3 min read

Ransomware forced hospitals to cancel 2,800 operations and shut down systems


December 06, 2016

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Ransomware forced hospitals to cancel 2,800 operations and shut down systems

Ransomware is a serious enough threat for most organisations, but just imagine if you’re in the business of keeping people healthy and saving lives.

At the end of October, three British hospitals suffered a “major incident”, as a malware attack infected the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG), forcing the almost complete shutdown of IT systems and the cancellation of routine patient operations for several days.

As ZDNet reports, NLAG has now confirmed that the malware that infected their computer systems was a variant of the Globe ransomware, which uses the Blowfish cryptographic algorithm to encrypt victims’ files.


As if that weren’t bad enough the Globe2 ransomware also deletes your PC’s Shadow Volume Copies. Shadow Volume Copies are backups made of your files by default every day that allow you to roll back in time to recover earlier versions should they be required.

Obviously, that’s a pretty useful safety net to have at your disposal should you be hit by data-encrypting ransomware. But, of course, online criminals are well aware that users are less likely to pay off the ransom if they are able to recover their data in this way.


Mystery currently surrounds precisely how the hospital trust was hit by ransomware. Speaking to Computing, NLAG NHS Trust’s Pam Clipson debunked theories touted in the media that the malware had entered the organisation via an infected USB stick:

“We can confirm that recent publicly reported information alleging that access was gained through a USB stick or due to remote working have no grounding in fact. We can assure our patients and other stakeholders that we acted swiftly to enhance our existing cyber security but in order to maintain security and support the police investigation, we are unable to share specific information at this time on the exact steps we have taken.”

No doubt the investigation is exploring whether the malware might have entered the organisation via a malicious email or perhaps via a drive-by-download as a user visited a boobytrapped website. I would be surprised if it was eventually determined that the hospital trust was specifically targeted by online extortionists, but stranger things have happened.

Whatever the source of the infection, Clipson emphasised that the Trust’s security team responded quickly to the ransomware attack, cleaning and checking servers:

“The majority of our systems were up and running again within 48 hours. A total of just over 2,800 patient appointments were cancelled as a result of the disruption.”

NLAG says it has worked closely with law enforcement, and the police’s regional cyber crime unit are investigating the incident.

The good news is that it appears that most of the trust’s IT systems were brought back to working operation relatively quickly, and although 2,800 patient operations were cancelled there is no indication that any long term harm has been done.

I’m also pleased to see that NLAG does not appear to have considered the option of giving in to the blackmailer and paying them a ransom for the safe recovery of data.

That’s certainly not been the story when other hospitals have been hit by ransomware in the past. For instance, earlier this year the Hollywood Presbyterian Medical Centre paid some $17,000 worth of Bitcoins to recover its encrypted data after an attack

Whenever a ransom demand is shown to work for the bad guys – meaning whenever victims pay up – all that happens is that criminals are incentivised to launch more ransomware attacks. And that is bad news for all of us.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like