UPDATE: NHS Digital says malware variant is Wanna Decryptor; Reports of ransomware attack affecting a number of NHS trusts, as healthcare staff report cancelled operations and lack of access to medical files
Many NHS hospitals across the UK are experiencing a large-scale cyber attack during the afternoon of 12 May, with the attackers reportedly demanding money to release files.
NHS Digital said that 16 NHS organisations had reported being affected by the attack, which it said was believed to be the malware variant Wanna Decryptor. It added that it did not have any evidence to show that patient data had been accessed.
Those organisations affected include East and North Hertfordshire, which said in a statement that it had experienced “a major IT problem” that was believed to be a cyber attack, and that it had responded by shutting down all its IT systems to protect it.
This means that the trust’s telephone system cannot take incoming calls, and the trust has postponed all non-urgent activities and is asking patients not to come to A&E – and instead to call 999 for life-threatening emergencies.
“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need,” it said in a statement.
Confirming it had fallen victim to the attack, London’s Barts Health NHS Trust said on its website that it was experiencing “a major IT disruption and there are delays at all of our hospitals”.
Its statement said: “We have activated our major incident plan to make sure we can maintain the safety and welfare of patients. We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible.
“Ambulances are being diverted to neighbouring hospitals. The problem is also affecting the switchboard at Newham hospital but direct line phones are working. All our staff are working hard to minimise the impact and we will post regular updates on the website.”
Meanwhile, other healthcare workers took to Twitter, with reports of it affecting X-ray systems, test results, phones and pager systems, as well as medical records and administrative systems.
According to reports from users who say they work in the health service, hospitals in Newcastle, Preston, Blackpool, Liverpool and Lincolnshire are under attack.
Commenting on the scale of the problem on Twitter, one doctor – who said that this was not occurring at his hospital, but those of colleagues’ said it would be a “miracle if no one comes to harm”.
— Dominic Marley (@DominicMarley) May 12, 2017
Screenshots of the messages that are reported to be showing up on hospital computers have been tweeted by multiple users.
It reads: “Ooops, your files have been encrypted!”
And continues to say that “nobody can recover your files without our decryption service”, and demands a payment of $300, in Bitcoin.
— gigi.h (@fendifille) May 12, 2017
NHS Digital said in a statement that 16 NHS organisations had reported they have been affected by a ransomware attack.
“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” the statement said.
“At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.
“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.
“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.
“Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”
Among the other organisations thought to be affected are universities, as well as institutions and businesses in other countries – it is thought that the attack is the same strain of malware behind a series of attacks on businesses in Spain, which includes Telefonica and Iberdrola.
Money being paid
It appears that money has been paid to the Bitcoin addresses shown in screenshots of the attack.
One address, seen in the tweet above, has – according to the Blockchain tracker – received two payments, at a total value of 0.32 Bitcoins, equivalent to £438 or $564 at the time of writing. It isn’t possible to say who made the payment.
This article is being updated as more information becomes available