NHS services in England and Scotland hit by global cyber-attack

Authored by theguardian.com and submitted by grepnork

At least 16 NHS trusts and as many as 74 countries affected as Theresa May confirms ransomware attack is part of wider international incident

The NHS has been hit as part of a global cyber-attack that threw hospitals and businesses in the UK and around the world into chaos.

The unprecedented attacks appeared to have been carried out by hackers using a tool stolen from the National Security Agency (NSA) in the US. They affected as many as 74 countries and at least 16 NHS trusts in the UK, compromising IT systems that underpin patient safety. Staff across the NHS were locked out of their computers and trusts had to divert emergency patients.

As the prime minister, Theresa May, confirmed that the NHS disruption was part of a wider international event, the attack was declared a major incident by NHS England. In Scotland, the first minister, Nicola Sturgeon, chaired a resilience meeting on the issue.

The same malicious software that hit NHS networks attacked some of the largest companies in Spain and Portugal, including phone company Telefónica, and has also been detected on computers in Russia, Ukraine and Taiwan among other countries. The international shipping company FedEx was also affected.

Kaspersky Lab, a cybersecurity company based in Moscow, estimated that 45,000 attacks had been carried out in 74 countries, mostly in Russia. In a blogpost, it added that the totals could be “much, much higher”.

In the UK, computers in hospitals and GP surgeries simultaneously received a pop-up message demanding a ransom in exchange for access to the PCs.

A warning was circulated on Friday within at least one NHS trust of “a serious ransomware threat currently in circulation throughout the NHS”, but the attack proved impossible to stop. Patient records, appointment schedules, internal phone lines and emails were rendered inaccessible and connections between computers and medical equipment were brought down. Staff were forced to turn to pen and paper and to use their own mobile phones.

Computer security experts suggested that the crisis could reflect weaknesses in the NHS’s cybersecurity. Ross Anderson, of Cambridge University, said the attack appeared to exploit a weakness in Microsoft’s software that was fixed by a “critical” software patch earlier this year but which may not have been installed across NHS computers.

The vulnerability that appears to have been exploited was allegedly discovered and developed by the NSA and then stolen by an online group known as the Shadow Brokers.

“If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?” Anderson said.

Alan Woodward, a visiting professor of computing at the University of Surrey, said the attack appeared to exploit the same problem as the Microsoft vulnerability. He added that the attack’s success “is likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems”.

NHS Digital said it was unable to comment on the suggestion.

Last December, it emerged that 90% of NHS computers still run on Windows XP, two and a half years after Microsoft stopped supporting the operating system.

The Patients Association condemned the criminals behind the attack, adding that lessons from earlier incidents had not been learned. “It has long been known that the NHS struggles with IT in multiple respects and that this includes serious security problems,” it said.

Infected computers show a message demanding a $300 (£233) ransom per machine to be paid to a Bitcoin wallet address. It says: “Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

“You only have three days to submit the payment. After that the price will be doubled. Also if you don’t pay in seven days, you won’t be able to recover your files forever.”

NHS Digital confirmed that a “number of NHS organisations” had been affected and refused to confirm or deny reports that put the total as high as 40. “The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” it said. “At this stage, we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

“NHS Digital is working closely with the National Cyber Security Centre (NCSC), the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.”

Sixteen NHS organisations were affected as of 3.30pm on Friday, the statement added. However, the NHS has been unable to give a full list of affected sites.

British law enforcement agencies said they believed the attack was criminal in nature, as opposed to a cyber-attack by a foreign power, and was being treated as serious but without national security implications.

One NHS worker, who asked to remain anonymous, said that the attack began at about 12.30pm and appeared to have been the result of phishing. “The computers were affected after someone opened an email attachment. We get a lot of spam and it looks like something was sent to all the trusts in the country. Other hospitals have now been warned not to open these emails – all trusts communicate with each other.”

Another NHS worker, who works at an Essex hospital and also asked to remain anonymous, said her team’s computers went down at about 2pm. “We were told to shut down, take out network cables and unplug the phones,” she said. “A message came up for just one of our team about the fact that all the files would be wiped in two hours unless we gave $300 in bitcoins.”

Dr Chris Mimnagh, a GP in Liverpool, said his surgery had “severed links” to the wider NHS network as a precaution. He said: “Unable to access our clinical system – as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results. We are dealing with urgent problems only. Our patients are being very understanding so far.”

Lorina Nash, 46, from Hertfordshire, was bringing her mother for an appointment at Lister hospital in Stevenage when systems went down. “We have been here since 12.30pm and the computers were affected at about 12pm – patients are still waiting around but most of the A&E patients have been sent to other hospitals. I have never seen accident and emergency so empty.

“They gave my mum a blood test but have had to send her blood to Cambridge by courier for testing. They said it could take two or three hours before it comes back with a result.”

Dr Asif Munaf, a gastroenterologist at Chesterfield hospital, said there was a backlog of patients in its A&E, which he said had been badly affected because it was unable to book new patients on the system.

“From my ward’s point of view, we’re not able to make referrals to, for example, psychiatry because they use a different system to us,” he said. “Everything’s getting delayed. Patients who were supposed to go home this afternoon won’t go home until Monday because they now won’t be seen and get a follow-up plan. It’s quite unfortunate for the patients.”

Dr Christopher Richardson, the head of the cybersecurity unit at Bournemouth University, said the process of recovering the NHS’s IT systems would involve a painful and longwinded “deep strip” of affected computers.

“You go down to the basic machine, you take everything off it, you reconfigure it and then you build it back up again,” he said. “If you’re talking national health, you’re talking a lot of machines on a single site and you’ve got to get them all because these nasty pieces of malware, they float around, so they only have to remain on one machine and when you reboot it will deliver the same thing again.”

Additional reporting by Sam Jones in Madrid

DWconnoisseur on May 12th, 2017 at 18:53 UTC »

People beware: I just spent my entire day working on infected computers inside a French network, and this motherfucker wanadecrypt is a fucking cunt! From my first-hand experience: the ransomware is deployed using the EternalBlue-like exploits. You can read more about those exploits and the Microsoft patches here. + Read this other Redditor comment about the live situation developing!

Who is at risk: everyone using Windows, up to Windows 10, without the hotfixes from March 2017 described in the article I linked above.

What happens on the computer when it's released: blue screen -> reboot -> you're fucked! (In my situation the blue screen and viral spread across the main HDD happened only on computers without the hotfixes!)

What can I do to protect myself: install the hotfixes linked above if you are a Windows user; stay informed on this thread about the way the worm is spread, which is still unclear; be careful of any attachment in your mails until the crisis is over, especially PDF files.

The virus replicated itself across the network I worked on today via SAMBA shares and (fucking) cloud syncs. Be very careful! On infected W7 computers without hotfixes, it took less than 5 minutes for the worm to reach the entire drive and encrypt everything (15 computers to format.... don't worry guys, I was able to back up everything; we are just going to reset the shit out of this network and restore everything anew ;). For people wondering how it could be so fast: in my scenario I saw only files < 100Mb getting instantly encrypted; the worm avoided a lot of video formats, concentrating on document extensions. But trust me, it was really fast. More on this tomorrow when I test the drive that was infected on the main server in a safe environment at my home (I will hook it up to several virtual machines running Windows WITHOUT the fixes) :> On infected W7 computers with hotfixes (thank god my client had one!), the virus replicated itself only in the folder and subfolders of the cloud sync/SMB share, but fortunately, while it DID encrypt all the files there, it did NOT erase the original files next to the encrypted ones, and it did not spread to the rest of the drive. Crisis "almost" mitigated LOL xD

Stay safe people !

EDIT: Thanks for the gold stranger ! ;)

UPDATES on the original post from various comments below; and a little more context on my experience :

Patient Zero was the Windows Server R2 machine in my client's network; nobody saw it blue screen, as the machine does not have a display attached. It had just been rebooted, as I saw when logging into the user session with RDP, and I witnessed the infected files right on the desktop (and everywhere else on the drive of the server). This server infected one part of the network with the SMB exploit, and all the machines that did not have the security updates were fucked very quickly. (Total encryption of <100Mb files on their OS drives + other drives + attached USB in a matter of minutes!) However, another part of the network that wasn't infected had ANOTHER patient zero, which I witnessed blue screen WITHOUT anybody at the keyboard! (Windows 7 machine without auto updates, and without any shady email attachments or anything.) That's it: I don't know HOW the original infected payload (.dll shit I guess) was delivered in my scenario :/ And that's why you should be really careful until this crisis is resolved! (Shady websites with javascript fuckeries; email attachments; firewalls with "too many loose rules"!; update your antivirus when possible tomorrow when they'll all detect this fucker.)

EDIT 2 : I'm going to bed now. French people are rude, we curse, and we are not sorry for that. Asshole country IMO :>
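
The post above describes the worm hopping between unpatched machines over SMB with nobody at the keyboard. One thing a network defender can do with ordinary connection logs is look for that fan-out: a workstation normally opens TCP/445 to a handful of file servers, while a scanning host opens 445 to dozens of distinct peers within a minute. The following is an added example, not code from the article or from any poster in the thread; the log format ("timestamp src -> dst:port action") is a constructed, hypothetical one, and the sample lines are made up here, so `parse()` has to be adapted to whatever a real firewall or flow collector emits.

```python
"""Detect worm-style SMB fan-out in connection logs.

Added example; not code from the article or from the Reddit posts. The log
lines are constructed in a hypothetical "ts src -> dst:port action" format.
Adapt parse() to whatever your firewall or flow collector actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def smb_fanout(lines, window=timedelta(seconds=60), threshold=20):
    """Map each source IP to the peak number of distinct TCP/445 destinations
    it contacted within any `window`, keeping only sources at or above
    `threshold`. Allowed and denied attempts both count: a blocked scan is
    still a scan, and the scanning host is the one to isolate."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 445:
            per_src[rec[1]].append((rec[0], rec[2]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of events inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def sample_log():
    """Constructed sample: one benign workstation, one host sweeping a /24 on
    445, unrelated HTTPS traffic, and a line the parser should reject."""
    base = datetime(2017, 5, 12, 12, 31, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    for i in range(6):  # benign: two file servers over three minutes
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.strftime(fmt)} 10.0.5.7 -> 10.0.1.{10 + i % 2}:445 allow")
    for i in range(1, 41):  # worm-like: 40 distinct peers in 20 seconds
        ts = base + timedelta(seconds=i // 2)
        action = "allow" if i % 3 else "deny"
        lines.append(f"{ts.strftime(fmt)} 10.0.5.23 -> 10.0.6.{i}:445 {action}")
    lines.append(f"{base.strftime(fmt)} 10.0.5.23 -> 203.0.113.9:443 allow")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for src, peak in smb_fanout(sample_log()).items():
        print(f"ALERT {src}: {peak} distinct SMB peers within 60s")
```

The threshold and window are tuning knobs: backup servers and vulnerability scanners legitimately fan out on 445 and need to be allow-listed, and a slower worm needs a longer window. The sliding window is the important part; counting distinct destinations per hour would blur a 20-second sweep into the background.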

best_of_badgers on May 12th, 2017 at 18:32 UTC »

Reliable information:

tl;dr read this post by Symantec (added 5:30 PM)

This is a Windows worm. It didn't directly affect the NHS on purpose, but apparently they didn't patch their computers.

(UPDATE 3:22) Information indicates that many NHS computers were still running Windows XP, which did not get a patch for this issue.

(UPDATE 4:45) Article from December about the NHS running XP.

The worm is spreading via leaked NSA cyber-weapons (ETERNALBLUE and maybe DOUBLEPULSAR) that were leaked by the Shadow Brokers. The vulnerability was patched by Microsoft in a critical patch update in March 2017. The NSA software was not originally a worm, but was modified. There appears to be more than one variant of the worm (so far, appears to be four five eight). The biggest ransomware on the scene is called Wcry / WannaCry / WannaCryptor, which was rarely seen until today.

(UPDATE 4:08) The ransomware aspect will still work, even if you aren't susceptible to the worm, so, as usual, be careful what you click on and execute. That hasn't changed. What's new here is the ability to spread to un-patched Windows computers without requiring user interaction.

Edits:

All unpatched Windows versions up through Windows 10 are affected. If you have automatic Windows Update turned on, you're probably safe from being automatically infected. Windows XP and other outdated systems were not patched and will remain vulnerable forever. Odds are that if you're infected by this malware, you will not be able to recover your files without paying. You should always have an offline backup for this reason.

Edit 2: Watch the ransoms piling up here.

Edit 3 (3:11 PM EDT):

And here So far, the attackers have made ~$12,000 in ransoms.

Edit 4 (3:15 PM): Real-time infection map. Infections are present in 74 countries, with Russia by far the worst.

Edit 5 (3:24 PM): The infection trigger may have been registration of a specific domain. This allowed the worm to gain some traction prior to detonation. (Unconfirmed)

Edit 6 (3:31 PM): Infection has spread to the Philippines and New Zealand. Only a few countries left with no infections, like Indonesia, where it's the middle of the night.

Edit 7 (3:34 PM): Article with lots of technical detail from Kaspersky here

Edit 8 (3:54 PM): 70,000 75,000 (as of 4:50) infected IPs have been detected so far by MalwareTech's tracking servers. This isn't the same as the number of infected computers, because many infections will be contained to a LAN, and even if they can scan the Internet, multiple infected computers on the same LAN would appear to trackers as the same IP. Infection is spreading at ~100 IPs per minute.

Edit 9 (4:06 PM): Another ransom Bitcoin wallet, thanks /u/Koi-pond!

Edit 10 (4:27 PM): When we security folks say "computers", we aren't just talking about the kind you type on.

Edit 11 (4:31 PM): Bitcoin wallet payments have reached six figures in US dollars. People keep finding new ones, so I'm going to stop posting them here. (Unconfirmed) (UPDATE 5:14 probably not more than $20k total)

Edit 12 (4:49 PM): Country count is up to at least 99.

Edit 13 (5:28 PM): List from the Guardian of affected UK healthcare facilities

Edit 14 (5:38 PM): Which antivirus vendors have updated to detect this malware? (Green checkmark indicates that the sample was not detected.)

Edit 15 (5:54 PM): signing off for a bit, will add more updates later!

Edit 16 (8:58 PM): As /u/616d9e0 reported below, malware researcher Malware Tech (the same guy who has the live infection map) registered a domain that was hardcoded in the malware. His goal was to use it as a honeypot to track infections. Turns out to have been a master kill switch to turn off new infections. I'm sure we'll see a new variant with different domains shortly, but this pause will give people time to patch their systems.
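
Edit 16 above describes the kill switch: the sample tries to reach a domain hard-coded in it and exits if that succeeds, so registering the domain stopped new infections. The model below is an added example, not the malware's code and not from anyone in the thread; the domain names are RFC 2606 `.invalid` placeholders, and the DNS log lines are constructed. It makes two points a practitioner will want. First, the gate is "does the domain answer?", not "is the domain registered?": a host with no route out, or one that only reaches the Internet through an explicit proxy the sample's check did not use (a known caveat, not stated in the thread), never sees an answer and detonates anyway, and an internal sinkhole that answers for the domain closes that gap. Second, the gate is keyed to an exact hostname, which is why the poster expects a variant with a different domain to walk straight past it. The DNS-log helper at the end covers the other defensive use of the same fact: any client that looked up the kill-switch domain ran the sample, whether or not the gate stopped it.

```python
"""Model of a hard-coded kill-switch gate and of a defender's sinkhole.

Added example, not the malware's code and not from the Reddit thread. Domain
names are placeholders under the reserved .invalid TLD; the real hard-coded
domain is deliberately not reproduced here.
"""
from urllib.error import URLError
from urllib.parse import urlparse

KNOWN_KILL_SWITCH_DOMAINS = {"killswitch-a.example.invalid"}  # placeholder
VARIANT_DOMAIN = "killswitch-b.example.invalid"                # placeholder


def gate_open(domain, fetch):
    """True if the sample would go on to spread (no answer), False if it would
    exit (the domain answered). `fetch(url)` is injected so this runs offline;
    the real sample issued a plain HTTP request with no proxy configuration,
    which is why proxied-only hosts behaved like hosts with no egress."""
    try:
        fetch(f"http://{domain}/")
    except URLError:
        return True
    return False


def no_egress(url):
    """Segment with no Internet access: every request fails."""
    raise URLError("no route to host")


def make_sinkhole(answered_domains):
    """Internal responder that answers only for the names it was told about.
    A new variant with a different hard-coded domain is not covered until the
    set is updated."""
    def fetch(url):
        host = urlparse(url).hostname
        if host in answered_domains:
            return 200
        raise URLError(f"NXDOMAIN {host}")
    return fetch


def hosts_that_queried(dns_lines, domain):
    """Client IPs that resolved `domain`, from constructed resolver-log lines
    of the form '<iso-timestamp> <client-ip> query=<name>'. Every such client
    executed the sample; treat it as infected even if the gate stopped it."""
    hits = set()
    for line in dns_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2] == f"query={domain}":
            hits.add(parts[1])
    return hits


SAMPLE_DNS = [  # constructed sample, not real log data
    "2017-05-12T12:30:58 10.0.5.23 query=killswitch-a.example.invalid",
    "2017-05-12T12:31:02 10.0.5.7 query=updates.example.invalid",
    "2017-05-12T12:33:40 10.0.5.31 query=killswitch-a.example.invalid",
]


if __name__ == "__main__":
    sinkhole = make_sinkhole(KNOWN_KILL_SWITCH_DOMAINS)
    print("isolated segment, known domain: spreads =",
          gate_open("killswitch-a.example.invalid", no_egress))
    print("sinkholed segment, known domain: spreads =",
          gate_open("killswitch-a.example.invalid", sinkhole))
    print("sinkholed segment, new variant:  spreads =",
          gate_open(VARIANT_DOMAIN, sinkhole))
    print("hosts that ran the sample:",
          sorted(hosts_that_queried(SAMPLE_DNS, "killswitch-a.example.invalid")))
```

The operational reading: registering the domain helps only hosts that can reach it, so on segments with no egress the sinkhole has to live inside the network, and the sinkhole's own query logs double as an infected-host list. Both protections are only as current as the domain set, which is the pause-not-fix point the poster makes.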

Haystack67 on May 12th, 2017 at 15:09 UTC »

I was working on the wards this morning, currently in the hospital library. Half-tempted to see how the clinical services are coping but I know it'll be chaotic enough already.

SO MUCH is on those computer systems. Appointments, treatment plans, scan results; some hospitals have gone completely computer-based and use it for patient notes & prescriptions.

Unless this is sorted very quickly, there will be patient death and suffering across the country. The people responsible are holding thousands of vulnerable people hostage and should be treated as terrorists.