NHS Ransomware Attack – Latest News

We are currently looking into a large scale incident regarding a ransomware attack at a number of UK NHS Hospitals/Trusts.

More to follow.

Update 17:55 12/05/2017:

Shropshire Trust have informed all employees to disconnect from the network and shut down all devices.

Update 17:51 12/05/2017:

Correction to previous information – there is a patch for Windows 7.

Please see: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Update 17:32 12/05/2017:

Up to 25 NHS organisations now affected by the Wcry Ransomware.

Update 17:17 12/05/2017:

11 victims and counting have been confirmed to have paid the ransom.

Update 16:54 12/05/2017:

Breaking: The exploit found in MS17-010 is currently unpatched and therefore considered a Zero-Day.

Update 16:27 12/05/2017:

Wcry Ransomware has been found to target Microsoft Windows Shadow Copy and Windows Safety Mode. Part of the command that is run is as follows: “/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet”
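
For defenders, the command quoted above can be matched in process-creation logs. The following is an added example, not part of the original report or of Zepko's tooling; the rule names, the severity threshold and the sample events are assumptions constructed for illustration.

```python
import re

# Recovery-inhibiting actions present in the command quoted above.
# Rule names and patterns are this example's own (assumptions).
RULES = {
    "vss_delete_vssadmin": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "vss_delete_wmic": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "boot_ignore_failures": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}

def normalize(cmdline):
    """Strip cmd.exe caret escapes and quotes, collapse whitespace."""
    cleaned = cmdline.replace("^", "").replace('"', "")
    return " ".join(cleaned.split())

def match_rules(cmdline):
    """Return the sorted names of rules that hit one command line."""
    text = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def triage(events, chain_threshold=2):
    """Yield (host, severity, hits) for events with at least one hit.
    Several actions chained in one command rate 'high'; a single one
    rates 'review', since administrators run these tools legitimately."""
    for host, cmdline in events:
        hits = match_rules(cmdline)
        if hits:
            yield host, ("high" if len(hits) >= chain_threshold else "review"), hits

# Constructed sample events: (hostname, process command line).
SAMPLE_EVENTS = [
    ("ws-014", "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
               "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
               "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    ("ws-022", "vssadmin list shadows"),
    ("srv-03", "wbadmin delete catalog -quiet"),
    ("ws-031", "cmd.exe /c v^ssadmin.exe  Delete  Shadows /all"),
]

if __name__ == "__main__":
    for host, severity, hits in triage(SAMPLE_EVENTS):
        print(f"{host}\t{severity}\t{','.join(hits)}")
```
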

Update 16:24 12/05/2017:

16 hospitals now believed to be affected. Some internal sources recommend disconnecting from the NHS’s N3 backbone network and shutting down all computer systems.

Update 16:19 12/05/2017:

Hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected, while East and North Hertfordshire NHS Trust has today admitted that it has been affected and urged people not to attend A&E.

Update 16:12 12/05/2017:

Ransomware strain appears to be  aka  with around an estimated 36,000 infected devices across the globe.

Update 16:05 12/05/2017:

NHS Nottingham and Cumbria have also been affected.

Update 15:41 12/05/2017:

A sample of “Wana Decryptor 2.0” is now being reverse engineered in the Zepko Malware Lab.

Update 15:33 12/05/2017:

It is believed both East and North Hertfordshire NHS Hospitals have been hit.

It correlates with the Spanish telecoms giant, Telefonica, who have also been hit with the same strain of ransomware. It is believed a number of other industries and organisations have been affected.

It has been speculated that the attackers have exploited a critical vulnerability (MS17-010) which first received a patch on 14 March.
It said the affected systems include:

  • Microsoft Windows Vista SP2
  • Windows Server 2008 R2 and R2 SP1
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2012 and R2
  • Windows 10
  • Windows Server 2016

Update 15:20 12/05/2017:

It is speculated that the attack is using a ransomware strain named “Wana Decryptor 2.0” a.k.a “WCry”.