{
	"id": "6a3ee510-7743-4668-a5b5-f16252350655",
	"created_at": "2026-04-06T00:10:05.618744Z",
	"updated_at": "2026-04-10T13:12:28.35228Z",
	"deleted_at": null,
	"sha1_hash": "22ab24b693f6d978c849a647227ce59e8589cc91",
	"title": "U.K. Hospitals Hit in Widespread Ransomware Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161166,
	"plain_text": "U.K. Hospitals Hit in Widespread Ransomware Attack\r\nPublished: 2017-05-13 · Archived: 2026-04-05 14:43:51 UTC\r\nAt least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer\r\nsystems there were infected with ransomware, a type of malicious software that encrypts a victim’s documents,\r\nimages, music and other files unless the victim pays for a key to unlock them.\r\nIt remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so\r\nquickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in\r\nWindows that was recently patched by Microsoft.\r\nThe ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image:\r\nBleepingComputer.\r\nIn a statement, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered\r\nransomware attacks.\r\n“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of\r\nsectors,” the NHS said. “At this stage we do not have any evidence that patient data has been accessed.”\r\nAccording to Reuters, hospitals across England are diverting patients requiring emergency treatment away from\r\nthe affected hospitals, and the public is being advised to seek medical care only for acute medical conditions.\r\nNHS said the investigation is at an early stage but the ransomware that hit at least 16 NHS facilities is a variant of\r\nWana Decryptor (a.k.a. “WannaCry“), a ransomware strain that surfaced roughly two weeks ago.\r\nLawrence Abrams, owner of the tech-help forum BleepingComputer, said Wana Decryptor wasn’t a big player in\r\nthe ransomware space until the past 24 hours, when something caused it to be spread far and wide very quickly.\r\nhttps://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/\r\nPage 1 of 2\n\n“It’s been out for almost two weeks now, and until very recently it’s just been sitting there,” Abrams said. “Today,\r\nit just went nuts. This is by far the biggest outbreak we have seen to date.”\r\nFor example, the same ransomware strain apparently today also hit Telefonica, one of Spain’s largest\r\ntelecommunications companies. According to an article on BleepingComputer, Telefonica has responded by\r\n“desperately telling employees to shut down computers and VPN connections in order to limit the ransomware’s\r\nreach.”\r\nAn alert published by Spain’s national computer emergency response team (CCN-CERT) suggested that the\r\nreason for the rapid spread of Wana Decryptor is that it is leveraging a software vulnerability in Windows\r\ncomputers that Microsoft patched in March.\r\nAccording to CCN-CERT, that flaw is MS17-010, a vulnerability in the Windows Server Message Block (SMB)\r\nservice, which Windows computers rely upon to share files and printers across a local network. Malware that\r\nexploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing\r\ncomponent may help the ransomware spread rapidly from one infected machine to another.\r\nThat SMB flaw has enabled Wana Decryptor to spread to more than 36,000 Windows computers so far, according\r\nto Jakub Kroustek, a malware researcher with Avast, a security firm based in the Czech Republic.\r\n“So far, Russia, Ukraine, and Taiwan leading,” the world in new infections, Kroustek wrote in a tweet. “This is\r\nhuge.”\r\nAbrams said Wana Decryptor — like many ransomware strains — encrypts victim computer files with extremely\r\nstrong encryption, but the malware itself is not hard to remove from infected computers. Unfortunately, removing\r\nthe infection does nothing to restore one’s files to their original, unencrypted state.\r\n“It’s not difficult to remove, but it also doesn’t seem to be decryptable,” Abrams said. “It also seems to be very\r\npersistent. Every time you make a new file [on an infected PC], it encrypts that new file too.”\r\nExperts may yet find a weakness in Wana that allows them to way to decode the ransomware strain without paying\r\nthe ransom. For now, however, victims who don’t have backups of their files have one option: Pay the $300\r\nBitcoin ransom being demanded by the program.\r\nWana Decryptor is one of hundreds of strains of ransomware. Victims who are struggling with ransomware should\r\npay a visit to BleepingComputer’s ransomware help forum, which often has tutorials on how to remove the\r\nmalware and in some cases unlock encrypted files without paying the ransom. In addition, the No More Ransom\r\nProject also includes an online tool that enables ransomware victims to learn if a free decryptor is available by\r\nuploading a single encrypted file.\r\nUpdate, May 13, 9:33 a.m.: Microsoft today took the unusual step of releasing security updates to fix the SMB\r\nflaw in unsupported versions of Windows, including Windows XP, Windows 8, and Windows Server 2003. See\r\nthis post for more details.\r\nSource: https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/\r\nhttps://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/"
	],
	"report_names": [
		"u-k-hospitals-hit-in-widespread-ransomware-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22ab24b693f6d978c849a647227ce59e8589cc91.pdf",
		"text": "https://archive.orkl.eu/22ab24b693f6d978c849a647227ce59e8589cc91.txt",
		"img": "https://archive.orkl.eu/22ab24b693f6d978c849a647227ce59e8589cc91.jpg"
	}
}