NHS ransomware attack: what happened and how bad is it?

A ransomware attack on a software supplier has hit the NHS across the UK and there are fears that patient data may have been the target.

Advanced, the UK company hit by the attack last week, said it was working with government agencies, including the National Cyber Security Centre and the Information Commissioner’s Office, in the aftermath of the incident.

Details such as the identity of the attacker(s) and the scale of the damage have yet to emerge, but here is a guide to what we know so far and how ransomware gangs operate.

What is a ransomware attack?

This is when a group gains access to an entity’s computer system, sometimes via an email “phishing” attack. They have also involved entering a virtual private network (VPN) that is used by employees to access their employer’s internal computer systems when, for example, they are working from home.

Once inside, rogue actors deploy a piece of malware – malicious software – that encrypts computers, making it impossible to access their content. The bad actor then demands money in exchange for decrypting or unlocking the computers.

While data is not always taken during attacks, if it is it can be used as part of the negotiations. Ransomware gangs have created websites where stolen data is displayed.

How severe was the attack?

The attack on the morning of 4 Augustcaused widespread outages across the NHS. The target was Advanced, a company that provides software for various parts of the health service. It affected services including patient referrals, ambulance dispatch, out-of-hours appointment bookings, mental health services and emergency prescriptions.

The impact can be worked out by looking at which Advanced systems were directly or indirectly hit. They included Adastra, which helps 111 call handlers dispatch ambulances and helps doctors access a patient’s GP records; Carenotes, which is used by mental health trusts for patient records; Caresys, which is used in care homes; Crosscare, which helps run hospices; and Staffplan, used by care organisations.

The Health Service Journal has reported that at least nine NHS mental health trusts have been affected by the outage, reducing their access to patients’ records. Advanced software is used in 36 acute trusts or mental health trusts in England, according to Digital Health Intelligence.

A leaked internal NHS England document seen by the Guardian has disclosed that “a number of NHS services, including NHS 111, some urgent treatment centres and some mental health providers use software that have been taken offline”.

In an email to staff reported by the Independent, the Oxford Health NHS foundation trust’s chief executive, Dr Nick Broughton, said: “The cyber-attack targeted systems used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings, triage, out-of-hours care, emergency prescriptions and safety alerts. It also targeted the finance system used by the trust.

“We have now been advised that we should prepare for a system outage that could continue for two weeks for Adastra and possibly longer than three weeks for Carenotes.”

Advanced hinted in a statement late on Wednesday that a full recovery for some services could take weeks. Apart from work to get 111 back on track, contingency plans would have to be in place “for at least three to four more weeks”, it said. NHS England said some 111 callers may face longer waits than usual.

Who might be behind the attack?

No group has been named as the attacker, but it has been reported that it is likely to be a criminal gang rather than a state organisation.

The most notorious ransomware group in recent times is the one behind attacks using the Conti malware, which hobbled the Irish healthcare system last year and the Costa Rican government earlier this year.

This Russian-linked criminal group appears to have wound down its Conti malware attacks. However, there has been widespread speculation that the same group is behind a new piece of malware called Black Basta. There is no evidence that the Conti/Black Basta group is behind the NHS attack and there are many other potential candidates.

There are a variety of ransomware groups out there, with different malware (the names of the malware and the groups behind them are often viewed as interchangeable). Names of malware operations that have been linked to healthcare attacks over the past year include BlackCat, Quantum, Hive and AvosLocker.

Are healthcare organisations a popular target?

There had been signs of a hiatus in attacks on health organisations during the pandemic, with the ransomware group Maze saying it would not hit medical targets. But even before the Advanced attack it seemed the situation was changing. For instance, the Irish healthcare system attack was in May 2021.

Related: Fears for patient data after ransomware attack on NHS software supplier

The number of health organisations around the world targeted by cyber-attacks rose 90% in the three months to 30 June compared with the first three months of 2022, according to the risk consultancy Kroll. This study was based on the 3,200 incidents across all sectors reported to the consultancy over the past 12 months.

Ioan Peters, the managing director of cyber risk at Kroll, said: “This latest cyber-attack and possible data extraction impacting the NHS comes as healthcare organisations across the world are facing increased pressure from cybercriminals.”

He said the study showed healthcare was the most targeted sector and that “we’ve definitely reached the end of the truce that some criminal groups instituted earlier in the Covid pandemic”.

In the healthcare ransomware cases Kroll had seen, there was a “double extortion” tactic in which data was taken before the victim’s network was encrypted, and then the hackers threatened to leak the data in an attempt to gain leverage during negotiations.