The Guardian - UK
Chris Johnston (now), Graham Russell, Sam Levin, Julia Carrie Wong and Kevin Rawlinson (earlier)

Disruption from cyber-attack to last for days, says NHS Digital – as it happened

Worldwide ransomware attack hits NHS hospitals

Closing summary

We’re wrapping up our live coverage of the ransomware cyber-attack and leave you with a summary of today’s main developments:

  • Amber Rudd, the UK home secretary, said after chairing a meeting of the government’s emergency Cobra committee that 48 of the 248 NHS trusts in England were affected by Friday’s cyber-attack, with all but six now back to normal.
  • Companies and organisations in almost 100 countries, including Nissan’s plant in Sunderland and Renault factories, were affected by the cyber-attack.
  • Theresa May said there was “no evidence” that NHS patient records had been compromised in what Europol has described as an “unprecedented” attack.
  • Labour has accused Jeremy Hunt, the health secretary, of ignoring “extensive warning signs” that could have prevented the attack on the NHS.
  • The UK-based cybersecurity researcher who halted the global spread of the ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.
  • The criminals behind the cyber assault appear to have raised just $20,000 (£15,500) from their demands for bitcoin in return for decrypting files, experts told the Guardian.
  • You can read our latest report here: Cyber-attack that hit NHS sparks bitter political battle over health spending.

Dr Mark Porter of the BMA Photograph: Frank Baron for the Guardian

The British Medical Association says the cyber attack has forced some doctors to “resort to pen and paper” rather than update patient records digitally.

Dr Mark Porter, BMA council chairman, said the incident was extremely worrying for patients and the doctors treating them.

“There have been reports of hospital doctors and GPs unable to access patients’ medical records, appointment booking systems and in some cases having to resort to pen and paper. NHS staff are working extremely hard to provide the best possible patient care and we hope NHS Digital are able to resolve these problems as soon as possible,” he said.

“We need to quickly establish what went wrong to prevent this happening again and questions must also be asked about whether inadequate investment in NHS information systems has left it vulnerable to such an attack.”

The Scottish government says 13 NHS boards in Scotland were affected by Friday’s cyber attack.

NHS Digital says disruption to last for days

The aftermath of the cyber attack that affected 48 NHS bodies is likely to last for several days, with six still suffering disruption on Saturday.

NHS Digital said engineers are working “around the clock” to fix the problem. “We are aware some bodies, which range from practices to trusts, may have suspended selected systems purely as a precautionary measure,” a spokesman said.

“We are aware of widespread speculation about the use of Microsoft Windows XP by NHS organisations, who commission IT systems locally depending on population need. While the vast majority are running contemporary systems, we can confirm that the number of devices within the NHS that reportedly use XP has fallen to 4.7%, with this figure continuing to decrease.

“This may be because some expensive hardware (such as MRI scanners) cannot be updated immediately, and in such instances organisations will take steps to mitigate any risk, such as by isolating the device from the main network.”

Amber Rudd

More from Amber Rudd. Amid suggestions outdated software left some NHS systems vulnerable, the home secretary said it is important to remember that it was not the health service alone that has been affected.

“If you look at who’s been impacted by this virus, it’s a huge variety across different industries and across international governments. This is a virus that attacked Windows platforms. The fact is the NHS has fallen victim to this,” Rudd said.

“I don’t think it’s to do with that preparedness. There’s always more we can all do to make sure we’re secure against viruses, but I think there have already been good preparations in place by the NHS to make sure they were ready for this sort of attack.”

Amber Rudd admitted “there’s always more” that could be done to protect against viruses.

A fifth of trusts were hit by the ransomware on Friday afternoon, forcing hospitals to cancel and delay treatment.

Rudd said: “Of the 48 that have been impacted, most of them are back to normal course of business, so only six of them have some limits on their business.”

Amber Rudd has been speaking to Sky News political correspondent Beth Rigby:

48 NHS trusts hit

Home Secretary Amber Rudd says Friday’s cyber attack affected 48 of the 248 NHS trusts in England, with all but six now back to normal.

All A&E departments are operating as normal, she said after chairing a meeting of Cobra, the government’s emergency response committee, on Saturday afternoon.

The Liberal Democrats have called for an inquiry into why the Conservatives cut cyber-security support for the NHS by ending a deal with Microsoft.

The party’s shadow home secretary, Brian Paddick, said: “We need to get to the bottom of why the government thought cyber-attacks were not a risk, when a combination of warnings and plain common sense should have told ministers that there is a growing and dangerous threat to our cyber-security.

“It is worrying that in Amber Rudd we have a home secretary in the digital age more suited to the era of analogue. This is not the first time she has looked lost in cyber-space. The government likes to look tough but this is an example of where it has left Britain defenceless. We demand to be told why.”

The “accidental hero” who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.

The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefonica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.

The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who lives with his parents and works for Kryptos Logic, an LA-based threat intelligence company.

Sky News political correspondent Beth Rigby tweets that the Cobra meeting, scheduled to start at 2.30pm, has now concluded.

Many have been asking where health secretary Jeremy Hunt has been amid the computer chaos in the NHS.

He has finally emerged and was spotted earlier this afternoon arriving for the Cobra meeting in Whitehall, as Jon Vale of Press Association tweets.

Technology commentator Charles Arthur says the Tories are responsible for the sorry state of IT in the NHS:

Public services aren’t disproportionately targeted by hackers; if anything, they tend to offer less interesting pickings to profit-seeking hackers than smaller commercial outfits. But they constitute low-hanging fruit for ransomware in particular.

Amber Rudd can burble as much as she wants, but the £1bn put into the National Cyber Security Centre is a fraction of the amount needed to upgrade the NHS’s IT systems. The next government should acknowledge that fact.

A Welsh government spokesperson said there had been no incidents in NHS Wales like those affecting NHS systems in England and Scotland.

“We have recently invested in upgrading IT to protect potentially vulnerable frontline NHS Wales systems. We have also introduced a national standard for IT security for all GP surgeries in Wales. We continue to monitor the situation closely,” the spokesperson said.

The global ransomware cyber-attack that targeted tens of thousands of computers in 100 countries and crippled NHS systems appears to have raised just $20,000 (£15,500) for the criminals behind it, experts working with investigators have told the Guardian.

Tom Robinson, co-founder of Elliptic, a company that identifies illicit activity involving bitcoin and provides services to most major law enforcement agencies in the US and UK, said that at least three bitcoin addresses have been identified as being associated with the malware used in Friday’s worldwide attack.

Rudd responds to Labour accusations

Labour wrote to the health secretary, Jeremy Hunt, earlier today to demand answers on the impact of the ransomware attack on the NHS. Home secretary Amber Rudd - not Hunt - has now replied to that letter.

“The malicious actions of the cyber criminals behind this attack have caused considerable distress for those patients who have been affected,” she wrote. “There is no evidence that any patient data has been compromised and the NHS has done brilliantly to manage the disruption.”

“But we must be careful not to characterise this as an attack on our NHS, and it is vital we do not jump to the wrong conclusions. As Europol have said, the scale of this attack is unprecedented and it is affecting a wide range of organisations in almost 100 countries around the globe.

“Today we have learned that Nissan’s plant in Sunderland has been affected, while according to reports others affected around the world include major telecoms firms, utility providers, railways, universities and local authorities.”

Responding to a suggestion by shadow health secretary Jonathan Ashworth that the government had failed to invest in NHS digital services, Rudd added: “We have doubled investment in cyber security to £1.9 billion and established the National Cyber Security Centre as part of GCHQ to act as a single point of contact for major incidents like this.

“The NCSC provides guidance to organisations on how to protect themselves from ransomware, and CareCERT was established in 2015 to provide national cyber support services for the health and care system. It is delivered by NHS Digital, working with the NCSC, and since 2015 more than £50 million have been made available to support CareCERT services.”

And in a final swipe against Labour, she said: “Should you have any concerns about the security of the Labour Party’s own systems, GCHQ stand ready to provide a briefing on how best to minimise the risk of a successful attack.”

May says 'no evidence' patient records compromised

Theresa May said there is “no evidence that patient records have been compromised” and thanked NHS staff for working overnight.

“This cyber attack that has taken place has affected organisations here in the UK but in many countries around the world as well. Europol has said that it is unprecedented in terms of the scale of the cyber attack that has taken place. The National Cyber Security Centre is working with all organisations here in the UK that have been affected and that’s very important,” the prime minister said.

“I’d like to thank particularly the NHS staff who have been working through the night to ensure that, as we know, there has been no compromise of patient records.”

May also said it was “entirely right” for Amber Rudd to chair a Cobra meeting this afternoon.

“The home secretary has responsibility for these issues but the government is ensuring through our National Cyber Security Centre that we are giving this our full attention and working with all the organisations concerned to resolve it.”

An electronic display at Frankfurt am Main station advises passengers to refer to timetables following the cyber attack. Photograph: Boris Roessler/AFP/Getty Images

More from Germany, where the main victim of the cyber-attacks appears to be Deutsche Bahn, the national rail network, whose surveillance technology has been seriously affected.

Germany’s federal crime police office the BKA has taken over the criminal investigation to find the culprits, according to interior minister Thomas de Maiziere. He said the attack has caused a “very serious threat” that authorities had repeatedly warned was likely.

According to a DB spokesman, the attack led to the partial shutting down of digital display boards across the country, as well as the failure of ticket machines at railway stations. Video surveillance technology across the country was also affected, a spokesman for the interior ministry said.

According to the interior ministry spokesman, government computer networks remained unaffected by the attack. DB appears to be the only organisation that has been attacked in Germany, but whether it has also been affected by the “WannaCry” trojans is unclear.

Across the country, travellers reported that digital arrival and departure information display boards had been disrupted. Instead of the normal information, the empty display boards flashed messages informing passengers: “please refer to timetables”.

The bahn.de website and smartphone app appeared to have been unaffected, a spokesman for DB said. Ticket offices remained open and rail traffic was apparently unaffected by the attack.

The UK-based cybersecurity researcher credited with helping to stop the spread of the ransomware attack has written an article - How to Accidentally Stop a Global Cyber Attack - explaining what happened on his MalwareTech blog.

You might need a computer science degree to understand some of it though.

Ransomware demand on a screen

The digitalhealth.net site reports that some of the disruption to NHS services has been caused by trusts turning computer systems off as a precautionary measure, rather than them being infected by the ransomware.

One leading NHS IT director told Digital Health News: “All of the reports on the BBC [about disruption] are directly related to people having shut down networks, nothing to do with the ransomware itself.

“I know people have been hit, but I fail to see how disconnecting clinical systems from networks helps anyone. If your clinical system can be attacked by ransomware, there is something seriously wrong with its deployment.”

Mikko Hypponen, chief research officer at Helsinki-based cyber security company F-Secure, says the attack is “the biggest ransomware outbreak in history”, affecting 130,000 systems in more than 100 countries.

He says that Russia and India were hit particularly hard, partly because the older Windows XP operating system is still widely used in those countries.

A display at Chemnitz station in eastern Germany displays a ransom demand on Friday night. Photograph: P. Goetzelt/AFP/Getty Images

German rail operator Deutsche Bahn said its systems were infected as part of the global cyber attack that has wreaked havoc in almost 100 countries.

Although train services were not disrupted, some arrivals and departures boards at stations had been affected.

Pictures posted online by travellers showed red windows appearing on announcement boards with a message demanding payment to restore access. Deutsche Bahn said it was working to rectify the problem.

German interior minister Thomas de Maiziere said government computer systems were not affected.

Labour leader Jeremy Corbyn has also responded to the attack:

What we’ve now got is a bunch of 21st Century highway robbers that have hacked into our NHS and are basically offering protection money to get the information back in order to treat cancer patients or anybody else. It’s unbelievably disgusting and I’ve got nothing but contempt for those people that have done it, and I’m sure all of you would share that.

But I’m also very angry that in 2014, there was a one-year renewal of the protection system on the NHS systems which was not renewed after that and not renewed the year after that and so our systems are now not upgraded and not protected. As a result, we’ve got this dreadful situation that NHS workers are facing today.

And so we obviously support our NHS workers but I tell you this, a Labour government would not leave our NHS’s very vital information systems unprotected. We would protect them.

Shadow health secretary Jon Ashworth. Photograph: David Sillitoe for the Guardian

Labour said there have been repeated warnings about the vulnerability of the outdated NHS systems, including from the National Cyber Security Centre and the National Crime Agency.

Many had been left “extremely vulnerable” to an attack since 2015, when they continued to use an outdated version of Windows after a security package had been stopped, Jon Ashworth said.

“NHS Trusts have been running thousands of outdated and unsupported Windows XP machines despite the Government ending its annual £5.5m deal with Microsoft, which provided ongoing security support for Windows XP, in May 2015,” the shadow health secretary wrote in his letter to Jeremy Hunt.

“It effectively means that unless individual trusts were willing to pay Microsoft for an extended support deal, since May 2015 their operating systems have been extremely vulnerable to being hacked.”

A freedom of information request in February found that 79 English NHS trusts had suffered ransomware attacks since June 2015, Ashworth said.

Labour accuses Hunt over NHS attack

Labour has accused Jeremy Hunt of ignoring “extensive warning signs” before the unprecedented cyber attack that has plunged the NHS into chaos.

Shadow health secretary Jonathan Ashworth said concerns were repeatedly flagged about the NHS’s outdated computer systems, which left it vulnerable to the virus.

In a letter to Hunt on Saturday he wrote: “As Secretary of State, I urge you to publicly outline the immediate steps you’ll be taking to significantly improve cyber security in our NHS. The public has a right to know exactly what the Government will do to ensure that such an attack is never repeated again.”

Nissan's Sunderland plant affected

Nissan Sunderland

The huge Sunderland car factory owned by Nissan has been struck by the cyber attack, halting production at 5pm on Friday.

A Nissan spokesman told Newcastle’s ChronicleLive: “Like many organisations, our UK plant was subject to a ransomware attack affecting some of our systems on Friday evening. Our teams are working to resolve the issue.”

It’s worth remembering that back in February 2016 a Californian hospital paid $17,000 in bitcoin after hackers installed a virus on its computer systems that encrypted their computer files.

Hollywood Presbyterian Medical Center lost access to its computer systems on 5 February. Almost two weeks later the hospital said it had paid up to regain access to its data.

The move was one of the most high-profile examples of a hacking victim paying the fee for so-called ransomware.

BBC technology correspondent Rory Cellan-Jones tweets:

Renault’s headquarters in Boulogne-Billancourt, west of Paris.

French carmaker Renault is the first French firm to be hit by the global cyberattack, management said on Saturday.

“Work is going on since last night. We are doing what is needed to counter this attack,” a spokesperson said.

“The problems were mainly related to France, where some of Renault’s factories also faced a malfunctioning of certain parts of its information system,” she added.

The attack has also halted production at Renault’s Revoz subsidiary in Slovenia after computer systems were hit.

Microsoft launched Windows XP in October 2001. Photograph: Jeff Christensen/Getty Images

The Guardian’s Samuel Gibbs reported in May 2015 that the Government Digital Service had decided not to continue its £5.5m deal with Microsoft to extend support for Windows XP. That decision left government computers still running on the obsolete operating system at risk from hackers and may be one reason why some NHS trusts fell victim to the attack on Friday.

The service said ending the support meant “weaknesses that are found in unsupported products will remain unpatched and will be exploitable by relatively low-skilled attackers”.

Microsoft withdrew its extended support programme for Windows XP, its 14-year-old operating system, in April 2014. Given the number of Windows XP PCs still being used in government and businesses at the time, Microsoft provided paid-for extended support on a one-off basis.

The threat posed by the cyber-attack has receded for the time being, partly because a UK-based cyber security researcher registered a domain that he noticed the malware was trying to connect to, limiting its spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec. “The numbers are extremely low and coming down fast.”

But the attackers could yet tweak the code and start the new cycle. The British-based researcher, whose Twitter handle is @MalwareTechBlog, said he had not seen any such tweaks yet, “but they will”.

Russia’s central bank says it detected “massive” cyber-attacks on domestic banks, which successfully defended themselves, the RIA news agency reports.

Russian media said that state-owned Russian Railways also successfully defended itself from a cyber-attack.

Cobra meeting called

The home secretary, Amber Rudd, will chair a Cobra meeting in Whitehall at 2.30pm.

The cyber-attack has affected some hospitals, schools and universities in Asia, but the extent of any damage remains unclear.

China’s official news agency, Xinhua, said secondary schools and universities were hit but did not say how many. Sun Yat-sen university said it received a large number of virus complaints on Friday, financial magazine Caixin reported.

William Saito, cyber security adviser to the Japanese cabinet government, said some institutions were affected but did not elaborate.

South Korea’s Yonhap news agency said a university hospital in Seoul had been hit as well. Two hospitals in Jakarta were hit, according to an Indonesian official.

Amber Rudd admits there is chance not all NHS files are backed up

Amber Rudd told BBC Breakfast she could not confirm that all NHS files are backed up. She said:

I hope the answer is yes, that is the instructions that everybody has received in the past. That is good cyber-defence, but I expect, and we will find out over the next few days if there are any holes in that.

There may be lessons to learn from this but the most important thing now is to disrupt the attack, let’s come back to afterwards whether there are lessons to be learned.

Rudd later told Sky News: “It is disappointing that they [the NHS] have been running Windows XP - I know that the secretary of state for health has instructed them not to and most have moved off it.”

She added: “Where the patient data has been properly backed up, which has been in most cases, work can continue as normal because the patient data can be downloaded and people can continue with their work.”

G7 finance ministers turned their focus today to combating cybercrime in what Italy’s Pier Carlo Padoan described as an “unfortunately very timely” discussion, AFP reports.

The ministers from the group of seven wealthy democracies will say that cyber incidents represent a growing threat to their economies and that tackling them should be a priority, Italian officials said.

The talks, scheduled before Friday’s events, focused particularly on the potential threat to the global financial system in the event of hackers being able to infiltrate the computer systems that run the global banking system, capital and equity markets.

The ministers, who also discussed inequality, and transnational tax evasion during their two-day review of the world economy, were due to wrap up their talks at lunchtime.

“We are agreed on many things ... including on the fight against cybercrime which is unfortunately very timely,” Padoan said on his arrival for Sunday’s closing session.

The UK National Cyber Security Centre is sharing advice on how to prevent a ransomware hack and what to do if you’ve been targeted.

The Scottish government has said it is working closely with health officials following the hack of 11 of Scotland’s 14 NHS health boards.

The Scottish health secretary, Shona Robison, who chaired a Scottish government resilience meeting earlier this morning, said work to fix the systems had entered a “recovery phase”. She told the BBC’s Good Morning Scotland programme:

People are working very, very hard and have worked through the night. The update I’ve got this morning is that we’re very much into recovery phase now, with a lot of work going on to get systems back up running.

The GP systems, which of course were the main problem across our health boards - work is going on, and there is a level of confidence that many will be back up and running before GP surgeries open on Monday morning.

Robison added that there has been no detection of breach to patient confidentiality “so patients should be reassured by that”.

NHS trusts unaffected by the hack are taking precautionary measures.

Here’s some more from the home secretary’s media round this morning, in which she’s giving very few details about the investigation into the attack.

Rudd said the attack “feels random in terms of where it’s gone to and where it’s been opened”, but said the authorities did not yet know where it had originated.

She added: “Windows XP is not a good platform for keeping your data as secure as the modern ones, because you can’t download the effective patches and anti-virus software for defending against viruses.

“CQC (Care Quality Commission) does do cyber-checks on the NHS trusts, on hospitals when they do their visits, and they will be advising NHS trusts to move to modernise their platforms and I think that after this experience, I would expect them all to move forward with modernising.”

Rudd said the UK was a world leader in cyber security, adding: “So far, all we have seen is patients inconvenienced, some hospitals, some doctors making changes to their daily life.

“But the fact is no data has yet been accessed and the NHS are brilliantly managing to weave through this disruption.”

NHS must upgrade software - Amber Rudd

Amber Rudd, the home secretary, has been responding to the attack on BBC Radio 4’s Today programme.

“We are not able to tell you who is behind that attack,” she said. “That work is still ongoing. We don’t know anymore about where it has come from at the moment. We know it has affected up to 100 countries and it wasn’t targeted at the NHS.

“We know from the information we have on the type of virus that it feels random about where it has gone to and where it was opened. It is the type of virus that works particularly effectively between systems that are connected to each other so it is more likely to impact larger organisations than individuals. No patient data has been accessed or transferred in any way, that’s the information we’ve been given.”

She added that she expected to see the NHS update its computer systems in the wake of the attack, following reports that the organisation may have been made vulnerable by running outdated Microsoft software.

“I expect NHS trusts to learn from this and make sure they do upgrade,” Rudd said.

Microsoft said its decision to make the software patch available to all was “made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind”.

It warned that some of the attacks relied on common phishing tactics and urged customers to be vigilant when opening documents from untrusted or unknown sources.

Microsoft has released a solution for all Windows users, regardless of whether they are supported or not. The corporation said it was “painful” to see how businesses and individuals had been affected by the attack.

Summary

If you’re just joining us, here’s what we know so far about Friday’s cyber-attack that has affected countries and organisations across the globe:

  • A global ransomware attack has hit the UK’s National Health Service hardest, forcing hospitals to cancel operations and divert ambulances and rendering documents such as patient records and x-rays unavailable. The National Cyber Security Centre says teams are “working round the clock” to bring systems back online. NHS Digital and prime minister Theresa May say there is no evidence patient data has been accessed.
  • Thousands of patients across England and Scotland are stuck in limbo, with parents of newborns unable to take them home. The service will doubtless face a weekend of delays and non-emergency patients have been urged to use health facilities frugally.
  • A security expert has been hailed an “accidental hero” for his role in halting the spread of the WanaCrypt0r 2.0 bug. The man behind the @MalwareTechBlog Twitter account is reported to have simply paid a few dollars to register a domain name that, once active, performs the role of a “kill switch” that deactivates the malware in its current form.
  • Tens of thousands of attacks were registered in 99 countries. Russia, Ukraine, India and Taiwan initially appeared to be most hard hit, though details are yet to emerge. Russia said 1,000 computers at its interior ministry were affected.
  • The malicious software asks for a $300 (£233) ransom per machine to be paid in cryptocurrency Bitcoin to unlock computers. Some payments are reported to have been made.
  • The bug appears to originate from a malware dump made by a group called Shadow Brokers, which claim to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).
  • In Spain, megaphone announcements told employees at telecom giant Telefónica to close their workstations immediately while the attack spread.
  • Scotland reported that 11 health boards and its ambulance service were attacked.
  • Whistleblower Edward Snowden blamed the NSA, saying: “If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened.”
  • FedEx also announced it was affected and said it was “implementing remediation steps as quickly as possible”.

The security expert credited with halting the spread of the bug – at least in its current iteration – might have quite a busy weekend by the looks of it.

Here is a fuller read on the plight of the NHS as we enter day two of the crisis for the organisation, which appears by far the biggest victim of the cyber-attack.

Patients at hospitals and GP surgeries in England and Scotland will face a weekend of disruption, as delays that began on Friday spill over into the weekend.

The shadow health secretary Jonathan Ashworth urged the government to be “clear about what’s happened”, describing the attack as “terrible news and a real worry for patients”.

The notoriously difficult process of tracking down the source of the attack begins.

Ciaran Martin, the head of the UK’s cyber security agency, told the BBC on Friday night: “It’s important to understand that cyber attacks can be different from other forms of crime in that their sometimes highly technical and anonymous nature means it can take some time to understand how it worked, who was behind it and what the impact is.”

The malware researcher who helped curtail the spread of the attack has pointed out that escaping this attack does not necessarily safeguard against further, similar attacks.

Taiwan’s department of cyber security has said the island’s government agencies and hospital systems appear to be so far unaffected by the attack. Taiwan was prominent on the list of places affected by the WanaCrypt0r 2.0 bug.

However, Howard Jyan, the director general of the government department, said there had been no disruption and that Taiwan was ready for any future attacks, adding: “We can control the situation.”

Meanwhile, Ross Feingold, a Taiwan-based political analyst who advises on Taiwan and Hong Kong political affairs, said: “As the attack commenced on Friday night Taiwan time, many organisations, whether government or private sector, will only know the true impact on Monday morning when personnel return to work, turn on their computers, and possibly click on malware and/or otherwise discover that the organisation is the victim of ransomware.”

“However, it once again demonstrates that Taiwan’s cyber security, as in other areas of its defences, requires ongoing investment in software, hardware, and personnel training so that they can identify suspicious emails in both Chinese and English.”

This malware tracker from MalwareTech gives a map view of where the ransomware struck across the globe. The timeline underneath shows just how quickly it spread, and the sharp dip coincides presumably with the moment the “accidental hero” registered the domain name that halted the attack for the most part.

The Register reports that payments appear to have been made to Bitcoin addresses given as part of the attack on the UK’s National Health Service. This attack asks for $300 in Bitcoin payments to release files encrypted on the infected device. Affected users face the prospect of paying up – with no guarantee a cyber-criminal will indeed unlock their files – or trying to resort to back-up files.

The blame game for what has been described by Rohyt Belani, the chief executive of email security company PhishMe, as the “atom bomb of ransomware”, has a long way to run.

The New York Times here considers whether it should be the hackers (who found and used the tool), the NSA (which appears to have had some role in exploiting a vulnerability it discovered) or the victims (organisations and people who, for a variety of reasons, did not keep their systems sufficiently secure).

A handy guide here by Alex Hern and Samuel Gibbs on the tech aspect of this event. It gives an idea of how quickly this kind of attack can spread, and how vulnerable major institutions around the world can be if their security upgrades are outpaced by hackers.

The human cost of what is a random attack, spread via email, is still emerging. In the UK, thousands of patients faced disruption as x-rays, test results and patient records became unavailable and operations were cancelled.

Royal London hospital had to delay the release of newborns to go home, according to one father, whose child did not have any wrist tags. Warren Jones said: “It is normal to have two baby tags – we have got no tags. They can’t print them out, I’m guessing. It is a bit disappointing, really. I don’t know how easy it is but they have taken over a whole system and shut it down.”

Patient transfers were also hit. One woman said her daughter, who is in a wheelchair, could no longer be moved to another hospital. “I went to the nurses: ‘Oh, I need to know, is it tonight?’ and they went: ‘Did you not hear about the cyber-attack? Everything is on hold.’”

NHS Digital, the information arm of the UK’s health service, has said “we do not have any evidence” that patient data has been accessed as a result of the attack. It has yet to address the issue of whether the organisation’s IT network had an outdated security set-up.

Here is the full read on the cybersecurity researcher who appears to have played a huge role in tackling the spread of the malware, by taking control of the domain name to which the code is linked.

Officials in Australia are working to ascertain whether the attack has affected organisations there. The prime minister, Malcolm Turnbull, said via a spokesman: “We are continuing to monitor the situation closely and stand ready to deal with any cyber-security threat to Australia’s critical infrastructure.”

There are no confirmed reports Australian organisations have been hit.

Thank you, Sam. Friday’s ransomware attack has seen Taiwan become one of its main victims and we’re working to find out more details about how organisations there have been affected. The island is one of the most hacked places in the world, given its geopolitical situation. Dozens of its schools have been targeted with ransomware this year. Of course, this latest cyber-attack is more random in nature.

What we know so far

Here’s what we know so far about the massive ransomware cyber-attack that has affected countries across the globe:

  • There have been reports of tens of thousands of attacks in 99 countries, including the UK, Russia, Ukraine, India, China, Italy and Egypt.
  • The NHS was hit as part of the attack, and staff across at least 16 trusts in the UK were affected – locked out of computers and forced to divert emergency patients.
  • Thousands of patients across England and Scotland were stuck in limbo, with many having operations cancelled at the last minute.
  • By late Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia were most hard hit.
  • A group called Shadow Brokers made the malware dump available online earlier this month, claiming to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).
  • The malicious software is known as WanaCrypt0r 2.0 and was asking for a $300 (£233) ransom per machine to be paid in cryptocurrency Bitcoin to unlock computers.
  • In Spain, megaphone announcements told employees at telecom giant Telefónica to shut down their workstations immediately while the attack spread.
  • Scotland reported that 11 health boards and its ambulance service were attacked.
  • Whistleblower Edward Snowden blamed the NSA, saying: “If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened.”
  • FedEx also announced it was impacted and said it was “implementing remediation steps as quickly as possible”.

The Guardian’s Graham Russell will now be taking over the blog.

Guardian tech reporter Olivia Solon explains how a cybersecurity researcher was able to block the spread of the malware:

The global spread of the WannaCry ransomware has been stopped by a cybersecurity researcher tweeting as @malwaretechblog, with the help of a researcher at Proofpoint.

The malware contains a hardcoded “kill switch” that the creator could choose to implement if he or she wanted. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early this morning (Pacific Time), stopping the rapid proliferation of the ransomware.

“They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected, but gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.

It’s possible that there are other variants of the malware with different kill switches that have not yet been intercepted.
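The kill-switch lookup described above is also a triage signal for defenders: any internal host that asked for that domain was running the malware, and a lookup that failed means the kill switch did not take effect on that run. The sketch below is an added example, not part of the original report or any researcher's tooling. The domain is a placeholder because the article does not give the real one, the log format and addresses are constructed, and treating a successful DNS answer as "the domain looked live" is a simplifying assumption.

```python
import ipaddress
from collections import defaultdict

# Placeholder: the article does not publish the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Assumption: a NOERROR answer stands in for "the request came back and the
# domain is live". A real deployment would also check the follow-up request.
RESOLVED_RCODES = {"NOERROR"}

# Constructed resolver log: "<UTC time> <client ip> <queried name> <rcode>"
SAMPLE_LOG = """\
2017-05-12T08:01:10Z 10.0.4.17 killswitch-placeholder.example NXDOMAIN
2017-05-12T08:01:12Z 10.0.4.17 intranet.example NOERROR
2017-05-12T15:30:02Z 10.0.9.3 KillSwitch-Placeholder.example. NOERROR
2017-05-12T15:31:40Z 10.0.7.21 killswitch-placeholder.example SERVFAIL
2017-05-12T15:40:00Z 10.0.7.21 killswitch-placeholder.example NOERROR
2017-05-12T16:00:00Z 10.0.2.8 www.example.org NOERROR
malformed line without enough fields
"""


def normalise(name):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Group clients that looked up the kill-switch domain by lookup outcome.

    spread_possible   - at least one lookup failed, so on that run the malware
                        saw the domain as not live: isolate these hosts first.
    kill_switch_fired - every observed lookup resolved; the host still ran the
                        malware and needs cleaning, but it stopped spreading.
    skipped           - unparseable lines, counted so gaps are visible.
    """
    target = normalise(domain)
    outcomes = defaultdict(list)  # client address -> [resolved?, ...]
    skipped = 0

    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            skipped += 1
            continue
        _when, client, qname, rcode = fields
        try:
            client_ip = ipaddress.ip_address(client)
        except ValueError:
            skipped += 1
            continue
        if normalise(qname) == target:
            outcomes[client_ip].append(rcode.upper() in RESOLVED_RCODES)

    spread_possible, kill_switch_fired = [], []
    for ip in sorted(outcomes, key=lambda a: (a.version, int(a))):
        bucket = kill_switch_fired if all(outcomes[ip]) else spread_possible
        bucket.append(str(ip))

    return {
        "spread_possible": spread_possible,
        "kill_switch_fired": kill_switch_fired,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Hosts in either list executed the malware; the split only orders the response, with machines whose lookup failed handled first because they may have gone on to infect others.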

Patients left waiting for hours

There are thousands of patients across England and Scotland who have been left in limbo, many forced to cancel operations at the last minute, the Guardian’s Kevin Rawlinson reports:

Senior medics sought to reassure patients that they could be seen in the normal way in emergencies, but others were asked to stay away if possible.

According to one junior doctor who works in a London hospital, the attack left hospitals struggling to care for people. “However much they pretend patient safety is unaffected, it’s not true. At my hospital we are literally unable to do any x-rays, which are an essential component of emergency medicine,” the doctor told the Guardian.

The US Department of Homeland Security (DHS) has released a statement saying it is “aware of reports of ransomware known as WannaCry affecting multiple global entities”. DHS noted that Microsoft released a patch in March that addresses this vulnerability, adding:

Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school.

DHS said it is also “actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally”. The agency further said it is working with chief information officers in other US federal departments to ensure “our own networks are protected against the threat”.

The rapid spread of the malware may have been stopped when a researcher who tweets at MalwareTech and works for security firm Kryptos Logic took control of a key domain name, according to tech blog ArsTechnica.

The site reports:

The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign. MalwareTech’s registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world. As a result, the number of infection detections plateaued dramatically in the hours following the registration.

This won’t, however, help companies that have already been infected.

Corporations in Spain regain control

The Cybersecurity National Institute in Spain is reporting that many of the country’s corporations targeted in the ransomware attack are regaining control over their systems and resuming operations, according to the AP.

A statement released by the institute did not identify affected companies, though Telefonica, Spain’s telecommunications corporation, acknowledged the attack earlier in the day.

The institute said that many Spanish corporations were alerted early enough that they were able to dodge the malware, the AP reported.

Telefonica said earlier that the attack was limited to its internal network computers and had not impacted services or clients.

US congressman Ted Lieu, a Democrat from California and one of the more technologically savvy lawmakers, criticized the NSA’s suspected role in the WannaCry malware on Twitter.

To be clear, the NSA is not necessarily suspected of writing the actual malware involved in this hack, but rather of knowing about and failing to disclose the flaw in Windows that the ransomware exploits.

Software companies offer bug bounties to hackers who inform them about such vulnerabilities, allowing them to issue security patches through software updates. But intelligence agencies stockpile their knowledge of such flaws in order to use them for intelligence gathering or cyber warfare.

Sam Levin in San Francisco will be taking over the blog for now.

The National Cyber Security Centre’s CEO Ciaran Martin has issued a new statement on the ransomware attack.

Martin said the NCSC is “working round the clock” with UK, international, and private sector partners to respond to the attack, and reiterated that there is no evidence that NHS patient data has been stolen.

“We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.”

The NCSC’s guidance for protecting yourself from ransomware can be found here.

The Russian interior ministry said earlier today that about 1,000 of its computers had been affected. The country’s largest bank, Sberbank, was also targeted, according to the Associated Press, but said that it had successfully repelled the attack.

Russia was hit early and hard by the attack, which could be a sign that the attacks originated in that country, according to Markus Jakobsson, chief scientist with security firm Agari.

Since the malware spreads by email, he told the Guardian, it’s possible that the criminals had access to a large database of Russian email addresses.

However, Jakobsson warned that the origin of the attack remains unconfirmed.

Scotland: 11 health boards and ambulance service attacked

Eleven of Scotland’s 14 geographical health boards and its ambulance service have been affected by the global cyberattack, according to the Press Association.

“I have convened a Scottish Government resilience meeting to ensure that we are closely monitoring the situation,” first minister Nicola Sturgeon said. “All necessary steps are being taken to ensure that the cause and nature of this attack is identified. There is no evidence that patient data has been compromised.”

The impacted health boards are NHS Borders, Dumfries and Galloway, Fife, Forth Valley, Lanarkshire, Greater Glasgow and Clyde, Tayside, Western Isles, Highlands, Grampian, Ayrshire and Arran, and the Scottish Ambulance Service.

Ransomware attacks have been on the rise around the globe, and hospitals are particularly vulnerable, thanks to outdated IT systems and increasing reliance on electronic health records.

The BBC reported in April that the NHS hospital trusts in England saw 55 cyber attacks in 2016.

Last year, a hospital in Los Angeles was infected with ransomware. Doctors and nurses resorted to using paper charts and fax machines for days before the hospital paid $17,000 in bitcoin to the ransomware hackers.

“The attack against the NHS demonstrates that cyber-attacks can quite literally have life and death consequences,” Mike Viscuso, chief technology officer of security firm Carbon Black, told the Guardian. “When patients’ lives are at stake, there is no time for finger pointing but this attack serves as an additional clarion call that healthcare organizations must make cybersecurity a priority, lest they encounter a scenario where lives are risked.”

Global courier company FedEx has been infected by the ransomware.

“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” a spokesperson said in a statement. “We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers.”

The WannaCry ransomware has now spread to 99 countries, according to security firm Avast.

The suspected origin of the ransomware in a vulnerability known to the US’s National Security Agency is already leading to finger-pointing by some critics.

Experts believe that WannaCry works by taking advantage of a flaw in Windows that the NSA knew about but kept secret. Intelligence agencies keep a stockpile of such vulnerabilities and use them to carry out intelligence gathering or engage in cyberwarfare.

This particular vulnerability was publicly disclosed by a group calling itself Shadow Brokers, which claimed to have stolen it from the NSA. Once the flaw was public, Microsoft issued a fix, but many users and institutions are slow to install security updates.

Edward Snowden articulated the critique of the NSA’s role in the attack on Twitter.

Kaspersky Lab, a cybersecurity company based in Moscow, has published a blogpost in which it estimates that 45,000 attacks have been carried out in 74 countries, mostly in Russia. It added that the totals could be “much, much higher”. You can read the full analysis here.

Julia Wong in San Francisco will now be taking over the liveblog.

NHS staff and patients have been getting in touch with us.

One NHS junior doctor at a London hospital, who wishes to remain anonymous, said they were unable to look after patients properly:

However much they pretend patient safety is unaffected - it’s not true. At my hospital we are literally unable to do any X-rays, which are an essential component of emergency medicine.

It’s a good hospital in many ways but the IT is appalling ... This is the 3rd or 4th time there has been major computer downtime since I started at my current hospital, 8 months ago. I know the staff will do their very best to keep looking after everyone, but there are no robust systems in place to deal with blackouts like this - information sharing is hard enough in a clinical environment when everything works.

Without the IT systems I suspect test results will be missed, and definitely delayed. Handovers are much more difficult. It will, absolutely certainly, impact patient safety negatively, even if that impact can’t be clearly measured.

Hacking tool was probably stolen from NSA, expert says

A little more detail on how the attack may have come about: according to Prof Alan Woodward, a security expert at Surrey University, it resembles an exploit of “EternalBlue” - the name given to a weakness in Microsoft’s security that is thought to have been identified secretly by the US National Security Agency (NSA).

A hacking group calling itself Shadow Brokers claimed to have stolen information about the vulnerability from the NSA last year, as part of a cache of files. It tried to auction them off but, after no one made a satisfactory bid, reportedly dumped them online for free. Microsoft released a fix and some researchers have suggested that a failure to implement it may have exacerbated the problem. Woodward told the Guardian:

From the analysis that has been done, it looks like it is the ‘EternalBlue’ weakness that has been exploited because it is using the same ports and protocols. We don’t know publicly if it is the NSA (that found the vulnerability) but it is widely assumed it is and that is what Shadow Brokers said.

More than half of Scotland’s health boards have been affected by the large-scale cyber-attack on NHS computer systems. GP surgeries and dental surgeries were among some of the locations hit by the ransomware attack on IT networks, the Press Association reports.

NHS Lanarkshire said only those patients requiring emergency treatment should attend hospital while they dealt with the issue on Friday.

Scotland’s biggest health board, NHS Greater Glasgow and Clyde, as well as NHS Tayside, NHS Dumfries and Galloway and NHS Forth Valley confirmed that some of their GP surgeries had been caught up in the incident.

NHS Western Isles, NHS Fife and NHS Borders said they have been affected to some extent. It means that at least eight of Scotland’s 14 health boards have reported some level of disruption as a result of the attack.

There is no evidence that patient data has been compromised.

The Agence France-Presse news agency reports that, in Spain, employees at the telecom giant Telefónica were told to shut down their workstations immediately through megaphone announcements as the attack spread.

Forcepoint Security Labs said that “a major malicious email campaign” consisting of nearly 5m emails per hour was spreading the ransomware.

The group said in a statement that the attack had “global scope”, affecting organisations in Australia, Belgium, France, Germany, Italy and Mexico.

The Telefónica headquarters near Madrid, Spain
Photograph: Juan Medina/Reuters

Some more quotes from the prime minister. She has told reporters:

I think what is important is that we have recognised that increasingly we need to be aware of the need to address cyber security issues, that’s why the National Cyber Security Centre has been set up. It is now able to work with the NHS to support the organisations concerned and to ensure that patient safety is protected.

After the prime minister said she was “not aware of any evidence that patient data has been compromised”, Ross Anderson, a professor of security engineering at Cambridge university, advises caution.

The NHS are saying that patient privacy hasn’t been compromised, but if significant numbers of hospitals have been negligently running unpatched computers for two months after the patch came out, how do they know?

Some more on that statement from the prime minister, Theresa May, who says:

We are aware that a number of NHS organisations have reported that they have suffered from a ransomware attack.

This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected.

The National Cyber Security Centre is working closely with NHS Digital to ensure that they support the organisations concerned and that they protect patient safety.

And we are not aware of any evidence that patient data has been compromised.

Of course, it is important that we have set up the National Cyber Security Centre and they are able to work with the NHS organisations concerned and to ensure that they are supported and patient safety is protected.

There are reports around that as many as 40 NHS organisations have been hit by the cyber-attack. NHS Digital says it is not going to confirm the number until tomorrow.

May: attack is international

The cyber-attack that has hit the NHS is part of a wider international attack, the prime minister Theresa May has confirmed.

She said there is no evidence that patient data had been compromised.

Prime minister Theresa May reacts to the cyber attack on the NHS computer systems Photograph: Sky News

One expert who has worked closely with law enforcement says this would be seen as an attack on critical national infrastructure. He says investigators will be examining systems affected by the ransomware to see how badly they are affected and whether they, in turn, can or already have infected other computer systems connected to them.

He adds that the fear is that the ransomware cannot be broken, so that infected data and files are either lost or can only be recovered by paying the ransom, which would involve giving money to criminals.

If the systems hit by the attack are backed up properly, the infected files can be junked with minimal loss. But ransomware can also drive through systems and hunt down back-up files if they are stored on a system connected to the internet and to the computers originally attacked.

Law enforcement believe that organised crime groups rent out ransomware for short periods so criminals can stage attacks, and organise themselves like a commercial firm: “This is a cash raising business.”

One question arising from the attack on a sector of critical national infrastructure is whether the government has a policy on paying ransom to cyber hackers.

British government policy in the case of a terrorist attack or of the taking of a person hostage is clear: ransom will not be paid. But it is not clear if a policy exists for the 21st-century cyber equivalent. The lead agency dealing with the attack on the NHS is the National Cyber Security Centre, an arm of GCHQ.

The New York Times is reporting that 12 countries, including the UK, have been affected.

It reports that the attack struck “computers across a wide swath of Europe and Asia”, saying that Japan, Russia, Turkey, Vietnam and the Philippines are among those affected.

Prof Alan Woodward, a security expert from the University of Surrey, says the attackers appear to have taken advantage of a chink in the armour of Microsoft XP.

He says the problem may have been exacerbated because organisations have not updated their software with the fixes made available, or are using outdated versions.

From what we can see, it is a piece of ransomware called wanna decryptor. It goes by other names but it emerged in February 2017. Since then, it has been modified and there is evidence that it is spreading using a flaw in the Microsoft network protocol called SMB, which was exposed in the recent dump of exploits that were allegedly from US intelligence agencies.

It is not just the NHS affected: reports suggest it is a global problem. The virulence is likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems (such as XP) that are no longer supported by Microsoft and hence no patch exists.

My concern is that this isn’t the last of this type of attack. Since the dump of the exploits earlier this year, it was obvious that someone was going to enhance their ransomware (or some other form of malware) using the SMB flaw to allow the malware to spread across large networks once a foothold had been established. The disappointing aspect of this is that the patch has been around since March but many organisations have clearly not applied the patch or, worse, they are on something such as XP which is no longer supported and hence cannot be patched.

Wanna Decryptor is actually just a reincarnation of wcry (I first saw it in Feb 2017) but it has been enhanced using the SMB/eternalblue exploit to spread more easily. The concern is that even once this attack dies down it won’t be the only ransomware that has been enhanced in this way. The result is inevitable.

This is not about having some fancy technology in place to protect yourself. It is about the basics: use supported software and keep it updated.

NHS England have released an updated statement. Dr Anne Rainsberry, the NHS incident director, said:

We’d like to reassure patients that if they need the NHS and it’s an emergency that they should visit A&E or access emergency services in the same way as they normally would and staff will ensure they get the care they need.

More widely, we ask people to use the NHS wisely while we deal with this major incident, which is still ongoing. NHS Digital are investigating the incident and across the NHS we have tried and tested contingency plans to ensure we are able to keep the NHS open for business.

Here’s a little background from my colleagues Damien Gayle, Alexandra Topping and Sarah Marsh. They report the situation as it stood at about 5pm today:

Hospitals across England have been hit by a large-scale cyber-attack, the NHS has confirmed, which has locked staff out of their computers and forced many trusts to divert emergency patients.

The IT systems of NHS sites across the country appear to have been simultaneously hit, with a pop-up message demanding a ransom in exchange for access to the PCs. NHS England has declared a major incident. NHS Digital said it was aware of the problem and would release more details soon.

Details of patient records and appointment schedules, as well as internal phone lines and emails, have all been rendered inaccessible.

It is now thought that some services in Scotland have also been hit, with three GP surgeries in Dumfries and Galloway reporting being affected.

The NHS has declared a major incident after it was hit by a cyber attack that is thought to have affected services across England and Scotland. Staff have been locked out of their computers and many trusts have been forced to divert emergency patients.

We’ll be updating you here as this story develops.

Meanwhile, my colleagues Alex Hern and Samuel Gibbs have prepared a Q&A on the attack.
