Another major cyber-attack could be imminent after Friday’s global hit that infected more than 125,000 computer systems, security experts have warned.
A UK security researcher known as MalwareTech, who helped to limit the ransomware attack, warned of “another one coming… quite likely on Monday”.
The virus, which took control of users’ files, spread to 100 countries, including Spain, France and Russia.
In England, 48 NHS trusts fell victim, as did 13 NHS bodies in Scotland.
Some hospitals were forced to cancel procedures and appointments, as ambulances were directed to neighbouring hospitals free from the computer virus.
UK Home Secretary Amber Rudd said on Saturday that all but six NHS trusts’ systems had been restored, but that “there’s always more” that could be done to protect against computer viruses.
‘No reason to stop’
After taking computers over, the virus displayed messages demanding a payment of $300 (£230) in virtual currency Bitcoin to unlock files and return them to the user.
BBC analysis of three accounts linked with the global attack suggests the hackers have already been paid £22,080.
MalwareTech, who wants to remain anonymous, was hailed as an “accidental hero” after registering a domain name to track the spread of the virus, which actually ended up halting it.
The 22-year-old told the BBC: “It’s very important that people patch their systems now.
“We have stopped this one, but there will be another one coming and it will not be stoppable by us.
“There’s a lot of money in this. There’s no reason for them to stop. It’s not really much effort for them to change the code and then start over.
“So there’s a good chance they are going to do it… maybe not this weekend, but quite likely on Monday morning.”
Fellow security researcher Darien Huss, from tech firm Proofpoint, echoed MalwareTech’s view.
“I highly suspect that, with the amount of coverage that this incident is getting, there are probably already people that are working to incorporate the exploit that was used for spreading,” he said.
Investigators are working to track down those responsible for the ransomware used on Friday, known as Wanna Decryptor or WannaCry.
‘Bring them to justice’
The virus exploits a vulnerability in Microsoft Windows software, first identified by the US National Security Agency, experts have said.
Europol described the cyber-attack as “unprecedented” and said its cyber-crime team was working with affected countries to “mitigate the threat and assist victims”.
Oliver Gower, of the UK’s National Crime Agency, added: “Cyber criminals may believe they are anonymous, but we will use all the tools at our disposal to bring them to justice.”
Update not applied
In the UK, critics said the government had known about the threat of a cyber-attack for some time, but hospitals had not made the right upgrades to protect themselves.
A security update – or patch – was released by Microsoft in March to protect against the virus, but it appears many organisations had not applied it or were using an older version of the operating system no longer supported – namely Windows XP.
Kingsley Manning, a former chairman of NHS Digital, claimed that several hundred thousand computers were still running the out-of-date operating system.
Mr Manning told BBC Radio 4’s PM programme: “Some trusts took the advice that was offered to them very seriously and acted on it and some of them may not have done.
“If you’re sitting in a hard-pressed hospital in the middle of England, it is difficult to see that as a greater priority than dealing with outpatients or A&E.”
NHS Digital said that 4.7% of devices within the NHS use Windows XP, with the figure continuing to decrease.
The Liberal Democrats and Labour have both demanded an inquiry into the cyber-attack.
Get news from the BBC in your inbox, each weekday morning