How we stopped and prevented the 2017 NHS WannaCry attack on one of the largest UK NHS Trusts

Recognising the need for 24×7 monitoring and threat hunting, an investment in Secon Cyber’s Managed Detection and Response allowed one NHS Trust to avoid devastation during the WannaCry ransomware attack.

A large NHS Trust wanted centralised visibility and control of its security estate to reduce its cyber risk and quickly detect threats in its environment. This investment proved crucial during the WannaCry ransomware attack of 2017. While other NHS Trusts were crippled by the attack and had to turn away patients, this Trust was able to contain the ransomware within minutes and continue treating patients.

What was achieved?

With the implementation of Managed Detection and Response, the customer gained 24×7×365 continuous log monitoring, management and proactive incident response by our in-house security operations centre (SOC). This helped them become resilient to threats, a resilience that became apparent during the WannaCry attack.

Through threat hunting activities, our security engineers were able to identify the WannaCry ransomware, and within three minutes they were on a remote session with the Trust and had the malware contained. Ultimately, this kept the Trust’s name out of the media and let them continue with business as usual.

After the WannaCry attack, we carried out a Cyber Risk Assessment with the NHS Trust to identify areas of improvement so they could continue to be resilient to threats and work towards cyber security maturity. We were able to bring technology, processes, people, and their organisational priorities together to detect and respond to the genuine threats in their environment faster, helping to protect the Trust from future high-profile attacks.

What were the benefits?

  • Implemented Managed Detection and Response to provide the customer with access to our SIEM and 24×7 SOC.
  • Detected suspicious behaviour on their endpoints within three minutes during the WannaCry ransomware attack.
  • Stopped the malware from propagating in their environment.
  • Identified all infected resources and helped to restore machines from backups made by the Trust.
  • Provided advice and guidance on how to recover from the attack.
  • Performed a Cyber Risk Assessment to identify how the NHS Trust could continue to improve their security posture and reduce their cyber risk.

What’s the supporting data?

  • It took just three minutes for the ransomware to be identified and for our SOC team to contact the customer.
  • The malware was contained within 15 minutes by creating bespoke policies to stop WannaCry from propagating.
  • Only 300 of the Trust’s 14,000 endpoints were affected by the ransomware, allowing them to continue seeing patients.