Continuation of the ransomware attacks on healthcare sector in Great Britain


Ransomware "Bit Paymer" infects critical systems in Scottish hospitals via RDP services. Vulnerabilities in shadow IT serve as an attractive target for attackers.



Hospitals of the Scottish National Health Service (NHS) Lanarkshire (GB) were attacked and infected by the ransomware "Bit Paymer" on Friday, researchers from Bleeping Computer report. Once established, the ransomware spread to other systems within hospitals. Although the people in charge noticed the process quickly, cleaning and restarting the affected systems took until Monday. This affected so many critical systems that appointments and procedures had to be cancelled.

Researchers suspect that "Bit Paymer" is spreading via RDP (Remote Desktop Protocol). The protocol is widely used for graphical administration of IT systems. RDP is becoming more and more popular for ransomware infections as companies increasingly use modern virus scanners for incoming emails to reduce the traditional attack vector "phishing emails"). In the current case, a simple brute force attack on available RDP services was executed.

Vulnerabilities of systems that are unknown to the respective company (so-called "Shadow-IT") are becoming more and more attractive for the attackers. Often obsolete systems are still in use or appear to be "off the radar". In the past it has been shown that open SMB shares, forgotten network printers or - in the current case - RDP can be well exploited by the attackers. Researchers at Bleeping Computer alone have identified RDP as the path of infection in twelve other malware families (namely RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA and Globe). The use of such vulnerabilities of Shadow IT has increased significantly in recent months.

Binaries of the current ransomware "Bit Paymer" have been registered since June 21st. It can therefore be assumed that several companies and institutions have already been targeted by the attack in recent weeks. The developers of "Bit Paymer" seem to focus only on larger companies in order to stay under the radar for a longer time. More and more ransomware families are being registered. The ransomware identification page "ID Ransomware" currently lists over 472 items. In addition, each ransomware can have a number of different binaries and encryption variants from which protection is required.

Affected Systems:

  • Microsoft Windows systems with available RDP service


According to the researchers, general vulnerabilities such as weak passwords and RDP services accessible from the Internet were exploited by brute force to infect with "Bit Paymer". The malware itself has apparently been optimized against common protection systems such as virus scanners until it is not detected.

Current backups, minimization of the attack area and the strengthening of resistance of the company's own IT systems offer protection against such ransomware. Access to internal systems from the Internet via RDP should not be allowed without good reason and should be generally forbidden. If these are still necessary, this should only be done on constantly patched systems. In addition, a modern monitoring system should continuously monitor network traffic for weak points and unwanted connections.

Detection with the finally safe Advanced Security Analytics Platform:

With the solution, users can check whether their systems are accessed using the RDP protocol or whether they have been accessed in the past. Moreover, users can check if they are the target of a spam/phishing wave or if they have been recently. This information depends on the modules used:

  • Anomaly Detection will alert network admins about ongoing brute force attacks on the network.
  • Management Reports constantly report accesses in use to internal IT systems via the RDP protocol.
  • Advanced Threat Detection uncovers specific RDP accesses (port-independent) and directly determine the IP addresses of your RDP servers or clients. In addition, you can check the details to see which user accounts have actually been targeted by the login attempts.
  • The Expert System can be used to display all network traffic on RDP ports that occurred in the past.

Sources/further information:


Go back