A ransomware attack that has infected dozens of NHS trusts uses a “backdoor” to Windows which was created by the US National Security Agency, it has emerged.

In email to all trusts seen by HSJ, NHS Digital’s cyber unit, CareCERT, confirmed that the ransomware attack - which led to the shutting down of the NHS network in some regions, cancelled appointment and diverted ambulances - was based on an exploit designed by the NSA, known as Eternal Blue.

Microsoft released an update patching the vulnerability in March, theoretically protecting any trust that had kept their Windows computers and devices updated. The patch was last night sent to trusts.

CareCERT said that once a computer is infected with the malware, known by several names including Wanna Decryptor, it will spread to other connected devices over the network.

“If a computer on your network becomes infected with ransomware it will begin encrypting local machine files and files on any network the logged-in user has permission to access,” it said. 

The malware will use a “strong” encryption files, which could include videos, documents and pictures, and spread malicious and fake files widely throughout a operating systems.

If a system administrator’s computer is infected, even back-up files could be vulnerable to encryption, CareCERT said.

HSJ understands the attack likely started with a phishing email, that spread quickly within a system once a person clicked on the malicious link.

 Infected computers display a demand that users pays $300 worth of bitcoin within three days or risk losing their encrypted data.

In a separate message to NHS trusts on Friday evening, NHS Improvement chief executive Jim Mackey said 25 trusts had  been been “affected” and the attack had been declared a “major incident”. The estimate of affected organisations later increased to around 50.

Mr Mackey said NHS Digital would send all trusts a copy of the latest Windows patch that should protect against future attacks.

“This is a developing situation. The effect on different organisations is variable, while issues around causes and ‘coordination’ remain unclear.”

In a statement on Friday night, prime minister Theresa May reiterated that the attack was not targeted specifically at the NHS, as reports emerged of Wanna Decryptor infections of major organisations across Europe, Asia and the United States. 

“The National Cyber Security Centre is working closely with NHS Digital to ensure that they support the organisations concerned and that they protect patient safety.

“And we are not aware of any evidence that patient data has been compromised,” she said.

While some parts of the NHS appear unaffected, in other areas large swathes of IT systems have been shut to prevent the spread.

Speaking to HSJ on Friday night, Liverpool CCG vice-chairman Simon Bowers said, in response, the NHS in North Merseyside had shut off internet and network access across all NHS organisations.

“We are on mobile phones, twitter and faxes,” he said. 

This meant trusts across the region cannot not access the internet, picture, archiving and communication, e-prescribing or e-referral services.

Major hospitals affected included Aintree University Hospital FT and Alder Hey Children’s FT, although Bowers said both trusts still had internal IT systems, such as electronic patient records, running.

For about 150 GP practices in that area, the shutdown has meant no access to electronic patient records, forcing GPs to return to pen and paper.

“All the doors are open and the lights are on but they don’t have access to some of those systems.”

Dr Bowers said he was aware of only one trust in the area, Southport and Ormskirk Hospital Trust, that was infected but shutting down any shared system was necessary to prevent the infection spreading.

HSJ understands other areas have also shut-off GPs’ access to their Emis electronic patient records as a precaution to prevent the spread of malware.

In its email, CareCERT recommends any NHS organisation that is infected should identify the source of infection and unplug or disconnect any infected machine. 

Isolating an infected machine from the network was “essential to damage limitation”.