Today, a massive cyber attack has crippled the IT systems of several NHS hospitals across England, forcing some trusts to redirect emergency patients and send employees home, causing chaos.
According to The Guardian, computers in several NHS England hospitals have been simultaneously struck, locking clinicians out until a ransom is paid. A photo of the malware shows that the ransomware is asking for $300 to be paid in Bitcoin.
— gigi.h (@fendifille) May 12, 2017
In addition to several local GPs surgeries across Liverpool and Greater Manchester, the following trusts have been confirmed to be impacted:
- East and North Hertfordshire NHS trust
- Barts Health in London
- Essex Partnership University NHS Trusts
- University Hospitals of Morecambe Bay NHS Foundation Trust
- Southport and Ormskirk Hospital NHS Trust
- Blackpool Teaching Hospital NHS Foundation Trust
In response, several trusts and hospitals have been forced to cancel non-essential surgeries, and are requesting patients not attend A&E (accident and emergency) unless it’s absolutely essential.
We apologise but we are having issues with our computer systems. Please don't attend A&E unless it's an emergency. Thanks for your patience
— Blackpool Hospitals (@BlackpoolHosp) May 12, 2017
In response to the chaos, some hospitals have been forced to send employees home.
I've had confirmed reports from friends in the NHS that they've been sent home as their systems were hit by ransomware.
— Scott Helme (@Scott_Helme) May 12, 2017
In a statement, NHS Digital said:
A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack.
The investigation is at an early stage but we believe the malware variant is Wanna Decryptor.
This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.
At this stage we do not have any evidence that patient data has been accessed.
NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.
Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.
It’s believed that the ransomware is WanaCrypt0r 2.0, which has hit several high-profile targets today. According to security architect Kevin Beaumont, it spreads when infected machines join a network, rather than through malicious attachments, the traditional ransomware attack vector.
It arrives via internal PCs, e.g. unpatched laptops on Guest Wi-Fi returning back to office, partner VPN etc.
— Kevin Beaumont (@GossiTheDog) May 12, 2017
Several credible individuals have said the ransomware takes advantage of EternalBlue – an exploit for SMB originally discovered by the NSA, and released to the public through the ShadowBrokers leak.
Confirmed – wcry ransomware spreading across Europe uses EternalBlue/MS17-010/SMB. PATCH NOW EVERYWHERE.
— Kevin Beaumont (@GossiTheDog) May 12, 2017
WannaCry/WanaCrypt0r 2.0 is indeed triggering ET rule : 2024218 "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response" pic.twitter.com/ynahjWxTIA
— Kafeine (@kafeine) May 12, 2017
One company decimated by this is the Spanish telco Telefonica. According to El Mundo, 85 percent of Telefonica computers are infected with the malware. The paper noted that the company has instructed employees to turn off their computers, and disconnect from the company internal VPN.
Employees of Telefonica, speaking to Bleeping Computer, said that the company had instructed them to disconnect from the Wi-Fi, and that messages are being broadcast on the headquarters’ speaker system instructing them to shut down their machines.
According to El Pais, the ransomware attack has also hit the systems of consultancy group KPMG and Spanish bank Santander. Spanish bank BBVA denied on Twitter that it has fallen victim to the ransomware.
Following the publication of certain reports, BBVA confirms that we are operating normally and that the network has not been affected.
— BBVA (@bbva) May 12, 2017
Update: 1:20 (PST): Microsoft is aware of the problem, and has issued a fix to protect those not yet infected, as well as alerting those that are, according to Reuters. “Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.”
Update: 12:44 (PST): WannaCry has now hit Russian computers, according to the interior ministry.