We’re closing the liveblog coverage now. Here’s our latest story from my colleagues Haroon Siddique and Jessica Elgot. Thanks for reading.
The Guardian has spoken to an IT worker whose company has paid out in total around £80,000 to ransomware attackers over the last year, most recently following an attack three months ago.
The 34-year-old IT support worker in the UK, who wishes to remain anonymous, said once the ransom was handed over, those behind the attack were “very, very helpful”.
Due to the high level of encryption, the company was provided with keys to decrypt the files, with the worker describing the “support” from the hackers - given once they had extorted the ransom fee and after causing huge disruption - as “excellent”.
“The data we had was encrypted on a number of volumes due to a Windows vulnerability. We experienced a few attacks which were often happening as a result of someone opening a Word document containing a malicious macro,” he said.
“These attacks probably happen more often than we think. I don’t think the people behind the ransomware attacks realised it would be as successful as it is. These days it’s about the value of real time data - data that is a day old can normally be recovered by backups. But the possibility of data loss for even 24 hours in some industries can have massive ramifications. This makes the files more valuable.”
The director general of the NCA, the law enforcement agency that leads the UK response to cyber crime, has said there is no indication of a second surge of cyber-attacks but warned there still could be one.
In a statement, Lynne Owens said:
As things stand, there is no indication of a second surge of cases here in the UK. But that doesn’t mean there won’t be one.
We’re trawling through huge amounts of data associated with the attack and identifying patterns.
The NCA is leading the criminal investigation into the attack, but for operational reasons we cannot give a running commentary.
Because of the quantity of data involved and the complexity of these kinds of enquiries we need to be clear that this is an investigation which will take time.
But I want to reassure the public that investigators are working round the clock to secure evidence and have begun to forensically analyse a number of infected computers.
Specialist cyber-crime officers from the NCA and our partner regional organised crime units are speaking directly with victims.
That includes visiting NHS sites to help protect victims and secure and preserve evidence. Those visits are continuing.
More than 150 countries have been affected, and we’re in constant communication with international partners, including Europol, Interpol and the FBI and the collaboration has been strong and effective.
The NCA issued the following advice in the wake of the attack:
- Make sure your security software patches are up-to-date.
- Make sure that you are running anti-virus software.
- Back-up your data in multiple locations, including offline.
- Avoid opening unknown email attachments or clicking on links in spam emails.
- Victims of fraud should report it to Action Fraud. We encourage the public not to pay any ransom demand.
Ransomware attack nothing to do with Russia - Putin
Russia had nothing to do with a massive global cyberattack, President Vladimir Putin said Monday, criticising the US intelligence community for creating the original software, AFP reports.
“As for the source of these threats, Microsoft’s leadership stated this directly, they said the source of the virus was the special services of the United States,” Putin said.
He was referring to a weekend blog post by Microsoft president Brad Smith stating that the US National Security Agency had developed the code being used in the attack.
It was leaked as part of a document dump, according to researchers.
“A genie let out of a bottle of this kind, especially created by secret services, can then cause damage to its authors and creators,” Putin said on the sidelines of an international summit in Beijing.
“This completely doesn’t concern Russia.”
The US has accused Russia in the past of mounting several cyberattacks.
Three hospitals in Ireland have been targeted by the cyber attack.
Health chiefs blocked external communication to servers until Wednesday to stop the spread of the “ransomware” virus as officials confirmed that up to 20 computers had been affected.
“They were quickly isolated,” a spokeswoman for the Republic’s Health Service Executive (HSE) said.
“We are not naming the hospitals. It’s just to allow the hospitals themselves to deal with it and so that patients are not unduly concerned.
“Patient care is broadly unaffected.”
Hunt breaks silence on cyber attack
The health secretary, Jeremy Hunt, has broken his silence on the cyber-attacks after pressure to comment.
He said there has not been a second wave of cyber attacks after the NHS was struck by ransomware attacks on Friday, PA reports.
In his first public comments since the attack on Friday, Hunt told Sky News: “I have this morning been briefed by GCHQ and the National Cyber Security Centre, and according to our latest intelligence, we have not seen a second wave of attacks and the level of criminal activity is at the lower end of the range that we had anticipated, and so I think that is encouraging.”
Hunt said all organisations need to do more to protect themselves from cyber attacks, which he said were “relatively common”.
He said: “Although we have never seen anything on this scale when it comes to ransomware attacks, they are relatively common and there are things that you can do, that everyone can do, all of us can do, to protect ourselves against them.
“In particular, making sure that our data is properly backed up and making sure that we are using the software patches, the anti-virus patches that are sent out regularly by manufacturers.
“These are things that we can all do to reduce the risk of the impact that we’ve seen over the last 48 hours.”
Hunt has come under fire for failing to appear in public since the attack, which hit 47 trusts in England and 13 Scottish health boards on Friday.
Thousands of NHS computers were still using the old Windows XP operating system, the government has revealed, though a Number 10 spokesman insisted other Windows systems were also affected.
The prime minister’s spokesman said the NHS had updated the vast majority of its systems but just under 5% were still operating Windows XP.
“There’s been much focus on the idea that NHS systems were running this XP Windows system,” the spokesman said. “Firstly, other Windows systems were affected, this was not in any way limited to XP and more broadly on that, the percentage of NHS [England] systems that were running XP fell from 15-18% in December 2015 to 4.7% now.”
Number 10 said those using the old operating systems were not limited to PCs. “It’s complicated in terms of who uses them, for example with MRI scanners, it’s not as simple as just switching a piece of software,” the spokesman said. “There is an extra £50m allocated for updating cybersecurity in the spending review... made available to NHS bodies.”
No other public bodies have been affected so far but the spokesman said it was “too early to say” that no other breaches were possible. “The Russian interior ministry was affected for one... it was across the range, Scottish Power, Renault, Nissan, Telefonica, state-owned rail services, FedEx.
“I can’t rule anything out, experts said over the weekend you can expect the situation to change as people turn on their computers this morning but I am not aware of any at this point.”
Hunt has faced criticism over the weekend for allowing Rudd to lead on the hack, but Downing Street said the attack was under the remit of the Home Office.
“This is an international cyber crime committed on an unprecedented scale,” the spokesman said. “The Home Secretary has the lead responding to cyber crime and it’s quite right that she takes the lead. The health secretary has been working round the clock co-ordinating the NHS response to this which has been a hugely impressive response and both the health secretary and the prime minister pass on their gratitude to staff who have been working this weekend.”
Authorities were “determined to find out who is responsible,” the spokesman said, though stressed the situation’s complexity.
NHS trusts sent IT security patch that would have protected them
Health trusts across England were sent details of an IT security patch that would have protected them from the crippling ransomware attack, NHS Digital said.
NHS Digital, the arms-length body of the Department of Health that provides information, data and IT systems for the NHS, said it had made health trusts aware last month of IT protection that could have prevented the attack.
It said in a statement: “NHS Digital issued a targeted update on a secure portal accessible to NHS staff on April 25, and then via a bulletin to more than 10,000 security and IT professionals on April 27 to alert them to this specific issue.
“These alerts included a patch to protect their systems. This guidance was also reissued on Friday following emergence of this issue.”
The French government cyber security agency ANSSI knows of “fewer than 10” French companies that have fallen victim to a global hacking attack that hit car factories, hospitals and other organisations in about 100 countries, an ANSSI spokesman said on Monday.
Where's Hunt?
The Prime Minister’s official spokesman has defended health secretary Jeremy Hunt’s lack of public statements or appearances since the cyberattack on Friday.
“This is an international cyber crime, committed on an unprecedented scale.
“The Home Secretary has the lead on responding to crime and cyber crime and it is quite right that she should be taking the lead.
“The Health Secretary has been working round the clock on co-ordinating the NHS response to this, which has been a hugely impressive response.
“Both the Prime Minister and the Health Secretary pass on their thanks to NHS staff who have been working round the clock over this weekend.”
Home Secretary Amber Rudd is to chair a meeting of the Government’s emergency Cobra committee at the Cabinet Office on Whitehall at 5pm on Monday to assess progress on dealing with the attack. Hunt will not be attending.
PM denies claims Government ignored cyber-attack warnings
Theresa May has rejected claims the government ignored warnings the NHS was vulnerable to a possible cyber security attack.
The Prime Minister said warnings had been given to hospital trusts.
During a visit to Oxfordshire, she insisted cyber security was being taken seriously in Whitehall.
Asked if warnings had been ignored, May said: “No. It was clear warnings were given to hospital trusts but this is not something that focused on attacking the NHS here in the UK.”
May said the Government was putting £2 billion into cyber security.
She added: “Europol say there are 200,000 victims across the world.
“Cyber security is an issue that we need to address. That’s why the Government, when we came into Government in 2010, put money into cyber security.
“It’s why we are putting £2 billion into cyber security over the coming years and, of course, created the National Cyber Security Centre.
“We take cyber security seriously.”
Few major problems have been reported in India, with the head of the government response team saying “everything seems to be normal, so far”, AP reports.
Experts estimated 5% of affected computers were in India, with the Computer Emergency Response Team of India issuing a red-colored “critical alert”.
But few major problems were reported. The head of the government response team told Press Trust of India news agency that “everything seems to be normal, so far. No reports have come in” detailing cyberattacks in the country.
Microsoft’s top lawyer has called on governments around the world to treat the international cyber attack as a “wake-up call” as he laid part of the blame at the door of the US administration, PA reports.
Brad Smith, the technology firm’s president and chief legal officer, criticised US intelligence agencies the CIA and the National Security Agency (NSA) for “stockpiling” software code which could be exploited by hackers.
Smith said the “ransomware” attacks had used data stolen from the NSA earlier this year, which contained information on software vulnerabilities the government had hoped to hoard and which was subsequently leaked online.
In a blog post, he said: “An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.
“And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today - nation-state action and organised criminal action.”
“Hundreds of thousands” of Chinese computers at nearly 30,000 institutions including government agencies have been hit by the global ransomware attack, a leading Chinese security-software provider has said.
The enterprise-security division of Qihoo 360, one of China’s leading suppliers of anti-virus software, said 29,372 institutions ranging from government offices to universities, ATMs and hospitals had been “infected” by the outbreak as of late Saturday, AFP reports.
In a statement dated Sunday, Qihoo 360 said the ransomware had spread particularly quickly through higher education, affecting more than 4,000 Chinese universities and research institutions.
It gave few details on the extent of any damage, however, and China’s government has said little about the situation.
Blackpool Teaching Hospitals NHS Foundation Trust, NHS Blackpool Clinical Commissioning Group (CCG) and NHS Fylde and Wyre CCG are still experiencing some IT problems.
They said services are open and operating “as best as possible” but asked patients only to attend A&E in life-threatening and urgent cases.
Many GP practice computer and telephone systems in the area have also been affected by the attack, though all will be open as usual today. However, patients may be required to wait longer to be seen.
The Royal Liverpool and Broadgreen University Hospitals Trust reported their IT system had not been attacked and was operating normally.
Likewise the Pennine Acute Hospitals NHS Trust, which runs hospitals in Manchester, Oldham and Rochdale, said they had not been affected by the attack but had taken precautionary measures to protect their IT systems.
The Southport and Ormskirk Hospital NHS Trust said patient safety is being “maintained” but difficulties are continuing.
Patients scheduled to have operations today have been asked not to attend hospital unless they have been contacted directly.
All outpatients and endoscopy appointments and routine MRI and CT scans scheduled for today have also been cancelled.
Patients have been contacted directly if they need to attend, the trust said.
Patients needing dialysis have been told to attend as usual and the pregnancy assessment unit and all antenatal clinics will be open as usual.
New cyber chaos appears to have been avoided - Europol
European governments and companies appeared early Monday to have avoided further fallout from a crippling global cyberattack, the police agency Europol said.
“The number of victims appears not to have gone up and so far the situation seems stable in Europe, which is a success,” senior spokesman for Europol, Jan Op Gen Oorth, told AFP.
“It seems that a lot of internet security guys over the weekend did their homework and ran the security software updates.”
Europol said more than 200,000 computers around the world had been affected over the weekend in what it said was “an unprecedented attack”.
Europol executive director Rob Wainwright had warned on Sunday the situation could worsen when workers returned to their offices on Monday after the weekend and logged on.
No patient data has been lost in the ransomware attack on Scottish NHS computer systems, Nicola Sturgeon has said.
Eleven health boards as well as NHS National Services and the Scottish Ambulance Service were affected by Friday’s attack, PA reports.
The attack impacted on acute hospital sites in Lanarkshire, as well as GP surgeries, dental practices and other primary care centres around the country.
Systems in Scotland were expected to be recovered by Monday and the First Minister said more than 120 public bodies have been contacted to ensure their defences are adequate.
Foreign Secretary Boris Johnson, arriving in Brussels for a meeting of EU foreign ministers, said the cyber-threat was not on the agenda.
He said: “Cyber-security is a huge issue for all of us in all our countries.
“It’s not specifically on the agenda today, but a huge amount of work goes on between the UK Government and all our friends and partners around Europe, and indeed in the United States, where they are now stepping up their precautions against cyber attacks of these kinds.”
Fewer than a hundred victims of attack have paid ransom - analysis
Three days on from the initial outbreak, fewer than a hundred victims of the WeCry malware appear to have given in and paid the ransom, according to analysis of the two bitcoin addresses to which the software demanded payment.
In order to restore encrypted files, the malware demands a payment of $300 in the cryptocurrency, sent to one of two addresses hardcoded into the software. Yet the contents of the addresses, which like all bitcoin wallets are publicly viewable, show just under 14 bitcoin has been sent to them in total. At current exchange rates, that is worth slightly under $25,000, suggesting just 82 victims have paid the ransom.
The three-day deadline is notable: at the end of that period, the ransom doubles, to $600, which means many of those who are planning on paying the fee will have already done so. A week after infection, the malware claims, the encryption key will be deleted forever.
The low figure of ransoms paid may not be as counterintuitive as it first seems. For smaller firms and individuals hit by ransomware, the key risk is total loss of files due to faulty, or non-existent, backups. For many of them, the motivation to pay the ransom will be high, even if it is unclear whether the malware author will actually hand over the encryption key.
But for larger firms and organisations, like those very publicly hit on Friday, backups will exist. The key damage of the ransomware instead lies in the time during which the machines are rendered unusable, and paying the fine won’t reduce that period by much more than restoring from backups.
Additionally, the malware spread itself primarily through exploitation of a Windows vulnerability, first discovered by the NSA, leaked by a group of hackers calling themselves Shadow Brokers, and fixed by Microsoft three months ago. Smaller organisations with less complex IT needs often install patches more quickly than larger firms, which need to test how the update affects their intricate networks.
The fact that we have the ability to track the payments sent to the hackers at all is yet another piece of evidence underlining the relative incompetence of the authors of the software, according to security researchers. More advanced ransomware automatically generates a new bitcoin address for each victim, both to aid tracking who has paid and to obscure the identity of the criminals.
The other major piece of evidence for the author or authors’ inexperience, according to researchers, is the existence of a “kill switch” in the code which allowed a malware researcher to prematurely end the spread of the software.
Health secretary warned last year of NHS hacking risk - reports
Jeremy Hunt was warned last summer that the NHS was failing to prioritise cybersecurity and continued to use obsolete computer systems, the Times reported.
The Care Quality Commission and Dame Fiona Caldicott, the national data guardian, wrote to the health secretary to point out a worrying “lack of understanding of security issues” and that “the external cyberthreat is becoming a bigger consideration”.
The letter last July proposed a 13-point plan to improve cybersecurity including the replacement of obsolete IT systems “as a matter of urgency”.
York Teaching Hospital NHS Foundation Trust, which was hit by the attack on Friday, said some out-patient appointments had been cancelled on Monday - especially at Selby War Memorial Hospital - but most were not affected.
The trust said bone scan appointments had been cancelled in Scarborough and in Selby: “All outpatient appointments are cancelled except blood-taking and MSK physiotherapy.”
But it said in a statement: “All outpatient clinics at York Hospital, Malton Hospital, Bridlington Hospital are going ahead.
“Planned operations are also going ahead as scheduled.”
The statement added: “The situation will be reviewed daily and information will be shared regarding any cancellations to appointments and services later in the week.
“There will be some delays to our services as we recover from the effects of the cyber attack, and we ask for people’s patience and understanding as we work to fully restore our systems.
“We will ensure that we re-schedule any cancelled appointments as soon as possible.”
Cyber attack hero fears for safety after being named
The British cybersecurity researcher described as an “accidental hero” for halting the global spread of the ransomware attack has spoken of his fears for his safety after a number of media outlets revealed his identity.
The 22-year-old, who tweets as @malwaretechblog, told the MailOnline: “In future someone might want to retaliate - they could find my identity within seconds.
“If they know where I live, they could really do anything.”
He referred to the case of another security blogger who was subject to intimidation, including death threats, after his identity was leaked online.
“I’ve seen posts about the terrible things people have done to him and for me in future it could be the same things,” he said.
Writing on his Twitter account, he said journalists had already tracked down a friend, whose photograph was published in the press, and turned up at her house, saying: “Please if you want an interview that badly, DM me.”
The online community pleaded for his identity not to be outed online - a research process known as “doxing” - to protect him.
He earlier told the Guardian: “It just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”
Meanwhile in Japan, AP reports the ransomware attack hit computers at 600 locations but appeared to cause no major problems as Japanese started their workday Monday even as the attack caused chaos elsewhere.
Nissan Motor Co. confirmed some units had been targeted, but there was no major impact on its business.
Hitachi spokeswoman Yuko Tainiuchi said emails were slow or not getting delivered, and files could not be opened. The company believes the problems are related to the ransomware attack, although no ransom appears to have been demanded so far. They were installing software to fix the problems.
The Japan Computer Emergency Response Team Coordination Center, a nonprofit providing support for computer attacks, said 2,000 computers at 600 locations in Japan were reported affected so far, citing an affiliate foreign security organization that it cannot identify.
At least one hospital was affected, according to police.
The city of Osaka said its home page suddenly went blank, although email and other problems had not been detected.
“We cannot confirm why this happened, and we are in the middle of investigating,” said Hajime Nishikawa of the city hall’s IT division.
Global nature of attack comes into focus
As the UK wakes up on Monday braced for fresh impact as the NHS returns to work, Chinese state media say more than 29,000 institutions across China have been infected by the global “ransomware” cyberattack, AP reports.
Xinhua News Agency reports that by Saturday evening, 29,372 institutions had been infected along with hundreds of thousands of devices. It cited the Threat Intelligence Center of Qihoo 360, a Chinese internet security services company.
It says universities and educational institutions were among the hardest hit, numbering 4,341, or about 15 percent of internet protocol addresses attacked. Also affected were railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services.
Xinhua says the system used by PetroChina’s gas stations was attacked, meaning customers could not use their cards to pay. Most stations had recovered.
Welcome to live coverage of the fallout from last Friday’s ransomware attack.
Ben Wallace, the UK security minister, has been on BBC Radio 4’s Today programme defending the government’s record on investment in cyber-security.
He said he did not know if the ransomware attack would escalate or stabilise.
Asked if the Government was to blame for cutting budgets, Wallace said reasons for failures to protect against the attack dated back to decisions made by the Labour government in 2007 in relation to agreements with Microsoft.
Wallace said the Government had committed £1bn to countering cyber threats across all Government.
“The blame lays with these individuals who have decided to blackmail and destroy our public services,” he said.
“We have always said as a Government that if you follow the very basic steps, continue to back yourself up as an organisation, you will always be in a position where a ransomware attack is minimised if not entirely deferred.”