Europol confirmed Sunday that computer networks in more than 150
countries and more than 200,000 people had been affected by one of the biggest
cybersecurity attacks in recent history. “It is the biggest ransomware attack
ever,” Europol spokesman Jan Op Gen Oorth said.

The number of affected networks and individuals is likely to go up, he said,
because “many workers left their computer turned on last Friday and will
probably find out that they are also affected by the malware on Monday

the investigation is ongoing, Europol thinks the malware began to spread
Friday from Britain’s National Health Service. It then affected other networks
in countries including Germany, Spain, China, Russia and India. “It remains
unclear what the motivation was. Usually, ‘ransomware’ attacks are designed to
be revenue sources, but in this case the ransom was quite low,” Op Gen Oorth
said. According to Europol, only a few companies or individuals have so far opted
to pay the ransom of $300 or more, following law enforcement recommendations.

around the world faced potentially substantial costs after hackers threatened
to keep computers disabled unless victims paid a ransom to receive a decryption

The malware hit Britain’s beloved but creaky National Health Service
particularly hard, causing widespread disruptions and interrupting medical
procedures across hospitals in England and Scotland. The government said that 48
of the NHS’s 248 organizations were affected, but by Saturday evening
all but six were back to normal. When asked if the British government paid any
ransom in this situation, a Downing Street spokesman said Saturday that it had
not. Amber Rudd, Britain’s home secretary, also advised against others paying

people posted pictures on social media of scheduling screens at train stations
displaying the ransomware message. Deutsche Bahn, Germany’s national railway
service, tweeted that its train service had not been compromised and that it
was working full speed to solve the problems. According to DPA news agency,
Deutsche Bahn’s video surveillance technology also was hit.

targets in Europe included Telefónica, the Spanish telecom giant; the
French carmaker Renault; and a local authority in Sweden, which said about 70
computers were infected.

It is still unclear who was behind the sophisticated attack. “We’re not able to tell
you who is behind that attack. That work is still ongoing,” Rudd told the BBC.
She said that it has affected “up to 100 countries” and that it wasn’t
specifically targeted at Britain’s NHS.

The attack was notable because it took advantage of a security flaw in Microsoft
software found by the National Security Agency for its surveillance tool
kit. Files detailing the capability were leaked online last month, though after
Microsoft, alerted by the NSA to the vulnerability, had sent updates to
computers to patch the hole.

countless systems were left vulnerable, either because system administrators
failed to apply the patch or because they used outdated software. It was a
jarring reminder of a stubborn reality facing security experts: Companies and
other organizations collectively spent $73 billion on cybersecurity
measures in 2016, according to the research firm IDC. Yet systems around the
world were crippled by human error — failure to do routine software updates and
employees unknowingly clicking on email attachments that contained the malware.
“This was a completely preventable attack — to the extent that organizations
have comprehensive patching systems in place,” said Paul Lipman, chief
executive of the cybersecurity firm BullGuard. “However, life is never that
simple.” On Friday, Microsoft released additional security updates to
Windows and guidelines for consumers and businesses to protect themselves.

It is possible that the malware didn’t spread further because of the enterprising
work of a 22-year-old British cybersecurity researcher.

The researcher, whose Twitter handle is @MalwareTechBlog, realized the hackers had
designed a “kill switch,” which involved a domain name that enabled them to
stop the attack from spreading if the victims paid the ransoms. The researcher
bought the domain name of the kill switch, and when the site went live, the
attack stopped spreading.

The move didn’t help organizations that were already affected by the attack, but
experts said that it limited the spread of the virus. The researcher, however,
warned in a blog post that the hackers could alter the code and try

IT experts said it was no surprise that hospitals so easily fell victim to the
ransomware attack. Health systems have faced hundreds of ransomware attacks in
the past two years.

organizations in the United States are also subject to additional regulations,
which constrain their ability to do updates. Many updates require systems to go
dark for some period of time, and many hospitals are not allowed to put
critical systems out of use.

hospitals are particularly vulnerable. While wealthy hospitals have effectively
built cybersecurity war rooms over the past two years, some smaller hospitals
“don’t have enough budget to keep the lights on,” said Rubin. They often cannot
afford to back up data, perhaps the most critical tool in fighting

researchers were far more surprised that sophisticated telecommunications
firms, such as Spain’s Telefónica, were so vulnerable. “This just goes to show
that even the largest, most resource-rich enterprises can be brought low by
something as simple as a skipped patch,” said Lipman.

The malware, known as WanaCrypt0r 2.0, or WannaCry, also affected systems for FedEx,
major telecommunications firms, Brazil’s social security administration, and
many others around the world.

post, a Chinese online news outlet focusing on the Internet industry,
reported that a number of Chinese universities had been affected by the attack.

schools — including Nanchang University, Shandong University and University of
Electronic Science and Technology of China — issued alerts on their
Weibo social-media feeds, warning staff and students to back up important files
and not to open suspicious emails.

According to Chinese magazine Caijing, some students’ graduation theses and projects have
reportedly been encrypted.

hacking attacks were confirmed Saturday at the Health Ministry, the state-run
Russian Railways and the telecommunications company Megafon, along with the
Interior Ministry, which manages the police force. There were also reports that
the powerful Investigative Committee, which investigates high-level crime, and
several other telecommunications companies had been targeted.

The Interior Ministry said that 1,000 of its computers had been blocked by prompts
demanding payment. By Friday evening, the ministry said it had “contained” the
attack and denied that any of its information had been stolen.

Kroustek, a malware researcher with Avast, a security software company in the
Czech Republic, said in a blog post that Russia was the most-affected country
so far. “We are now seeing more than 75,000 detections of WanaCrypt0r 2.0 in 99
countries,” he wrote Friday night.

Lab, a Moscow-based Internet security firm, also said that the attacks were
mostly in Russia.

One reason Russia may have been hit so hard is the use of
outdated software by government agencies. “Russia has a very rickety,
out-of-date infrastructure, using not just outdated software but pirated
out-of-date software,” said Mark Galeotti, a senior researcher at the Institute
of International Relations Prague.

According to Galeotti, one Interior Ministry official in 2013 estimated that
40 percent of the ministry’s computers could be using pirated Windows
software, which is widely available in Russia for download or at local computer

In Brazil, the attack struck at the heart of the government — employee computers
at the Justice Ministry and Brazil’s social security administration were
infected. The local media also reported that the attack locked up computers in
the country’s labor courts and the public prosecutor’s office.

In Britain, which is in the middle of an election campaign, the cyberattack triggered
criticism of the NHS’s aging computer systems, particularly the use of
Windows XP, an outdated version of the Microsoft operating system that doesn’t
have the same level of defense against cyberattacks as newer operating systems.