a centralised approach to IT might sound familiar to organisations across the public sector, including schools. The rising numbers of academies and independent schools in the UK mean that many institutions are moving away from Local Authority support and essentially “going it alone”. Many academies now find safety in numbers in Multi Academy Trusts (MATs), but this means bringing a number of separate schools, each with differing levels of investment, resource and governance around IT, under one organisation. For MATs, there’s an opportunity and a need to ensure from the central organisation that there’s a level of standardisation across all member schools, in order to avoid any individual school being left vulnerable due to being left behind.
There is much for public sector organisations to think about in the wake of this attack. Due to its reach and level of infiltration, WannaCry gained global attention, but attacks like this are happening every day. Vulnerability to ransomware puts users, students, patients and stakeholders at risk, and you should take every step you can to make your organisation secure.
What you can do now
If you are running an older Windows operating system – at work or at home – download and run the appropriate updates found on this page immediately. You should also ensure that your security software is up to date and providing sufficient protection, and you are backing up your files and data. For Windows Server users, we would also recommend disabling legacy protocols such as SMBv1, in order to protect against future versions of malware and ransomware. You can find out how to do that here.
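As an added illustration of the SMBv1 step above (example code, not part of the original article or any Microsoft guidance page), the following PowerShell audits and then disables SMBv1 on a Windows Server. It assumes an elevated session and Windows Server 2012 or later for the Smb cmdlets, with registry and sc.exe fallbacks for older builds.

```powershell
# Added example (not from the original article): audit and disable SMBv1 on
# Windows Server. Run in an elevated PowerShell session. The Smb* cmdlets need
# Windows 8 / Server 2012 or later; the registry and sc.exe steps cover older
# builds. Try it on a non-production host first.

# 1. Is the SMBv1 server protocol currently enabled?
$before = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server protocol enabled before change: $before"

# 2. Optional (Server 2016 / Windows 10 1709 and later): turn on SMBv1 access
#    auditing first and watch Event ID 3000 in the
#    Microsoft-Windows-SMBServer/Audit log for clients still using SMBv1,
#    so legacy devices (printers, scanners) can be fixed before the cut-off.
if ((Get-Command Set-SmbServerConfiguration).Parameters.ContainsKey('AuditSmb1Access')) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# 3. Disable the SMBv1 server side, the legacy protocol the article recommends
#    switching off.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Remove the SMB1 feature entirely where the OS offers it (Server 2012 R2+),
#    so a stray configuration change cannot re-enable it.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    if ($f -and $f.Installed) { Uninstall-WindowsFeature -Name FS-SMB1 }
}

# 5. Disable the SMBv1 client as well, so this host cannot speak SMBv1 outbound.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 6. Registry fallback for older builds (Server 2008 R2 / Windows 7) where the
#    Smb cmdlets do not exist; harmless on newer builds.
$reg = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $reg -Name SMB1 -Type DWord -Value 0 -Force

# 7. Verify; a reboot is required for the client-side and feature changes.
$after = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server protocol enabled after change:  $after"
if ($after) { Write-Warning 'SMBv1 is still enabled; check the steps above.' }
```

Run the audit step for a week or two before the disable steps if you have older file-sharing devices on the network, so that nothing business-critical stops working unexpectedly.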