by Ann Bachman, BS MT(ASCP), CLC(AMT)
June 30th, 2017
The WannaCry (also known as WannaCrypt) ransomware attack experienced worldwide in mid-May 2017 affected some 300,000 computers running Microsoft Windows in more than 150 countries. It hit healthcare institutions, communications providers, gas stations, and banks.
The attack began on Friday, May 12, 2017, encrypting data and demanding ransom payments in Bitcoin cryptocurrency (pseudonymous rather than untraceable: payments go to an address instead of a named account, but every transaction is recorded on a public ledger). Microsoft had learned of the underlying vulnerability earlier and had released a “critical” security patch (MS17-010) on March 14, 2017, for supported versions of Windows, but many organizations had not yet applied it.
Before the malware did too much damage in the United States, a lone researcher on vacation, known online as “Malware Tech,” found a “kill switch” almost by accident: the malware tried to contact an Internet domain coded into it that nobody had registered, and he bought the domain. The check worked as a kill switch because the worm, on every newly infected machine, first tried to reach that domain and, if it got an answer, exited without encrypting anything or spreading further. Once the domain was registered and answering, the check succeeded everywhere and the spread of that variant effectively stopped. Three caveats matter for defenders: registering the domain did nothing for machines that were already encrypted; it did not protect machines that could not reach the domain (for example, behind an outbound proxy or a firewall that blocks unknown domains); and later variants were released without the check, so the patch, not the kill switch, is the real fix.
The cryptoworm spread by exploiting a flaw in Microsoft's SMBv1 file-sharing protocol (the “EternalBlue” exploit, which the March 14 patch closed), so any unpatched Windows computer that another machine could reach on TCP port 445 was at risk, whatever its version. Older, unsupported versions such as Windows XP and Windows Server 2003 had received no patch at all, but most victims were running unpatched Windows 7. When Microsoft learned of the attack, it quickly released emergency patches for the unsupported versions as well. The spread of WannaCry was contained within four days, with new infections slowing sharply after that.
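To make the order of operations concrete (kill-switch check first, then encryption, then scanning neighbours over SMB), here is a toy model of the outbreak. It is an added example, not code from the original article or from the malware itself; the host names, the chain of links between them, and the kill-switch domain are constructed placeholders (the real domain is deliberately not used). It shows why registering the domain halted new encryptions without undoing existing ones, why a host with no route to the domain still got encrypted, and why patching stops the worm regardless of the domain.

```python
# Added example, not code from the original article: a toy model of the worm's
# order of operations (kill-switch check, then encrypt, then scan neighbours
# over SMB) used to show what registering the domain did and did not do.
# Host names, links and the kill-switch domain below are constructed
# placeholders; the real domain is deliberately not used.
from dataclasses import dataclass

KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder, not the real domain


@dataclass
class Host:
    name: str
    patched: bool = False          # MS17-010 applied: the SMBv1 exploit fails
    egress_blocked: bool = False   # no route to the Internet (proxy/firewall), so the check cannot succeed
    infected: bool = False         # exploit succeeded and the worm binary is running
    encrypted: bool = False        # payload ran: files on this host are encrypted


class Network:
    """Hosts plus the pairs of hosts that can reach each other on TCP/445."""

    def __init__(self, hosts, links):
        self.hosts = {h.name: h for h in hosts}
        self.links = {h.name: set() for h in hosts}
        for a, b in links:
            self.links[a].add(b)
            self.links[b].add(a)
        self.registered_domains = set()

    def domain_answers(self, host, domain):
        # The check only succeeds if the domain is registered and the host can actually reach it.
        return domain in self.registered_domains and not host.egress_blocked


def run_worm(host, net):
    """One execution of the worm on an infected host; returns the hosts it newly infects."""
    if net.domain_answers(host, KILL_SWITCH_DOMAIN):
        return []                  # kill switch: exit before encrypting or spreading
    host.encrypted = True
    victims = []
    for name in sorted(net.links[host.name]):
        target = net.hosts[name]
        if not target.infected and not target.patched:
            target.infected = True
            victims.append(target)
    return victims


def outbreak(net, patient_zero, register_domain_at=None):
    """Run the outbreak generation by generation. Returns the number of encrypted
    hosts after each generation; register_domain_at is the generation at which
    the kill-switch domain is sinkholed (None = never)."""
    net.hosts[patient_zero].infected = True
    frontier = [net.hosts[patient_zero]]
    encrypted_per_generation = []
    generation = 0
    while frontier:
        if register_domain_at is not None and generation >= register_domain_at:
            net.registered_domains.add(KILL_SWITCH_DOMAIN)
        next_frontier = []
        for host in frontier:
            next_frontier.extend(run_worm(host, net))
        encrypted_per_generation.append(sum(h.encrypted for h in net.hosts.values()))
        frontier = next_frontier
        generation += 1
    return encrypted_per_generation


def build_clinic(patched=(), egress_blocked=()):
    """Constructed five-host network: two workstations, a file server and two branch PCs, in a chain."""
    names = ["hq-pc1", "hq-pc2", "hq-fileserver", "branch-pc1", "branch-pc2"]
    hosts = [Host(n, patched=n in patched, egress_blocked=n in egress_blocked) for n in names]
    links = list(zip(names, names[1:]))
    return Network(hosts, links)


if __name__ == "__main__":
    print("no controls:      ", outbreak(build_clinic(), "hq-pc1"))
    print("sinkhole at gen 2:", outbreak(build_clinic(), "hq-pc1", register_domain_at=2))
    print("proxy blocks it:  ", outbreak(build_clinic(egress_blocked=("hq-fileserver",)), "hq-pc1", register_domain_at=2))
    print("server patched:   ", outbreak(build_clinic(patched=("hq-fileserver",)), "hq-pc1"))
```

In the sinkhole run the file server is still "infected" (the exploit ran and the worm started) but never encrypts, which is exactly what the registered domain bought defenders; in the proxy run it encrypts anyway because its kill-switch check could not get an answer.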
Meanwhile, as of May 25, 2017, WannaCrypt victims had made 302 payments to the attackers' Bitcoin addresses, worth a total of $126,742.48 (49.60319 BTC). At least two multi-state hospital systems in the U.S. were attacked. BTC, or Bitcoin, is a decentralized Internet currency whose supply is limited by its protocol to 21 million bitcoins. That limit cannot be changed, meaning that Bitcoin cannot be counterfeited or inflated at will, unlike government-issued currency. Payments go to a Bitcoin address rather than to a named account holder, which is why extortionists favor it, but every transaction is recorded on a public ledger, so the ransom addresses could be watched by anyone (that is how the payment totals above were counted). Bitcoin, which is also a digital payment system, can be used to make payments to any entity that accepts the currency.
Ransomware is malicious software that is being used more and more frequently by criminals to extort money from businesses, including healthcare entities. Modern ransomware campaigns first became widespread in Russia and Eastern Europe, but the business is now international and has grown exponentially over the past few years, becoming one of the most prevalent types of cyber-crime. It is very lucrative for the attackers.
Ransomware encrypts digital files and holds them hostage while demanding payment for their release. Typically, victims receive an email addressed to them and open an attachment that looks legitimate, such as an invoice or an electronic fax, but the file carries the ransomware code. The email may instead contain a link to a legitimate-looking URL.
Once the victim opens the attachment, the malware installs itself on the computer; when the victim clicks the link, they are taken to a website that infects their computer. The malware then encrypts files and folders, attached drives, backup drives, and possibly other computers on the same network, in short, anything the infected account can write to. Victims are usually unaware of the attack until they can no longer access data or they see a message demanding the ransom. Until the ransom is paid, or the data is restored from a backup the malware could not reach, the files are completely unavailable. Some files may never be recovered, may be corrupted, or may be deleted entirely.
How did WannaCry spread?
Early reports described WannaCry as arriving like other ransomware, through a loaded hyperlink or attachment opened from an email, an advertisement, or a Dropbox link. Analysis showed something worse: WannaCry was a worm and did not need a user to open anything. Once running on one machine, it scanned for other Windows machines with SMB (TCP port 445) reachable, both on the local network and at random Internet addresses, used the EternalBlue exploit against SMBv1 to install itself on any that were unpatched, and then repeated the process from each new host. That is why a single infected machine could take down an entire hospital network within hours. On each host it encrypted files with AES and protected the AES keys with RSA public-key encryption, so the files cannot be recovered without the attackers' private key.
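The scanning behaviour described above is visible in ordinary network logs, and so is the kill-switch lookup (a host asking for that domain is already running the worm). The detector below is an added example, not code from the original article: it reads constructed connection and DNS log lines, flags any source that talks to an unusual number of distinct hosts on port 445, and flags any client that looks up the kill-switch domain. The log format, IP addresses, threshold and the domain name are assumptions for the example; substitute your own log format and the real sinkholed domain.

```python
# Added example, not code from the original article: a small detector for two
# signals of a WannaCry-style worm, run over constructed log lines. The IPs,
# line format, threshold and kill-switch domain are placeholders; substitute
# your own log format and the real sinkholed domain.
from collections import defaultdict
import re

# A lookup of the kill-switch domain means the worm is already running on that host.
KILL_SWITCH_DOMAINS = {"killswitch.example"}   # placeholder, not the real domain
SCAN_THRESHOLD = 20                            # distinct :445 destinations from one source before alerting

CONN_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<src>[\d.]+) qname=(?P<qname>\S+)$")


def detect(lines, threshold=SCAN_THRESHOLD):
    """Return alerts as (kind, source_ip, detail) tuples; scan alerts come last, sorted by source."""
    smb_targets = defaultdict(set)
    alerts = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            if m["dport"] == "445":
                smb_targets[m["src"]].add(m["dst"])
            continue
        m = DNS_RE.match(line)
        if m and m["qname"].rstrip(".").lower() in KILL_SWITCH_DOMAINS:
            alerts.append(("killswitch-lookup", m["src"], m["qname"]))
    # A workstation talking SMB to one or two file servers is normal; one fanning out
    # to dozens of distinct hosts on 445 is scanning, which is how the worm found victims.
    for src in sorted(smb_targets):
        if len(smb_targets[src]) >= threshold:
            alerts.append(("smb-scan", src, len(smb_targets[src])))
    return alerts


def sample_log():
    """Constructed log: one normal client, one host scanning 25 addresses and checking the kill switch."""
    lines = [
        "2017-05-12T08:01:02Z conn src=10.0.1.40 dst=10.0.1.5 dport=445",
        "2017-05-12T08:01:05Z conn src=10.0.1.40 dst=10.0.1.6 dport=445",
        "2017-05-12T08:02:00Z dns client=10.0.1.23 qname=killswitch.example.",
    ]
    for i in range(1, 26):
        lines.append(f"2017-05-12T08:02:{i:02d}Z conn src=10.0.1.23 dst=10.0.1.{100 + i} dport=445")
    lines.append("2017-05-12T08:03:00Z conn src=10.0.1.23 dst=203.0.113.7 dport=443")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Do not respond to the second signal by blocking the kill-switch domain at the proxy or firewall: a host that cannot reach it fails the check and proceeds to encrypt. Isolate the host instead.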
How should you respond to a ransomware attack?
1. Do not pay the ransom! There is no guarantee that the files will be returned. WannaCry in particular used only a handful of hard-coded Bitcoin addresses and had no reliable way to tell which victim had paid, so paying did not reliably get files back.
2. Isolate infected machines from the network immediately to stop the spread, then work with your IT team to restore data from backups the malware could not reach, if possible. Apply the missing patch before reconnecting any restored system.
3. Contact the FBI Field Office Cyber Task Force (www.fbi.gov/contact-us/field/field-offices) or the U.S. Secret Service Electronic Crimes Task Force (www.secretservice.gov/investigation/#field) to report the event and request assistance.
4. Report the incident to US-CERT (www.us-cert.gov/ncas) and the FBI’s Internet Crime Complaint Center (www.ic3.gov).
5. If the attack may have affected medical devices, contact the FDA’s emergency line at 866-300-4374. Reports for multiple systems should be submitted together.
6. A ransomware infection that encrypts PHI is presumed to be a reportable breach under the HIPAA Breach Notification Rule unless a documented risk assessment shows a low probability that the data was compromised. Document that risk assessment and a strong compliance program; doing so is how HIPAA fines for loss of PHI are avoided or reduced.
Report healthcare-specific attacks to HHS’s Healthcare Cybersecurity and Communications Integration Center at HCCIC_RM@hhs.gov.