World-leading Papworth Hospital has escaped a full-on zero-day crypto ransomware attack thanks to the "very, very lucky" timing of its daily backup.
It's believed that an on-duty nurse at the heart and lung hospital in Cambridgeshire, UK, unwittingly clicked on something in an infected email, activating the attack at about 11pm on a Saturday night a few months back.
But the malware did not start encrypting files until after midnight – just after the daily backup had completed, ICT director Jane Berezynskyj has said.
The NHS foundation trust had made recovery plans and recruited experienced staff following earlier attacks, but Berezynskyj said: "We were also very, very lucky. Timing absolutely was everything for us."
Papworth has since moved to hourly incremental backups, using mixed media including tape, given that some attacks target digital backups.
Berezynskyj, speaking at the EHI Live healthcare conference in Birmingham this week, said Papworth was hit by a new variant of crypto software for which there was no remedial software.
"We've got some fairly ancient application architecture so we've got some file-shares, and actually that's what happened to us – a crypto attack went through our file-shares and encrypted the data."
"Thank God for that full backup, then," she added.
"We're pretty certain that when we suffered our ransomware attack, the user concerned navigated away from that screen that said: 'This is a ransomware attack, please pay X amount in bitcoins'," Berezynskyj said, but the person never reported what happened. "One of our key weaknesses is our people and user behaviour," she added, despite a programme of staff education and communication.
The trust's four-person IT team worked from 1am to 9pm on the Sunday, with further work with suppliers on Monday and Tuesday, to recover its systems.
Papworth had not budgeted for such an attack, although Berezynskyj said she had been able to absorb its cost within existing budgets. It did not hit clinical care, but this again was down to timing. "We don't do Sunday operations, so it didn’t affect operating theatres," she said. "If we'd been doing a heart operation on a Sunday, it would have been a huge problem."
Full Story: The Register