The heart of tech is coming to the heart of the Mediterranean. Join TNW in Valencia this March 🇪🇸

This article was published on May 12, 2017

Huge ransomware attack spreading through hospitals, banks, and telcos [Updated]

Huge ransomware attack spreading through hospitals, banks, and telcos [Updated]
Matthew Hughes
Story by

Matthew Hughes

Former TNW Reporter

Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twi Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twitter.

Today, a massive cyber attack has crippled the IT systems of several NHS hospitals across England, forcing some trusts to redirect emergency patients and send employees home, causing chaos.

According to The Guardian, computers in several NHS England hospitals have been simultaneously struck, locking clinicians out until a ransom had been paid. A photo of the malware shows that the ransomware is asking for $300 to be paid in Bitcoin.

In addition to several local GPs surgeries across Liverpool and Greater Manchester, the following trusts have been confirmed to be impacted:

  • East and North Hertfordshire NHS trust
  • Barts Health in London
  • Essex Partnership University NHS Trusts
  • University Hospitals of Morecambe Bay NHS Foundation Trust
  • Southport and Ormskirk Hospital NHS Trust
  • Blackpool Teaching Hospital NHS Foundation Trust

In response, several trusts and hospitals have been forced to cancel non-essential surgeries, and are requesting patients not attend A&E (accident and emergency) unless it’s absolutely essential.

In response to the chaos, some hospitals have been forced to send employees home.

In a statement, NHS Digital said:

A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack.

The investigation is at an early stage but we believe the malware variant is Wanna Decryptor.

This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

At this stage we do not have any evidence that patient data has been accessed.

NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.

Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.

It’s believed that the ransomware is the WanaCrypt0r 2.0 ransomware, which has spread through several high-profile targets today. According to security architect Kevin Beaumont, it spreads by infected machines joining a network, rather than the traditional ransomware attack vector, which is malicious attachments.

Several credible individuals have said the ransomware takes advantage of EternalBlue – an exploit for SMB originally discovered by the NSA, and released to the public through the ShadowBrokers leak.

One company decimated by this is the Spanish telco Telefonica. According to El Mundo, 85 percent of Telefonica computers are infected with the malware. The paper noted that the company has instructed employees to turn off their computers, and disconnect from the company internal VPN.

Employees of Telefoninica, speaking to Bleeping Computer, said that the company had instructed them to disconnect from the Wi-Fi, and that messages are being broadcast on the headquarter’s speaker system instructing them to shut down their machines.

According to El Pais, the ransomware attack has also attacked the systems of consultancy group KPMG and Spanish bank Santander. Spanish bank BBVA denied on Twitter that it has fallen victim to the ransomware.

Update 1:20 (PST): Microsoft is aware of the problem, and has issued a fix to protect those not yet infected, as well as alerting those that are, according to Reuters. “Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.”

Update: 12:44 (PST): WannaCry has now hit Russian computers, according to the interior ministry.