On Friday afternoon, NHS hospitals across England and Scotland fell victim to a cyberattack that caused ambulances to be diverted, equipment to shut down, and clinical services to be disrupted.
It wasn't just NHS computers that were affected. The attack also hit major corporations, including Spanish telecoms giant Telefónica (the parent company of the UK mobile network O2), as well as organisations in Russia, the US, Japan, and France. The attack has prompted fears among commentators and on social media of a deliberate attempt to damage the NHS, or even to interfere in the UK election. But early evidence suggests it was neither deliberately targeted against hospitals nor aimed at health data.
Identifying the source of a cyberattack is a lengthy process, usually requiring a forensic examination of both the code used in the attack and how it spread across the internet. That means we don't yet know with certainty how the NHS attack spread.
The NHS computer systems were hit by what's known as ransomware, which locks the files on any affected machine and makes it unusable unless its owner pays a set amount, usually in the virtual currency bitcoin, to an anonymous account.
This latest attack, a variant of one seen earlier in the year called WCry, or WanaCryptor, demands $300 in bitcoin to be sent to an account that had never received any payments before today – but at the time of writing had received two $300 payments.
This payment is a typical amount for ransomware aimed at a large number of domestic users: it's an attainable sum that victims could be willing to pay to retrieve their files. Too high, and people give up on the computer; too low, and the attack is barely worth the perpetrators' time. Earlier versions of the same ransomware made no effort to steal data, instead just making it unusable, suggesting the latest attack is simply for profit.
Ransomware that was deliberately targeted at Telefónica or the NHS could demand far higher payments because of the nature of the data they hold. And screengrabs of affected machines at the two organisations show the same bitcoin address, suggesting it is one broad attack that has hit both.
Early reports on the blog of a UK cybersecurity firm suggest the attack has spread based on a vulnerability in Microsoft Windows that featured in a leak of exploits used by the US National Security Agency that was published by the hacking group Shadow Brokers. This suggests the NSA was long aware of the danger but used it to develop hacking techniques of its own rather than advising Microsoft to fix it.
In March, Microsoft issued a "critical alert", warning customers that the vulnerability could allow malicious hackers to run programs without the user or administrators having any chance to stop them. The company released a free and urgent fix (known as a "patch").
If it is the same vulnerability involved in the latest attack, this will raise serious questions for IT officials at the top of NHS trusts, who may have missed a critical security update and failed to patch the vulnerability, leading to severe consequences almost two months later.
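The question raised above is whether a critical security update was missed. As an added example (not code from the article, from NHS Digital or from Microsoft), the PowerShell function below reports whether a given set of Windows updates is installed on one or more machines, using the built-in Get-HotFix cmdlet. It assumes the fix in question is delivered as a KB update that Get-HotFix lists; the KB identifiers shown are placeholders, since the article does not name the March bulletin or its KB numbers, and the computer names are constructed for illustration.

```powershell
# Added example (not from the article): report whether a given set of Windows
# security updates is installed on one or more machines, using Get-HotFix.
# The KB identifiers used by the caller are PLACEHOLDERS; substitute the IDs of
# the update you need to verify.

function Get-PatchComplianceReport {
    [CmdletBinding()]
    param(
        # KB identifiers to look for, e.g. 'KB0000001' (placeholder value)
        [Parameter(Mandatory)]
        [string[]] $RequiredKB,

        # Machines to query; defaults to the local machine
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix queries the Win32_QuickFixEngineering class on the target
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop
        }
        catch {
            # Unreachable hosts are reported rather than silently skipped,
            # so that the report never overstates coverage
            [pscustomobject]@{
                ComputerName = $computer
                Status       = 'Unreachable'
                MissingKB    = ($RequiredKB -join ',')
                LastPatchOn  = $null
            }
            continue
        }

        $installedIds = $installed.HotFixID
        $missing = $RequiredKB | Where-Object { $_ -notin $installedIds }

        # Most recent install date gives a quick sense of how stale the host is
        $latest = ($installed |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1).InstalledOn

        [pscustomobject]@{
            ComputerName = $computer
            Status       = if ($missing) { 'Missing' } else { 'Compliant' }
            MissingKB    = ($missing -join ',')
            LastPatchOn  = $latest
        }
    }
}

# Usage with placeholder KB ids and constructed host names:
# Get-PatchComplianceReport -RequiredKB 'KB0000001','KB0000002' `
#     -ComputerName 'ward-pc-01','ward-pc-02' | Format-Table -AutoSize
```

Get-HotFix reaches remote machines over WMI/DCOM, so the account running the report needs administrative rights on each target and the relevant firewall ports open; hosts that cannot be reached show up as Unreachable rather than disappearing from the output. On newer Windows releases, where fixes arrive as cumulative updates, the KB listed by Get-HotFix is the cumulative package, so the RequiredKB list must name the package that supersedes the original fix.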
BuzzFeed News contacted NHS Digital to ask if it had established whether the unpatched Microsoft vulnerability was connected to the attack. A spokesperson said: "We don't know."
Large organisations are particularly vulnerable to this ransomware because of the way it spreads. The mechanism appears to involve a user opening a malicious file embedded in a Word document that then automatically spreads itself to other computers on the same network – with no further human involvement.
Essentially, the only way to prevent a computer on a compromised network being hit by the ransomware is to turn it off or shut down the network.
The early reports may also raise questions for Telefónica, as the company provides some IT networking services to the NHS, and that network appears to be the route by which the ransomware is spreading.
If Telefónica's systems were involved in spreading a major cyberattack to NHS systems, this would renew concerns over the role of private IT providers in the UK's healthcare system.
BuzzFeed News contacted Telefónica to ask about the Microsoft vulnerability, and the possibility the company's systems were involved in the spread of the ransomware to the NHS, but had not had a response by the time of publication.
James Ball is a special correspondent for BuzzFeed News and is based in London.
Contact James Ball at James.Ball@buzzfeed.com.