The National Health Service (NHS) says 16 of its organizations were attacked with ransomware today (May 12), locking doctors out of patient records and reportedly forcing emergency rooms to send patients to other hospitals.
“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” said NHS Digital in a statement.
Experts say the large-scale attack is currently spreading throughout Europe and Asia and has affected at least 45,000 systems.
Ransomware is a form of malware that encrypts a computer’s files and displays a message to the user, saying it will decrypt the files for a payment, typically via bitcoin. Security experts say the Wanna Decryptor is exploiting a vulnerability in Microsoft Windows that was leaked last month by an anonymous hacker group calling itself the Shadow Brokers. The group claimed it had stolen the exploits it released from the US National Security Agency.
The message displaying on NHS computers has been circulated in photos on social media, and it includes instructions to send $300 to a bitcoin address.
The photos show a bitcoin address where payments are meant to be sent, and wallets tied to bitcoin addresses are publicly accessible. As of 11 a.m. EDT, the wallet tied to the address in the message had 0.15 bitcoin (about $265 USD) in it.
Microsoft released a patch in March for the Windows vulnerability being exploited by the attack, and security experts say the affected systems would have been safe if they had simply run a Windows update.
Costin Raiu, director of global research and analysis at Kaspersky Lab, said on Twitter that the lab has found 45,000 instances of the attack in 74 countries.
According to a recent cybersecurity report, ransomware incidents rose each quarter in 2016.
In the US, ransomware attacks made news throughout 2016 by forcing money out of private and public organizations, including a hospital in Los Angeles and the public transportation system in San Francisco. So far in 2017, hackers have demanded $35,000 from St. Louis libraries, an undisclosed amount from an Illinois police station, and wreaked havoc on 28,000 database servers, among other attacks.
Victims of these attacks often have no choice but to pay the ransom, particularly when the infected systems run critical institutions like hospitals. In its statement, NHS Digital said the attack “was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.”
“At this stage we do not have any evidence that patient data has been accessed,” the statement said.