SAN FRANCISCO — A new strain of ransomware raced across 150 countries Friday, wreaking havoc at the National Health Service (NHS) in the UK, hobbling one of Spain’s largest telecom companies, and shutting down Russia’s Internal Affairs Ministry in an attack that cybersecurity experts say is only gaining in momentum.
Ransomware is a type of malware that installs itself on a device, such as a computer or smartphone, and then holds the device hostage until a ransom is paid. This particular strain, WannaCry, exploits a vulnerability in Windows that many systems have not yet patched.
WannaCry has so far infected 100,000 organizations in at least 150 countries, according to cybersecurity companies who are observing its spread across the globe. Among the countries infected are the US, China, Russia, Spain, and the UK.
EU law enforcement agency Europol said it was supporting countries dealing with the cyberattack. "WannaCry Ransomware attack at unprecedented level and requires international investigation," the agency tweeted.
On Sunday, Europol spokesperson Jan Op Gen Oorth said the attack had hit more than 100,000 organizations in at least 150 countries and that the number of individuals who have fallen victim to the cyberextortion could be much higher.
He said it was too early to say who was behind the massive attack but that very few organizations had paid the ransoms demanded. He said more people may be hit by the virus on Monday when they return to work and switch on their computers, the Associated Press reported.
Cybersecurity expert Ralph Echemendia called WannaCry “the biggest Ransomware attack of all time.”
Experts like him have long been warning anyone who would listen about “the big one”: a ransomware attack so effective it would hobble industries across the world. Friday’s attack look to be just that, as it leverages a vulnerability in Microsoft’s Windows operating system previously discovered by the US’s National Security Agency. In this case, the attackers leveraged the vulnerability to infect systems and demand a ransom of between $300 and $600 in order to secure their release. Cybersecurity experts say they are still trying to determine who is behind the WannaCry ransomware.
The Windows vulnerability was made public last month, when a group known as the Shadow Brokers released a trove of alleged NSA hacking tools into the public, included those used to hack into systems.
A spokesman for Microsoft did not return an email asking for comment, but Microsoft released a patch for the exploit in March. Many organizations, however, appear to have not patched their systems or not known about the issue.
“This kind of attack is indiscriminate in its nature — it will attack any machine that is not patched for the particular vulnerability,” said Owen Connelly, VP Services at the IOActive cybersecurity firm. ”This appears to be financially motivated — however, that doesn’t mean that there aren’t other potential scenarios."
"This particular vulnerability is part of a group that were leaked/stolen from the NSA," Connelly said. "If nothing else, this is a salutary lesson in why organizations shouldn’t retain these kind of vulnerabilities with the intention of weaponizing them.”
Other cybersecurity experts were also quick to question whether the NSA did not hold some responsibility in its developing, and hoarding, of vulnerabilities in systems. Like many other government agencies, the NSA develops and researches vulnerabilities, which it can use to launch attacks or conduct cyberespionage campaigns. John Bambanek, threat research manager at the Fidelis Cybersecurity firm, said that “the fact that a vulnerability developed by the NSA was used in this attack shows the dangers that can happen when this knowledge gets out into the wild even after a patch has been developed.”
“Unlike traditional weapons,” said Bambanek, "these tools can be repurposed quickly from devastating criminal attacks. The intelligence community should develop strong procedures that when such tools leak, they immediately give relevant information to software developers and security vendors so protections can be developed before attacks are seen in the wild."
Ransomware is one of the fastest-growing types of cyberattacks. Last year, cybersecurity companies estimated that ransomware attacks brought in over a billion dollars for cybercriminal networks globally, and they are on target to make even more in 2017.
While hospitals were not the target of the WannaCry ransomware strain Friday, they were among the most infected as they often lack budgets to defend their online systems and once their networks are down, thousands of patients' lives may be put at risk. Across the UK Friday, doctors reported chaotic situations, with one tweeting that patients would die as a result of the attack.
“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors,” the NHS said in a statement. “Our focus is on supporting organisations to manage the incident swiftly and decisively.”
Cybersecurity experts said Friday that the Wannacry ransomware shows no signs of slowing down. Preliminary research on the strain shows that it is able to run in 27 languages, and likely includes other vulnerabilities that can take advantage of systems. For now, cybersecurity experts are urging people to download the Microsoft update that patches the vulnerability as soon as possible to make sure their systems are protected.
Alicia Melville-Smith contributed to this report from London.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Contact Sheera Frenkel at email@example.com.
Got a confidential tip? Submit it here.