May 12, 2017

In May 2017, the biggest ransomware attack in history hit the world.

The “WannaCry ransomware attack”, as it has since been named, exploited a Microsoft Windows vulnerability in Windows XP and Windows 7 devices. It is unique in that it originated from an exposed, vulnerable internet-facing Server Message Block (SMB) port and not phishing as with most malware.

The attack is estimated to have affected over 300,000 computers, but it perhaps only garnered the attention it did because of what it hit. In the UK, the NHS was the worst hit. WannaCry malware infected thousands of NHS computers, locking out the end-user, encrypting their files and demanding payment in Bitcoin to decrypt.

As a result, thousands of NHS staff members and entire NHS departments were locked out and resigned to using pen and paper. For a largely digitalised service like the NHS, this was absolutely devastating.

In some parts of the country, ambulances were diverted to other hospitals as paperwork piled up, and some A&E departments were having to send hundreds of low-risk patients elsewhere. Patients who had already booked an appointment to see their GP were being turned away, and the pressure on critical services in hospitals reached an all-time high as access to patient data became difficult. This all happened between 1 pm and 4 pm.

Sometime between these hours, the NHS entered panic mode and began to pull connections on N3, the national broadband network which connects all NHS locations and 1.3 million employees. They hoped this would stop the malware from spreading, but it had a severe downside which no one anticipated – communication.

It took FOUR HOURS for management to get a communication out about WannaCry, hampered in part because of the N3 cull. So, the attack happened at 13:00, and the NHS only declared a major incident at 16:00. By the time all of the NHS had realised it was under attack, the ransomware had spread to 16 trusts and thousands of computers.

Mercifully, on the same day as the attack, two cybersecurity researchers discovered a “kill switch” which stopped the spread. If this hadn’t been discovered, the NHS’s services would have been crippled even further.

A week later, it was revealed the malware had spread to at least 80 out of 236 hospital trusts in England, as well as 603 primary care and affiliate NHS organisations. It’s reasonable to assume that without the intervention of Marcus Hutchins and Jamie Hankins, the whole of the NHS would have gone under. 

Could it all have been avoided?

It’s important to point out the attack didn’t specifically target the NHS.

The WannaCry malware was designed to infiltrate ANY computer and system without prejudice. But unfortunately for the NHS, it had a transport mechanism to automatically spread itself across vulnerable systems. It turns out the NHS failed to undertake basic IT procedures such as patching and updating software.

Ultimately, from a cybersecurity POV, the WannaCry ransomware attack was relatively unsophisticated. It could have definitely been prevented with basic IT security best practice, which we will take a closer look at below.

Out of date tech

All computers run an operating system. All operating systems have bugs, and hackers develop exploits for them over time. OS makers such as Microsoft release patches and updates to protect against these exploits, but they only work if the end-user bothers to download them. The NHS didn’t bother.

Microsoft had actually released a patch for similar exploitation of out-of-date Windows machines before WannaCry was written. Most NHS trusts failed to deploy it, leaving them vulnerable to the eventual infection.

The simple solution is to ensure machines are kept up to date, with automated patch management being essential.
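As an added illustration (not code from this article or from the NHS), the sketch below audits an asset inventory for the two weaknesses described above: SMB reachable from the internet and machines that have fallen behind on patches. The host names, the CSV layout and the 30-day patch window are assumptions made for the example, and the inventory is constructed sample data.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical hosts, not real NHS data).
SAMPLE_INVENTORY = """host,os,last_patched,internet_facing,open_ports
ward-pc-01,Windows 7,2017-01-10,no,445;3389
imaging-02,Windows XP,2014-04-08,no,445
gateway-01,Windows 7,2017-04-20,yes,443;445
admin-pc-07,Windows 7,2017-04-25,no,445
"""

SMB_PORTS = {139, 445}            # NetBIOS session service and SMB over TCP
UNSUPPORTED_OS = {"Windows XP"}   # out of vendor support since April 2014
MAX_PATCH_AGE_DAYS = 30           # assumed policy window; set to your own


def audit(inventory_csv, today, max_age=MAX_PATCH_AGE_DAYS):
    """Return {host: [findings]} for every host with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        ports = {int(p) for p in row["open_ports"].split(";") if p.strip()}
        # An internet-facing host should never expose SMB.
        if row["internet_facing"].strip().lower() == "yes" and ports & SMB_PORTS:
            findings.append("SMB reachable from the internet")
        # Unsupported systems no longer receive routine patches.
        if row["os"].strip() in UNSUPPORTED_OS:
            findings.append("unsupported operating system")
        # Flag anything outside the patch window.
        age = (today - date.fromisoformat(row["last_patched"].strip())).days
        if age > max_age:
            findings.append(f"last patched {age} days ago")
        if findings:
            report[row["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY, date(2017, 5, 12)).items():
        print(f"{host}: {'; '.join(findings)}")
```

Run on a schedule against a real inventory export, a report like this gives the patching team a daily list of machines to fix before an exploit arrives.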

No anti-malware software

Good anti-malware software could have prevented the spread of WannaCry. It turns out many NHS computers were running no anti-virus or anti-malware software at all — instead, just a very basic firewall with incorrect settings.

If NHS computers had a program like Webroot, WannaCry wouldn’t have been anywhere near as big an issue as it was. Webroot blocks the malware at the source, preventing it from infecting a PC and infiltrating a system.

Poor staff training

It became apparent after the attack that NHS staff had no idea they were spreading WannaCry through NHS Mail, fake invoices and network lures. The virus spread through a .zip file which, when opened, initiated the malware.

Had NHS staff known about the risk of fake files (or had they been warned before sharing and opening them, which Webroot or any good anti-virus software would do) WannaCry’s impact on the NHS would have been far less severe.

Cyberattack planning

Something that came to light after WannaCry was that the NHS had no plan to respond to a major cyberattack, leaving them woefully unprepared. They were held to ransom by WannaCry, and decision-makers within the NHS had no idea what to do. So, they panicked and started pulling plugs in the N3 broadband network, which destroyed the ability for trusts to communicate.

If the NHS had an incident response plan, this catastrophic failure would not have happened, and WannaCry would have been dealt with more quickly. Organisations small and large should learn from this and have a plan in place to deal with a cyberattack. Prevention alone is never enough.


© 2014 Chaplin’s IT Services. All Rights Reserved.