Massive ransomware cyber-attack hits 74 countries around the world
More than 45,000 attacks recorded in countries including the UK, Russia, India and China may have originated with theft of ‘cyber weapons’ from the NSA
By Julia Carrie Wongand Olivia Solonin San Francisco
May 12 2017
A ransomware cyber-attack that may have originated from the theft of “cyber weapons” linked to the US government has hobbled hospitals in England and spread to countries across the world.
Security researchers with Kasperksy Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefonica were infected.
By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.
Markus Jakobsson, chief scientist with security firm Agari, said that the attack was “scattershot” rather than targeted.
“It’s a very broad spread,” Jakobsson said, noting that the ransom demand is “relatively small”.
“This is not an attack that was meant for large institutions. It was meant for anyone who got it.”
The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA). At the time, there was skepticism about whether the group was exaggerating the scale of its hack.
On Twitter, whistleblower Edward Snowden blamed the NSA.
“If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” he said.
“It’s very easy for someone to say that, but the reality is the US government isn’t the only one that has a stockpile of exploits they are leveraging to protect the nation,” said Jay Kaplan, CEO of Synack, who formerly worked at the NSA.
“It’s this constant tug of war. Do you let intelligence agencies continue to take advantage of vulnerabilities to fight terrorists or do you give it to the vendors and fix them?”
The NSA is among many government agencies around the world to collect cyber weapons and vulnerabilities in popular operating systems and software so they can use them to carry out intelligence gathering or engage in cyberwarfare. The agency did not immediately respond to a request for comment.
Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack was caused by a bug called “WanaCrypt0r 2.0” or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
“This was eminently predictable in lots of ways,” said Ryan Kalember from cybersecurity firm Proofpoint. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”
The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.
“Attacks with language support show a progressive increase of the threat level,” Jakobsson said.