Updated Sat. May 13 at 10:10 a.m. ET
Cyber security experts are still scrambling to contain a global ransomware attack that has infected tens of thousands of computers in nearly 100 countries, including the U.S., U.K., Russia, China, Ukraine, and India.
First, there were reports of Spain’s largest telecom being hit with pop-up windows demanding a $300 ransom, paid in the cryptocurrency bitcoin, to access files. Then, at least 16 hospitals in England’s National Health Service were affected, locking doctors and nurses out of patients’ records unless they paid up. Then came word that networks around the world were under attack Friday.
The attacks are being blamed on a piece of malware called WCry, WannaCry or Wana Decryptor, alleged to have been stolen from the National Security Agency, as the Bleeping Computer site reports. It was reportedly distributed by the Shadow Brokers, which claimed to have hacked an NSA-linked team of hackers last August. The Shadow Brokers group, which is suspected of having ties to Russia, posted Windows hacking tools last month.
“The problem is, once you break in, you make digital keys, you can’t really control who gets them,” tech reporter Aarti Shahani told Weekend Edition Saturday. “So this attack is raising one of these fundamental issues that we talk about in the security world, about whether NSA surveillance protects people or creates unexpected damage that does more harm than good.”
Edward Snowden, the former NSA contractor who leaked evidence of the agency’s data collection program in 2013, has spoken out on Twitter to criticize the NSA for building this “dangerous attack tool.” Yesterday he posted a New York Times article detailing the attack on the NHS in the UK, writing, “Today we see the cost.”
Victims of the attack are confronted with a pop-up window that tells them their files are now encrypted and that they need to send $300 in bitcoin to unlock them.
“You can decrypt some of your files for free,” reads the message, which we’re seeing in a variety of languages. “But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled.”
The window includes a countdown clock that threatens the files will be lost permanently in seven days.
Wana Decryptor exploits a Windows flaw that was patched in Microsoft’s Security Bulletin MS17-010 in March. But on machines that haven’t been updated or patched, the malicious code encrypts all of an infected machine’s files — and then spreads itself.
“The fact that so many organizations were vulnerable to this was quite a surprise,” cyber expert and CEO of Capital Alpha Security in the U.K. Matt Tait told NPR. “This patch came out three months ago,” he adds.
“Infection of a single computer can end up compromising the entire corporate network,” Spain’s National Cryptologic Center says.
The malware is both powerful and insidious, computer security expert Craig Williams of CISCO Talos tells Aarti: “You could just walk up to your computer and it’s infected, even if you didn’t even touch it. You don’t have to be there. All that has to happen is your computer is on and on the network.”
“Activity from this ransomware family was almost inexistent prior to today’s sudden explosion when the number of victims skyrocketed in a few hours,” Bleeping Computer’s Catalin Cimpanu writes.
In the U.S., the Computer Emergency Readiness Team, or CERT, says it has “received multiple reports of ransomware infections in several countries around the world.” The agency did not identify those countries.
The Department of Homeland Security says it’s coordinating with “international cyber partners” in the wake of the widespread attacks. When asked to confirm that Wana Decryptor has struck in the U.S., and at what scale, Acting Deputy Press Secretary Scott McConnell did not provide specifics.
“We routinely provide cybersecurity assistance upon request, including technical analysis and support,” McConnell says. “Information shared with DHS as part of these efforts, including whether a request has been made, is confidential.”
Commenting on Friday’s attack, Sen. Ben Sasse, a member of the Senate Armed Services Committee, says:
“This is big: around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people’s data is potentially exposed. Cybersecurity isn’t a hypothetical problem – today shows it can be life or death. We’ll likely look back at this as a watershed moment.”
England’s NHS says at least 16 of its organizations were hit by the ransomware. In a statement released around 11:30 a.m. ET, Friday, the system’s digital office said, “This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors.”
The attack also hit facilities in Scotland, where Health Secretary Shona Robison says officials are “taking immediate steps to minimize the impact of the attack across NHS Scotland and restrict any disruption.”
“The investigation is at an early stage, but we believe the malware variant is Wanna Decryptor,” the NHS says, referring to software that is being blamed for a number of ransom attacks in Europe Friday.
“At this stage we do not have any evidence that patient data has been accessed,” the system says.
An IT worker at the public health care system tells The Guardian newspaper that it’s the biggest problem they’ve seen in their six years working for the service.
The problem erupted around 12:30 p.m. local time, the IT worker says, with a number of email servers crashing. Other services soon went down, and then, the unidentified NHS worker says, a “bitcoin virus pop-up message” started taking over computer screens.
The U.K.’s National Cyber Security Center says it’s working with both the digital office of the NHS and law enforcement.
Images that were posted online of the NHS pop-up look nearly identical to pop-up ransomware windows that hit Spain’s Telefonica, a powerful attack that forced the large telecom to order employees to disconnect their computers from its network and to resort to an intercom system to relay messages, according to Bleeping Computer.
In an update after midnight local time, Russia’s Interior Ministry acknowledged to state-run Tass media that its computers had also been hit.
“As of now the virus has been localized,” ministry spokeswoman Irina Volk told TASS. “There have been no inside information leaks from the Russian Interior Ministry’s information resources.”