CYBERATTACK Ransomware expected to wreak havoc on more computers; install software updates, experts say

Users urged to run antivirus software, backup data


LONDON — An unprecedented “ransomware” cyberattack that has already hit tens of thousands of victims in 150 countries could wreak greater havoc as more malicious variations appear and people return to their desks Monday and power up computers at the start of the workweek.

Officials and experts on Sunday urged organizations and companies to update their operating systems immediately to ensure they aren’t vulnerable to a second, more powerful version of the software — or to future versions that can’t be stopped.

The cyberattack paralyzed computers that run Britain’s hospital network, Germany’s national railway and scores of other companies and government agencies worldwide.

The attack, already believed to be the biggest online extortion scheme ever recorded, is an “escalating threat” after hitting 200,000 victims across the world since Friday, according to Rob Wainwright, the head of Europol, Europe’s policing agency.

“The numbers are still going up,” Wainwright said. “We’ve seen that the slowdown of the infection rate over Friday night, after a temporary fix around it, has now been overcome by a second variation the criminals have released.”

Researchers discovered at least two variants of the rapidly replicating worm Sunday and one did not include the so-called kill switch that allowed them to interrupt its spread Friday by diverting it to a dead end on the Internet.

Ryan Kalember, senior vice-president at Proofpoint Inc., said the version with no kill switch was able to spread, but it contained a flaw that wouldn’t allow it to take over a computer and demand ransom to unlock files. However, he said it’s only a matter of time before such a version exists.

“I still expect another to pop up and be fully operational,” Kalember said. “We haven’t fully dodged this bullet at all until we’re patched against the vulnerability itself.”

The attack held users hostage by freezing their computers, encrypting their data and demanding money through online bitcoin payment — $300 US at first, rising to $600 before it destroys files hours later.

Europol spokesperson Jan Op Gen Oorth said it was too early to say who was behind the onslaught and what their motivation was, aside from the obvious demand for money.

The effects were felt around the globe, with Britain’s National Health Service, Russia’s Interior Ministry and companies including Spain’s Telefonica, FedEx Corp. in the U.S. and French carmaker Renault all reporting disruptions.

Chinese media reported Sunday that students at several universities were hit, blocking access to their thesis papers and dissertation presentations.

Had it not been for a young British cybersecurity researcher’s accidental discovery of a so-called “kill switch,” the malicious software likely would have spread much farther and faster.

The 22-year-old researcher known as “MalwareTech,” who wanted to remain anonymous, said he spotted a hidden web address in the “WannaCry” code and made it official by registering its domain name. That move, which cost just $10.69, redirected the attacks to the server of Kryptos Logic, the security company where he works. The server operates as a “sinkhole” to collect information about malware — and in Friday’s case kept the malware from escaping.

Security officials urged organizations to protect themselves by installing security fixes, running antivirus software and backing up data elsewhere. “Just patch their systems as soon as possible,” MalwareTech said. “It won’t be too late as long as they’re not infected. It should just be a case of making sure installing updates is enabled, installing the updates, and reboot.”

Experts say this vulnerability has been understood for months, yet many groups failed to take it seriously. Microsoft had fixed it in updates of recent versions of Windows since March, but many users did not apply the software fix.

Short of paying, options for those already infected are usually limited to recovering data files from a backup, if available, or living without them.


A screenshot of the warning screen from a purported ransomware attack.
