Tomorrow could see a ZOMBIE cyber-attack: IT expert who stopped the NHS hack warns the virus could come BACK TO LIFE in computers that have already been 'fixed'
- EXCLUSIVE: Expert who stopped virus predicts 'another attack likely on Monday'
- Operations were cancelled after cyber attack affected 45 NHS trusts in England
- More than 200,000 computer systems in 150 countries fell victim to the attack
- Fears that a similar attack could strike the Met Police, which uses same system
- Security expert fears he may not be able to stop a second imminent attack
A cyber attack which crippled more than 200,000 computers in 150 countries could strike again on Monday coming back to life in systems that have already been fixed.
The anonymous British IT expert who discovered a 'kill switch' which slowed the spread of the ransomware fears that it has a 'back door' installed - meaning hackers could easily inject a new strain of the virus.
Concerns have been raised that Monday could see a resurgence of the chaos which struck at the end of last week as office workers power up their machines.
The attack which began on Friday struck banks, hospitals and government agencies, exploiting known vulnerabilities in old Microsoft computer operating systems.
An anonymous British blogger, 22, became an accidental hero by putting the brakes on the spread of the mass cyber attack, pictured
Experts fear that an email containing the virus could be laying dormant in hundreds of thousands of inboxes across the globe.
But now MalwareTech, the cyber expert who halted the first strain of the ransomware, has revealed exclusively to MailOnline that a new wave of chaos could begin across the globe if hackers have installed a back door.
The British cyber whiz was hailed an 'accidental hero' after he registered a domain name that unexpectedly stopped the spread of the virus, which exploits a vulnerability in Microsoft Windows software.
He said: 'I'm not so worried with emails, it's supposedly that this ransomware actually drops a back door and we don't know yet if our fix kills the backdoor as well.
'There is a possibility someone could just re-hack the systems.
'Assuming the backdoor wasn't killed, any computer that was infected previously would then be re-infectable.
'They could essentially scan the internet for the backdoor and access it and drop the ransomware.
He continued:'Users would have to power up their systems tomorrow, not connected to the internet and then check them for the backdoor before connecting to the internet.
'It would be pretty tricky, you would need custom tools to actually scan and remove the backdoor.'
MalwareTech reckons he has prevented 200,000 computers across the globe from being infected.
But a Chinese hacker is thought to have mounted a bid to steal the domain name earlier today which would enable them to shut off the kill switch and resume the infections.
MalwareTech explained to MailOnline: 'I got a very strange email from a Chinese registrar trying to confirm the transfer of the domain.
The ransomware hit computers around the globe including in Germany where the rail network was infected
'So it looks like maybe someone has attempted to steal our domain.
'If you can take the domain you can turn the server off and the infections will continue.
'Everyone who hasn't had the software killed by our domain would then be vulnerable to infection.
'With a Chinese email from a Chinese registrar in Mandarin I think they would be Chinese.
US package delivery giant FedEx, European car factories, Spanish telecoms giant Telefonica, the NHS and Germany's Deutsche Bahn rail network were among those targeted.
Europol director Rob Wainwright said he is now 'worried' about staff in companies across the globe turning their computers on on Monday.
An international manhunt is now under way for the plotters behind what is being described as the world's biggest-ever computer ransom assault.
Defence Secretary Sir Michael Fallon has ruled out concerns over the threat of viruses on Trident operating systems - but refused to deny the Government uses the same computer system hit by the hackers.
Defence Secretary Sir Michael Fallon has ruled out concerns over the threat of viruses on Trident operating systems
Home Secretary Amber Rudd (pictured with former Metropolitan Police Commissioner Sir Bernard Hogan-Howe) chaired a Cobra meeting into the cyber attack crisis
Meanwhile health authorities are racing to upgrade security software amid fears hackers could exploit the same vulnerability with a new virus.
The NHS is now facing a weekend of chaos as hospitals and GP surgeries have a six-week backlog of postponed appointments to contend with, including operations, once the crisis is brought under control.
It has since emerged that hospitals had been sent a 'patch' which could have protected them against the attack just two weeks ago - but few apparently downloaded it.
But Britain's nuclear deterrent is protected from cyber attacks, Sir Michael Fallon has said.
The Government had set aside more than £1.9 billion to tackle cyber threats, of which some £50 million went to the NHS, after an official security review highlighted hacks as a major threat, he said.
Sir Michael told the BBC's Andrew Marr Show: 'We never comment on the different systems, obviously for reasons of security, that our submarines use but our Vanguard submarines I can absolutely assure you, are safe and operate in isolation when they are out on patrol, and I have complete confidence in our nuclear deterrent.'
Pressed further, he said: 'I can assure you that the nuclear deterrent is fully protected.'
Sir Michael said the NHS had been warned over cyber threats in the months before Friday's attack but every effort is going into protecting the NHS.
He added: 'Let me just assure you we are spending money on strengthening the cyber defence of our hospital system.'
Speaking to ITV's Peston on Sunday, Europol director Rob Wainwright said the attack was indiscriminate across the private and public sectors.
He said: 'At the moment we are in the face of an escalating threat, the numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn their machines on Monday morning.
'The latest count is over 200,000 victims in at least 150 countries. Many of those will be businesses including large corporations.'
Britain's nuclear deterrent is protected from cyber attacks, Sir Michael Fallon told the BBC's Andrew Marr Show
Data released under the Freedom of Information Act in December suggested 90 per cent of NHS trusts are using Windows XP.
There have been calls for an inquiry into the circumstances surrounding Friday's major incident, with the Government and NHS chiefs facing questions over their preparedness and the robustness of vital systems.
Mr Wainwright explained: 'We have been concerned for some time. The healthcare centres in many countries are particularly vulnerable. They are processing a lot of sensitive data.'
On Sunday MalwareTech issued a warning that hackers could upgrade the virus to remove the kill switch.
'Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You're only safe if you patch ASAP,' he wrote on Twitter.
He and a team of analysts are collaborating and attempting to track the hackers and are investigating the possibility of a second wave of attacks.
He told MailOnline earlier: 'The hackers were infecting anyone they could.
'But there is a good chance I might not be able to shut down the next one, because they could patch the method we used to disable it.
'If the system has not yet been affected, there is a risk a new variant could affect them tomorrow.
'If they are already affected, it could lie dormant. Anyone turning their computers on could find all their files will be encrypted.'
Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC), also warned there could be a fresh wave of victims on Monday.
He said: 'We have not yet seen Friday's attack reoccur, there's been no new wave of attacks.
'On Monday morning at the start of the new working week we can expect, it's likely that successful attacks from Friday that haven't yet become apparent will become apparent.
'And also existing known infections can spread, we can't say what scale the new cases will occur at but it's likely there will be some.'
The Metropolitan Police is still using outdated software Windows XP, which is 15 years old and has been branded 'obsolete', leaving systems more vulnerable to attacks
A number of hospitals in England and Scotland were forced to cancel procedures after dozens of NHS systems were brought down in Friday's attack.
Medical staff reported seeing computers go down 'one by one' as the attack took hold, locking machines and demanding money to release the data.
Around a fifth of trusts were hit amid concerns networks were left vulnerable because they were still using outdated Windows XP software.
The apparent chink in the NHS's defences led to criticism of the Government and NHS bosses, with the Liberal Democrats demanding an inquiry takes place.
Speaking after a Cobra meeting on Saturday, Home Secretary Amber Rudd admitted 'there's always more' that can be done to protect against viruses.
She said: 'If you look at who's been impacted by this virus, it's a huge variety across different industries and across international governments.
'This is a virus that attacked Windows platforms. The fact is the NHS has fallen victim to this.
'I don't think it's to do with that preparedness. There's always more we can all do to make sure we're secure against viruses, but I think there have already been good preparations in place by the NHS to make sure they were ready for this sort of attack.'
Labour's shadow health secretary, Jonathan Ashworth, in a letter to Mr Hunt, said concerns were repeatedly flagged about outdated computer systems.
Speaking to Robert Peston, he demanded that the Conservatives publish the Department of Health's risk register to see how seriously they were taking IT threats.
MalwareTech - who lives at home in the south of England with his mother and father - spotted a loophole in the code that meant he could block the virus.
He says he inadvertently halted the ransomware just hours after hearing news of a cyber attack on the NHS while out for lunch with a friend while on a week off from his job at an information security company.
But speaking exclusively to MailOnline, the computer expert revealed yesterday that cyber attackers are working to bring down the 'emergency stop' which is halting the virus from spreading in a bid to infect millions more across the globe.
He said: 'We've actually been getting attacks today - we don't think it's the actual group who were spreading the malware but another group is trying to attack us so the infections resume.
Cyber security worker @MalwareTech exploited a loophole by spending £8 to register the domain name the virus tries to connect to when infecting a new computer, causing a 'kill switch' to activate
He confirmed the block on the virus was an accident because he did not realise registering the website would work
The cyber expert, who goes by the username MalwareTechBlog online, continued: 'Obviously they haven't actually been successful, but had they been that would actually be quite a serious thing and it wouldn't really be something to laugh about.'
The security worker spent £8 registering the domain name the virus tries to connect with when it infects a new computer and pointed it at a 'sinkhole server' in Los Angeles.
It caused the malicious software to enact an 'emergency stop', immediately halting its spread - but at first the cyber expert feared he had actually made the virus epidemic worse.
Speaking of the moment he stopped the virus, the anti-malware expert told MailOnline: 'It should have been really nice but someone had made a mistake and told me that our registering of the domain actually caused the infection.
'When I found out that it was actually the opposite it was more a relief.
'Rather than a feeling of 'yes, we've done this' - it was like 'oh god, I haven't f***** up the world, so that's really great'.'
The virus infection resulted in a ransom message appearing on screens across the German rail network creating 'massive disturbances'
He revealed that he has been in touch with the government's National Cyber Security Centre about the fix - and that to say thank you his bosses have given him another week off work, which he plans to spend surfing.
He said: 'I was trying to avoid doing work for a week, doing odd jobs around the house, but I just got pulled back in.
'I don't really want anything, I just want to get back to my job really. My boss rewarded my with a new week off to replace my not-really week off.'
But the 22-year-old does not believe the attack was specifically targeted at the NHS - rather that the health service 'happened to be vulnerable' and got 'caught in the crosshairs'.
Nevertheless he says it is 'a serious thing and there is a real risk to real people's health if you're shutting down hospital systems.'
One Twitter user posted this picture of computers in their university lab that were infected with the ransomware - it has wreaked havoc after spreading quickly around the globe
The young self-taught expert said he initially became interested in computers at the age of 11 when his mother and father installed parental control software on their family machine.
He set about working out how to get around the filters sparking a long interest in information security that got him his first job in the industry 10 years later in September last year.
MalwareTechBlog said: 'It was a bit 'red and blue wire' thing - but more fumbling about trying to figure out if the registering of the domain caused the infections or stopped them.'
He also issued advice for people who are infected - or those who are concerned that their computers could get the malware.
He said: 'The people who're already infected, there's not really much you can do. You can potentially pay the ransom but I don't know if this one will decrypt the files yet.
The blogger warned vulnerable users to update their system and said the code could always be changed and the virus could start spreading again
This map released by cybersecurity experts, shows the impact of the ransomware around the world - with blue dots showing where attacks have been made. Russia is thought to be the worst affected, while Taiwan fears being the victim of a second wave. Europe was targeted first, meaning there were fewer incidents in the US because companies were able to prepare themselves better
Speaking about his temporary halt, @MalwareTechBlog said: 'Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading,'
The anonymous researcher warned however that people 'need to update their systems ASAP' to avoid a fresh attack.
He added: 'The crisis isn't over, they can always change the code and try again.'
@MalwareTechBlog added: 'I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
But computers already affected will not be helped by the solution.
'So long as the domain isn't revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.'
Forcepoint Security Labs said in a Friday statement that the attack had 'global scope' and was affecting networks in Australia, Belgium, France, Germany, Italy and Mexico.
Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 (£230) in Bitcoin, saying: 'Ooops, your files have been encrypted!'
It demands payment in three days or the price is doubled, and if none is received in seven days, the files will be deleted, according to the screen message.
A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider.
Ransomware: How do hackers take your data hostage?
A Nissan spokesman told the Newcastle Chronicle staff were working to restore the multimillion pound factory to working order.
A spokesman said: 'Like many organisations, our UK plant was subject to a ransomware attack affecting some of our systems on Friday evening. Our teams are working to resolve the issue.'
It is understood production has still not resumed today, but that the plant was not operating at full capacity when the attack began.
The attack came at an embarrassing time for Prime Minister Theresa May after she pledged to make Britain the 'safest place to do business online' during campaigning for the General Election.
Mrs May said: 'We want social media companies to do more to help redress the balance and will take action to make sure they do.
'These measures will help make Britain the best place in the world to start and run a digital business, and the safest place in the world for people to be online.'
Many are questioning where Health Secretary Jeremy Hunt is after he has so far remained silent on the crisis.
Shadow health secretary Jonathan Ashworth said concerns were repeatedly flagged about the NHS's outdated computer systems, which left it vulnerable to the virus.
In a letter to Mr Hunt on Saturday he wrote: 'As Secretary of State, I urge you to publically outline the immediate steps you'll be taking to significantly improve cyber security in our NHS.
'The public has a right to know exactly what the Government will do to ensure that such an attack is never repeated again.'
He added: 'NHS Trusts have been running thousands of outdated and unsupported Windows XP machines despite the Government ending its annual £5.5million deal with Microsoft, which provided ongoing security support for Windows XP, in May 2015.
'It effectively means that unless individual trusts were willing to pay Microsoft for an extended support deal, since May 2015 their operating systems have been extremely vulnerable to being hacked.'
Speaking to the BBC, Ms Rudd said no patient data had been 'stolen' but she could not confirm that all NHS files are backed-up, and 'hoped the answer was yes'.
She said: That is the instructions that everybody has received in the past. That is good cyber defence, but I expect, and we will find out over the next few days if there are any holes in that.'
She added: 'There may be lessons to learn from this but the most important thing now is to disrupt the attack, let's come back to afterwards whether there are lessons to be learned.'
Ms Rudd later told Sky News: 'It is disappointing that they have been running Windows XP - I know that the Secretary of State for Health has instructed them not to and most have moved off it.'
She added: 'Where the patient data has been properly backed up, which has been in most cases, work can continue as normal because the patient data can be downloaded and people can continue with their work.'
But data released under the Freedom of Information Act in December suggested 90 per cent of NHS trusts are using outdated software Windows XP, which is 16 years old and has been branded 'obsolete', leaving systems more vulnerable to attacks.
Speaking to BBC Radio 4's Today programme, Ms Rudd added the virus had not been targeted at the NHS, saying the attack 'feels random in terms of where it's gone to and where it's been opened'.
She added: 'Windows XP is not a good platform for keeping your data as secure as the modern ones, because you can't download the effective patches and anti-virus software for defending against viruses.
'CQC (Care Quality Commission) does do cyber checks on the NHS trusts, on hospitals when they do their visits, and they will be advising NHS trusts to move to modernise their platforms and I think that after this experience, I would expect them all to move forward with modernising.'
Labour leader Jeremy Corbyn branded the hackers 'unbelievably disgusting'.
He said: 'What we've now got is a bunch of 21st Century highway robbers that have hacked into our NHS and are basically offering protection money to get the information back in order to treat cancer patients or anybody else.
'It's unbelievably disgusting and I've got nothing but contempt for those people that have done it, and I'm sure all of you would share that.
'But I'm also very angry that in 2014, there was a one-year renewal of the protection system on the NHS systems which was not renewed after that and not renewed the year after that and so are systems are now not upgraded and not protected. As a result, we've got this dreadful situation that NHS workers are facing today.
'And so we obviously support our NHS workers but I tell you this, a Labour government would not leave our NHS's very vital information systems unprotected. We would protect them.'
Speaking to Sky News, computer expert Lauri Love warned this may not be the end of the attack.
The Finnish-British national, who is accused of stealing data from the US government, said: 'I'm sad to say that this is probably only just beginning; administrators are in for a very difficult weekend,' he said.
'We should expect to see this in almost every country in the world.
'If you've been infected, not only have your files been encrypted and you're being held to ransom, but your machine is being used as a zombie to attempt to affect other machines on the internet.'
Labour leader Jeremy Corbyn, pictured in Lowestoft today, called the hackers '21st Century highway robbers'
Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC), said thousands of organisations have been affected in dozens of countries around the world.
'The picture is emerging that this is affecting multiple countries and sectors and is not solely targeted at the NHS,' he added.
'We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.
'It is important that organisations reduce the risks of these attacks happening to them.'
The NCSC has warned organisations to ensure security and anti-virus software is up to date and to back up important data.
National Crime Agency (NCA) investigators are working with NCSC experts to track down those behind the virus.
Oliver Gower, deputy director of the NCA cyber crime unit, said: 'This was a large-scale attack, but we are working closely with law enforcement partners and industry experts in the UK and overseas to support victims and identify the perpetrators.
'Cyber criminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice.
'Victims of cyber crime should report directly to ActionFraud. We encourage the public not to pay the ransom demand.'
Gang behind 'unprecedented' attack using 'atom bomb of malware' which has now spread to 130,000 systems in more than 100 countries are targeted by global task force
More than 100 countries across the world have been affected by the 'unprecedented' cyber attack using a computer virus 'superweapon' dubbed the 'atom bomb of malware'.
It is believed more than 130,000 IT systems are affected around the world, including hospitals in the UK, telecoms and gas firms in Spain, schools in China, railways in Germany and the FedEx delivery company.
The European Union's police agency, Europol, says it is working with countries hit by the ransomware scam to rein in the threat, help victims and track down the criminals.
The German rail system was also experiencing issues due to the ransomware. Photos surfaced on social media showing ticket machines at train stations having been affected
Several computers at a university in Italy were also randomly targeted in the cyber attack
In a statement, Europol's European Cybercrime Centre, known as EC3, said the attack 'is at an unprecedented level and will require a complex international investigation to identify the culprits.'
EC3 says its Joint Cybercrime Action Taskforce, made up of experts in high-tech crime, 'is specially designed to assist in such investigations and will play an important role in supporting the investigation.'
The attack, which has locked up computers and held users' files for ransom, is believed the biggest of its kind ever recorded.
Meanwhile Russia is believed to be the worst affected country with computers in its interior ministry hit and its second largest phone network - Megafon - also targeted.
Ticketing machines and computers at German railway stations have also been affected alongside Spanish companies including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural.
Union members at French carmaker Renault say the global cyberattack has forced it to halt production at sites in France in an effort to stop the malware from spreading.
The two unionists spoke on condition of anonymity because of the sensitiveness of the issue.
They say the factory of Renault factory at Sandouville, in northwestern France, was one of the sites affected.
Hundreds of private users in Taiwan were also struck by the malware.
Deutsche Bahn in Germany said departure and arrival display screens at its stations were hit Friday night by the attack.
The railway said that there was no impact on actual train services.
The head of Turkey's Information and Communication Technologies Authority or BTK says the nation was among those affected by the ransomware attack.
Omer Fatih Sayan said the country's cyber security center is continuing operations against the malicious software.
The company said it deployed extra staff to busy stations to provide customer information, and recommended that passengers check its website or app for information on their connections.
Heart surgery I waited ten months for was cancelled at the last minute because of the cyber attack, reveals patient
A heart patient told last night how his long-awaited operation was cancelled because of the cyber attack as he waited to go into the operating theatre.
Patrick Ward, 47, had travelled with his family from his home in Steeple, Dorset, to St Bartholomew's Hospital in Central London for open heart surgery.
He was due to have a septal myectomy, for which he had been waiting ten months.
The surgery involves removing part of the septum – a wall of tissue that separates part of the heart – which is obstructing the flow of blood.
Patrick Ward, 47, had travelled with his family to St Bartholomew's Hospital in Central London for open heart surgery only to have the operation cancelled
After having his arms and chest shaved and a cannula inserted into the back of his hand, he was ready to go into theatre when his surgeon told him they had to cancel the operation.
'I was told at about 1.30 that there had been a cyber hack and we couldn't proceed today,' he said. 'Apparently if I needed a blood transfusion during the procedure they would need to access files on their database, which they can no longer do.
'They can't tell me when the next available slot is to reschedule, so we'll stay at a hotel in London tonight and head back to Dorset tomorrow.'
Mr Ward, a sales director for an ice cream company, said: 'It's a specialist operation so it could be a while before I get another appointment. What I have isn't life-threatening but it has impacted my life a lot. It's very restricting.
'I think this is one of the few hospitals that can do it, and they only do it on certain days which is why I've had to wait so long to get a date set. It prevents me from doing exercise and I get pains when I walk. I was hoping to be able to play football again after the operation.
'I was supposed to spend a week in hospital recovering. My daughter travelled from Liverpool today to spend the weekend with me.'
Emma Simpson and her son whose appointment was delayed after the attack
Emma Simpson took her son, Sebastian, to Whipps Cross University Hospital in Leytonstone, east London, for an X-ray on his broken toe but was sent home because of the cyber attack.
They had an appointment with an orthopaedic clinic to check that the toe was healing properly.
But when they arrived they were greeted by 'chaos' and told that computers would be down until 'at least Monday'.
'They sent us away and said they would call us with a new appointment,' she told ITV London. 'Lots of people were very disappointed.'
A woman with a suspected blood clot was turned away from the Lister Hospital in Stevenage, Hertfordshire.
Anthony Brett from Bow, east London, was about to have a stent put in his liver to treat his cancer when he was told the procedure could not happen
Janetts Douras originally went to the A&E department on Thursday with the suspected clot but was sent home after six hours and told to return yesterday for a CT scan.
But after an hour she was sent away again with medication that she must inject herself to thin her blood.
She was asked to come back on Monday but said: 'I can't see it happening.'
Most watched News videos
- Moment escaped Household Cavalry horses rampage through London
- Household Cavalry 'seen before dramatic rampage through London'
- Wills' rockstar reception! Prince of Wales greeted with huge cheers
- 'Dine-and-dashers' confronted by staff after 'trying to do a runner'
- Moment Met Police officer tasers aggressive dog at Wembley Stadium
- BREAKING: King Charles to return to public duties Palace announces
- Russia: Nuclear weapons in Poland would become targets in wider war
- Shocking moment pandas attack zookeeper in front of onlookers
- Don't mess with Grandad! Pensioner fights back against pickpockets
- Ashley Judd shames decision to overturn Weinstein rape conviction
- Prince Harry presents a Soldier of the Year award to US combat medic
- Shocking moment British woman is punched by Thai security guard