World reels from massive cyberattack that hit nearly 100 countries

by Jethro Mullen, Samuel Burke and Selena Larson @CNNMoney

Organizations around the world were digging out Saturday from what experts are calling one of the biggest cyberattacks ever.
Hospitals, major companies and government offices were hit by a virus that seeks to seize control of computers until the victims pay a ransom.
Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday, making it one of the broadest and most damaging cyberattacks in history.
Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like FedEx (FDX) also reported they had come under assault.
Security experts said the spread of the ransomware had been stopped late Friday. But it remained unclear how many organizations had already lost control of their data to the malicious software — and researchers warned that copycat attacks could follow.
Europol said Saturday that the attack was of an “unprecedented level and requires international investigation.” And the U.K. government called an emergency meeting over the crisis.
U.S. Treasury Secretary Steven Mnuchin, at a meeting of world leaders in Italy, said the attack was a reminder of the importance of cybersecurity. “It’s a big priority of mine that we protect the financial infrastructure,” he said.
The ransomware, called WannaCry, locks down all the files on an infected computer and asks the computer’s administrator to pay in order to regain control of them. The exploit was leaked last month as part of a trove of NSA spy tools.
The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft (MSFT, Tech30) released a security patch for in March. But computers and networks that hadn’t updated their systems were still at risk.
In the wake of the attack, Microsoft said it had taken the “highly unusual step” of releasing a patch for computers running older operating systems including Windows XP, Windows 8 and Windows Server 2003.
But the patches won’t do any good for machines that have already been hit.
“Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”
Experts told CNNTech that an unidentified cyber security researcher accidentally stopped the spread of WannaCry by registering a domain name contained in the ransomware’s code.
The researcher, who uses the Twitter handle @malwaretechblog, told CNNTech they registered the domain name in order to study the virus, but it turned out the ransomware needed it to remain unregistered to keep spreading.
However, a hacker could change the code to remove the domain name and try the ransomware attack again.
And WannaCry has already caused massive disruption around the globe.
Sixteen National Health Service organizations in the UK were hit, and some of those hospitals canceled outpatient appointments and told people to avoid emergency departments if possible. The NHS said in a statement on Saturday that there was no evidence that patient information had been compromised.
In China, the internet security company Qihoo360 issued a “red alert” saying that a large number of colleges and students in the country had been affected by the ransomware, which is also referred to as WannaCrypt. State media reported that digital payment systems at PetroChina gas stations were offline, forcing customers to pay cash.
“Global internet security has reached a moment of emergency,” Qihoo360 warned.
Major global companies said they also came under attack.
FedEx said Friday it was “experiencing interference with some of our Windows-based systems caused by malware” and was trying to fix the problems as quickly as possible. Two big telecom companies, Telefónica (TEF) of Spain and Megafon of Russia, were also hit.
“This is turning into the biggest cybersecurity incident I’ve ever seen,” U.K.-based security architect Kevin Beaumont said.
Russia’s Interior Ministry released a statement Friday acknowledging a ransomware attack on its computers, adding that less than 1% of computers were affected, and that the virus was now “localized” and being destroyed.
The U.S. Department of Homeland Security, in a statement late Friday, encouraged people to update their operating systems. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally,” the department said.
According to Matthew Hickey, founder of the security firm Hacker House, the attack is not surprising, and it shows many organizations do not apply updates in a timely fashion.
When CNNTech first reported the Microsoft vulnerabilities leaked in April, Hickey said they were the “most damaging” he’d seen in several years, and warned that businesses would be most at risk.
Consumers who have up-to-date software are protected from this ransomware.
It’s not the first time hackers have used the leaked NSA tools to infect computers. Soon after the leak, hackers infected thousands of vulnerable machines with a backdoor called DOUBLEPULSAR.
— Donna Borak, Samuel Burke, Mariano Castillo, Jessica King, Yuli Yang, Steven Jiang, Clare Sebastian and Livvy Doherty contributed to this report.
CNNMoney (Hong Kong)
First published May 13, 2017: 9:57 AM ET

Comment (1)

  • sprhd| May 14, 2017

    Repercussions Continue From Global Ransomware Attack

    May 14, 2017 1:14 PM ET

    The ransomware attack unleashed on Friday has affected more than 100,000 organizations in 150 countries, according to Europe’s law enforcement agency Europol on Sunday.

    The malware, which locks files and asks for payment to unlock them, hit businesses and institutions across the world, including shipper FedEx, train systems in Germany, a Spanish telecommunications company, universities in Asia and Russia’s interior ministry, and forced hospitals in Britain to turn away patients.

    More than 200,000 people around the world have been affected by the malware, Jake Cigainero reports for NPR’s Newscast.

    “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” Europol said in a statement.

    As employees return to work on Monday and turn on their computers, the number of infections could rise, the agency said.

    The malware, which has been called multiple names including WannaCry, Wanna Decryptor or WannaCrypt, creates a pop-up window informing users that their files are encrypted and are no longer accessible — without a payment. Screenshots of the malware show an initial request for $300 to be paid in bitcoin, with a timer that says the ransom amount will rise if it’s not paid within a certain time frame, and files will be lost after that.

    The hacker’s total take from the global outbreak, however, appears to be much smaller than anticipated. Security researcher Brian Krebs wrote that as of Saturday, evidence showed about $26,000 in payments to the bitcoin accounts associated with the malware. “One of the nice things about Bitcoin is that anyone can view all of the historic transactions tied to a given Bitcoin payment address. As a result, it’s possible to tell how much the criminals at the helm of this crimeware spree have made so far and how many victims have paid the ransom,” Krebs writes.

    “A review of the three payment addresses hardcoded into the Wana ransomware strain indicates that these accounts to date have received 100 payments totaling slightly more than 15 Bitcoins — or approximately $26,148 at the current Bitcoin-to-dollars exchange rate.”

    A “sinkhole” that saves

    A young security researcher in the U.K., identified only as MalwareTech, has claimed credit for stemming the initial outbreak.

    The researcher wrote a blog post detailing the creation of a new domain as a “sinkhole” for the ransomware. The malware attempts “to connect to the domain we registered and if the connection is not successful it ransoms the system, if it is successful the malware exits,” MalwareTech wrote.

    The researcher added:

    “[B]ecause WannaCrypt used a single hardcoded domain, my registartion [sic] of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.
    “One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly importiant [sic] that any unpatched systems are patched as quickly as possible.”
    MalwareTech @MalwareTechBlog
    Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.
    1:24 AM – 14 May 2017
    The ransomware exploited a security flaw in Microsoft’s Windows operating system. Microsoft released a patch back in March, but many users and organizations had not updated their systems with the fix.

    That prediction seemed to be borne out Sunday. Cybersecurity researcher Darien Huss, whom MalwareTech credited with assisting in stopping the first outbreak, tweeted Sunday morning that a new outbreak could be oncoming, as likely copycats released an updated version of the ransomware, without the previously used “kill switch.”

    Darien Huss @darienhuss
    This could be bad, new #WannaCry #ransomware with new kill switch domain, I bet someone other than original actors did this and released
    8:49 AM – 14 May 2017
    Worldwide lockout

    Any halting of the initial spread, however, does not help with computers already infected.

    Students at universities in China were locked out of their work, including dissertations and thesis papers, according to Chinese media and reported by The Associated Press.

    In Germany, train operator Deutsche Bahn wrote on Twitter that signboards in stations were affected, though no train operations were affected. French automaker Renault had to temporarily shut down manufacturing at plants in northern France and Romania, Reuters reported. Others affected, according to Reuters, include:

    Hundreds of computers at a hospital in Jakarta, Indonesia
    telecommunications companies in Spain, Portugal and Argentina
    signs at malls in Singapore
    hundreds of hospitals in the U.K.’s National Health Service

    U.K. politicians are harnessing the attacks to criticize the U.K.’s Conservative Party of Prime Minister Theresa May, which made cuts to the NHS system, Willem Marx reports for NPR’s Newscast unit. The cuts made NHS computer systems “outdated and vulnerable” to attack, critics say.

    “Defence Minister Michael Fallon told the BBC that British authorities are spending more than $60 million on safeguarding computer systems,” at the NHS, Marx adds. “Mr. Fallon said the government had already identified cyberattacks as one of the three greatest threats to Britain’s security, and had pledged almost 2 and a half billion dollars to protect IT infrastructure.”

    Ransomware is big business

    Ransomware works by hijacking a person’s files and threatening to delete them without payment. The latest outbreak seems to be the biggest by far, though security experts have been warning about the risks of ransomware, especially to businesses, for some time.

    A report by IBM in December found 40 percent of spam emails contained ransomware attachments last year, up from less than 1 percent the previous year. The technology has been “increasingly rampant since 2014,” the study says, though the concept goes back to 1989, “when PC-locking malcode was snail-mailed to victims on floppy disks.” The average ransom request is $500, IBM found.

    The FBI said victims incurred costs of $209 million in the first three months of 2009, Reuters reported. The U.S. government says more than 4,000 ransomware attacks happen every day.

    The government recommends reporting ransomware immediately to the FBI or the U.S. Secret Service, and advises against paying ransoms, saying that payment is no guarantee of recovering data, and that it only encourages further attacks.

    The IBM study found, however, that seven in 10 victims end up paying to get their data back. The FBI says the typical ransom runs between $200 and $10,000. Of the victims surveyed by IBM, more than half paid more than $10,000 in ransom.

    The government recommends strong prevention measures as the best defense against ransomware attacks, including: strong spam filters, making sure software is patched and up to date, using anti-virus software, and regularly backing up data.
