LONDON/MADRID (Reuters) – A global cyber attack leveraging hacking
tools believed to have been developed by the U.S. National Security
Agency has infected tens of thousands of computers in nearly 100
countries, disrupting Britain’s health system and global shipper FedEx.
Cyber extortionists tricked victims into opening malicious
attachments to spam emails that appeared to contain invoices, job
offers, security warnings and other legitimate files.
The ransomware encrypted data on the computers, demanding payments of
$300 to $600 to restore access. Security researchers said they observed
some victims paying via the digital currency bitcoin, though they did
not know what percent had given in to the extortionists.
Researchers with security software maker Avast said they had observed
57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the
top targets.
Asian countries reported no major breaches on Saturday, but officials
in the region were scrambling to check and the full extent of the
damage may not be known for some time.
China’s official Xinhua news agency said some secondary schools and
universities had been affected, without specifying how many or
identifying them.
The most disruptive attacks were reported in Britain, where
hospitals and clinics were forced to turn away patients after losing
access to computers on Friday.
International shipper FedEx Corp said some of its Windows computers
were also infected. “We are implementing remediation steps as quickly as
possible,” it said in a statement.
FROM ARGENTINA TO SPAIN
Only a small number of U.S.-headquartered organizations were hit
because the hackers appear to have begun the campaign by targeting
organizations in Europe, said Vikram Thakur, research manager with
security software maker Symantec.
By the time they turned their attention to the United States, spam
filters had identified the new threat and flagged the ransomware-laden
emails as malicious, Thakur added.
Infections of the worm appeared to have fallen off significantly
after a security researcher bought a domain that the malware was
connecting to, by chance undermining the malware’s effectiveness.
Making the domain active appears to have stunted the spread of the worm, Thakur said on Saturday.
“The numbers are extremely low and coming down fast,” he said, while
cautioning that any change in the original code could lead the worm to
flare up again.
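The mechanism behind the slowdown described above, as an added example that is not code from the article, the researcher or the malware: it assumes (the page only reports the effect) that the worm checked a hard-coded domain and kept spreading only while that domain did not resolve, so that registering the domain halted every copy of the original code while leaving a variant with a changed domain untouched. The domain names, the toy outbreak model and the DNS log lines are all constructed for the example.

```python
"""Model of the accidental kill switch the article describes.

Added example, not code from the article, the researcher or the malware.
Assumption: the worm kept spreading only while a hard-coded domain did not
resolve. Domain names and log lines are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed placeholder names; the real domain is deliberately not reproduced.
ORIGINAL_DOMAIN = "original-checkin.example"
VARIANT_DOMAIN = "variant-checkin.example"


@dataclass
class FakeResolver:
    """Stand-in for DNS so the example runs offline: the set of names that resolve."""
    registered: set = field(default_factory=set)

    def resolves(self, name: str) -> bool:
        return name in self.registered

    def register(self, name: str) -> None:
        """The researcher's step: buying the domain makes it resolve."""
        self.registered.add(name)


def worm_should_run(check_domain: str, resolver: FakeResolver) -> bool:
    """Assumed kill-switch logic: proceed only while the check domain is dark."""
    return not resolver.resolves(check_domain)


def simulate_spread(check_domain: str, resolver: FakeResolver,
                    hosts: int = 1000, rounds: int = 10) -> int:
    """Toy outbreak: one seed infection; every active copy hits one new host per
    round, re-running the kill-switch check first. Returns infected hosts."""
    infected = 1
    for _ in range(rounds):
        if not worm_should_run(check_domain, resolver):
            break          # every copy exits at its next check; no new infections
        infected = min(hosts, infected * 2)
    return infected


def compare_outcomes() -> tuple:
    """Before the domain was bought, after, and for a variant with a changed domain."""
    dns = FakeResolver()
    before = simulate_spread(ORIGINAL_DOMAIN, dns)   # domain dark: full spread
    dns.register(ORIGINAL_DOMAIN)                    # sinkhole goes live
    after = simulate_spread(ORIGINAL_DOMAIN, dns)    # original code: stops at the seed
    variant = simulate_spread(VARIANT_DOMAIN, dns)   # changed domain: unaffected
    return before, after, variant


# Defender side: even once the domain answers, a lookup of it from an internal
# host is still evidence that the worm ran there. Constructed DNS log lines:
SAMPLE_DNS_LOG = """\
2017-05-13T09:12:01Z 10.0.4.17 query A original-checkin.example
2017-05-13T09:12:03Z 10.0.4.17 query A updates.example.net
2017-05-13T09:13:44Z 10.0.9.2 query A original-checkin.example
2017-05-13T09:14:10Z 10.0.4.17 query A original-checkin.example
"""


def hosts_querying(log_text: str, domain: str) -> list:
    """Return the distinct client IPs that looked up `domain`, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4] == domain and parts[1] not in seen:
            seen.append(parts[1])
    return seen


if __name__ == "__main__":
    print(compare_outcomes())                               # (1000, 1, 1000)
    print(hosts_querying(SAMPLE_DNS_LOG, ORIGINAL_DOMAIN))  # ['10.0.4.17', '10.0.9.2']
```

The third value from `compare_outcomes()` is the caveat Thakur raises: a copy of the code with a different check domain spreads exactly as the original did before the domain was bought. The log check is the defender's follow-up: once the domain is live, any internal host still querying it has already run the worm and should be isolated and patched rather than treated as protected.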
The U.S. Department of Homeland Security said late on Friday it was
aware of reports of the ransomware, was sharing information with
domestic and foreign partners and was ready to lend technical support.
Telecommunications company Telefonica was among many targets in
Spain, though it said the attack was limited to some computers on an
internal network and had not affected clients or services. Portugal
Telecom and Telefonica Argentina both said they were also targeted.
Private security firms identified the ransomware as a new variant of
“WannaCry” that had the ability to automatically spread across large
networks by exploiting a known bug in Microsoft’s Windows operating
system.
The hackers, who have not come forward to claim responsibility or
otherwise been identified, likely made it a “worm”, or self-spreading
malware, by exploiting a piece of NSA code known as “Eternal Blue” that
was released last month by a group known as the Shadow Brokers,
researchers with several private cyber security firms said.
“This is one of the largest global ransomware attacks the cyber
community has ever seen,” said Rich Barger, director of threat research
with Splunk, one of the firms that linked WannaCry to the NSA.
The Shadow Brokers released Eternal Blue as part of a trove of
hacking tools that they said belonged to the U.S. spy agency.
Microsoft said it was pushing out automatic Windows updates to defend
clients from WannaCry. It issued a patch on March 14 to protect them
from Eternal Blue.
“Today our engineers added detection and protection against new
malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in
a statement on Friday, adding it was working with customers to provide
additional assistance.
SENSITIVE TIMING
The spread of the ransomware capped a week of cyber turmoil in Europe
that began the previous week when hackers posted a trove of campaign
documents tied to French candidate Emmanuel Macron just before a run-off
vote in which he was elected president of France.
On Wednesday, hackers disrupted the websites of several French media
companies and aerospace giant Airbus. The ransomware attack also came four weeks
before a British general election in which national security and the
management of the state-run National Health Service (NHS) are important
issues.
Authorities in Britain have been braced for cyber attacks in the
run-up to the vote, as happened during last year’s U.S. election and on
the eve of the French vote.
But those attacks – blamed on Russia, which has repeatedly denied
them – followed a different modus operandi involving penetrating the
accounts of individuals and political organizations and then releasing
hacked material online.
On Friday, Russia’s interior and emergencies ministries, as well as
its biggest bank, Sberbank, said they were targeted. The interior
ministry said on its website that about 1,000 computers had been
infected but it had localized the virus.
The emergencies ministry told Russian news agencies it had repelled
the cyber attacks while Sberbank said its cyber security systems had
prevented viruses from entering its systems.
NEW BREED OF RANSOMWARE
Although cyber extortion cases have been rising for several years,
they have to date affected small-to-mid-sized organizations, disrupting
services provided by hospitals, police departments, public transport
systems and utilities in the United States and Europe.
“Seeing a large telco like Telefonica get hit is going to get
everybody worried. Now ransomware is affecting larger companies with
more sophisticated security operations,” said Chris Wysopal, chief
technology officer with cyber security firm Veracode.
The news is also likely to embolden extortionists when selecting
targets, Chris Camacho, chief strategy officer with cyber intelligence
firm Flashpoint, said.
In Spain, some big firms took pre-emptive steps to thwart ransomware
attacks following a warning from the National Cryptology Center of “a
massive ransomware attack”.
Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked
staff to turn off computers or cut off internet access in case they had
been compromised, representatives from the firms said.
The attacks did not disrupt the provision of services or the network
operations of the victims, the Spanish government said in a statement.