The day the NHS was taken hostage by North Korean hackers

It’s also refreshingly simple to explain compared to many other more complex cybercrime tactics. In a ransomware attack, hackers infect your computer with a virus that scrambles or “encrypts” your files. Then they charge you a ransom to decrypt them, most often paid in the virtual currency Bitcoin, which, if used correctly, makes the transaction impossible to trace back to the culprit.

Sounds easy enough for a technician, but how do you get a program that can encrypt files? Well, easily for hackers, Microsoft does just that. If a PC user wishes to encrypt their own files (perhaps for security or privacy reasons), they can use a tool called Windows Crypto. Once it is done scrambling the files, it puts WINCRY at the end of the filename. Of course, if you scramble your own files, you own the decryption key, so you can decrypt your files whenever you want.

The people behind the May 2017 virus used the same software to help encrypt victims’ files, but with one twist: they kept the decryption key and charged the victims a fee to recover it. They had a sense of humor too: they renamed WINCRY to WannaCry – because that’s what you want to do when you find out your precious photos, emails and music collection are being held hostage.

The ransomware business model may be simple, but it still faces the challenge of many cybercrime campaigns: scale. To make a profit, you need wide distribution. How are you going to install your ransomware on enough machines to make a lot of money? Traditionally, the answer has been spam. But WannaCry used a scary new tactic, as Hutchins discovered while examining the virus code. “WannaCry spread from computer to computer, which meant you didn’t have to open a malicious email or click on a weird link. He was just able to hack into your computer remotely,” he says.

In our modern world of interconnected technology, this meant the virus was out of control, spreading indiscriminately.

“People had assumed they were going after the NHS,” says Hutchins. “But seeing all this data it was clear that it was not aimed at the NHS. He wasn’t even targeting the UK. It would hit anything, anywhere in the world. It was on a phenomenal scale, the likes of which I had never seen before. It was just infections coming in by the thousands every few seconds. It was overwhelming.”

Marcus isn’t the only one deeply disturbed by the spread of the virus. Three miles from the hospital Ward has just been discharged from, in an alleyway behind Vauxhall tube station, is a nondescript office building bristling with CCTV. It is the headquarters of the National Crime Agency. This Friday morning, staff members are turning up the sound on the office television. Sky News is reporting on a cyberattack on a hospital in North West England. More reports soon start pouring into the NCA, most of which end up on the desk of Mike Hulett, director of operations for the Agency’s National Cybercrime Unit.

“It becomes clear pretty quickly around lunchtime that day that this is not just an isolated incident affecting a hospital or an organization,” he says. Working with the newly created National Cyber Security Centre, NCA officers need to figure out how the virus is spreading so quickly. It first hit Argentina around midnight, and within half a day it was raging across Europe. Hulett and his team discern that the malware exploits a particular “port” – a digital gate built into computers that allows different machines on the same network to communicate with each other: port 445, to be precise. On some machines, port 445 not only allows communication from other computers on the same network, but is also configured to be “public-facing”, which means anyone, anywhere in the world, can send messages to the computer using the port – including computer viruses. This is how WannaCry is spreading around the world. It travels from one computer to another within a network, infecting each one and scrambling its files. Then it calls random computer addresses around the world, looking for a machine with a public 445 port. Once it finds one, it jumps on it, infects it and also starts spreading within that computer’s network.

The more connected the organization, the easier it is for WannaCry to spread. And that means that, although it may not have been the intended target, the NHS, as one of the biggest employers in the world, is becoming one of the hardest hit.

As Hulett notes: “The ability to connect across the country so that your results and tests etc. can be sent quickly from institution to institution means that you have a fairly widely interconnected system, particularly susceptible to infection.”

Meanwhile, in his room in Devon, Hutchins is still dissecting the WannaCry code and spots something unusual. Before infecting a victim, the virus tried to visit a particular website that had a seemingly random long address. If he discovered that the website was offline, the virus would trigger, scramble the files, demand a ransom and attempt to infect other machines. But if the virus discovered that the website was up and running, it would shut down, leaving the victim’s files untouched. Hutchins therefore comes up with the idea of verifying who actually owns the website that the virus is trying to visit.

“And nobody owned it, so I immediately registered it,” he says. It cost him less than £10 – a cheap investment that would have, as the accountants say, ‘considerable upside’. By taking control of the website, Hutchins effectively stopped the outbreak. The virus code sees that the site is up and running, and so it shuts down, no longer infecting computers or trying to spread. “Seconds after registering the domain, the infection rate started to drop,” he says.
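The two mechanisms described above, the public-facing port 445 that let the worm reach machines from outside their own network and the kill-switch domain lookup it made before activating, both leave traces a defender can look for in ordinary logs. The script below is an added example, not code from the article or from anyone it describes: it reads constructed firewall and DNS log lines, flags allowed inbound connections to port 445 from addresses outside the internal ranges, flags hosts that look up the kill-switch domain, and correlates the two. The domain name, the log format and all addresses are placeholders invented for this example; the article does not give the real domain.

```python
"""Added example (not from the article): spot two WannaCry-era indicators in
constructed log lines. Domain, log format and addresses are placeholders."""
import ipaddress
import re

# Placeholder: the article does not name the kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Assumed internal address ranges (RFC 1918); adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log formats used by this example only.
FW_RE = re.compile(r"^(?P<ts>\S+) FW src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS client=(?P<client>\S+) query=(?P<query>\S+)$")


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines):
    """Return exposed-SMB connections and kill-switch lookups found in lines."""
    findings = {"exposed_smb": [], "kill_switch_lookups": []}
    for line in lines:
        m = FW_RE.match(line)
        if m:
            # An allowed connection to 445 from a non-internal source means the
            # SMB port is reachable from the outside, as the article describes.
            if (m["dport"] == "445" and m["action"] == "allow"
                    and not is_internal(m["src"])):
                findings["exposed_smb"].append((m["ts"], m["src"], m["dst"]))
            continue
        m = DNS_RE.match(line)
        if m and m["query"].rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            # The worm resolved this name before deciding whether to run;
            # a lookup points at an infected host, even if it stayed dormant.
            findings["kill_switch_lookups"].append((m["ts"], m["client"]))
    return findings


def correlate(findings):
    """Hosts that both received external SMB traffic and queried the domain."""
    smb_targets = {dst for _, _, dst in findings["exposed_smb"]}
    lookup_hosts = {client for _, client in findings["kill_switch_lookups"]}
    return sorted(smb_targets & lookup_hosts)


# Constructed sample log lines for this example.
SAMPLE_LOGS = [
    "2017-05-12T10:01:02Z FW src=10.20.30.40 dst=10.20.30.41 dport=445 action=allow",
    "2017-05-12T10:01:05Z FW src=203.0.113.7 dst=192.168.1.15 dport=445 action=allow",
    "2017-05-12T10:01:06Z FW src=198.51.100.9 dst=192.168.1.15 dport=445 action=deny",
    "2017-05-12T10:01:07Z FW src=203.0.113.8 dst=192.168.1.20 dport=443 action=allow",
    "2017-05-12T10:02:00Z DNS client=192.168.1.15 query=killswitch-domain.example.",
    "2017-05-12T10:02:01Z DNS client=192.168.1.22 query=www.example.org.",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOGS)
    print("external SMB connections:", result["exposed_smb"])
    print("kill-switch lookups:", result["kill_switch_lookups"])
    print("hosts with both indicators:", correlate(result))
```

The internal-only connection on the first line is not flagged, because the article's point is the public-facing port, not SMB traffic as such; the denied connection is likewise ignored. Run against real logs, the kill-switch lookup is the more useful signal, since it identifies machines that carried the worm whether or not their files were encrypted.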

“Usually stopping malware is this huge feat where you fight for weeks or months against the guys on the other end. You find clever ways to take down their infrastructure. I had never encountered something so easy.”

Hutchins just stopped one of the world’s most dangerous virus outbreaks for the price of a big fish and chips.


The Lazarus Heist – From Hollywood to High Finance: Inside North Korea’s Global Cyber War by Geoff White (Penguin Random House) is out Thursday, June 9. Pre-order for £20 on or call 0844 871 1514
