Dayton Daily News

Experts scramble to contain fallout from cyberattacks

Malware exposes vulnerabilities in 100 countries.

- Mark Scott ©2017 The New York Times

Governments, companies and security experts from China to the United Kingdom raced Saturday to contain the fallout from an audacious cyberattack that spread quickly across the globe, raising fears that people would not be able to meet ransom demands before their data are destroyed.

The global efforts come less than a day after malicious software, transmitted via email and stolen from the National Security Agency, exposed vulnerabilities in computer systems in almost 100 countries in one of the largest “ransomware” attacks on record.

The cyberattackers took over the computers, encrypted the information on them and then demanded payment of $300 or more from users to unlock the devices. Some of the world’s largest institutions and government agencies were affected, including the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.

As people fretted over whether to pay the digital ransom or lose data from their computers, experts said the attackers might pocket more than $1 billion worldwide before the deadline ran out to unlock the machines.

The coordinated attack was first reported in the United Kingdom and spread globally. It has set off fears that the effects of the continuing threat will be felt for months, if not years. It also raised questions about the intentions of the hackers: Did they carry out the attack for mere financial gain or for other unknown reasons?

“Ransomware attacks happen every day — but what makes this different is the size and boldness of the attack,” said Robert Pritchard, a cybersecurity expert at the Royal United Services Institute, a think tank, in London. “Despite people’s best efforts, this vulnerability still exists, and people will look to exploit it.”

While most cyberattacks are inherently global, the current one, experts say, is more virulent than most. Security firms said the attacks had spread to all corners of the globe, with Russia hit the worst, followed by Ukraine, India and Taiwan, said Kaspersky Lab, a Russian cybersecurity firm.

The attack is believed to be the first in which such a cyberweapon developed by the NSA has been used by cybercriminals against computer users around the globe.

While U.S. companies like FedEx said they had been hit, experts said computer users in the United States had been less affected than others after a British cybersecurity researcher inadvertently stopped the ransomware attack from spreading more widely.

As part of the digital attack, the hackers, who have yet to be identified, had included a way of disabling the malware in case they wanted to shut down their activities. To do so, the assailants included code in the ransomware that would stop it from spreading if the virus sent an online request to a website created by the attackers.

This kill switch would stop the malware from spreading as soon as the website went online and communicated with the spreading digital virus.

When the 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog and who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny, saw that the kill switch’s domain name — a long and complicated set of letters — had yet to be registered, he bought it himself. By making the site go live, the researcher shut down the hacking attack before it could fully spread to the United States.

“The kill switch is why the U.S. hasn’t been touched so far,” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”

As the fallout from the attack continued, industry officials said law enforcement would find it difficult to catch the ringleaders, mostly because such cyberattacks are borderless crimes in which the attackers hide behind complex technologies that mask their identities. At the same time, national legal systems were not created to handle such global crimes.

Brian Lord, a former deputy director for intelligence and cyberoperations at Government Communications Headquarters, Britain’s equivalent to the NSA, said that any investigation, which would include the FBI and the National Crime Agency of Britain, would take months to identify the attackers, if it ever does.

By focusing the attacks on large institutions with a track record of not keeping their technology systems up to date, global criminal organizations can cherry-pick easy targets that are highly susceptible to such hacks, according to Lord.

“Serious organized crime is looking to these new technologies to the maximum effect,” Lord said. “With cybercrime, you can operate globally without leaving where you already are.”

Of the current attack, he said: “It was well thought-out, well timed and well coordinated. But, fundamentally, there is nothing unusual about its delivery. It is still fundamentally robbery and extortion.”

As part of the efforts to combat the attack, Microsoft, whose Windows software lies at the heart of the potential hacking vulnerability, released a software update available to those affected by the attack and others that could be potential targets.
