UPDATE: Attackers have hit several hospitals in the UK, as well as major corporations in Spain and other countries, with a ransomware attack, disrupting network and phone operations and forcing some of the hospitals to postpone non-emergency services and divert patients to other facilities.
The attack, initially detected at hospitals and other medical facilities in the UK and at some large enterprises in Spain, has spread to more than 70 countries and affects more than 45,000 victims, researchers at Kaspersky Lab said. Attackers are using a vulnerability that Microsoft patched in March to compromise target machines and install a strain of ransomware known as WCRY or WannaCry. The vulnerability being exploited is one of the bugs revealed in the latest Shadow Brokers tool dump in April; Microsoft was already aware of the flaw and had issued a patch the previous month.
But attackers are now taking advantage of vulnerable machines to install the WannaCry ransomware. The countries with the most visible infections are the UK and Spain. There are 16 medical facilities affected in the UK right now, and several large companies in Spain, including Telefonica, a major telecom provider.
“The special criticality of this campaign is caused by exploiting the vulnerability described in bulletin MS17-010 using EternalBlue / DoublePulsar, which can infect other connected Windows systems on the same network that are not properly updated. Infection of a single computer can end up compromising the entire corporate network,” Spain’s CCN-CERT said in an alert published Friday.
The vulnerability the attackers are exploiting is in the SMBv2 component in Windows, and both the details of the flaw and exploit code for it have been public for weeks. The WannaCry ransomware used in the attacks is asking for about $600 ransom for each infection.
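Because the alert above stresses that the worm only reaches "connected Windows systems on the same network that are not properly updated", the practical question for a defender is whether each host has the MS17-010 fix applied. The following PowerShell script is an added example written for this page, not code from the article, from Kaspersky or from Microsoft. It assumes PowerShell 4 or later on Windows 8.1 / Server 2012 R2 or newer (for `Get-SmbServerConfiguration` and `Get-NetTCPConnection`), and it uses two values that are not on the page and come from the editor's own knowledge: MS17-010 shipped as KB4013389 on the non-Windows 10 platforms supported at the time (Windows 10 received it inside the March 2017 cumulative update, so a missing KB there is not proof of exposure), and the bulletin's release date of March 14, 2017. Microsoft's own guidance for the bulletin was to disable the SMBv1 server where it is not needed, so the script reports that setting as well.

```powershell
# Added example for this page (not the article's, Kaspersky's or Microsoft's code):
# report whether a Windows host has the MS17-010 fix and whether the SMBv1
# server is still enabled. Assumptions are documented in the parameter block.
param(
    # Hosts to check; remote hosts need WinRM/WMI access for Get-HotFix.
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # KB4013389 is the MS17-010 package for Windows 7/8.1/Server 2008 R2/2012 R2
    # (editor's knowledge, not from the page). Windows 10 got the fix in its
    # March 2017 cumulative update, so check the OS build there instead.
    [string]$PatchId = 'KB4013389',
    # Release date of MS17-010 (editor's knowledge, not from the page).
    [datetime]$PatchReleaseDate = (Get-Date '2017-03-14')
)

function Test-MS17010Exposure {
    param([string]$Computer)

    $result = [ordered]@{
        Computer          = $Computer
        HasMS17010Hotfix  = $false
        LastUpdateOn      = $null
        Smb1ServerEnabled = $null
        Port445Listening  = $null
        Verdict           = 'UNKNOWN'
    }

    # 1. Look for the MS17-010 package among the installed hotfixes and note
    #    the most recent update date, which helps triage Windows 10 hosts.
    $hotfixes = Get-HotFix -ComputerName $Computer -ErrorAction SilentlyContinue
    if ($hotfixes) {
        $result.HasMS17010Hotfix = [bool]($hotfixes | Where-Object HotFixID -eq $PatchId)
        $latest = $hotfixes | Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1
        if ($latest) { $result.LastUpdateOn = $latest.InstalledOn }
    }

    # 2. Local-only checks: is the SMBv1 server enabled, and is the SMB port
    #    listening at all? (Both cmdlets query the machine they run on.)
    if ($Computer -eq $env:COMPUTERNAME) {
        $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
        if ($smb) { $result.Smb1ServerEnabled = $smb.EnableSMB1Protocol }
        $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
        $result.Port445Listening = [bool]$listening
    }

    # 3. Verdict: the fix installed, or the SMBv1 server turned off, closes the
    #    path the alert describes; otherwise flag the host for patching.
    if ($result.HasMS17010Hotfix -or $result.Smb1ServerEnabled -eq $false) {
        $result.Verdict = 'OK'
    } elseif ($result.LastUpdateOn -and $result.LastUpdateOn -ge $PatchReleaseDate) {
        $result.Verdict = 'LIKELY OK (updated after the March 2017 release; confirm the build)'
    } else {
        $result.Verdict = 'AT RISK: apply MS17-010 and disable the SMBv1 server'
    }
    [pscustomobject]$result
}

$ComputerName | ForEach-Object { Test-MS17010Exposure -Computer $_ } | Format-List
```

Run it as an administrator on each host (or pass a list of hostnames reachable over WinRM); hosts that come back `AT RISK` with port 445 listening are the ones the alert's lateral-spread scenario applies to and should be patched or isolated first.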
“The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet are approximately $300 USD. It suggests that the group is increasing the ransom demands,” an analysis by Kaspersky researchers says.
Among the hospitals affected in the UK is the East and North Hertfordshire NHS Trust. Officials there said the hospitals in the system are asking people not to call and warning that non-urgent services will be delayed.
“We’re currently experiencing significant problems with our IT and telephone network, which we’re trying to resolve as soon as possible. This means that people will have difficulty phoning us for the time being – please bear with us. Apologies for any inconvenience,” a statement on the system’s site says.
The Barts Health group of the National Health Service also was hit by the attack and said in a statement that it has activated its incident response plan.
“We are experiencing a major IT disruption and there are delays at all of our hospitals. We have activated our major incident plan to make sure we can maintain the safety and welfare of patients. We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals,” the statement says.
“The problem is also affecting the switchboard at Newham hospital but direct line phones are working. All our staff are working hard to minimise the impact and we will post regular updates on the website.”
Reports have indicated that staff at the affected hospitals saw messages on their computers saying they had been encrypted and demanding payment, which is typical of ransomware infections.
“A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack,” the NHS said in a statement. “NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.”
This story was edited on May 12 to include information on attacks in other countries and the Kaspersky Lab analysis.
Image: KOMUnews, CC BY license.