Malicious software that blocks access to computers is spreading swiftly across the world, snarling critical systems in hospitals, telecommunications and corporate offices, apparently with the help of a software vulnerability originally discovered by the National Security Agency.
The reports of the malware spread began in Britain, where the National Health Service (NHS) reported serious problems throughout Friday. But government officials and cybersecurity experts later described a far more extensive problem growing across the Internet and unbounded by national borders. Europe and Latin America were especially hard hit.
“This is not targeted at the NHS,” British Prime Minister Theresa May told reporters. “It’s an international attack, and a number of countries and organizations have been affected.”
Cyber experts said the malicious software works by exploiting a flaw in Microsoft software that was described in NSA documents stolen from the agency and leaked publicly by a criminal group called Shadow Brokers.
Microsoft released a patch fixing the flaw in March, but it was apparently applied inconsistently, with many computers continuing to be unprotected. The malicious software — called “ransomware” because it encrypts systems and threatens to destroy data if a ransom is not paid — is spreading among computers that have not been patched, experts said.
So-called “phishing” attacks are delivering the malicious software by tricking email recipients into opening misleading links that take over computers. Such attacks have become increasingly common in recent years, mainly because they are simple to execute and lucrative for attackers.
But the speed and scale of the spread of the malicious software startled experts.
“It’s one of the first times we’ve seen a large international global campaign,” said Chris Camacho, chief strategy officer for Flashpoint, a cyber-intelligence company.
This ransomware program has hit companies including FedEx and the Spanish telecommunications giant Telefonica.
“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers,” FedEx said in a statement Friday.
The program is called Wanna Decrypt0R 2.0 and appears to support 28 different languages, indicating its potential worldwide reach. A shorthand for the ransomware’s name, “#wannacry,” began trending on Twitter on Friday.
The ransomware locks computers and then launches a ransom note in a text file, according to researchers at the Avast security software company in the Czech Republic.
The note says that “you need to pay service fees for the decryption” and asks for $300 worth of Bitcoin to be sent electronically to an address.
It was not clear who would receive the funds, nor the group or individual behind the attack.
A sum of $300 is a fairly low ransom compared with some previous attacks, such as the one last June at the University of Calgary, which agreed to pay nearly $16,000 in bitcoin currency to an unknown group of hackers.
The WannaCry ransom note also says, dryly: “Don’t worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.”
Though the exploit used by the ransomware attack relies on a computer flaw discovered by the NSA, some experts said responsibility for the wide spread of Friday’s problems lies with the failure of many institutions to keep their computers updated.
In a statement Friday, Microsoft said: “Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows Update enabled, are protected. We are working with customers to provide additional assistance.”
The BBC broadcast a screen shot of a message apparently sent to National Health Service medical facilities demanding payments for unlocking computer files that had been “encrypted” by the attack.
Officials made no public comment on the possible source of the hack, which touched off havoc and confusion across the state-run health system. Operations were canceled, emergency room services were scaled down, and medical personnel went back to using handwritten notes.
Health officials offered no indication of when services might return to normal, or whether patient records could be permanently lost to the attack.
“The most exploitable industry in the world is the health-care sector,” said Tom Kellerman, chief executive of Strategic Cyber Ventures. He said the industry is chronically hobbled by regulation and insufficient investment in computer security.
A statement from NHS Digital — the computer services arm of the health service — said at least 16 hospitals or doctor’s offices were directly affected by the attack. Officials later acknowledged the number was rising, though they did not give a precise figure.
Other health-care centers, meanwhile, turned off their computers to avoid potential infiltration. NHS Digital said it did “not have any evidence that patient data has been accessed.”
There also was no immediate evidence to suggest disruptions to medical procedures that use high-tech tools. But the basic business of hospitals was being thrown into turmoil.
The style of attack that appeared to be on display Friday has become increasingly common in recent years, said Cornell University computer science professor Emin Gun Sirer. The attackers typically demand payment be made in bitcoins because “there are no take-backs. Once a transfer has been made, it’s final.”
Sirer said ransomware has become a lucrative business for criminal syndicates that can make millions of dollars a day from such attacks. Once a victim has been successfully attacked, their choices are limited.
“Undoing the hack is going to be just about impossible,” he said. “The only options are to wipe the machines and move on or to pay the ransom.”
Nigel Inkster, former director of operations and intelligence for MI6, told Sky News that one of the reasons the NHS in particular was vulnerable was its outdated software system. “A lot of hospital trusts in the U.K. — 40-plus last time I checked — are running their systems on Windows XP software, which hasn’t been supported by Microsoft for two or three years,” he said. “In other words, Microsoft is no longer looking for and seeking to repair vulnerabilities in the system.”
Attacks on health-care systems can also be especially high-stakes, creating potential life-or-death situations and raising the chances that the victim will ultimately pay.
Signs hung on the door at the emergency ward at the Royal London Hospital Friday afternoon read: “The emergency department has no IT facilities.”
Across England on Friday, as well as at a handful of facilities in Scotland, internal tech systems were down in hospitals ranging from the center of London to rural parts of the country’s south and north.
The attack affected emergency services in some locations, and patients were urged to avoid visits to the emergency room unless absolutely necessary.
NHS Digital said it would be working with Britain’s National Cyber Security Center in efforts to resolve the outage. It soon became clear that the assault extended far beyond Britain’s health service.
“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital said in its statement without giving details.
The attack came as Spain’s National Cryptologic Center announced a “massive ransomware attack” against Spanish companies. The statement said the attackers were demanding a ransom payment in bitcoins.
The attack in Britain had immediate impacts in hospitals across the country.
Richard Harvey, 50, was just about to undergo surgery Friday afternoon on his leg following a motorcycle accident when a nurse told him that the procedure had been canceled due to a cyberattack.
“I’m a bit of a nervous person and had to get settled about the operation, which I was. Now I had to go through that again,” said Harvey, a former hospital porter who had been fasting since the previous evening in preparation for the operation at Royal London Hospital in east London. “A cyberattack? That doesn’t happen every day.”
Stephen Hirst, a doctor in the northern English town of Preston, told the BBC that the first sign of the infiltration was an error message warning that “we’d have to pay money to unlock the computer because it’s been encrypted.
“It’s compromising having to open files and complete prescriptions. It’s interfering with day-to-day functioning,” Hirst said.
Doctors were using pen and paper as the National Health Service struggled to get computers back online. Routine appointments were being canceled.
The BBC reported that a list of affected locations included London, Blackburn, Nottingham, Cumbria and Hertfordshire.
Cybersecurity has been high on the agenda of many high-level gatherings of Western military and political leaders.
A report issued Wednesday by the European Commission called for greater attention to cyberthreats as the world becomes “more vulnerable to cyberattacks, with security breaches causing significant damage.” It said the commission plans a full review of European Union cybersecurity measures by September.
Witte and Adam reported from London.