Cyber 'weapon' that can be bought online for as little as £16: Hackers post step-by-step ransomware guides on YouTube instructing would-be attackers on how to create viruses

  • NHS was hit by major cyber attack with criminals taking control of computers
  • Operations were cancelled as attack affected 45 NHS trusts in England
  • The health service was hit by 'ransomware' that locks users' computers
  • Now YouTube has deleted videos that teach would-be cyber attackers how to create it themselves 

Hackers have posted step-by-step video guides on YouTube instructing would-be cyber attackers on how to create their own ransomware.

The virus software that crippled the NHS can be bought for as little as £16 online and requires little technical know-how to get up and running.

The video website has deleted a number of videos that were uploaded by hackers.

It comes after cyber attackers held the NHS to ransom in an unprecedented global assault crippling hospitals across Britain.

YouTube has deleted a number of videos that were uploaded by hackers including step-by-step guides on how to create ransomware

YouTube has deleted a number of videos that were uploaded by hackers including step-by-step guides on how to create ransomware

Countless operations were cancelled and patients were turned away as 45 NHS organisations and trusts and hundreds of GP surgeries were locked out of their computer systems.

NHS staff pleaded with patients to stay away from A&E except in an emergency, and ambulances were diverted away from hospitals struggling to cope, with medics facing a weekend of chaos.

Meanwhile Russia was believed to be the worst affected country with computers in its interior ministry hit and its second largest phone network - Megafon - also targeted.

Ticketing machines and computers at German railway stations have also been affected alongside Spanish companies including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural. Shipping company FedEx also confirmed it was hit by the attack. 

The NHS was one of the several global government agencies hit by the WannaCry attack, which affected computers, phones and emergency bleepers in hospitals and GP surgeries - pop-ups like the one pictured appeared demanding a ransom of $300 (£230)

The NHS has been hit by a major cyber attack hitting computers, phones and emergency bleepers in hospitals and GP surgeries - and pop-ups like this one have appeared demanding a ransom

Experts say the cyber attack used code developed by the US National Security Agency which was leaked online last month by a mysterious group called the Shadow Brokers.

Data released under the Freedom of Information Act in December suggested 90 per cent of NHS trusts are using outdated software Windows XP, which is 15 years old and has been branded 'obsolete', leaving systems more vulnerable to attacks.

But it is understood the hack has now been stopped thanks to a 'kill switch' that was built into the malware code.

The hackers made the attack able to spread itself by using the NSA code, which is known as Eternal Blue.

The Shadow Brokers released Eternal Blue last month as part of a trove of hacking tools that they said belonged to the US spy agency.

Cambridge University professor Ross Anderson said the attack looked to have exploited a weakness in Microsoft software that was previously fixed by a patch released earlier this year.

But he said the patch may not have been installed on NHS computers and said Health Secretary Jeremy Hunt should be 'roasted' in Parliament.

He told the Guardian: 'If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?

'This is the sort of thing for which the secretary of state should get roasted in parliament.'

With the virus spreading at a rate of five million emails per hour, tens of thousands of victims have now been reported in 99 countries including the US, Australia, Belgium, France, Italy and Mexico.

This map released by cybersecurity experts, shows the impact of the ransomware around the world - with blue dots showing where attacks have been made. Russia is thought to be the worst affected, while Taiwan fears being the victim of a second wave. Europe was targeted first, meaning there were fewer incidents in the US because companies were able to prepare themselves better

This map released by cybersecurity experts, shows the impact of the ransomware around the world - with blue dots showing where attacks have been made. Russia is thought to be the worst affected, while Taiwan fears being the victim of a second wave. Europe was targeted first, meaning there were fewer incidents in the US because companies were able to prepare themselves better

Ransomware: How do hackers take your data hostage?

Ransomware: How do hackers take your data hostage?

Researchers with security software maker Avast said they had observed 57,000 infections worldwide with Russia, Ukraine and Taiwan the top targets.

Asian countries reported no major breaches on Saturday, but officials in the region were scrambling to check and the full extent of the damage may not be known for some time.

China's official Xinhua news agency said some secondary schools and universities had been affected, without specifying how many or identifying them. 

The virus's global spread has been slowed by the triggering of the virtual 'kill switch'.

According to The Register, the switch is built in to the virus and causes it to search for a website address that, once activated, stops the transmission.

It is believed that website was activated on Friday, pausing the spread of the virus.  

Home Secretary Amber Rudd said work was ongoing to identify the attackers, and that no patient data had been stolen.

She told BBC Radio 4's Today programme the virus had not been targeted at the NHS, saying the attack 'feels random in terms of where it's gone to and where it's been opened'. 

She added: 'Windows XP is not a good platform for keeping your data as secure as the modern ones, because you can't download the effective patches and anti-virus software for defending against viruses.

'CQC (Care Quality Commission) does do cyber checks on the NHS trusts, on hospitals when they do their visits, and they will be advising NHS trusts to move to modernise their platforms and I think that after this experience, I would expect them all to move forward with modernising.'

Ms Rudd said the UK was a world leader in cyber security, adding: 'So far, all we have seen is patients inconvenienced, some hospitals, some doctors making changes to their daily life.

'But the fact is no data has yet been accessed and the NHS are brilliantly managing to weave through this disruption.'

Computer expert Lauri Love, who is facing extradition to the US over the alleged theft of data from government computers, said the attack is being powered by a 'top of the range cyber weapon' used by spies in the US.

'It appears the cyber attack affected so many computers in the UK in the NHS and in Spain by taking advantage of a very nasty vulnerability in Microsoft Windows, which was dumped by hacking group Shadow Brokers who obtained it from the NSA in America.'  

Amid a huge row over cyber security flaws in the NHS, Theresa May was forced to reassure the public that their patient records had not been compromised.

As a massive hunt began for the hackers and the NHS declared a 'major incident':

  • The hack reportedly hit up to 74 countries, but the NHS is thought to have been the biggest institution affected;
  • NHS computers, MRI machines and telephones were switched off to stop the attack spreading;
  • Staff described computers going down 'one by one';
  • Doctors were forced to resort to using pen and paper, while patients told of their agony at having operations cancelled;
  • Police sources said the attack bore the hallmarks of a co-ordinated Eastern European or Russian gang operation;
  • Experts said they had been warning about an attack on the NHS for months;
  • It was claimed the hackers may have taken advantage of a chink in the armour of the Microsoft system revealed by a WikiLeaks dump of CIA documents. 

The 'Wanna Decryptor' virus, spread via email in what experts called a 'highly co-ordinated and aggressive' attack, locked staff out of their terminals and demanded $300 (£230) worth of the virtual currency bitcoins to release the files on each employee account. 

Microsoft had apparently launched a defence patch against the virus in March, but experts said few hospitals had updated their systems. 

Police discussed the cyber attack with NHS staff at Lister Hospital in Stevenage

Police discussed the cyber attack with NHS staff at Lister Hospital in Stevenage

The Prime Minister insisted the ransomware hit was 'not targeted' at the health service but was part of a wider assault. 

She added: 'The National Cyber Security Centre is working closely with NHS Digital to ensure that they support the organisations concerned and that they protect patient safety.' 

Mrs May stressed it was unlikely the hackers could access private patient data. But the virus is thought to have locked doctors out of patient records, test results and X-ray scans. 

The hackers said the ransom will double if it is not paid within three days and the data will be deleted if it is not paid within a week. 

A note which appeared on computers throughout the afternoon said: 'Ooops, your files have been encrypted! Maybe you are looking for a way to recover your files, but do not waste your time.' 

As of 6.30pm yesterday, at least 37 NHS trusts in England had been affected. Hospitals in London, Blackpool and Colchester are thought to have been the worst hit – but last night the virus spread over the border into Scotland as the NHS admitted the extent of the chaos had not yet become clear. 

It is not known how many computers were affected but if all of the NHS's 1.4 million employees were affected, the health service would have to hand over £326 million to unlock the scrambled data. Security sources said the Government would not pay a ransom. 

RANSOMWARE: THE CYBER ATTACK THAT CRIPPLED THE WORLD

What is ransomware? 

Ransomware is a type of malicious software that criminals use to attack computer systems.

Hackers often demand the victim to pay ransom money to access their files or remove harmful programs.

The aggressive attacks dupe users into clicking on a fake link – whether it's in an email or on a fake website, causing an infection to corrupt the computer.

In some instances, adverts for pornographic website will repeatedly appear on your screen, while in others, a pop-up will state that a piece of your data will be destroyed if you don't pay.

In the case of the NHS attack, the ransomware used was called Wanna Decryptor or 'WannaCry' Virus. 

The WannaCry virus targets Microsoft's widely used Windows operating system and can quickly spread through an entire network of computers in a business or hospital, encrypting files on every PC

The WannaCry virus targets Microsoft's widely used Windows operating system and can quickly spread through an entire network of computers in a business or hospital, encrypting files on every PC

What is the WannaCry virus? 

The WannaCry virus targets Microsoft's widely used Windows operating system.

The virus encrypts certain files on the computer and then blackmails the user for money in exchange for the access to the files.

It leaves the user with only two files: Instructions on what to do next and the Wanna Decryptor program itself.

When opened the software tells users that their files have been encrypted and gives them a few days to pay up or their files will be deleted.

It can quickly spread through an entire network of computers in a business or hospital, encrypting files on every PC.

How to protect yourself from ransomware 

Thankfully, there are ways to avoid ransomware attacks, and Norton Antivirus has compiled a list of prevention methods:

1. Use reputable antivirus software and a firewall

2. Back up your computer often

3. Set up a popup blocker

4. Be cautious about clicking links inside emails or on suspicious websites

5. If you do receive a ransom note, disconnect from the Internet

6. Alert authorities 

Advertisement

A spokesman at Barts NHS Health Trust, which runs five hospitals in London, said: 'We have activated our major incident plan to make sure we can maintain the safety and welfare of patients.' 

Dr Krishna Chinthapalli, a registrar at London's National Hospital for Neurology and Neurosurgery, said it was the worst attack of its kind ever seen. 

Just 24 hours before the attack, Dr Chinthapalli wrote in a British Medical Journal paper that the NHS was ill-prepared for a cyber attack – warning that nine out of ten NHS trusts ran an 'obsolete' version of Windows. 

He wrote: 'We should be prepared – more hospitals will almost certainly be shut down by ransomware this year.' 

Brian Lord, the former deputy director of GCHQ Cyber and Intelligence, said the attack had been 'inevitable' because firms were 'neglecting basic cyber hygiene'. 

Police at Southport Hospital following the NHS cyber attack on Friday where ambulances were diverted to other hospitals

Police at Southport Hospital following the NHS cyber attack yesterday

A spokesman for NHS Digital said: 'At this stage we do not have any evidence that patient data has been accessed. 

'This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.' 

Experts have been warning for months that the NHS was at risk. Gordon Morrison, director of government relations at Intel Security, warned last November that many NHS hospitals used 'antiquated' computer equipment which did not have the latest security programmes. 

Experts estimate roughly a third of NHS trusts had been attacked before last night. 

Last year an investigation revealed that seven NHS trusts, serving more than two million people, spent nothing on cyber security throughout the whole of 2015. 

East and North Herts NHS Trust issued this warning to patients on their website

East and North Herts NHS Trust issued this warning to patients on their website

Sky News, working with security experts, uncovered misconfigured email servers, outdated software and security certificates.

 It also found NHS trusts' emails and passwords were available through public searches. 

In a similar attack, Wichita Heart Hospital in Kansas last year agreed to pay the hackers' fine, but instead of unlocking all of the information, they released only part of it and tried to extort more cash. 

The hospital refused, and has been left permanently locked out of some data. 

Cyber attack Q&A: What happened, why are hospitals vulnerable and didn't the NHS know it was at risk? 

Cyber criminals have unleashed their most dangerous weapon on the NHS – 'ransomware'. CHIEF REPORTER SAM GREENHILL explains.

What happened?

At 1.30pm yesterday, NHS computers came under massive attack from cyber criminals threatening to destroy patient files unless they received a ransom. Staff found computers locked, with a warning that files had been scrambled to make them unintelligible. It gave a one-week deadline to pay up and recover the data – or see it deleted. In response, dozens of NHS Trusts shut down their IT systems – cutting off phone lines and medical machinery.

Who is affected?

At least 37 NHS Trusts have been attacked by the 'Wanna Decryptor' ransomware virus.

What is ransomware?

A malicious virus which infects devices and holds information hostage until a ransom is paid. It can be triggered by a staff member clicking on a link in a malicious email that may look innocent. The virus lies low until it is activated, either by a timer or remotely by the cyber gang.

Blackpool Victoria Hospital is one of many across the country hit - operations have been cancelled and ambulances diverted 

Blackpool Victoria Hospital is one of many across the country hit - operations have been cancelled and ambulances diverted 

What are the cyber criminals demanding?

The ransom note warns: 'Do not waste your time. Nobody can recover your files without our decryption service.' It demands $300 (£230) worth of the digital currency bitcoins – per computer infected – within three days or the price doubles. If the ransom is not paid by Friday, the files will be wiped 'forever'.

What are bitcoins?

The controversial web currency, dubbed 'geek's gold', recently overtook the value of an ounce of gold. One bitcoin is worth £1,367. They are not physical coins and only exist in cyberspace. Users can remain anonymous, which is why they are often used for illegal activity.

Why are hospitals vulnerable?

Many NHS computers are running very out-of-date software which can have serious security flaws. At least ten health trusts still rely on the Windows XP operating system, released in 2001.

Why target hospitals?

This is viewed as 'unethical' by some hackers, but hospitals are increasingly being seen as easy targets who will pay up quickly because getting systems running is a matter of life and death.

Who are the prime suspects?

Sources said the attack pointed to a criminal network rather than a state. Security insiders have vowed that the Government will not pay a ransom. Hackers in Russia, China, Ukraine and Taiwan have been pioneering ransomware lately.

Didn't the NHS know it was at risk?

Almost a third of NHS trusts have been infected by ransomware, according to the latest edition of the British Medical Journal. Experts have been warning about the risk to the NHS for years. Last year the Papworth Heart Hospital in Cambridge was attacked, but fortunately, a backup had just been completed of its files, meaning the system could be rebooted and the data was safe. The IT director said: 'We were very, very lucky.'

How can attacks be prevented?

Software should be kept up to date. Anti-virus programs can also be used to 'clean' malicious software from a computer. 

Advertisement
 

Heart surgery I waited ten months for was cancelled at the last minute because of the cyber attack, reveals patient

Patrick Ward, 47, had travelled with his family

Patrick Ward, 47, had travelled with his family

A heart patient told last night how his long-awaited operation was cancelled because of the cyber attack as he waited to go into the operating theatre.

Patrick Ward, 47, had travelled with his family from his home in Steeple, Dorset, to St Bartholomew's Hospital in Central London for open heart surgery.

He was due to have a septal myectomy, for which he had been waiting ten months.

The surgery involves removing part of the septum – a wall of tissue that separates part of the heart – which is obstructing the flow of blood.

After having his arms and chest shaved and a cannula inserted into the back of his hand, he was ready to go into theatre when his surgeon told him they had to cancel the operation.

'I was told at about 1.30 that there had been a cyber hack and we couldn't proceed today,' he said. 'Apparently if I needed a blood transfusion during the procedure they would need to access files on their database, which they can no longer do.

'They can't tell me when the next available slot is to reschedule, so we'll stay at a hotel in London tonight and head back to Dorset tomorrow.'

Mr Ward, a sales director for an ice cream company, said: 'It's a specialist operation so it could be a while before I get another appointment. What I have isn't life-threatening but it has impacted my life a lot. It's very restricting.

'I think this is one of the few hospitals that can do it, and they only do it on certain days which is why I've had to wait so long to get a date set. It prevents me from doing exercise and I get pains when I walk. I was hoping to be able to play football again after the operation.

'I was supposed to spend a week in hospital recovering. My daughter travelled from Liverpool today to spend the weekend with me.'

Emma Simpson and her son whose appointment was delayed after the attack

Emma Simpson and her son whose appointment was delayed after the attack

Emma Simpson took her son, Sebastian, to Whipps Cross University Hospital in Leytonstone, east London, for an X-ray on his broken toe but was sent home because of the cyber attack.

They had an appointment with an orthopaedic clinic to check that the toe was healing properly.

But when they arrived they were greeted by 'chaos' and told that computers would be down until 'at least Monday'.

'They sent us away and said they would call us with a new appointment,' she told ITV London. 'Lots of people were very disappointed.'

A woman with a suspected blood clot was turned away from the Lister Hospital in Stevenage, Hertfordshire.

Anthony Brett from Bow, east London, was about to have a stent put in his liver to treat his cancer when he was told the procedure could not happen

Anthony Brett from Bow, east London, was about to have a stent put in his liver to treat his cancer when he was told the procedure could not happen

Janetts Douras originally went to the A&E department on Thursday with the suspected clot but was sent home after six hours and told to return yesterday for a CT scan.

But after an hour she was sent away again with medication that she must inject herself to thin her blood.

She was asked to come back on Monday but said: 'I can't see it happening.' 

 

The day the screens went dead: NHS staff tell of shock as computers freeze then hospitals plunge into chaos

The screens went blank one by one. Shortly after 1.30pm staff in busy hospital wards, GP surgeries, operating theatres and NHS offices up and down the country sat blinking uncomprehendingly at their screens as their systems went down.

Yesterday stunned doctors, nurses and staff revealed how the NHS was paralysed over a matter of hours from a catastrophic cyber attack.

A spam email set off an irreversible train of events, infecting computers, critical hospital software and finally even the phones went dead.

The NHS has been hit by a major cyber attack and criminals have taken control of computers and cut off phone lines across England, leaving some departments working with pen and paper

The NHS has been hit by a major cyber attack and criminals have taken control of computers and cut off phone lines across England, leaving some departments working with pen and paper

One shocked worker at Colchester General Hospital described how her office's computers were 'wiped out, one by one'. 'My computer locked at about 3pm and I couldn't get anything to work. Then my colleague sat next to me said her computer was down. It swept through the office and everyone was affected and didn't know what was going on. One by one the computers were wiped out.'

Tim Dawson, a doctor in a hospital in the North West, said: 'NW hospital computer systems under cyber attack 4 ransom... Sitting in front of a blank screen & can't do any work. Criminal. Poor patients.' Another medic, Chris Lofthouse said: 'Someone has hacked into the computer network at Royal Blackburn Hospital!! Can't give out prescriptions to anyone!!!!'

Nurses and doctors were forced to resort to pen and paper and by 3pm, the only form of communication was hand-held radios. One father, Warren Jones, said staff could not even print out an identity tag for his baby daughter born at 10.30am yesterday. The 24-year-old courier said: 'They don't want to let people go [from the hospital]. It is normal to have two baby tags – we have got no tags. They can't print them out.'

Patients, relatives and friends flocked to social media to vent their fury as patients were told at the last minute their operations were cancelled.

The NHS is investigating "an issue with IT" amid reports of a cyber attack on its systems

The NHS is investigating 'an issue with IT' amid reports of a cyber attack on its systems

Pharmacist Chris Maguire tweeted: 'All shut down in Yorkshire – even in GP practice. Back to handwriting notes while seeing patients without full histories!' Richard Davidson, a junior doctor in Carlisle, tweeted: 'Clinic in ruins. This is chaos. Why would anyone do this?'

Another doctor posted: 'Massive NHS hack cyber-attack today. Hospital in shut down. Thanks for delaying emergency patient care & endangering lives. A**holes.'

Twitter user fendifile, a doctor based in London, shared a photo of her computer screen following the cyber attack. She added: 'We are in middle of an #nhscyberattack computers now all powered off. Happy Friday. Our emergency surgeries are running doors open, we can access our software but ransomware window pops up every 20-30 seconds so we are slow.'

Patient Mark Pritchard wrote: 'Can't get discharged from Colchester general and my test results inaccessible – all computers down from what I hear.'

Dr Tarek Seda, who works at Kings Mill Hospital in Mansfield, said he had to divert a serious case because of the cyber attack. He told the BBC: 'I had a lady today who has severe back pain which potentially could paralyse her, and we had to divert her to another hospital... for further management.'

And an ambulance driver who works for a subcontractor at London's St Bartholomew's Hospital claimed that another ransomware attack had happened six months previously. He said: 'It's terrible if this has happened again...the system was down for a few days.'