As many as 74 countries have been hit by a huge, fast-moving and global ransomware attack that locks computers and demands the digital equivalent of $300, according to Kaspersky Lab, a Russian-based cybersecurity company.
The infections have disabled more than a dozen hospitals in the United Kingdom, Spain's largest telecom company and universities in Italy as well as some FedEx computers. The payment was demanded per computer, to be paid in Bitcoin, an untraceable digital currency.
Infected computers showed a screen giving the user three days to pay the ransom. After that, the price would be doubled. After seven days the files would be deleted, it threatened.
The ransomware is believed to be linked to National Security Agency hacking tools that were leaked by a group that called itself the Shadow Brokers, according to Avast, a Czech security company that is following the fast-moving attack.
That group has been leaking pieces of more than a gigabyte worth of older NSA software weapons since August.
Avast has recorded over 50,000 attacks globally as of Friday afternoon. The majority are targeted at Russia, the Ukraine and Taiwan but have also hit multiple other countries.
Services in London, the central city of Nottingham, and the counties of Hertfordshire — north of London — and Cumbria — in northern England — were affected, according to the BBC. The NHS said 16 of its organizations reported they were victims.
The hackers behind the "ransomware" attack were demanding $300 worth of the online currency Bitcoin to release files from encryption, the Mirror and the Telegraph reported.
In a statement, the NHS said: "A number of NHS organizations have reported to NHS Digital that they have been affected by a ransomware attack which is affecting a number of different organizations. The investigation is at an early stage but we believe the malware variant is Wanna Decryptor."
"At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organizations to confirm this."
It said the attack was not specifically targeted at the NHS and was affecting other organizations. It said it was working to resolve the problem.
#nhscyberattack pic.twitter.com/SovgQejl3X
— gigi.h (@fendifille) May 12, 2017
Hackers behind the Wanna Decryptor virus, a type of malware, often ask users for money to retrieve access to files they have encrypted.
NHS Merseyside, which operates a number of hospitals in northwestern England, tweeted, “we are taking all precautionary measures possible to protect our local NHS systems and services.” The NHS Merseyside website was down Friday afternoon local time.
East and North Hertfordshire NHS Trust, which runs four hospitals north of London, said in a statement: "Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.”
It said it was postponing all non-urgent work and asked people not to come to the accident and emergency unit.
Doctors at some surgeries were forced to use pen and paper to record patient details following the attack, local media reported.
John Caldwell, a doctor in Liverpool, told the Guardian he had “no access to record systems or results."
Chris Mimnagh, another doctor in Liverpool, told the Guardian: “Unable to access our clinical system – as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results. We are dealing with urgent problems only. Our patients are being very understanding so far.”
NHS Million, a campaign which supports NHS staff and is separate from the NHS, tweeted: "We just don't understand the mentality of some people. The only people suffering are people that need emergency care. #nhscyberattack"
We just don't understand the mentality of some people. The only people suffering are people that need emergency care. #nhscyberattack https://t.co/Rk2rGMOLDu
— NHS Million (@NHSMillion) May 12, 2017
