You can find the current article at its original source at https://www.theguardian.com/society/live/2017/may/12/england-hospitals-cyber-attack-nhs-live-updates

Cyber-attack hits 74 countries with UK hospitals among targets – live updates
2.23am BST
02:23
Thank you, Sam. Friday’s ransomware attack has seen Taiwan become one of its main victims and we’re working to find out more details about how organisations there have been affected. The island is one of the most hacked places in the world, given its geopolitical situation. Dozens of its schools have been targeted with ransomware this year. Of course, this latest cyber-attack is more random in nature.
2.07am BST
02:07
What we know so far
Here’s what we know so far about the massive ransomware cyber-attack that has affected countries across the globe:
There have been reports of tens of thousands of attacks in 99 countries, including the UK, Russia, Ukraine, India, China, Italy and Egypt.
The NHS was hit as part of the attack, and staff across at least 16 trusts in the UK were affected – locked out of computers and forced to divert emergency patients.
Thousands of patients across England and Scotland were stuck in limbo, with many having operations cancelled at the last minute.
By late Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia were most hard hit.
A group called Shadow Brokers made the malware dump available online earlier this month, claiming to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).
The malicious software is known as WanaCrypt0r 2.0 and was asking for a $300 (£233) ransom per machine to be paid in cryptocurrency Bitcoin to unlock computers.
In Spain, megaphone announcements told employees at telecom giant Telefónica to shut down their workstations immediately while the attack spread.
Scotland reported that 11 health boards and its ambulance service were attacked.
Whistleblower Edward Snowden blamed the NSA, saying: “If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened.”
FedEx also announced it was impacted and said it was “implementing remediation steps as quickly as possible”.
The Guardian’s Graham Russell will now be taking over the blog.
1.57am BST
01:57
Olivia Solon
Guardian tech reporter Olivia Solon explains how a cybersecurity researcher was able to block the spread of the malware:
The global spread of the WannaCry ransomware has been stopped by a cybersecurity researcher tweeting as @malwaretechblog, with the help of a researcher at Proofpoint.
The malware contains a hardcoded “kill switch” that the creator could choose to implement if he or she wanted. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early this morning (Pacific Time), stopping the rapid proliferation of the ransomware.
“They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”
The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected, but gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.
It’s possible that there are other variants of the malware with different kill switches that have not yet been intercepted.
1.35am BST
01:35
Patients left waiting for hours
There are thousands of patients across England and Scotland who have been left in limbo, many forced to cancel operations at the last minute, the Guardian’s Kevin Rawlinson reports:
Senior medics sought to reassure patients that they could be seen in the normal way in emergencies, but others were asked to stay away if possible.
According to one junior doctor who works in a London hospital, the attack left hospitals struggling to care for people. “However much they pretend patient safety is unaffected, it’s not true. At my hospital we are literally unable to do any x-rays, which are an essential component of emergency medicine,” the doctor told the Guardian.
Read more about the chaos in hospitals here:
1.18am BST
01:18
The US Department of Homeland Security (DHS) has released a statement saying it is “aware of reports of ransomware known as WannaCry affecting multiple global entities”. DHS noted that Microsoft released a patch in March that addresses this vulnerability, adding:
Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school.
DHS said it is also “actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally”. The agency further said it is working with chief information officers in other US federal departments to ensure “our own networks are protected against the threat”.
12.48am BST
00:48
The rapid spread of the malware may have been stopped when a researcher who tweets at MalwareTech and works for security firm Kryptos Logic took control of a key domain name, according to tech blog ArsTechnica.
God damn. Looks like @MalwareTechBlog stopped the spread of this global ransomware attack https://t.co/pgDiTS9oTR pic.twitter.com/YyFKt7cQwy
The site reports:
The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign. MalwareTech’s registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world. As a result, the number of infection detections plateaued dramatically in the hours following the registration.
This won’t, however, help companies that have already been infected.
12.31am BST
00:31
Corporations in Spain regain control
The Cybersecurity National Institute in Spain is reporting that many of the country’s corporations targeted in the ransomware attack are regaining control over their systems and resuming operations, according to the AP.
A statement released by the institute did not identify affected companies, though Telefonica, Spain’s telecommunications corporation, acknowledged the attack earlier in the day.
The institute said that many Spanish corporations were alerted early enough that they were able to dodge the malware, the AP reported.
Telefonica said earlier that the attack was limited to its internal network computers and had not impacted services or clients.
12.07am BST
00:07
US congressman Ted Lieu, a Democrat from California and one of the more technologically savvy lawmakers, criticized the NSA’s suspected role in the WannaCry malware on Twitter.
Best way to protect US & the world is for NSA/CIA to DISCLOSE zero-day vulnerabilities to software owner, NOT WRITE MALWARE. #ransomware https://t.co/dAsbDJywHt
If true, unacceptable NSA wrote malware & did not disclose vulnerability. I've been working on bill to address this very issue. #ransomware https://t.co/sujC648iZs
To be clear, the NSA is not necessarily suspected of writing the actual malware involved in this hack, but rather of knowing about and failing to disclose the flaw in Windows that the ransomware exploits.
Software companies offer bug bounties to hackers who inform them about such vulnerabilities, allowing them to issue security patches through software updates. But intelligence agencies stockpile their knowledge of such flaws in order to use them for intelligence gathering or cyber warfare.
Sam Levin in San Francisco will be taking over the blog for now.
Updated
at 12.09am BST
11.58pm BST
23:58
The National Cyber Security Centre’s CEO Ciaran Martin has issued a new statement on the ransomware attack.
Martin said the NCSC is “working round the clock” with UK, international, and private sector partners to respond to the attack, and reiterated that there is no evidence that NHS patient data has been stolen.
“We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.”
The NCSC’s guidance for protecting yourself from ransomware can be found here.
11.35pm BST
23:35
The Russian interior ministry said earlier today that about 1,000 of its computers had been affected. The country’s largest bank, Sberbank, was also targeted, according to the Associated Press, but said that it had successfully repelled the attack.
Russia was hit early and hard by the attack, which could be a sign that the attacks originated in that country, according to Markus Jakobsson, chief scientist with security firm Agari.
Since the malware spreads by email, he told the Guardian, it’s possible that the criminals had access to a large database of Russian email addresses.
However, Jakobsson warned that the origin of the attack remains unconfirmed.
10.59pm BST
22:59
Scotland: 11 health boards and ambulance service attacked
Eleven of Scotland’s 14 geographical health boards and its ambulance service have been affected by the global cyberattack, according to the Press Association.
“I have convened a Scottish Government resilience meeting to ensure that we are closely monitoring the situation,” first minister Nicola Sturgeon said. “All necessary steps are being taken to ensure that the cause and nature of this attack is identified. There is no evidence that patient data has been compromised.”
The impacted health boards are NHS Borders, Dumfries and Galloway, Fife, Forth Valley, Lanarkshire, Greater Glasgow and Clyde, Tayside, Western Isles, Highlands, Grampian, Ayrshire and Arran, and the Scottish Ambulance Service.
10.44pm BST
22:44
Ransomware attacks have been on the rise around the globe, and hospitals are particularly vulnerable, thanks to outdated IT systems and increasing reliance on electronic health records.
The BBC reported in April that the NHS hospital trusts in England saw 55 cyber attacks in 2016.
Last year, a hospital in Los Angeles was infected with ransomware. Doctors and nurses resorted to using paper charts and fax machines for days before the hospital paid $17,000 in bitcoin to the ransomware hackers.
“The attack against the NHS demonstrates that cyber-attacks can quite literally have life and death consequences,” Mike Viscuso, chief technology officer of security firm Carbon Black, told the Guardian. “When patients’ lives are at stake, there is no time for finger pointing but this attack serves as an additional clarion call that healthcare organizations must make cybersecurity a priority, lest they encounter a scenario where lives are risked.”
10.17pm BST
22:17
Global courier company FedEx has been infected by the ransomware.
“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” a spokesperson said in a statement. “We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers.”
10.14pm BST
22:14
The WannaCry ransomware has now spread to 99 countries, according to security firm Avast.
9.56pm BST
21:56
The suspected origin of the ransomware in a vulnerability known to the US’s National Security Agency is already leading to finger-pointing by some critics.
Experts believe that WannaCry works by taking advantage of a flaw in Windows that the NSA knew about but kept secret. Intelligence agencies keep a stockpile of such vulnerabilities and use them to carry out intelligence gathering or engage in cyberwarfare.
This particular vulnerability was publicly disclosed by a group calling itself Shadow Brokers, which claimed to have stolen it from the NSA. Once the flaw was public, Microsoft issued a fix, but many users and institutions are slow to install security updates.
Edward Snowden articulated the critique of the NSA’s role in the attack on Twitter.
If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened https://t.co/lhApAqB5j3
9.43pm BST
21:43
Kaspersky Lab, a cybersecurity company based in Moscow, has published a blogpost in which it estimates that 45,000 attacks have been carried out in 74 countries, mostly in Russia. It added that the totals could be “much, much higher”. You can read the full analysis here.
Julia Wong in San Francisco will now be taking over the liveblog.
Updated
at 9.46pm BST
9.38pm BST
21:38
NHS staff and patients have been getting in touch with us.
One NHS junior doctor at a London hospital, who wishes to remain anonymous, said they were unable to look after patients properly:
However much they pretend patient safety is unaffected - it’s not true. At my hospital we are literally unable to do any X-rays, which are an essential component of emergency medicine.
It’s a good hospital in many ways but the IT is appalling ... This is the 3rd or 4th time there has been major computer downtime since I started at my current hospital, 8 months ago. I know the staff will do their very best to keep looking after everyone, but there are no robust systems in place to deal with blackouts like this - information sharing is hard enough in a clinical environment when everything works.
Without the IT systems I suspect test results will be missed, and definitely delayed. Handovers are much more difficult. It will, absolutely certainly, impact patient safety negatively, even if that impact can’t be clearly measured.
Updated
at 9.38pm BST
9.11pm BST
21:11
Hacking tool was probably stolen from NSA, expert says
A little more detail on how the attack may have come about: According to Prof Alan Woodward, a security expert at Surrey University, it resembles an exploit of “EternalBlue” - the name given to a weakness in Microsoft’s security that is thought to have been identified secretly by the US National Security Agency (NSA).
A hacking group calling itself Shadow Brokers claimed to have stolen information about the vulnerability from the NSA last year, as part of a cache of files. It tried to auction them off but, after no one made a satisfactory bid, reportedly dumped them online for free. Microsoft released a fix and some researchers have suggested that a failure to implement it may have exacerbated the problem. He told the Guardian:
From the analysis that has been done, it looks like it is the ‘EternalBlue’ weakness that has been exploited because it is using the same ports and protocols. We don’t know publicly if it is the NSA (that found the vulnerability) but it is widely assumed it is and that is what Shadow Brokers said.
Updated
at 9.15pm BST
8.34pm BST
20:34
More than half of Scotland’s health boards have been affected by the large-scale cyber-attack on NHS computer systems. GP surgeries and dental surgeries were among some of the locations hit by the ransomware attack on IT networks, the Press Association reports.
NHS Lanarkshire said only those patients requiring emergency treatment should attend hospital while they dealt with the issue on Friday.
Scotland’s biggest health board, NHS Greater Glasgow and Clyde, as well as NHS Tayside, NHS Dumfries and Galloway and NHS Forth Valley confirmed that some of their GP surgeries had been caught up in the incident.
NHS Western Isles, NHS Fife and NHS Borders said they have been affected to some extent. It means that at least eight of Scotland’s 14 health boards have reported some level of disruption as a result of the attack.
There is no evidence that patient data has been compromised.
Updated
at 9.16pm BST
7.50pm BST
19:50
The Agence France-Presse news agency reports that, in Spain, employees at the telecom giant Telefónica were told to shut down their workstations immediately through megaphone announcements as the attack spread.
Forcepoint Security Labs said that “a major malicious email campaign” consisting of nearly 5m emails per hour was spreading the ransomware.
The group said in a statement that the attack had “global scope”, affecting organisations in Australia, Belgium, France, Germany, Italy and Mexico.
Updated
at 8.14pm BST
7.44pm BST
19:44
Some more quotes from the prime minister. She has told reporters:
I think what is important is that we have recognised that increasingly we need to be aware of the need to address cyber security issues, that’s why the National Cyber Security Centre has been set up. It is now able to work with the NHS to support the organisations concerned and to ensure that patient safety is protected.
7.36pm BST
19:36
After the prime minister said she was “not aware of any evidence that patient data has been compromised”, Ross Anderson, a professor of security engineering at Cambridge university, advises caution.
The NHS are saying that patient privacy hasn’t been compromised, but if significant numbers of hospitals have been negligently running unpatched computers for two months after the patch came out, how do they know?