The NHS cyber attack

Acronis Cyber Protect
formerly Acronis Cyber Backup

What type of cyber-attack was used?

How ransomware attacks health care providers and other industries

For many, ransomware became known, when WannaCry tore across the globe, infecting a quarter million machines in more than 150 countries in 2017. The largest ransomware attack ever, it affected a diverse collection of entities, including the NHS, Spain-based Telefonica, America’s FedEx, German railway company Deutsche Bahn, and LATAM Airlines.

But what is ransomware?

Ransomware is a type of malicious software that infects computer servers, desktops, laptops, tablets and smartphones, often spreading across networks to other devices. Once it compromises a system, it quietly encrypts every data file it finds, then displays a ransom note to the user demanding an online payment of hundreds or thousands of pounds (to be paid in cryptocurrency like Bitcoin) in return for the decryption keys needed to restore the user’s locked files.  The demand often includes a series of deadlines for payment.  Each missed deadline leads to a higher ransom demand and often, destroyed files. If the victim doesn’t pay up, the attacker discards the decryption keys, making the data permanently inaccessible.

Find out more about ransomware and how it works here


One of the most well-known examples of a ransomware attack which hit companies worldwide in the spring of 2017 was the WannaCry outbreak, afflicting over 200,000 computers in over 150 countries. Costing the UK £92 million and running up global costs of up to a whopping £6 billion.

The ransomware in this case, known as ‘WannaCry’, is often delivered via emails which trick the recipient into opening attachments and releasing malware onto their system in a technique known as phishing.  Once your computer has been affected, it locks up the files and encrypts them in a way that you cannot access them anymore. It then demands payment in bitcoin in order to regain access.


How did the attack happen and what was affected?

On Friday 12th May 2017, the NHS, was brought to a standstill for several days due to the WannaCry outbreak, affecting hospitals and GP surgeries across England and Scotland.  Although the NHS was not specifically targeted, the global cyber-attack highlighted security vulnerabilities and resulted in the cancellation of thousands of appointments and operations, together with the frantic relocation of emergency patients from stricken emergency centres. Staff were also forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.

The WannaCry ransomware exposed a specific Microsoft Windows vulnerability, not an attack on unsupported software. Most of the NHS devices infected with the ransomware, were found to have been running the supported, but unpatched, Microsoft Windows 7 operating system, hence the extremities of the cyber-attack. The ransomware also spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), but fortunately, there were no instances of the ransomware spreading via NHSmail (the NHS email system).

NHS England reported at least 80 out of the 236 trusts were affected in addition to 603 primary care and other NHS organisations, including 595 GP practices.  The Department, NHS England and the National Crime Agency reported that no NHS organisation paid the ransom, but the Department does not know how much disruption to services cost the NHS although estimates total £92m

Who was behind the attack?

The attack used Eternalblue, the name given to the software vulnerability in Microsoft’s Windows operating system, and works by exploiting the Microsoft Server Message Block 1.0. The Server Message Block (SMB) is a network file sharing protocol and ‘allows applications on a computer to read and write to files and to request services’ that are on the same network.

Ironically, it was allegedly developed as a cyber-attack exploit by the US National Security Agency.  Although they were reported to have known of the tool’s vulnerabilities, the NSA didn’t bring it to Microsoft’s attention until the hacker group called Shadow Brokers leaked EternalBlue to an obscure website.

Further analysis of the attack by companies such as Symantec revealed links to the Lazarus group who in turn have been linked to North Korea although the attack does not bear the hallmarks of a nation-state campaign.

What caused the attack?

On Tuesday, March 14, 2017, Microsoft issued a security bulletin, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time. The Department of Health was warned about the risks of cyber-attacks on the NHS a year before WannaCry and although it had work under way it did not formally respond with a written report until July 2017.

At the time of the attacks, the NHS was criticized for using outdated IT systems, including Windows XP, a 17-year-old operating system that could be vulnerable to cyber-attacks. In an unusual move, Microsoft released a WannaCry patch for unsupported systems such as Windows XP which Microsoft stopped supporting in 2014.

The NHS had not rehearsed for a national cyber-attack it was not immediately clear who should lead the response. There were problems with communications because emails were either infected or shut down to prevent the ransomware spreading. It’s clear that the disaster recovery plan at the time had not accounted for a cyber-attack of this scale nor were there communication contingencies if the main network was inaccessible. There was no clear relationship between trusts infected by WannaCry and the quality of their leadership, as rated by the Care Quality Commission.

What stopped the attack?

The cyber-attack was stopped by an accidental kill switch discovered by Marcus Hutchins, a computer security researcher, by registering a domain that the ransomware was programmed to check.  In the week after, the kill switch became the target of powerful botnets hoping to knock the domain offline and spark another outbreak.

What lessons can we learn from the NHS cyber-attack?

According to the National Crime Agency (NCA), ransomware remains the most common cyber extortion method in the UK, whilst the technical skill required to commit cyber-attacks continues to decrease.

A report based on an FOI request by SolarWinds revealed the overall percentage of UK public sector respondents who experienced a cyber-attack in 2018 compared to 2017 went down (38% experienced no cyber-attacks in 2018, while 30% experienced none in 2017), there were also more organisations that experienced over 1,000 cyber-attacks - 18% in 2018 compared to 14% in 2017.

Security experts warned the health sector is seen by cyber criminals as a particularly lucrative target with health records worth up to ten times the amount as other data such as banking details.  9 months after the attack, it was revealed by NHS Digital that none of the 200 NHS trusts passed a cyber security vulnerability inspection. Most of the failures were related to patching.

Insufficient funding was highlighted as the main reason why the NHS was still using supporting systems and did not reach cyber security standards. In December 2015, the NAO concluded that the continued deterioration in financial performance was not sustainable and that financial problems in the NHS were endemic.

The WannaCry attack triggered a boost in investment from the government for cyber security in the NHS.  This is a classic example of how a lack of understanding about the risks associated with cyber security vulnerabilities did not warrant a sufficient level of funding to meet the growing needs of large public institutions such as the NHS.

There is further evidence that the understanding of cyber security by senior management in the UK public sector must improve. In a recent survey by Sophos, a worrying 55% of public sector IT leaders believe their organisation’s digital data is less valuable than that of the private sector. 36% of IT leaders say that recruiting and retaining cybersecurity professionals is the single greatest challenge, while frontline IT professionals don’t appear to feel under-resourced, with just 14% of them concerned about the lack of such skills. Clearly there is a communication bridge to be gapped.

Technology is expected to “transform” the NHS. Innovations like the increased use of Artificial Intelligence, cloud computing and connected devices can support more effective care. However, as healthcare relies more on technology, the risk of cyber disruption will also significantly increase, unless appropriate actions are taken.

Final thoughts and further reading

To avoid becoming victims of the next widespread ransomware attack healthcare providers will have to deploy the basic measures, and consider deploying leading-edge technologies for ransomware defence like Acronis Ransomware Protection, a free extension to Acronis Backup and Acronis Backup Advanced that uses machine learning to identify ransomware attacks in progress, instantly terminate them, and automatically restore any damaged files.

For details on how Active Protection works, see:

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.