Hospitals across England are having to cancel patient operations and divert ambulances after a major ransomware attack on the National Health Service (NHS).
Computer systems in 48 different hospital and health trusts across England, as well as a handful in Scotland, have been infected by the Wanna Decryptor ransomware. Declared a “major incident” by NHS England, the attack has led to phone systems going offline and IT systems being shut down in some hospitals.
“A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack,” said a statement by NHS Digital, which runs IT systems for the health service.
“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.
“At this stage we do not have any evidence that patient data has been accessed.”
As is the case in ransomware attacks, criminals have encrypted computer files at the health and hospital trusts and are demanding an online payment for decryption. It appears to be the case that digital details of patient records and appointments have been rendered inaccessible, with some hospitals reverting to paper records. Reports suggest the ransomware is demanding a bitcoin payment of $300 to decrypt files.
Here’s the malware attack which appears to have hit NHS hospitals right across England today pic.twitter.com/zIAJ6wbAG5
— Lawrence Dunhill (@LawrenceDunhill) 12 May 2017
Hospitals across England have been affected, including those run by East and North Hertfordshire NHS trust, Barts Health in London, Essex Partnership university NHS trusts, the university hospitals of Morecambe Bay NHS foundation trust, Southport and Ormskirk hospital NHS trust and Blackpool teaching hospital NHS foundation trust, as well as GP surgeries in Manchester and Liverpool. A number of hospital trusts in Scotland have also been affected, and had to shut down IT systems and restrict non-emergency care.
“We are experiencing a major IT disruption and there are delays at all of our hospitals. We have activated our major incident plan to make sure we can maintain the safety and welfare of patients,” Barts said in a statement.
Barts, East and North Hertfordshire NHS trust and Colchester General Hospital are postponing all non-urgent appointments for today, with Barts also diverting ambulances to neighbouring hospitals.
Derbyshire Community Health Services NHS Foundation Trust was one of a number of health trusts that shut down all IT systems.
“We’d like to reassure patients that if they need the NHS and it’s an emergency that they should visit A&E or access emergency services in the same way as they normally would and staff will ensure they get the care they need,” said Dr Anne Rainsberry, incident director for NHS England.
“More widely we ask people to use the NHS wisely while we deal with this major incident which is still ongoing.”
Healthcare is a high-profile target for cybercriminals mounting ransomware attacks, accounting for 15 percent of attacks. A ransomware attack against an LA hospital last year highlighted the problem, taking the network offline for days until the hospital paid a $17,000 Bitcoin ransom.
NHS Digital said it is working with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to protect patient safety.
Organizations beyond the NHS are being targeted by the Wanna Decryptor ransomware attacks, particularly in Spain, where communications giant Telefonica said it had been affected by a “cybersecurity incident”.
UK prime minister Theresa May told the BBC: “This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected.”
Wanna Decryptor is a variant of the WCry, a ransomware first spotted in February this year. Those infected with the latest variant are instructed to pay 0.1 Bitcoins for decryption. This version is more robust than the original, providing workarounds for the ransomware, in case anti-malware software is able to remove elements of it.
Spain’s national CERT warned of a “massive attack of ransomware” worldwide and said the ransomware’s potency resulted from it exploiting a known software flaw called EternalBlue. This Windows flaw was part of an hoard of software vulnerabilities apparently collected by the NSA, and later leaked by the so-called Shadow Brokers.
Update: As of the afternoon of Saturday 13 May, computer systems at all but six of the affected health trusts have returned to normal, according to UK Home Secretary Amber Rudd.
- Infographic: The 5 phases of a ransomware attack (TechRepublic)
- Easy to carry out, difficult to fight against: Why ransomware is booming in 2016 (ZDNet)
- New ransomware skips files, encrypts your whole hard drive (ZDNet)
- Infographic and interview: The explosion of cybercrime and how to protect your business (TechRepublic)