More ransomware cases may come to light on Monday, possibly on “a significant scale”, the UK’s cyber-security agency has warned after a global cyber-attack.
The National Cyber Security Centre has advised firms how to protect computers as they start the working week.
It comes after Friday’s attack caused disruption in 150 countries. In the UK, NHS hospitals, pharmacies and GP surgeries were the worst-affected.
A handful of NHS trusts are still dealing with the problems it caused.
In a statement, the National Cyber Security Centre said a ransomware attack of this type and on this scale could happen again although there is “no specific evidence” as yet.
It said it knew of attempts to attack organisations other than the NHS, and warned more cases could “come to light” in the UK and elsewhere as the new working week begins.
Ransomware attacks are “some of the most immediately damaging forms of cyber-attack”, it said, and advised companies to:
- Keep your organisation’s security software patches up to date
- Use proper anti-virus software services
- Back up the data that matters to you, because you can’t be held to ransom for data you hold somewhere else
The NHS, Fedex and the main telecoms operator in Spain were among 200,000 known victims – organisations and private individuals – of Friday’s global cyber-attack.
The ransomware, which locked users’ files and demanded payment to allow access, spread to 150 countries, including Russia, the US and China.
In England, 47 trusts reported problems at hospitals, GP surgeries or pharmacies and 13 NHS organisations in Scotland were also affected.
Some hospitals were forced to cancel treatment and appointments and, unable to use computers, many doctors resorted to using pen and paper.
The cost of the attack is unknown, in the UK or beyond, but BBC analysis of three accounts linked to the ransom demands suggest hackers have already been paid the equivalent of £22,080.
What can patients expect?
The Scottish government said the cyber-attack had been isolated and it expected that most NHS computers would be back to normal by Monday. NHS England has told patients to attend hospital if they have an appointment unless they are told not to.
However, several trusts in England have issued their own advice to patients. As of Sunday night they were:
- St Bartholomew’s in London – IT disruption ongoing. Planned surgery and outpatient appointments will be reduced on Monday at the trust’s five hospitals – the Royal London, Newham, Whipps Cross, Mile End and St Bartholomew’s. Patients should attend booked appointments on Monday unless their hospital contacts them to say otherwise
- East and North Hertfordshire Trust – Patients should assume their appointment is going ahead unless they hear otherwise. Neither Lister Hospital nor the New QE2 are doing non-urgent blood tests
- James Paget University Hospitals Trust, Norfolk – All clinical and surgical appointments this weekend were cancelled. Patients with appointments on Monday and Tuesday are being advised to attend unless they hear from their hospital. AE wait times are longer than usual
- Southport and Ormskirk Hospital NHS Trust – Problems continuing with IT systems. Patients scheduled for surgery on Monday are being told not to attend unless they are contacted. All outpatient and endoscopy appointments for Monday are cancelled
- Lincolnshire Hospitals NHS Trust – Outpatient appointments, diagnostic tests and routine operations are cancelled on Monday
- York Teaching Hospitals NHS Trust – Services are “almost back to normal” albeit a little slower so patients can assume their appointments on Monday will go ahead
- Wrightington, Wigan and Leigh – People are told to avoid AE unless it is an emergency. The trust is working to restore its IT systems
What are the political parties saying?
The government is insisting that the NHS had been repeatedly warned about the cyber-threat to their IT systems.
Defence Secretary Michael Fallon said £50m of £1.9bn set aside for UK cyber-protection was being spent on NHS cyber systems to improve their security.
But Labour say the Conservatives have cut funding to the NHS’s IT budget and specifically a contract to protect computer systems was not renewed after 2015.
The Liberal Democrats and Labour have both demanded an inquiry into the cyber-attack.
In an interview on BBC One’s Andrew Marr show, Sir Michael said NHS trusts had been encouraged to “reduce their exposure to the weakest system, the Windows XP”, with fewer than 5% of trusts using it now.
“We want them to use modern systems that are better protected. We warned them, and they were warned again in the spring. They were warned again of the threats,” he added.
Shadow health secretary Jonathan Ashworth has written to Health Secretary Jeremy Hunt to ask why concerns repeatedly flagged up about the NHS’s “outdated, unsupported and vulnerable” machines had not been addressed.
On ITV’s Robert Peston, Mr Ashworth accused the government of having “cut the IT and infrastructure budget” by £1bn in the NHS, and said his party, if elected to power, would put £10bn into the infrastructure of the NHS.
He called for the Conservatives to publish the Department of Health’s risk register to see how seriously they were taking IT threats.
Scottish Justice Secretary Michael Matheson said more than 120 public bodies were being contacted to ensure their defences were adequate.
What are others saying?
Kingsley Manning, a former chairman of NHS Digital – which provides the health service’s IT systems – told the BBC on Saturday that several hundred thousand computers were still running on Windows XP.
And a neurology registrar from London, Dr Krishna Chinthapalli, wrote an article for the British Medical Journal just a week ago, warning that hospitals would “almost certainly be shut down by ransomware this year”.
He told the BBC the NHS was in a tricky position – treating sick patients, as a 24/7 operation with specialist software – making update implementation complicated.
“People developing ransomware know a hospital is a good target because the information is about patients and is time-sensitive – hospitals need to get their data back quicker,” he said.
Attacks on hospital data and patients were “despicable at the basic level”, he said.
Meanwhile, digital rights campaigners Open Rights Group has accused GCHQ of a “very dangerous strategy of hoarding knowledge of security problems”.
It said Britain’s electronic surveillance agency was “in charge of hacking us and protecting us from hackers”, making it hard to balance the risks of keeping vulnerabilities secret.
Jim Killock, the group’s executive director, said: “US and UK security agencies kept a widespread vulnerability secret rather than telling the companies so they could fix it.” He called for the National Cyber Security Centre to be made independent from GCHQ.
Has the virus been stopped?
It’s unlikely. Europol head Rob Wainwright said he was concerned that the number affected would continue to rise when people returned to work on Monday morning.
He told the BBC there was an escalating threat from the virus, known as Wanna Decryptor or WannaCry, adding: “We’ve never seen anything like this – it’s unprecedented in scale.”
Are you a patient or an NHS employee? Are you still being affected by the cyber attack and its aftermath? Share your story with us by emailing.
Please include a contact number if you are willing to speak to a BBC journalist. You can also contact us in the following ways:
- WhatsApp: +44 7555 173285
- Send pictures/video to
- Upload your pictures / video here
- Tweet: @BBC_HaveYourSay
- Text an SMS or MMS to 61124 (UK) or +44 7624 800 100 (international)
Do you have an unusual story to tell? E-mail email@example.com