Health and security chiefs have warned of possible fresh disruption from the global cyber-attack when workers switch on their computers for the first time at the start of the working week.
Europol, the pan-EU crime-fighting agency said the threat was escalating and predicted the number of “ransomware” victims was likely to grow across the private and public sectors.
One in five NHS Trusts was hit by the “Wannacry” attack on Friday. Operations planned for Monday have been cancelled at several major hospitals, with patients facing disruption to their treatment because computers used to share patients’ test results and scans with doctors remain frozen.
The National Cyber Security Centre also warned that more cases of the ransomware are expected to come to light beyond the NHS and “possibly at a significant scale”. However it also stressed there are software updates that are easy to install and which can prevent the spread of the malware which requests victims pay hundreds $300 or risk losing all their files.
Many of England’s 8,000 GP surgeries have been closed all weekend following Friday’s attack and the NHS fears many could be affected for the first time on Monday.
“Some parts of the NHS will not have clocked there is an issue,” a spokeswoman for NHS Digital told the Guardian. “If that is going to happen it is more likely to be primary care trusts.”
Surgeries were sent a bulletin on Sunday advising them what to do if they discover their computers have been hacked and how to get support from NHS Digital and the National Cyber Security Centre, which is handling the response.
Some planned operations are being cancelled at Barts Health NHS Trust which operates five London hospitals where computers remain down. GPs have also been asked not to request non-urgent scans and tests and some emergency cases were still being diverted to nearby hospitals.
“Where we need to cancel planned appointments, we will be contacting patients directly to make them aware,” said spokesman for the trust which operates the Royal London and Whipps Cross Hospitals as well as St Bartholemew’s, Mile End Hospital and Newham University Hospital. “It is possible that we will not be able to contact all patients that we need to speak to, so we apologise if we are unable to proceed with your treatment once you arrive at hospital.”
The attack has also hit companies and other organisations, from Russia to Australia, and Europol estimates there have been 200,000 victims in at least 150 countries.
“I am worried about how the numbers will continue to grow when people go to work and turn their machines on on Monday morning,” said Rob Wainwright, Europol director.
The hackers remain undetected but are believed to have so far gathered only $42,000 in ransom payments from around 100 victims. This is expected to rise as the malware threatens that unless victims pay $300 in bitcoin currency in three days the ransom will double. It threatens files will be deleted if there is no payment in seven days.
Organisations across the globe, including investigators from Britain’s National Crime Agency (NCA), are involved in what Europol described as a complex international investigation.
“Cyber criminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice,” said Oliver Gower, of the NCA.
Cyber security experts said the malware could spread through computers with unpatched versions of Microsoft Windows and have urged computer users to only run their computers in safe mode until they have checked that the update blocking the ransomware is installed.
Six NHS Trusts were still affected 24 hours after the attack began amid concerns networks were left vulnerable partly because they still used outdated Windows XP software and also because security upgrades issued last month had not been installed.
A computer security expert credited with stopping the spread of the ransomware on Saturday by activating a digital “kill switch” warned on Sunday that a fresh attack was likely.
The expert, known only as MalwareTech on Twitter, said hackers could upgrade the virus. “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw,” he said on Twitter. “You’re only safe if you patch ASAP.”
He won praise on Sunday from the head of Europol’s European Cyber Crime Centre, Steven Wilson, who said “he made a significant step in slowing the advance of this malware”.
In Scotland, where 11 health boards and the ambulance service were hit, justice secretary Michael Matheson said more than 120 public bodies were being contacted to ensure their defences were adequate. He said NHS systems in Scotland were expected to be recovered by Monday and reassured patients with appointments they should attend as planned.
It emerged over the weekend that NHS Digital last month emailed 10,000 individuals in NHS organisations warning them to protect themselves against the specific threat of ransomware and included a software patch to block such hacks on the majority of systems. However, it would not work with outdated Windows XP systems that still run on about 5% of NHS devices.
NHS Digital said it did not yet know how many organisations installed the update and this would be revealed in a later analysis of the incident.
The hack sparked a bitter political row, with Labour blaming the Conservatives for cutting funding for NHS infrastructure.
The shadow health secretary, Jon Ashworth, on Sunday demanded the publication of the Department of Health’s “risk register” to show how seriously the government had taken a potential cyber-attack.
“If the Conservative prime minister thinks they were taking it seriously, then she shouldn’t have any problem in publishing that register,” he said.
He accused the government of “huge investment cuts in the infrastructure of the NHS” and said £1bn had been taken out in the last year.
He said “a big priority” of Labour’s promise to spend an extra £10bn on NHS infrastructure would “go to investing in cyber security and upgrading our IT”.
On Saturday, the Liberal Democrat home affairs spokesman, Brian Paddick, said: “A combination of warnings and plain common sense should have told ministers that there is a growing and dangerous threat to our cyber security.”
Amber Rudd, the home secretary, who is leading the response to the attack, said the same day: “I don’t think it’s to do with … preparedness. There’s always more we can all do to make sure we’re secure against viruses, but I think there have already been good preparations in place by the NHS to make sure they were ready for this sort of attack.”