NHS ransomware: UK government says it's North Korea's fault WannaCry happened

The Foreign Office said it will find, pursue and respond to the malicious activity

12/05/2017:NHS hospitals targeted by ransomware attack

The NHS has been hit by a major ransomware attack, shutting down multiple hospital IT systems - as well as companies and universities elsewhere.

NHS Digital said the NHS itself was not specifically the target of the attack but part of a wider "Wanna Decryptor" ransomware campaign. Telefonica was also hit by a similar attackas well as arange of other Spanish organisations, and reports on Twitter suggest universities are facing similar malware.

Hospital trusts across England and Scotland have admitted they've been caught up in the attack, with appointments cancelled, phone lines down and ambulances diverted. Doctors and other staff have also been sharing further details on Twitter, with one screenshot suggesting the ransomware is demanding $300 in bitcoin to decrypt files, with the price doubling after three days.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

NHS Digital confirmed the attacks, with a spokesperson saying 16 NHS organisations had reported they've been impacted by ransomware. "The investigation is at an early stage but we believe the malware variant is Wanna Decryptor," the spokesperson said. "At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this."

The statement added:"This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available."

The East and North Hertfordshire NHS trust confirmed it was hit by the attack.

"Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust's telephone system is not able to accept incoming calls," a spokesperson said in a statement. "The trust is postponing all non-urgent activity for today and is asking people not to come to A&E - please ring NHS 111 for urgent medical advice or 999 if it is a life-threatening emergency."

"To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust's hospitals continued to receive the care they need," it added.

Blackpool Teaching Hospitals tweeted that it was having "issues with our computer system", asking people not to come to A&E unless it's an emergency, while North Staffordshire and Barts Health Trust in London have also said they've been hit by the ransomware.

Advertisement - Article continues below

"We are experiencing a major IT disruption and there are delays at all of our hospitals. We have activated our major incident plan to make sure we can maintain the safety and welfare of patients," a statement from Barts said. "We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals. The problem is also affecting the switchboard at Newham hospital but direct line phones are working. All our staff are working hard to minimise the impact and we will post regular updates on the website."

Others have shared images of the screenshot that shows the ransom demand.

In a security alert, the Spanish National Centre for Cryptology stated: "The ransomware, a version of WannaCry, infects a computer, encrypting all its files and, using a remote code execution vulnerability through the SMB (server message block), distributes itself to the rest of the Windows machines connected to the same network."

The organisation stated that Windows Vista SP2 through to Windows 10, including RT 8.1, are all affected by the vulnerability that allows computers to be infected by the malware. Windows Server 2008 SP2 and SP1 through to Server 2016 are also affected.

Advertisement
Advertisement - Article continues below

Microsoft issued a patch for the vulnerability in March, but it would appear it hasn't been rolled out across all organisations. Windows XP isn't listed as one of the operating systems affected, however as support for the aged operating system ended in 2014, it's possible the vulnerability also affects that OS and will never be patched.

The researchers at MalwareHunterTeam reported earlier todaythat the particular strain of ransomware was quickly spreading, spotted in 11 countries within a few hours - and that's before the NHS attacks.

Research last year revealed that 90% of NHS trusts still used no-longer-supported Windows XP in some way, but it remains unclear how this ransomware infected the hospital trusts. Wanna Decryptor is also known as WannaCry or WCry. These attacks appear to be using the second version of the ransomware, based on the screenshots, which spreads via dodgy attachments in email.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020