The NHS has been left reeling after a ransomware cyber attack led to patients being turned away and emergency services being re-routed. A statement from the NHS pointed to a particular virus called Wanna Decryptor. "The investigation is at an early stage but we believe the malware variant is Wanna Decryptor," explained a spokesperson.

"At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

"NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations."

Wanna Decryptor first appeared around February 2017 and works by encrypting files on target computers before demanding a ransom be paid in the cryptocurrency Bitcoin.

How does Wanna Decryptor work?

The malware is delivered as a Trojan through a loaded hyperlink that a victim can accidentally open through an email, an advert on a webpage or a Dropbox link. Once it has been activated, the program spreads through the computer and locks all the files with the same encryption used for instant messages. Once the files have been encrypted, it deletes the originals and delivers a ransom note in the form of a readme file. It also changes the victim's wallpaper to a message demanding payment to return the files.

How can you remove it?

Not by paying the ransom. Security experts point out that some antivirus software is capable of catching the Wanna Decryptor virus.

"This particular ransomware is correctly identified and blocked by 30% of the AV vendors using current virus definitions. It is correctly handled by both Kaspersky and BitDefender," said Phil Richards, the CISO at Ivanti.

"There is no public decryption (crack code) available at present.

"This malware modifies files in the /Windows and /windows/system32 directories and enumerates other users on the network to infect. Both of these actions require administrative privileges."