NHS Trusts across the UK have been brought to their knees by a massive cyber attack.

Several hospitals and GP surgeries were forced to shut down their entire IT systems over the weekend, after ransom notes from hackers appeared on computer screens, threatening to delete all of their files within seven days unless a ransom of $300 in bitcoin currency was paid.

Many non-urgent operations were cancelled, and affected hospitals were forced to divert ambulances to nearby A&E departments.

Meanwhile, medics in as many as 40 NHS organisations were completely unable to access patient records, and had to revert to pen and paper.

“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” an NHS spokesperson said in a statement on Friday.

“At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.”

So who is behind the attack? Here’s what we know so far:

The ransom is very small

Several security experts have pointed out that the ransom being demanded is very small, suggesting this is a random attack rather than a targeted one.

“If a cyber criminal can impact so many systems at once, why not ask for lots of money?” said David Emm, principal security researcher at Kaspersky Lab.

Vince Warrington, director of Protective Intelligence, added: “The very low value of the demanded ransom would tend to indicate that this is an opportunistic attack rather than one that has a large degree of control.

“I would expect a sophisticated cyber criminal gang to be demanding a larger ransom.”

The NHS is not the only organisation affected

The Wanna Decryptor ransomware – also known as WanaCrypt0r 2.0 or WannaCry – has spread incredibly fast, with 57,000 detections worldwide so far, according to cyber security firm Avast.

Spanish telecoms giant Telefonica has been hit, as well as other major international companies such as FedEx.

This reinforces the suggestion that the hackers aren’t specifically targeting the NHS.

“Early reports show it originating in Europe and impacting healthcare organisations, hospitals, doctors’ surgeries, telecommunication systems as well as gas and electricity utilities,” said Adam Meyers, security expert at CrowdStrike.

He added that the hackers probably sent out phishing emails in bulk, with attached .zip files posing as invoices, job offers, security warnings or undelivered email notices.

Is it the Russians?

Attacks of this scale are often propagated by foreign governments, but this attack does not bear the hallmarks of a nation state attack.

For one thing, the group behind the attack does not appear to be picky about the nation or sector it is targeting. Russia is one of the worst-hit countries, according to security researchers at Kaspersky, with around 1,000 computers at the Russian Interior Ministry affected.

It is also unusual for hostile governments to use ransomware – as the aim of nation state attacks is usually to gather intelligence by flying under the radar, rather than financial gain.

“The signs do not point to a typical nation state attack such as Russia or China, as this is about disruption for a small financial return,” said Dan Raywood, contributing editor at Infosecurity Magazine.

“Instead I wouldn’t be surprised if this was a more low key attacker or group, who got their hands on some very effective ransomware.”

Then who?

While it’s still not known who is behind the attack, the ransomware is thought to have got into NHS networks by exploiting a vulnerability in Microsoft’s Windows operating system.

An organisation known as the Equation Group, which is widely suspected of having ties to the US National Security Agency (NSA), secretly created a hacking tool designed to exploit this vulnerability, called “EternalBlue”.

EternalBlue somehow got into the hands of a hacker group called Shadow Brokers, which leaked the details online, making it available for anyone to use.

Jakub Kroustek, head of the Threat Intelligence team at Avast, said that whoever installed the Wanna Decryptor ransomware probably used the EternalBlue exploit to do so.

Is Microsoft to blame?

EternalBlue targets a vulnerability in the Microsoft network protocol called SMB.

The day after the EternalBlue exploit was leaked online, Microsoft released a software update to fix the vulnerability.

However, Prof Alan Woodward, a security expert from the University of Surrey, pointed out that anyone running an outdated version of the Windows operating system would not have benefited from the patch.

“The virulence is likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems (such as XP) that are no longer supported by Microsoft and hence no patch exists,” he said.

According to the British Medical Journal, up to 90% of NHS computers still run Windows XP. It is possible that the ransomware got in through one of these computers.
“I’m sure we’ve all seen Windows XP PCs in hospitals around the country,” said Andrew Barratt, managing principal for Coalfire.

“Since the PCs are no longer patched by Microsoft, it’s highly likely these devices are unprotected and potentially littered with vulnerabilities that could be exploited by a cyber criminal.

“With stretched budgets, the NHS is constantly under scrutiny to maximise their investments and this can often mean a deprioritisation of security protection and IT support, leaving them completely exposed and at the mercy of a large ransomware attack.”

Microsoft has now taken the unprecedented step of issuing a patch for Windows XP and other older operating systems.

“This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind,” the company told customers in a blog post.

What does Wanna Decryptor do?

Wanna Decryptor is distributed through spam emails and fake ads, which trick users into downloading the virus onto their computer.

It then sets about creating encrypted copies of files on the victim’s computer, and deleting the originals, leaving the victim with only the encrypted copies, which cannot be accessed without a decryption key.

A ransom note then appears on the victim’s screen, demanding money in exchange for revealing the decryption key and restoring access to the affected files.

In the case of the NHS, the message read: “Ooops, your files have been encrypted! Maybe you are looking for a way to recover your files, but do not waste your time.”

Health service staff were told to pay the ransom within seven days or everything on their systems would be deleted.

Security experts believe that the ransomware is self-propagating, meaning that once it is downloaded onto one machine it spreads laterally to other vulnerable computers on the network.

“For those who remember the early 2000s, this is a worm – malware that infects a machine and then looks for other vulnerable hosts on the same network or randomly scans and looks for other vulnerable hosts to infect,” said Rich Barger, director of threat research at Splunk.

Meyers added: “We’ve not seen a large-scale ransomware campaign that uses a self-propagating technique at this scale before, which makes it really unique.”

What now?

The affected organisations need to decide whether or not to pay the ransom.

Security experts warn against this, claiming that paying up won’t guarantee that victims regain control of their devices and files.

“Some ransomware operators will refuse to unlock your device even after you’ve paid, and demand more money or attempt to defraud you by other means with the financial information you’ve provided them,” said Brian Kennedy from US security consultancy iSight.

However, several organisations already appear to have given in and paid up. According to the Blockchain website, the Bitcoin address quoted in one of the ransom messages (pictured above) had received 5 payments at the time of writing. The total amount paid so far is 0.65490604 Bitcoin – worth about £890.

It is unlikely all NHS Trusts will pay the ransom, but if they decide not to, they will have to find another way to regain control of their data.

Home Secretary Amber Rudd said that, in theory, their files should be backed up, rendering the ransom demands redundant.

“Where the patient data has been properly backed up, which has been in most cases, work can continue as normal because the patient data can be downloaded and people can continue with their work,” she told Sky News.

However, she admitted that there may be “holes”, where data has not been backed up.

“There may be lessons to learn from this,” she said.