Sign in Subscribe
By Oli Fletcher

How the NHS Could Respond Today: A Breakdown of the 2017 Cyber Crisis

How the NHS Could Respond Today: A Breakdown of the 2017 Cyber Crisis

In May 2017, the UK’s National Health Service became the highest-profile victim of the WannaCry ransomware epidemic.
Appointments were cancelled. Ambulances were diverted. Hospital staff reverted to pen and paper. And the public saw firsthand just how deeply a cyberattack could disrupt a modern healthcare system.

Seven years on, WannaCry remains a defining case study - not because it was the most sophisticated attack, but because of the disruption caused across the UK whilst a slow, manual response and investigation took place.
The same is still true for thousands of organisations facing ransomware today.

Strand Intelligence exists for these moments - when prevention has failed, and fast, confident, reactive response is the only way forward.

This case study explores what a tool like Strand could have done differently - and why the lessons from 2017 are more relevant than ever in 2025.

Incident Overview

Date of Incident: 12 May 2017
Malware Used: WannaCry ransomware
Attack Vector: EternalBlue exploit (SMB vulnerability in Windows)
Scope of Impact:

  • Over 80 NHS Trusts affected
  • Approx. 19,000 appointments cancelled
  • Patient records, email, and internal systems offline
  • Ambulances diverted, surgeries postponed
  • Staff forced to work without access to clinical tools

Financial Impact

The Department of Health and Social Care estimated the total financial cost at £92 million, broken down as:

  • £20 million in lost output during the attack
  • £72 million in IT support, rebuilds, and restoration

But the operational cost was far greater:

  • IT teams had no central view of what systems were affected across a huge, geographically spread out technical estate
  • Containment required manual isolation of individual machines
  • Identifying persistence, lateral movement, or attacker tooling was slow and inconsistent
  • Reporting for leadership, regulators, and the public was delayed and fragmented
  • Recovery couldn't begin until the threat was contained

It took days to contain the threat and weeks to fully recover.

Enter Strand: Designed for the Moment After Compromise

Strand Intelligence is a reactive incident response platform. We are what you deploy the moment you realise something’s gone wrong.

It helps incident responders:

  • Reconstruct the attack with forensic-level clarity
  • Identify root cause and lateral movement paths
  • Detect persistence mechanisms left by attackers
  • Take decisive containment action (reset credentials, disable sessions, remove access) in one click
  • Deliver a regulator-ready forensic report that clearly documents the breach, and how to prevent it in the future

If the NHS faced WannaCry today, the response would be faster, more coordinated, and far less costly with Strand.

Traditional vs Strand-Enabled Response

Response PhaseNHS in 2017With StrandEstimated Time Savings
InvestigationManual log collection & triageStructured forensic timeline and root cause analysis2-3 Weeks
ContainmentManual machine-by-machine isolationCentralised action: account lockouts, password resets, session killsDays reduced to <1 hour
Persistence HuntLargely overlooked in early responseAutomated detection of known persistence mechanismsCritical gaps closed early, so recovery can begin immediately
ReportingSlow, ad hoc briefings and PDFsInstant, exportable forensic summaries and executive-level briefsDays to minutes

Even in a geographically dispersed, resource-constrained environment like the NHS, Strand would have accelerated clarity, improved coordination, and drastically reduced operational friction.

Rewriting the Economics of Incident Response

With faster containment and better insight into the scope of compromise, the NHS could have cut its response cost dramatically:

  • Lost Output: If disruption was reduced and technical resources focused on recovery - not response - lost output would drop from £20 million to under £1 million
  • IT Costs: A more surgical response — knowing exactly which systems were compromised and how — would mean far less blanket reimaging and rebuilds
  • Estimated Savings: Strand could have saved tens of millions while delivering better assurance to government, media, and the public

Why This Still Matters

From hospitals to law firms to local councils, most organisations today are still responding to ransomware and compromise the way the NHS did in 2017:

  • No unified forensic timeline
  • No automated containment
  • No fast, regulator-grade reporting
  • Weeks of disruption
  • Weeks of uncertainty

Strand changes that.

It’s built for the first hour after detection — when confidence is low, pressure is high, and every decision counts.

The Bottom Line

If the NHS had had Strand, WannaCry would still have been a crisis — but it wouldn’t have been a catastrophe. And in 2025, with ransomware still claiming victims every week, the question isn’t what went wrong in 2017.

It’s: When this happens again — will you be ready?

Discover how Strand can accelerate your next incident response →

Subscribe to Strand Intelligence Blog

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe