Hackers behind NHS attack 'may have used NSA cyber weapon'

Friday 12 May 2017 at 9:37pm

At least 16 NHS organisations have been hit in the cyber attack Credit: PA

Video report by ITV News security editor Rohit Kachroo

The malicious software used in the cyber attack on the NHS may have come from a cyber weapon developed by the US National Security Agency (NSA), an expert has claimed.

The malware used in the ransomware attack on the NHS and a number of Spanish companies "exploits a similar vulnerability" to an NSA-developed tool known as ExternalBlue, researcher Marco Cova said.

The programme was made public as a result of a "data dump" of NSA cyber tools earlier in the year by a group calling itself The Shadow Brokers.

"The NSA has known about this vulnerability in Windows for quite some time now," Lastline senior security researcher Mr Cova said.

"This incident will certainly refuel the discussion on whether security agencies should responsibly inform vendors about vulnerabilities they find or sitting on them for their own use - as in this case - the leak of the exploit enabled today's hack."

Ransomware: What is it and how do you avoid it?

Following the leak, Microsoft released a fix - or patch - for the issue, which occurred before The Shadow Brokers leak, but Mr Cova said anyone who had not updated would have still been at risk to similar hacking tools.

"In other words, in this case there actually was time for people to patch," Mr Cova said.

But he said that while it was easy to blame those who did not upgrade their software, the realities of large technical operations often meant things were more complicated.

It is possible to remove ransomware such as Wanna Decryptor without payment by using advanced anti-malware software.

Ransomware does not traditionally aim to steal personal or sensitive data held on a computer or system, instead focusing on blocking access to and threatening to delete files.

Aatish Pattni, from cyber security firm Check Point, said the version of Wanna Decryptor used in the attack was a new piece of malware.

"The ransomware used in this attack is relatively new - it was first seen in February 2017, and the latest variant emerged earlier today, Friday 12 May," he said.

"Even so, it's spreading fast, with organisations across Europe and Asia being hit."