
NHS Hack: What we know so far about today's cyber attack


NHS hack

NHS Cyber Attack: The NHS has been targeted by a serious attack, with IT and phone systems in five areas across the UK downed by the 'WannaCry' ransomware. Here's what we know about the hack.

The large-scale cyber attack saw hackers demanding a ransom equivalent to $300 (~£235) in Bitcoin to rid the computers of the 'WannaCry' or 'Wanna Decryptor' malware – widely understood to be the strain involved.

As the image above indicates, it now appears to be affecting the NHS across the board, with phone lines, websites and IT systems down for both hospitals and GP practices across the country.

The NHS has described it as a "major incident" but sought to reassure the public that emergency services are still functioning thanks to "tried and tested" contingency plans.

In a statement, Dr Anne Rainsberry, NHS Incident Director, said:

“We’d like to reassure patients that if they need the NHS and it’s an emergency that they should visit A&E or access emergency services in the same way as they normally would and staff will ensure they get the care they need. More widely we ask people to use the NHS wisely while we deal with this major incident which is still ongoing. NHS Digital are investigating the incident and across the NHS we have tried and tested contingency plans to ensure we are able to keep the NHS open for business."

It seems that the NHS was one of the most high-profile targets of a co-ordinated global hacking assault, with reports emerging from the infosec community revealing that upwards of 45,000 attacks were carried out across 74 countries around the world.

More worrying still, the so-called 'WannaCry' ransomware may have originated from the 'cyber weapons' recently stolen from the NSA in the United States.

British Prime Minister Theresa May said the NHS has not been singled out, pointing to the global nature of the attack. She says cyber security officials are "not aware of any evidence" patient data had been compromised.

In a statement she says: "This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected. The National Cyber Security Centre is working closely with NHS Digital to ensure that they support the organisations concerned and that they protect patient safety. And we are not aware of any evidence that patient data has been compromised."

News of the attack first surfaced during the afternoon of Friday May 12, with reports flooding Twitter.

Verified user Dr Ben White subsequently shared the following snap of the ransomware screen seen by NHS staff.

The social media reports were subsequently confirmed by the NHS, with the East and North Hertfordshire NHS Trust releasing the following statement:

“Today (Friday, 12 May 2017), the trust has experienced a major IT problem, believed to be caused by a cyber attack.

“Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.

“The trust is postponing all non-urgent activity for today and is asking people not to come to A&E - please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency.

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”

NHS hospitals issued advisories on social media, and GP practices are also understood to be affected by the attack.

In total, 16 NHS organisations across five parts of the country were affected by the cyber attack.

The areas affected were:

  • London
  • Blackburn
  • Nottingham
  • Cumbria
  • Hertfordshire

The NHS' online arm, NHS Digital, issued a statement saying that it does not believe patient data has been accessed as a result of the attack.

It's understood that the UK's National Cyber Security Centre and National Crime Agency are working with NHS Digital.

Who's behind the attack? That's all we know for now, but stay tuned, as we'll update this post with more information as and when it becomes available.

Given the global nature of the incident, we're sure this is just the beginning.


What sort of unspeakable cretin would hack the NHS? Share your thoughts in the comments below.


May 12, 2017, 3:22 pm

Now, if that's $300 per computer to decrypt that's a lot. If it's the total ransom then this is proof of concept and something I've been on about for years. The NHS is utterly backwards when it comes to security and I redundancy. They want to go paper free but won't put the resources into ensuring it's robust. TV broadcasting has way more redundancy than NHS computer systems.


May 12, 2017, 9:13 pm

Didn't a TV station succumb to just such an attack recently, in France?


May 12, 2017, 10:47 pm

I was going to go into it but couldn't be arsed but as you've pushed me...

I was referring to structural redundancy / backup hardware in vulnerable outside broadcast situations. Almost all the equipment is doubled and there are often two backup generators running on tick over, either of which could power the whole operation.

The penalty for the OB company for going off air is huge and so they put a lot of resources into preventing it. In the NHS one trust recently had their pathology servers (bloods, etc) go down for a week+ due to a lack of redundancy and failure of a hard to get part. In outside broadcast this part would have had a duplicate which was automatically switched to, possibly the only noticeable interruption being half a second of black. They had to send samples to hospitals all over the region because they would not invest in redundancy. The clinical impact was huge. Imagine you're a patient undergoing chemotherapy and you go in, get a shot, get some bloods done and have to wait for those results before knowing if you can have your treatment that day... And that's one example of which there are loads. INR in warfarinised patients coming in for surgery, troponin tests in possible heart attack patients.... And TV at a footie match has more redundancy. It's mental.

Edit - as for security, the weakness for this attack was human. It required a human to open and run an emailed executable (an invoice apparently) and then it used an exploit revealed by the NSA some time ago and a patch was released early March to spread. The lack of up to date patching of systems and human error in opening an executable from an unknown source was the issue here.


May 13, 2017, 1:32 pm

The EternalBlue worm which enabled the ransomware package to spread so efficiently was crafted by the NSA. It had a killswitch built in, presumably to allow the NSA to terminate it once it had done its job, and prevent it careering evermore around the internet.

The bad guys obtained the worm and strapped a ransomware package to it, oblivious of the killswitch, and launched it.

Question: once news broke that the ransomware was working its way around the world courtesy of the NSA's worm, why did they not activate the killswitch? Why was it left to some guy in the UK to stumble unwittingly onto the killswitch and activate it?

Observation: does Amber Rudd need any further evidence that software hacks (eg backdoors into secure systems) developed for the State to 'protect' us from the bad guys will inevitably be found and exploited against us by the bad guys, probably with greater energy.


May 13, 2017, 10:24 pm

I'm not going to say you're wrong but I've heard a different chain of events which I'll list below, I'd be interested to see your source so that I might put things together better. Mine is various articles on the BBC news website and emails from my employer during the outbreak.

The chain of events I have is:
- NSA discovered (rather than implanted) a zero day back door
- This was leaked which forced them to come forward with it officially to Microsoft
- MS released a patch in mid March which should have been applied
- The patch caused issues with certain (poorly coded) browser based software and wasn't applied widespread in some companies for this reason
- Ransomware based on this bug was created and released by parties unknown, although unlikely to be a state actor and could be a 12 year old with the power of weaponised autism or a gang - bitcoin wallets filling up suggest the latter. The bug was discovered by the NSA but not put into ransomware or used for this purpose, it was simply an exploit which was then incorporated into the appropriate software.
- The "killswitch" wasn't really a killswitch, although it had the same effect. It was the malware trying to connect to a website which didn't exist and if it received traffic back from that connection, it assumed it was being manipulated within a virtual machine and analysed. The thing that "killed" it was a researcher registering the site being pinged in order to collect the traffic being sent to that address. When it was registered, all the malware out there got a response to the ping and therefore assumed it was operating within a VM and stopped dead in order to prevent analysis. Total luck. Possibly. Or as you say, possibly a kill switch made in order to keep things from getting out of hand but if that was the case I would have thought it would just have happened randomly rather than a security researcher being hailed as an "unintentional hero".

Frankly this is just a different interpretation of the same data, I feel and really open to personal opinion.

As for your observation - I agree (although my chain of events does suggest developed BY the state rather than FOR but frankly I appreciate the immense bias in my source). But this is how it has been since GCHQ started tapping into the first transatlantic cables. They won't give it up easily.

Regardless, I'd be interested in where your information has come from so I can integrate it with my own.


May 14, 2017, 7:25 am

I don't disagree. As you say, will we ever know for sure, especially about the 'killswitch/anti-analysis' question.

The guy who discovered it leans towards 'anti-analysis' (see link).


But even he concluded that as such it is a very poor implementation. One would have to impute on the part of whomever would have implemented it as an 'anti-analysis' far less aptitude than seems credible for one who dabbles in these arts.

However as a 'killswitch' it is highly effective. Recall that this element was part of the worm, the package developed by the NSA to exploit the Windows SMBv1 vulnerability, and which is the vehicle by which the ransomware payload travelled so effectively around each corporate network. It would make perfect sense in that context - the NSA would only ever want to insert their (covert) payload on the back of this worm into a specific target and then kill it stone dead anywhere beyond that target. The last thing they would want is it rampaging around the internet forever.

So I don't think the miscreants did any coding at all, beyond sticking together two existing tools, the worm stolen from the NSA (complete with its killswitch, unbeknownst to them), and the ransomware virus.


May 14, 2017, 9:23 pm

Cheers dude. Perfectly reasonable explanation. As you say, stitching together and existing malware is pretty easy. I'll have a read of that site.

You have to wonder if these intelligence community tools could be more dangerous / extensively destructive than a nuke.

Michael Furse

May 15, 2017, 1:42 pm

Contrast this with the approach taken by a Scandinavian bank seeking to upgrade its software. I understand that the individual hired to oversee this only took the job on the understanding that the committee overseeing it consisted of the 12 most senior members of the bank staff, and that he would walk if they didn't make every meeting. I understand it's going well.

I accept that a bank is a very different animal to the behemoth that is the NHS. But the key difference is personal responsibility, and none of this appears to have been borne by the politicians or NHS senior management.

I would also add that the complexity and imperatives of the NHS computer architecture is going to demand open 24 hour access across the network. It would be hard enough to keep that secure with up to date software - with XP as the standard to which many aspire, there's no chance of security.

Open source, anyone?


May 15, 2017, 5:21 pm

That's a really interesting story, thanks for that. He seems to be pointing out just how important the IT infrastructure is to them and also that he won't be made a scapegoat of if things go wrong as there's no way the top brass aren't informed.

This is probably the level of importance IT should get in the NHS as it enables so much of the stuff they do. Today I informed a company that makes pulmonary function testing machines that yes, there is a patch for their XP based systems and they might want to get on that... It's not just the NHS IT people, a lot of medical equipment runs on XP of some flavour.

As for 24 hour access, there are ways around this and upgrades or essential maintenance has to happen at some time so it's a matter of planning it when there's the least disruption and also ensuring there are other ways of accessing important information during the down time. Even if that's a phone service for critical emergency stuff.
