The Jerusalem Post

Global cyber attack slows, but experts see risk of fresh strikes

Russia suffers almost two-thirds of ransomware infections • Hackers use tools honed by US National Security Agency

By JEREMY WAGSTAFF and ERIC AUCHARD

SINGAPORE/FRANKFURT (Reuters) – A global cyber attack forced a European carmaker to halt some production lines, hit Russian computers with more than half of suspected infections and struck schools in China and hospitals in Indonesia, though it appeared to be dying down on Saturday.

Capitalizing on spying tools believed to have been developed by the US National Security Agency, the cyber assault launched on Friday has infected tens of thousands of computers in 104 countries, with Britain’s health system suffering the worst known disruptions.

Researchers with Czech Republic-based security software maker Avast said they had observed more than 126,000 ransomware infections, with 60% of infected computers located in Russia, followed by Ukraine and Taiwan.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.

Once inside the targeted network, so-called ransomware made use of recently revealed spy tools to silently infect other out-of-date machines without any human intervention. This, security experts said, marked an unprecedented escalation in the risk of fresh attacks spreading in the coming days and weeks.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Researchers observed some victims paying via the digital currency bitcoin, though no one knows how much may have been transferred to extortionists because of the largely anonymous nature of such transactions.

The hackers, who have not come forward to claim responsibility or otherwise been identified, took advantage of a worm, or self-spreading malware, by exploiting a piece of NSA spy code known as “Eternal Blue” that was released last month by a hackers group known as the Shadow Brokers, according to researchers with several private cyber security firms.

The attack targeted Windows computers that had not installed patches released by Microsoft in March, or older machines running software that Microsoft no longer supports, including the 16-year-old Windows XP system, researchers said.

German rail operator Deutsche Bahn said some electronic signs at stations announcing arrivals and departures were infected, with travelers posting pictures showing some bearing a message demanding a cash payment to restore access.

Europol’s European Cybercrime Center said it was working closely with country investigators and private security firms to combat the threat and help victims. “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, and so limited the worm’s spread.

Researchers are racing against the clock to decrypt infected computers and recover access to victims’ files before the malicious code’s ransom deadline expires in two days. But so far, several said they have found no way to break the encryption.

The attackers may yet tweak the code and restart the cycle. The researcher in Britain widely credited with foiling the ransomware’s proliferation told Reuters he had not seen any such tweaks yet, “but they will [happen].”

In Asia, some hospitals, schools, universities and other institutions were affected, though the full extent of the damage is not yet known.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government. “Things could likely emerge on Monday” as staff return to work.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

The health system has largely recovered from the disruption, Home Secretary Amber Rudd said on Saturday after a meeting of the government crisis response committee.

International shipper FedEx Corp. said some of its Windows computers were also breached. “We are implementing remediation steps as quickly as possible,” a statement said.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

The hackers appear to have begun the campaign on targets in Europe, said Thakur, so by the time they turned their attention to the United States, spam filters had identified the threat, diminishing the impact.

Private security firms identified the ransomware as a new variant of “WannaCry” that could spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the US spy agency.

Microsoft said it had pushed out automatic Windows updates to defend existing clients from WannaCry. It had issued a patch on March 14 to protect them from Eternal Blue. Late on Friday, Microsoft also released patches for a range of long discontinued software, including Windows XP and Windows Server 2003.

The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s US election and on the eve of the French runoff vote on May 7.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s Interior and Emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted by ransomware. The Interior Ministry said about 1,000 computers had been infected but it had localized the virus.

In order to ensure Israel’s preparedness against the ongoing threat, National Infrastructure, Energy and Water Minister Yuval Steinitz declared an increased state of cyber alert for the country’s energy and water infrastructure on Saturday afternoon.

Throughout the day Saturday, the Energy Ministry and the Israel Electric Corporation took preventative measures to protect and increase the readiness of the country’s infrastructure, in accordance with the pattern of attacks currently taking place around the world. These activities were coordinated by the Energy Ministry’s cyber center, which was established a year ago in order to protect Israel’s energy networks from such types of attacks, the ministry said.

The National Cyber Security Authority in the Prime Minister’s Office warned on Saturday night that over the past day, the WannaCry ransomware has been spreading to computers around the world through system loopholes. However, it is possible to ward off these attacks by “immunizing” both organizational and private computers, a statement from the authority stressed.

“The National Cyber Security Authority maintains constant contact with its global counterparts and security companies in Israel and around the world, in order to receive full information about the attack,” the statement said.

Among the specific actions recommended by the authority are backing up data on a platform separate from current backup systems, as well as installing all anti-virus, security and Microsoft operating system updates. The authority also warned against opening emails sent from unknown sources or clicking on links from unrecognized parties. Detailed technical information and professional recommendations for large organizations are available on the authority’s website.

(Kacper Pempel/Reuters) A MAN HOLDS a laptop computer as cyber code is projected on a screen in the background.
