Cyber attacks on the NHS

The cyber attacks detected on the 12th May 2017 affected hundreds of thousands of computers across many countries, including the UK's National Health Service. So what happened, and what should we be doing now? Chris and guests Andrew Holding and Kate Feller from Cambridge University spoke to cyber security expert Paul Harris - Managing Director of the Manchester-based firm Secarma...

Chris - First of all, what is this threat that’s brought computers to their knees across the world?

Paul - The attack that happened on Friday 12th May was a ransomware attack and it was called WannaCry. Multiple strains of ransomware attacks are out there currently and this was just one particular type that attacked certain versions of windows software.

Chris - How did people’s computers get infected?

Paul - It was most likely triggered by a phishing email, where people are either encouraged to click on a link, or open an attachment which then downloads malware. In the instance of WannaCry, the payload as it’s called, this ransomware software, then started to encrypt all of the files on the computer that it attacked. That means that they're effectively locked and you can’t unlock them unless you get a decryption key.

What this then went on to do, in this particular attack, was to then searched for other devices and computers on the network and start to attach those, so it spread very quickly. Then once it had attacked all of those computers it would then start pinging externally and look for other computers to attack.

Chris - Do we know where this threat came from?

Paul - No. I think when it started, like most ransomware attacks, the assumption was that it was an individual cyber criminal. It’s probably unlikely we’ll ever find out for certain. There are some interesting theories though around whether this is actually a government attack. So if you think about countries in the world that are posturing at the moment and putting on big displays of their military capabilities. The malware behind WannaCry was actually based on some malware that was out in the world earlier in the year, around January, that was created by a hacking team in North Korea called the Lazarus Group.

Chris - Given that the people who are doing this are asking for a ransom, can we not just see where the money goes and then we go and catch them?

Paul - Unfortunately not, no. Because the cyber criminals’ currency of choice is something called ‘Bitcoin,’ which is a cryptocurrency. So what you can see is their wallet, so you can see money in this wallet. So from the attack from Friday there was about £60,000 put into this wallet. You don’t know who has put money in and you can’t see who takes money out. The reason that criminals like Bitcoin is because there is no central bank, so it’s very, very difficult to trace who has them. And once you’ve got that money, like most criminals, what they do is then launder that through one or two sources to turn it into cash.

Chris - Once your computer has been locked is there no way back without paying the ransom?

Paul - The advice is don’t pay. It does pose quite a difficult question for you. If you're smart you’ll have kept backups, regular backups, and you’ll have system in place to ensure that you’re able to reinstate. It’s a bigger problem for businesses, but if a business is regularly taking backups, and those backups are separated from the network, then you’re much, much safer. If you haven’t got that, then you are faced with a difficult choice, which is do I pay? It’s a relatively small amount of money but, at the end of the day, you’re dealing with criminals and there’s nothing to say that someone won’t come back next week and attack you if you’ve demonstrated that you are able to pay.

Chris - Andrew?

Andrew - My real concern is that I have to use lots of very old Windows computers for my work because they’re attached to a piece of hardware which is worth quarter of a million pounds, maybe more. We don’t have the budget to replace the hardware, even if the computers are cheap to replace, and no-one’s going to write a driver for that hardware. So, what can we do?

Paul - What Microsoft have done following this recent attack is they’ve gone back to software that had been obsoleted by them; they were no longer supporting it. They have gone back and created security patches to try and close these vulnerabilities down. But it’s the way that software companies work; they will only support software for so long and then they move onto their new product, and they want everyone else to move onto their new product.

So you can protect yourself to a degree by all of the basics that we should be doing, which is running patches on our software, particularly critical security patches, running antivirus software, having firewalls, having strong passwords. Not using the same password for everything that we do, which is something that we all do because it’s so much easier. But really - don't! And have really good discipline about emails.

Chris - Kate?

Kate - Are these attackers able to get your data or information off of your computer, or is it just a lockdown?

Paul - Yes. Everybody needs to step away from the idea that you can be safe online because that’s a dangerous concept. We don’t expect our houses, for example, to be completely impenetrable. We accept that there’s a certain element of risk there and it’s the same online.

So cyber criminals, whoever they are, they are after multiple things. They are after your data; they are after credit card information; they want to try and get into your bank account; they’re looking to steal company secrets, military secrets. We’ve all got things digitally that are valuable to us and it is impossible to entirely protect them. It comes down to how valuable is it to you and how much time, and effort, and budget are you prepared to spend protecting it? You can make it very, very difficult and you can make yourself safe from most of these types of attacks, but you’ll never be 100% secure.

Chris - Is it fair to say as well, Paul that sometimes some of these threats, the worst ones are the ones you don’t know about because you could well have things lurking on your computer where the hacker has created for themselves access to your computer and all of your data that Kate’s worried about, and you don’t know that and they can, when they want to, access your computer or call up your computer and use it to do their bidding from afar?

Paul - That’s very true. The majority of cyber attacks are stealthy; they don’t want you to know they’re there. Ransomware is a very noisy attack because you have to be alerted because they want you to pay, but by far the majority of attacks are stealthy. So, yes, you don’t necessarily know and they not always necessarily after you. They might just be taking over your machines to help them attack other people.

Chris - And just to finish Paul - what proportion do you think of people’s computers probably do have malware on them, if you took an average person off the street? I appreciate this is a hard question for you to answer, but plucking a number from the air, with all of the risk attached thereto, what proportion do you think?

Paul - If you think that last year 3.1 billion records were leaked, I think it’s probably fair to assume that most of us have got our data on the dark web. It’s been stolen at some point either from us directly, or from websites that we use, which is why it’s really important to change the information that you have. And if you think in business terms, I’ve seen stats between 50 and 75% of businesses in the UK are reporting cyber attacks last year. So it’s one in two or worse your probability of being attacked.