Dozens of countries battle after-effects of 'unprecedented' ransomware hack

Doug Stanglin, and Elizabeth Weise
An electronic display calls on travelers to watch the analogue timetable at the main railway station in Frankfurt am Main, western Germany, on May 13, 2017.
A fast-moving wave of cyberattacks swept the globe, apparently exploiting a flaw exposed in documents leaked from the U.S. National Security Agency.

Britain's National Cyber Centre says it is "working round the clock" to counter a fast-moving, global ransomware attack that crippled the National Health Service and hit as many as 74 countries.

The cyberattack, which apparently exploited a flaw exposed in documents leaked from the U.S. National Security Agency, also struck systems — from transport facilities to universities — in Ukraine, Spain, Italy and India. Even Russia's interior ministry said it was hit.

"We have never seen such a fast spreading, well-coordinated attack with as many victims,” said Csaba Krasznay, director of the Cyber Security Academy at Hungary’s National University of Public Service and a product manager at the security company Balabit.

The European Cybercrime Centre, set up four years ago by Europol, the European Union's police agency, said the attack was at an "unprecedented level" and will require a "complex international investigation" to identify the culprits.

How a 22-year-old inadvertently stopped a worldwide cyberattack

The attack appears to have been unintentionally stopped by a 22-year-old computer security worker in England who began studying it Friday afternoon. He registered an internet address the ransomware used to check that it wasn't being observed, thereby tricking it into stopping its spread.

When he double-checked to make sure it had worked, by allowing it to ransomware a dummy computer system, he was thrilled.

"You probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me," the as-yet-unnamed computer scientist, who goes by MalwareTech online, wrote on his blog about the events.

While USA TODAY could not immediately reach the researcher, the United Kingdom's National Cyber Security Centre posted his blog on its site, indicating that officials believe he was in fact the person who stopped the attack.

Read more:

Massive, fast-moving cyberattack hits as many as 74 countries

How to protect yourself against ransomware

Think cyberthreats are bad now? They'll get worse in 2017 with 'spear phishing,' etc.

The attack hit almost 20% of the United Kingdom's 248 public health trusts. By Saturday all but six were back to normal, the Associated Press reported.

British Home Secretary Amber Rudd told the BBC that 45 NHS organizations in England and Scotland were disrupted, but there was no evidence patient data was compromised.

East and North Hertfordshire NHS Trust, which runs four hospitals north of London, postponed all non-urgent work and asked people not to come to the accident and emergency unit. Doctors at some surgeries were forced to use pen and paper to record patient details following the attack.

“We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services," Britain's National Cyber Centre said in a statement.

It said it was “working round the clock with UK and international partners and with private sector experts to lead the response to these cyber attacks."

At its core, the attack is an extortion scheme aimed at forcing hospitals and other organizations to pay a ransom to avoid having their data deleted. Infected computers showed a screen giving the user three days to pay up. After that, the price would be doubled. After seven days the files would be deleted, it threatened.

The hackers behind the ransomware attack, who have not been identified, demanded $300 worth of the online currency Bitcoin per computer to release files from encryption. In Spain, the largest telecommunications company would need to pay close to $550,000 to unlock all the encrypted computers hit on its network.

The attack seems to have first appeared around 2 a.m. ET Friday in Europe, said Kurt Baumgartner, a principal security researcher with Kaspersky Lab in Moscow. Kaspersky reported Friday it recorded more than 45,000 attacks of the so-called "WannaCry" ransomware in 74 countries around the world, with most of the incursions occurring in Russia.

"It's very well-written code and there is no easy way to crack the encrypted files once they're infected," Baumgartner said.

Avast, a Czech security software company headquartered in Prague, recorded over 50,000 attacks globally as of Friday afternoon.

Patch available

The ransomware took advantage of a flaw in the code for the Microsoft Windows operating system, which Microsoft corrected and issued a patch for on March 14. However, many computers running Windows had not been patched and so were still vulnerable.

On Saturday, Microsoft took the "highly unusual step" of also issuing a patch for Windows XP, even though it ceased supporting that operating system more than three years ago. It posted information on how to patch all previous version of Windows late Friday.

The breadth of the attack indicates the software may have spread around the globe possibly for weeks but then lay dormant when first introduced into a network, said Sean Dillon, a senior security analyst with RiskSense Inc.

“Then the kill switch was pulled and everything went live. You can’t just infect that many computers in a single day,” Dillon said.

The ransomware is believed to be linked to an exploit, computer code that takes advantage of a vulnerability, known to have been used by the Equation Group, which many in the security world believe is connected to the NSA.

That exploit was one of many hacking tools stolen from the NSA and published online by a group that called itself the Shadow Brokers on April 14, according to Avast Software. Shadow Brokers has been leaking pieces of more than a gigabyte worth of older NSA software weapons since August.

Although the culprit has not yet been identified, Kasperksy's Baumgartner said although the ransomware was able to offer "how to pay" documents in dozens of languages, the only language whose writing was perfect was Russian, with the others showing distinct signs that a non-native speaker had written them. "The English is very good, but there are a couple of quirks that would lead me to believe it wasn't written by a native English speaker," he said.

Any network with a web server online that was running an unpatched Windows 10 machine would be vulnerable, and Dillon estimates there may be as many as 2 million such machines out there.

“Once they’re on those machines, they’re past the firewalls, and from there they can just spread the infection,” he said.