Hospitals across the UK hit by WannaCrypt ransomware cyberattack, systems knocked offline

Updated: 'Major Incident' declared as at least 45 NHS hospital groups across the country are taken offline by WannaCrypt ransomware attack
Written by Danny Palmer, Senior Writer

Ransomware: Everything you ever wanted to know

Hospitals across England and Scotland are being forced to postpone appointments and divert patients elsewhere because systems have been taken offline by a ransomware attack in an event NHS England has declared as a 'major incident'.

In a statement, NHS Digital, which runs IT systems for the health service, has confirmed that systems across the country have been brought down by a ransomware attack - specially by the Wanna Decryptor ransomware.

As of 15:30 on Friday afternoon, 16 NHS organisations reported they are affected - that number has risen to 25 as of 17:30, with NHS organisations in parts of Scotland also stating they've come under cyberattack. That number had risen to 33 as of 20:00 and 45 by Saturday morning.

NHS Digital said: "A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack. The investigation is at an early stage but we believe the malware variant is Wanna Decryptor."

It went on: "This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors. At this stage we do not have any evidence that patient data has been accessed."

Also: Ransomware: These four industries are the most frequently attacked | Windows 10 tip: Keep unwanted software off PCs you support | Will your business be next? Customizable ransomware makes it easy for criminals to target organisations

NHS Digital says it is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations - and NHS England has launched an investigation into the incident.
Prime Minister Theresa May has also commented on the ransomware incident, describing the hospital cyberattack part of wider international attack which wasn't specifically targeting the NHS and that there's no evidence data has been stolen by hackers.

NHS Trusts across the country appear are experiencing trouble with their IT systems, with some hospitals forced to shut down their computer networks entirely and urging patients not to visit Accident & Emergency departments.

Hospitals across the country are affected, ranging from hospitals in Manchester, Lister Hospital in Hertfordshire and Bart's Health NHS Trust in London - the largest hospital group in the UK.

"We are experiencing a major IT disruption and there are delays at all of our hospitals. We have activated our major incident plan to make sure we can maintain the safety and welfare of patients," said Barts in a statement.

"We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals." The trust said the problem is also affecting the switchboard at Newham hospital but direct line phones are working.

Some hospitals have already taken the step of cancelling appointments scheduled over the weekend. "Outpatient appointments have been cancelled tomorrow. We'll phone you to re-arrange on Monday," Southport and Ormskirk Hospital NHS said in a statement.

NHS Trusts in Scotland have also been impacted by the cyberattack with NHS staff in Dundee telling the BBC News channel that they're also experiencing issues - and Scottish Government First Minister Nicola Sturgeon is set to chair a resilience meeting in response to the attack.

"We are taking immediate steps to minimise the impact of the attack across NHS Scotland and restrict any disruption," the Scottish government said in a statement.

East and North Herts Hospitals have said they're "experiencing significant problems with our telephone network" and that the issue is also impacting on IT systems.

While the NHS has been hugely affected by this attack, it isn't specifically targeting the NHS with organisations in a range of sectors across the globe having come under attack by Wanna Decryptor malware. Researchers have detected tens of thousands of instances of the ransomware across the globe, with incidents in the UK, Spain, Russia and more.

Wanna Decryptor is a variant of the WCry/WannaCrypt, a ransomware which first was first spotted in February this year. Researchers at Tripwrire describe it as 'nothing out of the ordinary' but it still encrypts files on the infected computer and demands a ransom for unlocking them, rendering networks unusable until it is.

Those infected with the latest variant of WannaCrypt ransomware are instructed to pay for the the "Wanna Decryptor" application in order to retrieve their files at the cost of 0.1 Bitcoins - or around $300. This version is more robust than the original, providing workarounds for the ransomware, just incase anti-malware software is able to remove elements of it.

Cybersecurity researchers have suggested the ransomware attacks are so potent because they exploit a a known software flaw dubbed EternalBlue. This Windows flaw is one of many zero-days which was apparently known the NSA -- before being leaked by the Shadow Brokers hacking collective.

NHS England has moved to reassure patients that there are backup plans in place and that in an emergency, they'll get the care that they need.
We'd like to reassure patients that if they need the NHS and it's an emergency that they should visit A&E or access emergency services in the same way as they normally would and staff will ensure they get the care they need. More widely we ask people to use the NHS wisely while we deal with this major incident which is still ongoing, said Dr Anne Rainsberry, NHS Incident Director.

"NHS Digital are investigating the incident and across the NHS we have tried and tested contingency plans to ensure we are able to keep the NHS open for business," she added.


Editorial standards