Case study: NHS WannaCry

A piece of malware spread rapidly and infected many computers across the globe. Many data files on infected computers could no longer be opened.

2.1 What was the incident?

Around 200 000 computers in 150 countries were infected by WannaCry. Universities, government departments, hospitals, manufacturers, telecommunications companies and many other organisations were affected, including large, well-known companies and organisations such as FedEx, Hitachi, Honda, the National Health Service (England and Scotland), Nissan Motor Manufacturing UK, O2 Germany, Renault and Telefonica.

The malware was of a type known as ransomware, which locks the data files of an infected computer using encryption and demands a ransom payment to unlock them. In the UK, the worst-affected organisation was the National Health Service (NHS): around 50 health trusts in England and 13 in Scotland, including hospitals, GP surgeries and pharmacies, were affected. Problems with email, clinical IT systems and patient IT systems caused major disruption: delays at hospitals, medical equipment malfunctioning, ambulances being diverted to neighbouring hospitals, and the cancellation or postponement of non-urgent activities. It was believed that up to 70 000 devices, including computers and medical equipment, were affected.

2.2 How did it work?

WannaCry belongs to a class of malware known as 'worms'. As you saw in Activity 2, these are stand-alone, self-replicating programs that spread through network connections, reaching uninfected machines and then hijacking their resources to transmit yet more copies across the network. Like a typical worm, WannaCry contains an infection module and a 'payload'. The infection module is responsible for spreading the malware, while the payload carries out the actual attack: in WannaCry it locks data files using encryption and handles the ransom demand. Once the malware is executed, both modules run at the same time.

Compared to other worms, however, WannaCry spread much more quickly. How did it achieve this? The security experts who analysed the malware found that it employed a powerful exploit known as EternalBlue. This exploited a vulnerability in Microsoft Windows operating systems, allowing the malware to install and execute itself on a vulnerable computer without any action by the computer user.
The vulnerability exploited by EternalBlue existed in almost all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10, as well as some server and embedded versions. EternalBlue is believed to have been developed by the US National Security Agency (NSA) and then stolen by a hacking group known as the Shadow Brokers, who had been trying to sell it on the black market for a number of months before the WannaCry attack. EternalBlue exploited a defect in Microsoft's implementation of the Server Message Block (SMB) protocol, which allows applications on one computer to access files and services on other computers. This remote access usually happens within the same local area network (LAN), but a computer outside the LAN (for example, on the internet) can also reach the service if the firewall settings allow it. Exposing SMB beyond your LAN significantly increases the risk of attack. Once WannaCry infects a computer, it scans all computers within the same local network, and some computers on the internet, for the EternalBlue vulnerability. When it finds a vulnerable computer, it installs and executes itself there. Each infected computer therefore becomes an attacker in turn and keeps looking for new victims. This is how the malware spread so quickly.
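A worm hunting for SMB produces a network pattern that is easy to spot: one host attempting connections to many distinct addresses on TCP port 445 within a short time, which no ordinary file-sharing client does. The Go program below is an added example of that detection, not from the case study; it runs over constructed connection records (the time stamps, addresses and thresholds are assumptions) and flags any source that reaches at least minTargets distinct destinations on the port inside a sliding time window.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Conn is one connection attempt as a flow collector or firewall would log it.
// Constructed record type for this example; real exports (NetFlow, Zeek
// conn.log) carry the same fields under other names.
type Conn struct {
	At    time.Time
	Src   string
	Dst   string
	DPort int
}

// FanOut flags every source that attempts connections to at least minTargets
// distinct destinations on dport within any window of the given length.
// Repeated sessions to the same file server count as one destination, so a
// busy but normal client is not flagged.
func FanOut(conns []Conn, dport int, window time.Duration, minTargets int) map[string]int {
	bySrc := map[string][]Conn{}
	for _, c := range conns {
		if c.DPort == dport {
			bySrc[c.Src] = append(bySrc[c.Src], c)
		}
	}
	alerts := map[string]int{}
	for src, list := range bySrc {
		sort.Slice(list, func(i, j int) bool { return list[i].At.Before(list[j].At) })
		// Two-pointer sliding window over the time-ordered attempts, keeping a
		// count of how many distinct destinations currently fall inside it.
		inWin := map[string]int{}
		best, lo := 0, 0
		for hi := range list {
			inWin[list[hi].Dst]++
			for list[hi].At.Sub(list[lo].At) > window {
				d := list[lo].Dst
				inWin[d]--
				if inWin[d] == 0 {
					delete(inWin, d)
				}
				lo++
			}
			if len(inWin) > best {
				best = len(inWin)
			}
		}
		if best >= minTargets {
			alerts[src] = best
		}
	}
	return alerts
}

// SampleConns builds a constructed log: one workstation sweeping its /24 and a
// few internet addresses on 445 within seconds (worm-like), and one
// workstation talking repeatedly to a single file server (normal).
func SampleConns() []Conn {
	t0 := time.Date(2017, 5, 12, 8, 0, 0, 0, time.UTC)
	var conns []Conn
	// Normal client: same file server, 20 sessions spread over 10 minutes.
	for i := 0; i < 20; i++ {
		conns = append(conns, Conn{t0.Add(time.Duration(i*30) * time.Second), "10.1.2.50", "10.1.2.10", 445})
	}
	// Worm-like host: 40 distinct LAN hosts in 10 seconds, then 8 internet
	// addresses over the following 8 seconds.
	for i := 0; i < 40; i++ {
		conns = append(conns, Conn{t0.Add(time.Duration(i*250) * time.Millisecond), "10.1.2.77", fmt.Sprintf("10.1.2.%d", 100+i), 445})
	}
	for i := 0; i < 8; i++ {
		conns = append(conns, Conn{t0.Add(10*time.Second + time.Duration(i)*time.Second), "10.1.2.77", fmt.Sprintf("203.0.113.%d", 10+i), 445})
	}
	// Traffic on another port must be ignored by a 445 rule.
	conns = append(conns, Conn{t0, "10.1.2.77", "198.51.100.5", 443})
	return conns
}

func main() {
	for src, n := range FanOut(SampleConns(), 445, 60*time.Second, 20) {
		fmt.Printf("ALERT %s reached %d distinct hosts on 445 within 60s\n", src, n)
	}
}
```

The window and threshold are site-specific choices: an administrator's inventory scanner will also fan out on 445, so in practice the rule is paired with an allow-list of known scanners, and the same logic applied to destinations outside the organisation's own ranges is the signal that the firewall is letting SMB out to the internet.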

Figure 1 illustrates how WannaCry infects a computer. Once installed, the payload module looks for a range of data files, including documents and images, on the infected computer and encrypts them using a combination of symmetric and asymmetric encryption, so that the files cannot be decrypted easily. It then launches 'Wana Decrypt0r 2.0' and displays a black Windows desktop background with instructions in red text. Figure 2(a) shows the desktop background image; the interface of 'Wana Decrypt0r 2.0' is shown alongside it. This tells the victims that their data files have been encrypted and that they have to pay a ransom of $300 to a given address if they want to recover all their files. The ransom is to be paid in bitcoin, a digital currency that can be bought with real money at bitcoin exchanges. The interface also has three-day and seven-day countdown timers, used to create a sense of urgency: the note states that the ransom will double after three days and that the data files will be deleted after seven days. To convince victims that 'Wana Decrypt0r 2.0' can recover their files, it offers a free demonstration in which a few files are decrypted.

2.3 Who were the attackers?

At the time of writing, nobody has claimed responsibility, nor has anyone been arrested for spreading the malware. One suspect is the Shadow Brokers group, as they were alleged to have stolen the hacking tool from the NSA. Moty Cristal, a professional negotiator, believed that the attackers did it not for money but to make a point: to show the group's strength and to remind large organisations to revise their cyber security strategies. He said:

However, the NSA was reported to believe that the hacking group Lazarus, linked to the North Korean government, was behind the WannaCry attack.
The report stated that the Obama administration had previously concluded that the Lazarus group was behind a series of cyber-robberies of banks in Asia as well as the 2014 hack of Sony Pictures Entertainment, in which the attackers demanded that the company withdraw a film ridiculing the North Korean leader, Kim Jong Un. The US government imposed sanctions on North Korea after these attacks.

The report further stated that security researchers who analysed the WannaCry code found similarities to malware used by the Lazarus group, and that there was military intelligence indicating that North Korea was behind the attack. Without firm evidence and a proper court trial it is hard to pinpoint the culprit, but the Lazarus and Shadow Brokers groups appear to be the prime suspects.

2.4 What lessons can be learnt?

As the NHS was the organisation most affected by the WannaCry attack in the UK, the discussion here focuses on the experience of the NHS; some of the lessons might apply to other organisations too. You might have expected a large and important organisation such as the NHS to have enough resources and support, and a business continuity plan (BCP), disaster recovery plan (DRP) and incident response team (IRT) in place, to protect itself against cyber-attacks. Furthermore, Microsoft had announced the vulnerability exploited by EternalBlue and released a patch almost two months before the attack.

This should have given organisations enough time to patch the security hole and protect themselves against WannaCry. So why was the NHS still so badly affected? What went wrong, and what lessons can be learnt from this incident? According to Dan Taylor, Head of Security at NHS Digital, the main reasons were the following.

• The NHS had a complicated organisational structure that allocated the responsibilities for policy making, service commissioning, and data and information to three different bodies: the Department of Health, NHS England and NHS Digital respectively. Although NHS Digital acted as the central data and information organisation, each NHS trust or GP surgery looked after its own data security. NHS Digital had no direct control over the maintenance of computing assets in local hospitals and GP surgeries.

• The NHS's core business is health and care. Technology and data security are not its main concerns, even though it has an obligation to protect the data it holds. With the NHS under severe financial constraints, keeping computing equipment up to date was not a priority. Although the patch for the EternalBlue vulnerability had been available for two months, most NHS trusts had not applied it to their computing equipment.

• To make matters worse, the NHS trusts ran many different systems, including some old legacy systems. Applying patches to all of these, especially the legacy systems, without affecting critical clinical systems was not simple: a badly applied patch could render a clinical system unusable, and those systems are critical to the NHS's operations. Faced with a choice between clinical risk and security risk, many NHS trusts chose to bear the security risk.

• Finally, communication was a problem too. The language and terminology used by NHS Digital were not always understandable to health professionals, and responses to queries were not always timely.

1. Purpose

This coursework is intended to help you develop your awareness and understanding of the various aspects and components of Business Continuity Planning. 

2. Organization 

This is the only assignment for the module. It is a group-based task: each group must consist of a minimum of two (2) and a maximum of three (3) members, and you are responsible for forming your group. There are two parts to this assignment: (i) a group task and presentation; and (ii) an individual self-reflection report. For more information, please see below.

Each team must take responsibility for planning and coordinating its work, and make sure that in the end everything fits together. It is important that team members cooperate to deliver the requested final documentation according to the tasks described in the coursework.

This module complies with the School's Turnitin policy. The assignment is to be submitted online ONLY, by 11:59 PM on the submission date shown on the first page.

The total word count must not exceed 4000 words, excluding the self-reflection report, tables, table of contents and references (if any).

3.1 Getting started 

Groups must be formed before 1 November 2021 using the link provided above. Each group member must ensure that they duly participate in, work on and contribute to each task listed in the coursework. In addition, each member must participate in the oral presentation and complete the self-reflection report individually.

3.2 Choose a scenario from the allocated scenarios

As a business continuity specialist, you have been allocated a scenario (select from the Case Study Scenarios in the Assessment and Feedback folder on Moodle) for which you will develop a business continuity plan for a company or organisation. It is essential that you apply realistic assumptions in order to elaborate the chosen case-study scenario and its business context, including, for example, assets, business processes and perceived threats/risks. You should also conduct further research into similar cyber-attacks to support your critical thinking and analytical skills.

Through this set of case studies, you will also be able to analyse various types of attack, look at what lessons can be learnt from major incidents and consider what business continuity measures you should apply to protect your organization. 

To help your interpretation of the case studies, a framework has been adopted to analyse and explain each attack. Each case study will answer the questions: 

  1. What was the attack?
  2. How did it work?
  3. Who were the attackers?
  4. What lessons can be learnt?

Note: the chosen scenario must be agreed with the module leader.

3.3 The report must be structured to include the following sections:

  • Title 
  • Abstract
  • Introduction 
  • Case Study
  • Summary/Conclusion 
  • References 
  • Individual Self-Reflection 

TASKS

Task 1: Security Incident Handling Report (15 marks)

Considering the incident in the case study, the stakeholders are concerned that it may cause widespread disruption and business interruption affecting critical services now and in the future. Your task is to develop an incident response process that the company can use to halt the attack quickly, minimise damage and prevent future attacks.

You should follow the NIST incident response lifecycle (NIST SP 800-61), which structures incident response into four main phases. Focus on the specific attributes of each phase of the incident handling process:

1. Preparation Phase

  • Introduction (Scope of the Incident Response)
    o Purpose and Scope of the Plan
    o Mission
    o Incident Reporting Mechanisms
  • Develop a CSIRT consisting of the key members, with their roles and responsibilities
    o CSIRT Type
    o CSIRT Member Type
    o Role
    o Responsibilities
    o Contact Details
  • Identify at least 5 critical assets belonging to the company
    o Asset Type
    o Description
    o Sensitivity/Criticality

2. Detection and Analysis Phase

  • Provide Incident Details
    o Incident Type
    o Incident Description
    o Incident Status
    o Attack Vectors
    o Assets Affected
    o Evidence Collected
    o Severity/Impact of the Incident
  • Incident Category
    o Incident Priority
  • Source of Evidence

3. Containment, Eradication and Recovery Phase

  • Highlight Containment, Eradication and Recovery Measures for the Incident
    o Containment Measure and Description
    o Eradication Measure and Description
    o Recovery Measure and Description

4. Post-Incident Activity Phase

  • Lessons Learned
    o Describe how well the incident was handled

Task 2: Disaster Recovery Plan (15 Marks)

A disaster recovery plan (DRP) is a strategy that helps the organisation resume its operations quickly after an event. The principal objective is to develop and document a well-structured and easily understood plan that will help the company recover as quickly and effectively as possible from the disaster that interrupted business operations. In this task, you must develop a DRP for the organisation, based on the output from the previous task and on the properties described below:

1. Conduct a Business Impact Analysis (BIA)

  • Introduction and Purpose
  • Scope
  • Possible Assumptions
  • Critical Services/Functions
    o Identify Critical Functions
    o Inventory Critical Assets
    o Define RTO for Assets/Functions
    o Define RPO for Assets/Functions
    o Critical Function Recovery Priority
  • Risk Assessment
    o Risk Type
    o Risk Name
    o Potential Impact (functional, information and recoverability impacts)
    o Control Actions

2. Recovery Strategies

  • Pick a backup method and alternate site strategy
    o Backup Type and Description
    o Backup Retention Period
    o Alternate Site Strategy and Description
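Defining an RPO for an asset is only meaningful if the backup schedule actually achieves it, and after a ransomware incident the usable recovery point is the last successful backup taken before the infection, not the most recent one. The Go program below is an added example, not part of the coursework brief, that performs exactly that check over a constructed backup-job log; the asset names, RPO targets, log format and incident time are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// BackupJob is one parsed line of a backup-job log: when it ran, which asset
// it covered and whether it succeeded.
type BackupJob struct {
	At     time.Time
	Asset  string
	Status string // "ok" or "failed"
}

// Breach is an asset whose clean recovery point does not meet its RPO.
type Breach struct {
	Asset   string
	Loss    time.Duration // data lost: incident time minus clean recovery point
	NoClean bool          // no successful backup from before the incident at all
}

// ParseJobs reads lines of the assumed form "<RFC3339 time> <asset> <ok|failed>".
// Malformed lines are skipped so one bad line does not abort the check.
func ParseJobs(log string) []BackupJob {
	var jobs []BackupJob
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		jobs = append(jobs, BackupJob{At: at, Asset: f[1], Status: f[2]})
	}
	return jobs
}

// RecoveryPoint returns, per asset, the latest successful backup taken before
// the incident. Failed jobs do not count, and neither do backups taken after
// the incident: with ransomware they would hold the encrypted copies.
func RecoveryPoint(jobs []BackupJob, incident time.Time) map[string]time.Time {
	rp := map[string]time.Time{}
	for _, j := range jobs {
		if j.Status != "ok" || !j.At.Before(incident) {
			continue
		}
		if cur, seen := rp[j.Asset]; !seen || j.At.After(cur) {
			rp[j.Asset] = j.At
		}
	}
	return rp
}

// RPOBreaches compares each asset's clean recovery point with its RPO target
// and returns the assets that miss it, sorted by name.
func RPOBreaches(jobs []BackupJob, incident time.Time, rpo map[string]time.Duration) []Breach {
	rp := RecoveryPoint(jobs, incident)
	var out []Breach
	for asset, target := range rpo {
		at, ok := rp[asset]
		switch {
		case !ok:
			out = append(out, Breach{Asset: asset, NoClean: true})
		case incident.Sub(at) > target:
			out = append(out, Breach{Asset: asset, Loss: incident.Sub(at)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Asset < out[j].Asset })
	return out
}

// Constructed sample: incident detected mid-morning; hourly patient-admin (pas)
// backups, a nightly imaging (pacs) backup whose last two runs failed, an email
// backup that ran again after the incident, and a file share whose only backup
// is post-incident. The final line is deliberately malformed.
var SampleIncident = time.Date(2017, 5, 12, 10, 30, 0, 0, time.UTC)

var SampleRPO = map[string]time.Duration{
	"pas": time.Hour, "pacs": 4 * time.Hour, "email": 24 * time.Hour, "fileshare": 24 * time.Hour,
}

const SampleLog = `
2017-05-12T09:00:00Z pas ok
2017-05-12T10:00:00Z pas ok
2017-05-11T22:00:00Z pacs ok
2017-05-12T02:00:00Z pacs failed
2017-05-12T06:00:00Z pacs failed
2017-05-11T23:00:00Z email ok
2017-05-12T11:00:00Z email ok
2017-05-12T11:00:00Z fileshare ok
garbage line`

func main() {
	for _, b := range RPOBreaches(ParseJobs(SampleLog), SampleIncident, SampleRPO) {
		if b.NoClean {
			fmt.Printf("%s: no clean pre-incident backup\n", b.Asset)
		} else {
			fmt.Printf("%s: RPO missed, %s of data lost\n", b.Asset, b.Loss)
		}
	}
}
```

On the sample, pas and email meet their RPOs, pacs misses its 4-hour RPO by a wide margin because two consecutive jobs failed unnoticed, and fileshare has no usable recovery point at all because its only backup ran after the infection. The two failure modes map directly onto the audit questions in the next task: are failed backup jobs alerted on, and is there a retention period long enough to keep a pre-incident copy?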

Task 3: Audit Program (10 Marks)

An audit program is an independent assessment of the effectiveness of the business continuity plan and of its alignment with subordinate continuity plans such as disaster recovery and incident response. Consider the ISO 22301 audit checklist (available on Moodle) and choose the audit questions related to your chosen context. Based on your assumptions, identify the risks, threats, existing controls and proposed controls in order to complete the audit checklist. You should make realistic assumptions for performing this task. The report should include the following headings:

  • Audit Objectives 
  • Audit Scope 
  • Key Risk Areas 
  • Audit Approach 
  • ISO 22301 Control Clause
  • Audit Question
  • Evidence used 
  • Result: (as: non-conformity/potential non-conformity/conformity)
  • Recommended Action: corrective/preventive action 

Task 4: Self Reflection and Presentation (10 Marks)

Self-Reflection: each group member must write a self-reflection report of no more than 500 words, analysing the consequences of the absence of business continuity planning and recommending actions that should be taken. The self-reflection report should be included in the same file.

Presentation: each group must produce and deliver a 10-minute oral presentation summarising:

  • The results or outcome of the tasks performed and the sources of reference used;
  • The lessons learned from the incident and case study.

Each group must plan and structure their presentation together rather than just dividing the work into individual tasks. The presentation date will be agreed with the tutor. If a student is absent on the day of the presentation, zero marks will be allocated to that student.

Marking Scheme

Task   Description                          Mark Allocation
1      Security Incident Handling Report    15
2      Disaster Recovery Plan               15
3      Audit Program                        10
4      Self-reflection and Presentation     10
       Total (%)                            50

Appendices: Useful Case-study Resources

Bain, I. (2015) 'TalkTalk cyber-attack: customer got scam call nearly a day before', The Guardian, 23 October. Available at: www.theguardian.com/business/2015/oct/23/talktalk-cyber-attack-customers-scam-calls-day-before-announcement (Accessed: 19 October 2018).

Ball, T. (2017) 'Top 5 critical infrastructure cyber attacks', Computer Business Review, 18 July. Available at: www.cbronline.com/cybersecurity/top-5-infrastructure-hacks/ (Accessed: 19 October 2018).

Baraniuk, C. (2017) 'Should you pay the WannaCry ransom?', BBC News, 15 May. Available at: www.bbc.co.uk/news/technology-39920269 (Accessed: 19 October 2018).

BBC News (2015) 'TalkTalk hack "affected 157,000 customers"', BBC News, 6 November. Available at: www.bbc.co.uk/news/business-34743185 (Accessed: 19 October 2018).

Burgess, M. (2016) 'TalkTalk hack toll: 100k customers and £60m', WIRED, 2 February. Available at: www.wired.co.uk/article/talktalk-hack-customers-lost (Accessed: 19 October 2018).

Davis, J. (2017) 'New WannaCry variant takes down North Carolina provider', Healthcare IT News, 24 October. Available at: www.healthcareitnews.com/news/new-wannacry-variant-takes-down-north-carolina-provider (Accessed: 19 October 2018).

Evenstad, L. (2017) 'CW500: How the NHS WannaCry cyber attack unfolded', Computer Weekly, 17 October. Available at: www.computerweekly.com/news/450428252/CW500-How-the-NHS-WannaCry-cyber-attack-unfolded (Accessed: 19 October 2018).

Great Britain (1990) Computer Misuse Act 1990: Elizabeth II. Chapter 18. London: The Stationery Office.

Krebs, B. (2016) 'Alleged vDOS Proprietors Arrested in Israel', Krebs on Security, 10 September [Blog]. Available at: https://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/ (Accessed: 19 October 2018).

Krebs, B. (2017) 'Mirai IoT Botnet Co-Authors Plead Guilty', Krebs on Security, 13 December [Blog]. Available at: https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/ (Accessed: 19 October 2018).

MacAskill, E. (2018) 'Major cyber-attack on UK a matter of "when, not if" – security chief', The Guardian, 23 January. Available at: www.theguardian.com/technology/2018/jan/22/cyber-attack-on-uk-matter-of-when-not-if-says-security-chief-ciaran-martin (Accessed: 19 October 2018).

Mimoso, M. (2017) 'WannaCry Variants Pick Up Where Original Left Off', Threatpost, 15 May. Available at: https://threatpost.com/wannacry-variants-pick-up-where-original-left-off/125681/ (Accessed: 19 October 2018).

Smart, W. (2018) Lessons learned review of the WannaCry Ransomware Cyber Attack. London: Department of Health and Social Care, UK Government. Available at: www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf (Accessed: 19 October 2018).

Swinford, S. (2018) 'Russia preparing to mount cyber-attack on Britain's "critical infrastructure", GCHQ and FBI warn', The Telegraph, 16 April. Available at: www.telegraph.co.uk/politics/2018/04/16/russia-preparing-mount-cyber-attack-britains-critical-infrastructure/ (Accessed: 19 October 2018).

Ungoed-Thomas, J., Henry, R. and Gadher, D. (2017) 'Cyber-attack guides promoted on YouTube', The Times, 14 May. Available at: www.thetimes.co.uk/article/cyber-attack-guides-promoted-on-youtube-972s0hh2c (Accessed: 19 October 2018).
