A global cyber
attack leveraging hacking tools believed to have been developed by the U.S.
National Security Agency has infected tens of thousands of computers in nearly
100 countries, disrupting Britain's health system and global shipper FedEx.
Cyber
extortionists tricked victims into opening malicious malware attachments to
spam emails that appeared to contain invoices, job offers, security warnings
and other legitimate files.
The ransomware
encrypted data on the computers, demanding payments of $300 to $600 to restore
access. Security researchers said they observed some victims paying via the
digital currency bitcoin, though they did not know what percent had given in to
the extortionists.
Researchers
with security software maker Avast said they had observed 57,000 infections in
99 countries, with Russia, Ukraine and Taiwan the top targets.
Asian
countries reported no major breaches on Saturday, but officials in the region
were scrambling to check and the full extent of the damage may not be known for
some time.
China's
official Xinhua news agency said some secondary schools and universities had
been affected, without specifying how many or identifying them.
The most
disruptive attacks were reported in Britain, where hospitals and clinics were
forced to turn away patients after losing access to computers on Friday.
International
shipper FedEx Corp said some of its Windows computers were also infected.
"We are implementing remediation steps as quickly as possible," it
said in a statement.
FROM ARGENTINA
TO SPAIN
Only a small
number of U.S.-headquartered organizations were hit because the hackers appear
to have begun the campaign by targeting organizations in Europe, said Vikram
Thakur, research manager with security software maker Symantec.
By the time
they turned their attention to the United States, spam filters had identified
the new threat and flagged the ransomware-laden emails as malicious, Thakur
added.
Infections of
the worm appeared to have fallen off significantly after a security researcher
bought a domain that the malware was connecting to, by chance undermining the
malware's effectiveness.
Making the
domain active appears to have stunted the spread of the worm, Thakur said on
Saturday.
"The
numbers are extremely low and coming down fast," he said, while cautioning
that any change in the original code could lead the worm to flare up again.
The U.S.
Department of Homeland Security said late on Friday it was aware of reports of
the ransomware, was sharing information with domestic and foreign partners and
was ready to lend technical support.
Telecommunications
company Telefonica was among many targets in Spain, though it said the attack
was limited to some computers on an internal network and had not affected
clients or services. Portugal Telecom and Telefonica Argentina both said they
were also targeted.
Private
security firms identified the ransomware as a new variant of
"WannaCry" that had the ability to automatically spread across large
networks by exploiting a known bug in Microsoft's Windows operating system.
The hackers,
who have not come forward to claim responsibility or otherwise been identified,
likely made it a "worm", or self spreading malware, by exploiting a
piece of NSA code known as "Eternal Blue" that was released last
month by a group known as the Shadow Brokers, researchers with several private
cyber security firms said.
"This is
one of the largest global ransomware attacks the cyber community has ever
seen," said Rich Barger, director of threat research with Splunk, one of
the firms that linked WannaCry to the NSA.
The Shadow
Brokers released Eternal Blue as part of a trove of hacking tools that they
said belonged to the U.S. spy agency.
Microsoft said
it was pushing out automatic Windows updates to defend clients from WannaCry.
It issued a patch on March 14 to protect them from Eternal Blue.
"Today
our engineers added detection and protection against new malicious software
known as Ransom:Win32.WannaCrypt," Microsoft said in a statement on
Friday, adding it was working with customers to provide additional assistance.
SENSITIVE
TIMING
The spread of
the ransomware capped a week of cyber turmoil in Europe that began the previous
week when hackers posted a trove of campaign documents tied to French candidate
Emmanuel Macron just before a run-off vote in which he was elected president of
France.
On Wednesday,
hackers disrupted the websites of several French media companies and aerospace
giant Airbus.Also, the hack happened four weeks before a British general
election in which national security and the management of the state-run
National Health Service (NHS) are important issues.
RELATED
COVERAGE
VIDEOUK
hospitals hit by large-scale cyber attack
Global cyber
attack fuels concern about U.S. vulnerability disclosures
Microsoft adds
detection, protection against global cyberattack: statement
FACT BOX Don't
click - What is the 'ransomware' WannaCry worm?
FACT BOX
British hospitals suffer major cyber attack - What do we know so far?
Authorities in
Britain have been braced for cyber attacks in the run-up to the vote, as
happened during last year's U.S. election and on the eve of the French vote.
But those
attacks - blamed on Russia, which has repeatedly denied them - followed a
different modus operandi involving penetrating the accounts of individuals and
political organizations and then releasing hacked material online.
On Friday,
Russia's interior and emergencies ministries, as well as its biggest bank,
Sberbank, said they were targeted. The interior ministry said on its website
that about 1,000 computers had been infected but it had localized the virus.
The
emergencies ministry told Russian news agencies it had repelled the cyber
attacks while Sberbank said its cyber security systems had prevented viruses
from entering its systems.
NEW BREED OF
RANSOMWARE
Although cyber
extortion cases have been rising for several years, they have to date affected
small-to-mid sized organizations, disrupting services provided by hospitals,
police departments, public transport systems and utilities in the United States
and Europe.
"Seeing a
large telco like Telefonica get hit is going to get everybody worried. Now
ransomware is affecting larger companies with more sophisticated security
operations," said Chris Wysopal, chief technology officer with cyber
security firm Veracode.
The news is
also likely to embolden extortionists when selecting targets, Chris Camacho,
chief strategy officer with cyber intelligence firm Flashpoint, said.
In Spain, some
big firms took pre-emptive steps to thwart ransomware attacks following a
warning from the National Cryptology Center of "a massive ransomware
attack".
Iberdrola and
Gas Natural, along with Vodafone's unit in Spain, asked staff to turn off
computers or cut off internet access in case they had been compromised,
representatives from the firms said.
The attacks
did not disrupt the provision of services or networks operations of the
victims, the Spanish government said in a statement.
REUTERS
0 Comments