On 12 May, the UK National Health Service (NHS) was forced into meltdown by a widespread ransomware cyberattack. The computer virus, which sent some hospitals back to a pen and paper system, locked down vital patient files and demanded bitcoin for them to be decrypted.

An NHS statement read: "A number of organisations have reported to NHS Digital that they have been affected by a ransomware attack which is affecting a number of different organisations. The investigation is at an early stage but we believe the malware variant is Wanna Decryptor.

"The trust is postponing all non-urgent activity for today and is asking people not to come to A&E - please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency."

The NHS is now working with law enforcement to investigate the incident. Here's what you need to know:

What happened?

At least 40 NHS healthcare organisations across England and Scotland were infected with ransomware, which is a strain of malware which locks down sensitive files and demands money for their return.

The virus typically circulates via email phishing, however, in this case it remains unknown how it got inside the networks. It was reportedly exploiting a known Microsoft Windows flaw that was patched last month (MS17-010).

What this an isolated incident?

No, the NHS was not the only organisation caught up in the digital assault. As IBTimes UK reported, Spanish telecommunications giant Telefonica was also hit on the same day. Cybersecurity experts have said the ransomware was sent as part of a widespread attack in nearly a dozen countries. MalwareHunterTeam, a well-known cybersecurity outfit, said on Twitter the strain was "spreading like hell." Here is the full list of known NHS victims so far.

Who is behind the attacks?

It remains unknown (at the time of writing) who is responsible for the incident. In the past, groups have targeted hospitals, governments and schools with similar tactics - and often they dissapear without ever being caught. The developers of these tools can range from sophisticated groups to so-called "script-kiddies". However, the tools are increasingly available on the dark web to purchase.


A re-cap of events so far:

  • Roughly 40 NHS health organisations, dental practices and GPs have been hit
  • Operations have been cancelled and some patients are being sent home
  • NHS says it is a "national major incident"
  • The attack reportedly used a "loophole" exposed by Shadows Brokers' NSA leaks
  • Kaspersky Lab says the global campaign saw 45,000 attacks in 74 countries around the world.
  • IT networks, booking systems and telephones lines are impacted nationwide
  • The NHS incident was initially believed to be limited to England, but has spread to Scotland
  • The ransomware appears to be a strain known as "Wanna Decryptor"
  • It appears to be linked to an ongoing digital assault in at least 11 countries
  • A similar ransomware attack was recorded on the same day in Spain
  • The fault appears to be linked to a previously-patched Microsoft Windows vulnerability
  • The computer virus is demanding $300 from each terminal by Monday or the cost will go up
  • However, experts do not believe the NHS was specifically targeted in the attack
  • NHS Digital and the National Cyber Security Centre are investigating
  • Backup plans are being established to deal with weekend patients

How many people will be impacted?

Reports indicate that health organisations, dental practices and GPs were hit with the ransomware, sending many into a state of emergency. When contacted by IBTimes UK, the NHS press office declined to comment on the scope of the hack or provide an estimate of the amount of patients impacted. One therapy radiographer said on Twitter: "Our cancer patients getting sent home missing a day of important radiotherapy. A sad and broken world we live in."

Ransomware attacks
36,000 detections of WannaCry ransomware found, one expert said Jakub Kroustek

How to deal with ransomware, according to Action Fraud:

Don't click on links or open any attachments you receive in unsolicited emails or SMS messages. Remember that fraudsters can 'spoof' an email address to make it look like one used by someone you trust. If you are unsure, check the email header to identify the true source of communication.

Always install software updates as soon as they become available. Whether you are updating the operating system or an application, the update will often include fixes for critical security vulnerabilities.

Create regular backups of your important files to an external hard drive, memory stick or online storage provider. It's important that the device you back up to aren't left in an insecure location or on the same network that your machines are connected too.

weekend effect
NHS personnel have been forced to resort to pen and paper following the major incident Getty